Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/20/2015
12:00 PM
Kerstyn Clover
Kerstyn Clover
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Who Cares Who’s Behind A Data Breach?

Attribution takes a long time, a lot of work, and a healthy dose of luck. But is it worth the effort?

Recently, I cracked a joke suggesting that whenever a reporter asks during a breach investigation, "so who do you think is behind this…" I should start making up outlandish answers like:

  • “My sources believe it’s an alien plot to study human behavior.” 
  • Or, “Definitely the underground mole people.”
  • A colleague even suggested, “I think it was actually all filmed on a soundstage like the moon landing.”

In real life, however, discovering who is responsible for an incident might ultimately lead to some sort of recourse, but attribution generally takes a long time, a lot of work, and a healthy dose of luck. Identifying what happened and working to prevent that from happening again can't get my data back. But it can help reduce how often it's exposed.

So instead of pointing fingers, I do my best to steer the conversation toward two things that matter a lot more: verifying what happened and keeping it from happening again. If I get a notice that something like my social security number has been accessed, my major concerns are why it happened in the first place and what steps are being taken to protect my information in the future.

Identifying precisely what information was accessed and communicating this information to those compromised is a major first step. A victim who knows that their credit card number has been stolen can act to set up credit freezes or alerts on its use; the longer that notification is delayed, the more time an attacker has to complete their scams and distance themselves from the event. During investigations, evidence should be preserved so that an attempt can be made to identify the culprit later and first response can focus on determining the entire scope of the attack.

The concept of continuous improvement -- taking the lessons learned from a security incident and using them to mature the incident response program -- is also frequently overlooked. The post-breach time is obviously hectic, but it can also be turned into a huge learning opportunity, where weaknesses in the existing security program are highlighted so that they can be improved. Worse, if these aren't remediated, attackers face a lower barrier of entry to your systems, as these vulnerabilities have already been identified.

President Obama in his State of the Union in January proposed legislation that would require companies hit by a data breach to inform affected customers within 30 days of discovering exposure of the data. It is my hope is that any new cybersecurity legislation or regulation will also encourage information sharing of useful data, such as what was accessed and what is being done to improve security for next time.

What do you think about current practices in data breach response? Do you think that President Obama’s proposed reporting requirements are a step in the right direction? If you handle incident response, how much weight do you place on attribution versus other information gathered in the course of the investigation? Let’s chat about these issues in the comments.

As a staff consultant on the SecureState Attack and Defense Team, Kerstyn works with a broad range of organizations across a variety of industries on security assessments including incident response, forensic analysis, and social engineering. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
ODA155
50%
50%
ODA155,
User Rank: Ninja
2/26/2015 | 9:38:53 AM
Re: is it just human nature?
@Sara...

"Still though: if they sue a third party for doing a lousy job of securing data, they might be able to make a civil case out of it and win cash. But attribution -- learning who the attackers are -- will only lead to a criminal case, won't it? And the breached company isn't going to make any cash off of that, will they?"

Seriously! Look at the Anthem, Sony and Target breaches... who are they going to sue? From what we do know everyone of them were at the very least borderline negligent, doing only the very minimum to meet requirments ignoring or flat out dismissing warnings and examples of how other companies were successfully attacked.

It's way to easy to blame an attacker for breacking into your network and stealing whatever is available, but it's much harder to hold your own feet to the fire... and keep the shareholders happy.
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
2/26/2015 | 9:26:13 AM
Re: is it just human nature?
@Kerstyn  I suppose when a company's trying to get back some of the dough they dropped on the breach recovery process they would make suing somebody for damages a priority.

Still though: if they sue a third party for doing a lousy job of securing data, they might be able to make a civil case out of it and win cash. But attribution -- learning who the attackers are -- will only lead to a criminal case, won't it? And the breached company isn't going to make any cash off of that, will they?

I confess that I don't know much about this -- I try to stay out of court rooms.  :)
Kerstyn Clover
100%
0%
Kerstyn Clover,
User Rank: Moderator
2/25/2015 | 10:16:48 PM
Re: is it just human nature?
Sara, I didn't realize it but I somewhat addressed this in my last reply to a comment of yours! Litigation definitely comes up frequently and it's pretty understandable, especially since there is usually a tangible business impact (at least by the time I get called in.)
Kerstyn Clover
100%
0%
Kerstyn Clover,
User Rank: Moderator
2/25/2015 | 10:12:28 PM
Re: Motive
In the vast majority of my experiences, everyone wants to know who did it and on top of that, how they can press charges. Unfortunately part of my response duties can be to explain the difficulties in not just attribution, but prosecution. It is usually after things have settled and we've had that conversation that we'll sit down and go over areas that were identified to have failed, or where defenses can be beefed up.
ODA155
100%
0%
ODA155,
User Rank: Ninja
2/25/2015 | 6:05:33 PM
Re: is it just human nature?
Sara,

Personally, it's a little more refined than a simple "...immediate, desperate need to assess blame...". Sure there is enough of that going around, but I think identifying the responsible parties is important as well as holding them accontable, and if you can catch the bad guys...OK.  And by responsible parties I tend to focus on the internal people at all levels who should be held responsible for protecting and safeguarding this information. As someone said on another topic some time ago, these companies put too much faith in the outcome of a risk assessment then they purchase insurance to protect their company, but then as in the case of Anthem, I and probably more than one person reading this gets an email telling us "how seriously they take security and protecting... blah blah blah", and give me two years of credit monitoring.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/25/2015 | 10:36:46 AM
Re: Motive
@Kerstyn  In your experience, do breached companies mostly want to know which outside criminal group is to blame for the attack, or which employee/executive is to blame for the failure of the company's security?
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/25/2015 | 10:31:41 AM
is it just human nature?
Ya know, I've often wondered if this immediate, desperate need to assess blame -- not just for data breaches, but for EVERYTHING -- was a basic human instinct or a particularly American trait. In this exceptionally litigious US society, we're always looking for someone to sue, so of course attribution is important so that you can decide who to drag into court.

But maybe everyone feels the same need to know whodunit? Just so that the mystery is solved? What do you guys think?
SDiver
50%
50%
SDiver,
User Rank: Strategist
2/24/2015 | 9:48:43 AM
Re: Rod Sirling was right.
"The Monsters Are Due on Maple Street."  Good episode.
ODA155
50%
50%
ODA155,
User Rank: Ninja
2/24/2015 | 9:34:08 AM
Re: who cares? sheriff, maybe
...and as Mr. Snowden has also showed us and left out of his AMA speach, there will always be someone behind the scenes with the means to circumvent those systems and standards for what ever purpose they choose to be right or wrong.
macker490
50%
50%
macker490,
User Rank: Ninja
2/24/2015 | 8:43:12 AM
who cares? sheriff, maybe
Mr: Snowden noted in his recent AMA:

"The only way to ensure the human rights of citizens around the world are being respected in the digital realm is to enforce them through systems and standards rather than policies and procedures."

remember: the sheriff only cleans up a mess after it has been made.   better to not get into a mess,-- whether driving a car or running a 'puter.   prevention is better than cleanup.  and yes: malware can be stopped -- if you're interested in stopping it.
Page 1 / 3   >   >>
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3350
PUBLISHED: 2019-11-19
masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping.
CVE-2011-3352
PUBLISHED: 2019-11-19
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context ...
CVE-2011-3349
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
CVE-2019-10080
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
CVE-2019-10083
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.