Ransomware gets all the fanfare because successful attacks lock victims out of their vital systems. The business interruption coupled with the large sums of money the hackers demand makes these events front-page news and hard for the victim to hide. Victims should then perform a full restore of their network to ensure that the threat actor no longer has access to it.
In some breaches the data is simply exfiltrated and the environment is never encrypted. Don’t get me wrong: disaster recovery is also necessary in this case.
According to cyberinsurer Beazley, data exfiltration was implicated in 65% of its cyber extortion incidents in Q1 2022. Without the business interruption component of ransomware, the overwhelming majority of data exfiltration cases never reach the news outlets.
This is also common in attacks on nation states, which have increased since Russia invaded Ukraine. A recent Microsoft report found that Russian intelligence agencies have increased network penetration and espionage efforts targeting Ukraine and its allies. The report calls for “a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destruction, espionage and influence operations”.
This shows why ransomware isn’t the only threat that warrants cleaning up an environment. Even when the incident is a simple data exfiltration, it is essential to collect forensic data and ask a disaster recovery partner to use the report, including details on how the threat actor accessed and compromised the network, to inform how it creates a new clean environment.
If a threat actor has had access to an environment, it must be considered “dirty”. Even if it has not been encrypted, it is essential that the environment be recovered so that it is better protected the next time a malicious actor attempts to breach it.
Let’s dive deeper into four common misconceptions about data exfiltration events and why victims should take them as seriously as a ransomware attack.
IT = security
Leaders often think of IT as synonymous with security, but in reality, the function of IT is to enable the business functions that generate revenue. The misconception puts pressure on the IT team and creates a security hole where the board doesn’t get the information it needs and the security team doesn’t get the direction it needs.
Too often we find that security teams lack a senior executive and instead report to CIOs. It’s like a defensive coordinator reporting to the offensive coordinator, who in turn reports to the head coach. Which side of the football team do you think can spend the most on free agency in this scenario?
Organizations can solve this problem by having a chief information security officer (CISO) who works with the IT team, but reports to the board and explains the risk to executives so they can decide their risk appetite. The more security professionals can quantify their risk, the more likely boards are to understand the issues and act accordingly.
We have cover
Security should not be an afterthought. For example, some small and medium enterprises lack the budget to support substantial security investments and mistakenly believe that having cyber insurance is an acceptable substitute.
Threat actors are smart enough to do reconnaissance of covered organizations and read their policies to understand how much would be covered by a ransom payment. This tells them exactly how much they can demand to force the victim’s hand.
Insurers are mandating new controls such as multi-factor authentication (MFA) or endpoint detection and response to mitigate their customer coverage risk. However, it’s not foolproof and may be just another box to check for a company when looking to secure coverage.
For example, if you buy an endpoint protection tool but don’t deploy it properly or fit it to their specifications, it won’t protect your data. According to Beazley, organizations are more than twice as likely to experience a ransomware attack if they have not deployed MFA.
We are still operational, so that’s fine
If a victim hasn’t been locked out, it’s tempting to try to go about their business as normal and ignore what just happened to the network. What these victims don’t realize is that if they don’t clean up their environment, the threat actors still have command and control capability.
A company that takes cyber security seriously will call their insurer and enlist the help of a digital forensics and incident response (DFIR) partner to analyze indicators of compromise and create a new clean and secure IT environment.
A good DFIR partner can work on a normal maintenance schedule and clean up your network in phases during your offline hours and weekends to minimize the impact on your production environment and prevent threat actors from re-entering.
Lightning won’t strike twice
Many victims do not understand how extensive their data breach was. They assume that since they were not encrypted, they can make minor changes to their firewall and think they will be safer in the future.
That is simply not enough. According to Cymulate’s recent Data Breach Study, 67% of victims of cybercrime in the past year were affected more than once. Nearly 10% suffered 10 or more attacks!
Threat actors publish and sell data on the dark web, and if you don’t know how they got in to begin with and you don’t build a clean new environment… well, you can probably guess what will happen next. They will come back into your network and they will attack harder than before.
Data exfiltration victims need to understand how real this threat is, take a close look at their network, and deploy the appropriate defenses to keep threat actors out. The cost of inaction could be devastating.
Heath Renfrow is co-founder of Fenix24.