Narrowing The Compromise-To-Discovery Breach Time Line

Security professionals are intrigued by the fact that for approximately half of the data breach cases Verizon Business works, the victim doesn't realize there's a problem until more than six months after the incident occurred. Another stunning fact: More than two-thirds of incidents we work are discovered by a third-party.

Nov 20, 2009 | 12:04 PM

By Chris Novak
Dark Reading
Most people consider this a failure of on-staff security personnel, whose very jobs are to detect and respond to such incidents. While there is some truth to that, it is important to consider that in many cases the intruders themselves clearly have a plan for the compromise-to-discovery time line. That is, in many cases, the victim discovers the breach when the perpetrator wants them to, and not a moment before.

In the past year, I've worked several cases where the intruder clearly planned in advance the probable compromise-to-discovery time in almost every aspect of the attack.

For example, a prepaid debit card company held a weekly Monday morning meeting to balance its card transactions. The staff realized its ledger balance and available balance values did not match system totals. Essentially, the funds shown as available did not match the funds that should have been available. The team discovered prepaid debit cards had been loaded at the system level and used over the weekend without any corresponding deposits.

This meant the available balance value of several prepaid card accounts had been increased without a corresponding load increase granted from an authorized merchant. How much money did the thieves go after? The nonauthorized card value increases totaled approximately $3,500,000. Of this total, $1,800,000 had been successfully withdrawn from ATMs all around the world within a 48-hour period.

With these arbitrarily loaded prepaid debit cards in hand, the intruder worked diligently over a 48-hour weekend period to make as many cash withdrawals as possible while no one was at work, avoiding detection during routine account balancing. Working off the assumption that absolutely no account balancing would occur over the weekend, the intruder made sure not to load a single card until after business hours on Friday, and ensured all cash withdrawals were completed by the opening of business on Monday. I won't get into how the PINs were compromised -- that's a whole other discussion.
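The weekend fraud above is, at bottom, a reconciliation failure that ran on the intruder's schedule: the check that would have caught it existed, but only ran on Monday morning. As an added example that is not from the article or from Verizon Business, here is a small Python check over a constructed ledger (the card ids, deposit ids, ATM ids, timestamps and amounts are all made up) that does what the Monday meeting did, but on every load event: it flags card loads with no matching authorized merchant deposit, flags loads that arrive outside business hours, sums what was withdrawn against the flagged cards, and computes how long a weekly review would have left the first bad load undetected.

```python
"""Continuous reconciliation of prepaid-card loads (constructed example)."""
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from io import StringIO

# Constructed sample ledger; not data from the case described in the article.
# Fields: timestamp, event, subject, reference, amount
#   deposit    -> subject = merchant id, reference = deposit id
#   load       -> subject = card id,     reference = deposit id backing the load
#   withdrawal -> subject = card id,     reference = ATM id
# 2009-11-13 is a Friday; 11-14/11-15 are the weekend; 11-16 is Monday.
SAMPLE_LEDGER = """\
2009-11-13T09:30:00,deposit,MERCH-A,D-1001,250.00
2009-11-13T10:15:00,load,C-001,D-1001,250.00
2009-11-13T12:00:00,withdrawal,C-001,ATM-LON-01,50.00
2009-11-13T19:40:00,load,C-002,,5000.00
2009-11-14T02:05:00,load,C-003,D-9999,7500.00
2009-11-14T03:10:00,withdrawal,C-002,ATM-NYC-07,800.00
2009-11-15T14:00:00,withdrawal,C-003,ATM-MOW-03,1200.00
2009-11-16T08:55:00,deposit,MERCH-B,D-1002,100.00
2009-11-16T09:05:00,load,C-004,D-1002,100.00
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    subject: str
    ref: str
    amount: Decimal


def parse_ledger(text):
    """Parse the CSV ledger into Event records (Decimal for money, never float)."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, kind, subject, ref, amount = row
        events.append(Event(datetime.fromisoformat(ts), kind, subject, ref, Decimal(amount)))
    return events


def outside_business_hours(ts, open_hour=9, close_hour=17):
    """True on weekends or outside the (assumed) 09:00-17:00 working day."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)


def next_weekly_review(ts, review_weekday=0, review_hour=9):
    """Next Monday 09:00 (assumed weekly balancing meeting) strictly after ts."""
    days_ahead = (review_weekday - ts.weekday()) % 7
    candidate = (ts + timedelta(days=days_ahead)).replace(
        hour=review_hour, minute=0, second=0, microsecond=0)
    if candidate <= ts:
        candidate += timedelta(days=7)
    return candidate


def reconcile(text):
    """Match every load against an authorized deposit and report what fails."""
    events = parse_ledger(text)
    deposits = {e.ref: e.amount for e in events if e.kind == "deposit"}
    consumed = set()          # deposit ids already used to back a load
    unbacked = []             # loads with no valid authorized deposit behind them
    off_hours = []            # loads arriving when nobody is balancing accounts
    for e in events:
        if e.kind != "load":
            continue
        if e.ref not in deposits or deposits[e.ref] != e.amount or e.ref in consumed:
            unbacked.append(e)
        else:
            consumed.add(e.ref)
        if outside_business_hours(e.ts):
            off_hours.append(e)
    flagged_cards = {e.subject for e in unbacked}
    withdrawn = sum((e.amount for e in events
                     if e.kind == "withdrawal" and e.subject in flagged_cards), Decimal(0))
    first_bad = min((e.ts for e in unbacked), default=None)
    return {
        "unbacked_total": sum((e.amount for e in unbacked), Decimal(0)),
        "flagged_cards": flagged_cards,
        "withdrawn_against_flagged": withdrawn,
        "off_hours_load_count": len(off_hours),
        # Lag a Monday-only review would leave between first bad load and discovery.
        "weekly_review_lag": None if first_bad is None else next_weekly_review(first_bad) - first_bad,
    }


if __name__ == "__main__":
    s = reconcile(SAMPLE_LEDGER)
    print(f"unbacked loads: {s['unbacked_total']} on cards {sorted(s['flagged_cards'])}")
    print(f"withdrawn against them: {s['withdrawn_against_flagged']}")
    print(f"loads outside business hours: {s['off_hours_load_count']}")
    print(f"time a weekly review would have left this open: {s['weekly_review_lag']}")
```

Running the same check on every load event, rather than once a week, is the whole point: the two unbacked loads in the sample would have raised an alert on Friday evening, before the first ATM withdrawal, instead of about 61 hours later at the Monday meeting.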

One of the scariest parts of this story is that it is only a short-time-frame example. In many other cases, intruders count on having months -- and sometimes years -- of undetected access to victim systems without their activities being noticed. In most cases, the perpetrators realize the victim organization won't discover the breach until overwhelming fraud patterns begin to show that the organization has a problem.

Think about this: As an individual, I work on maybe 20 data breaches annually. The last time I saw a calling card or taunt where the intruder announced his presence to the victim with an obscene text file or HTML page bragging about the intrusion was in late 2005. It simply does not happen anymore. The reason organizations are not discovering data breaches as they occur is quite simply because the perpetrators don't want them to! Perpetrators are effectively able to exploit professional complacency. Very rarely does an organization discover a data breach event before the intruder is ready for them to. Bottom line: Organizations need to close the compromise-to-discovery time line by utilizing better detective controls, having an appropriate incident response team, and testing the proficiency of their skill sets regularly. If organizations continue to let all of the above happen on the perpetrator's timetable, then we'll continue to be one step behind them.

-- Christopher Novak is a managing principal and founding member of Verizon Business' Investigative Response Team. He is also a senior investigator and has more than 10 years of experience investigating both civil and criminal computer-based data breaches, along with acting in a litigation support capacity. Novak continues to respond to high-profile cases on a global basis and works closely with local, state, federal, and foreign law enforcement agencies. He was an author of this year's Data Breach Investigations Report, is a frequent source in technology-related media, and a regular speaker at industry conferences.
