By Carolyn Crandall, CMO
The occurrence of data breaches has increased in frequency and severity over the past several years. According to Identity Theft Resource Center (ITRC), 781 U.S. breaches were tracked in 2015, the second highest year on record since the ITRC began tracking breaches in 2005.
The occurrence of breaches was not constrained to any one sector, affecting various sectors including business, medical, financial and energy. Some of the more notorious breaches included Sony Pictures Entertainment, in which hackers used phishing emails to penetrate the company’s network to secure confidential data and the Ukraine Power Outage, in which hackers used a spearfishing vector to distribute “BlackEnergy” malware and facilitate a major power outage.
Last week was a landmark week for breaches with the notorious Panama Papers breach and the breach of the personal data of 50 million Turkish citizens.
In what is being deemed the “biggest data breach of its kind,” the Panama Papers breach included 11.5 million documents totaling 2.6-terabytes of data from Panamanian law firm Mossack Fonseca. The content includes data dating back to the 1970s on more than 214,000 offshore companies, including the names of shareholders and directors of the companies, revealing how wealthy business people and public officials hid assets from public scrutiny. While the creation of offshore companies is not illegal per se, these companies may have been used for illegal activities, such as drug trafficking and tax evasion. An anonymous source insisting on encrypted communication, contacted a reporter at German newspaper Suddeutsche Zeitung more than a year ago, and supplied files in batches over several months. It’s very possible the attacker used a “low and slow” approach to avoid network traffic spikes and potential detection.
The firm claims an “unfortunate” attack on its email server was responsible for the breach. Outside security researchers have noted that Mossack Fonseca did not encrypt emails with Transport Layer Security protocols. The email server itself may have been compromised versus a password-guessing attack on individual mailboxes, given the scale of the breach.
However, several editors and bloggers have questioned how an attacker could exfiltrate that amount of data via email, given the variety of documents revealed. Many speculate an insider was responsible, while others believe an outside attacker perpetrated the attack. Regardless, these attackers likely compromised the Mossack Fonseca network by granting themselves domain administrator or email administrator privileges to gain access to the data.
Turkish Data Breach
The data of more than half of Turkey’s population (including the current and former president) were impacted by a data breach of a Turkish Citizenship database. According to the Associated Press (AP), the information was posted to a database containing 49,611,709 records on Dream Market that held private information including national ID numbers, addresses, birthdates and parents’ names.
Attackers taunted the Turkish government with several messages, including:
- ‘Bit shifting isn’t encryption,’ referring to the fact that the data was improperly protected.
- ‘Index your database. We had to fix your sloppy DB work.’
- ‘Putting a hardcoded password on the UI hardly does anything for security,’ though the hackers didn’t specify in what UI.
- ‘Do something about Erdogan! He is destroying your country beyond recognition.’
While the source of the link is unknown, it is likely from a Turkish public administration office that issues identity cards, since the number of leaked identities is close to the number of registered Turkish voters. It appears that the data is hosted by an Icelandic group on servers located in Romania.
Given the magnitude of breaches occurring on a daily basis, organizations are increasingly turning to deception technology to defend against cyber attacks. While the sole use of attack prevention solutions was effective in the past, that is no longer the case. It is becoming increasingly clearer that a supplementary solution is needed, one that not only detects breaches in real-time but also provides further insight on the attack itself.
Deception technology provides real-time visibility to threats and acts as an alarm system for organizations, providing prompt alerts of threat actors that have bypassed cyber security prevention solutions and have made their way inside the network. Leveraging various deception techniques, Deception systems convert a company’s network into a trap unbeknownst to the hacker. As the attacker tries to conduct a cyberattack on the decoy network, the deception server will engage the attacker to gain forensics, allowing for analysis and time to thwart the attack and remediate infected systems.
Attivo solutions apply deception and decoys to help businesses defend against cyber attacks. Attivo solutions are designed for the highest levels of authenticity and can be completely customized to match a company’s operating environment. Additionally, attacker alerts are built on substantiated forensic data that can be actionably used to block and quarantine an attack. . Attivo boasts the most comprehensive and advanced deception platform, built on real operating systems and capable of detecting all types of cyber threat vectors including reconnaissance, stolen credentials, phishing and ransomware attacks. We can detect intrusions inside the network, data center, cloud or SCADA environment and in real time alert IT and security teams to shut down current and prevent against future attacks.
Savvy IT and security teams are in the midst of re-evaluating their cybersecurity strategies and are now focused on the incorporation of solutions that detect attacks in real time and can be integrated with their prevention solutions for the best security defense. By taking an adaptive security approach that includes a combination of prevention and detection technologies these security teams will still block what they can, but now also have the visibility to know what threats are inside the network, along with the attack data required for prompt incident response.