Too often, we think of ransoms in IT as limited to the ransomware attacks that lock files behind encryption keys and demand a Bitcoin for the release. However, there is more than one way to hold your data hostage.
Recently, a prospective customer approached me to replace their Identity management system after they fought off an attack. An attacker bought credentials to their stand-alone HR SaaS System. The HR System had administrative access to their cloud storage. The cloud storage, in turn, not only stored most of their IP but also served as a configuration backend for all other systems. Meaning they gained credentials to every server and client. Once the attackers established themselves, they started copying files. Now, they had demanded a ransom not to sell the intellectual property to their overseas competitors.
Ultimately, our client had determined that their intellectual property was sufficiently protected to legally stop any products from entering the market. Thus, they declined to pay the ransom.
However, it left the question of how common these attacks are, what to do about detecting them, and which way to fight them.
The Art of Selling Data
In contrast to a simple crypto logger, exfiltrated data doesn’t stop the operation. Thus, the ransom attack only works if you can credibly sell the files to a buyer. The availability of buyers depends on the type of data. Credit card numbers, contact information, and credentials are an easy sell. Criminals can easily reuse them to gain access to funds or jump points. Intellectual property and marketing plans need ruthless competitors willing to exploit a situation. Some non-traditional information, such as employee performance reviews, sell well if you can find the right contacts.
However, in contrast to a crypto logger, converting the data into cash is a lot harder. However, criminals also have more time to do so. In traditional ransomware attacks, companies fight back when they detect the crypto logger. The detection period for hostage data sometimes only starts once criminals send the ransom note.
Hard to Detect What Criminals Took
The detection window is one of the biggest technical challenges. In all companies, employees routinely access data. They modify plans, access legacy files to find contract details or store a final presentation for approval. Likewise, automated systems touch the files all the time. From the search bar in the file explorer to the backup process running every night, computer accounts might be more active than any real user.
At the same time, organizations seldom log access or only log it at the storage level, not for each file. The low-level logging preserves disk space for the log files and cuts down the noise in the logging system.
Consequently, the detection is challenging and requires significant knowledge of the user behavior.
Hard to separate Ransom from Espionage
Lastly, the problem is determining whether an attacker’s focus is espionage or whether the ransom is the primary purpose. Both exfiltrate the data to get it to competitors. Yet, in the case of data theft, to hold it hostage, the criminals aim to get money from you. When dealing with espionage, the aim is to create a false trail or ensure your team goes on a wild goose chase. While a group’s reputation might hint at its intent, nothing guarantees its authenticity.
Protecting your Data: Segregating Data
As with so many issues in IT, an ounce of preparation replaces a pound of cure. Segregating Data on different platforms is the first step. Each platform must have access rights and a limit on who needs to know what.
The need to know doesn’t just extend to actual users but should include function accounts, like backup services. While having different service accounts and credentials is more cumbersome, once set up, there is little user interaction. Thus, the one-time costs diminish over time, while the benefit doesn’t.
Protecting your Data: User Identities
The segregation and access groups only work with a robust identity management system. IT needs to centrally manage user identities and access rights so they can quickly be audited and set up.
All systems need to utilize the central database and systems for their credential verification and login. Technologies, such as Single Sign-On and transparent logins, ensure users are willing to use a different system per workflow.
Protecting your Data: Policies and Governance
Lastly, HR and IT Policies and Governance principles must work hand in hand with the tech solutions. Users need to be aware of the risks and challenges of data ownership. Copying significant amounts of data to mobile devices, unauthorized cloud services, and communication via personal E-Mails significantly increase the risk. However, it is sometimes the easier path, especially if IT isn’t working well.
Increasing awareness and reminding employees of the associated HR policies is critical to securing the system. After all, we humans are often the biggest problem in cybersecurity.
Data Theft and Data Ransom
Thankfully, the problem of selling the data and the risk involved for the buyer make crypto loggers the more prominent attack. However, heating trade wars and the associated espionage make data theft and data ransom a growing threat. Given the willingness of some countries to protect the theft of intellectual property, we can expect an increase in these attacks. A robust IT foundation can make all the difference in protecting yourself and your company.