Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Who Cares Whos Behind A Data Breach?
Threaded  |  Newest First  |  Oldest First
GangstaNerd
GangstaNerd,
User Rank: Apprentice
2/20/2015 | 4:03:15 PM
Funny
Love the response, "My sources believe it's an alien plot to study human behavior." 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
2/23/2015 | 10:21:46 AM
Re: Funny
LOL. If aliens could figure out the human behavior behind cyberattacks, I hope they will share it with infosec so we can figure out how to better defend against them.    
Dr.T
Dr.T,
User Rank: Ninja
2/23/2015 | 12:22:51 PM
Re: Funny
Aliens most likely have no idea what cyberattack is. They mostly likely develop their services security in mind from group up and enjoying the life without any cyberattacks. :--))
ChrisMurphy
ChrisMurphy,
User Rank: Strategist
2/23/2015 | 11:03:11 AM
Motive
Isn't knowing who attacked important for the prevention piece -- from stopping an attack from happening again?  
SDiver
SDiver,
User Rank: Strategist
2/23/2015 | 11:29:45 AM
Re: Motive
That would be valuable Chris but how would you know that your information was correct?  Having the wrong information can draw incorrect conclusions and solutions.
GonzSTL
GonzSTL,
User Rank: Ninja
2/23/2015 | 12:14:30 PM
Re: Motive
"Attribution takes a long time, a lot of work, and a healthy dose of luck. But is it worth the effort?"

It certainly is! However, this is a secondary priority of the incident response. There is value in a successful attribution, as it adds threat intelligence that can be used in IT security strategies.
Dr.T
Dr.T,
User Rank: Ninja
2/23/2015 | 12:28:14 PM
Re: Motive
I agree. That is how you build enough knowledge base to adapt to current environment and try to get ready for next set of waves for attacks. Without any experience you are actually in the dark and not knowing what to do even for simple preventive course of actions.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
2/23/2015 | 4:48:40 PM
Re: Motive
I would suspect that if you can identify who is responsble -- and make them accountable (e.g. disincent them frm doing doing it again) -- it would be extremely worth the effort. But that is the exception, not the rule, it would seem.
Kerstyn Clover
Kerstyn Clover,
User Rank: Moderator
2/23/2015 | 10:54:47 PM
Re: Motive
You're correct, and my intent wasn't to completely discredit attribution as a piece of maturing your incident response/security program internally. Just to put the emphasis on your "secondary" phrasing, and to perhaps try to push away from rapid finger-pointing in the initial days after an incident. When evidence is there and trustworthy the effort is certainly worth it; however, I've also encountered many cases where effort and resources are best focused on other things first and attribution later if at all.
GonzSTL
GonzSTL,
User Rank: Ninja
2/24/2015 | 8:39:15 AM
Re: Motive
I realize that you are not discrediting attribution, as no serious security professional really would. I do agree with you that the early finger pointing thing can be an awful distraction. Unfortunately, media coverage puts as great an emphasis on this as they do on the breach itself, even to the point of sharing and sometimes leading the headline. As a society, this is what we have been accustomed to seek from the news. Bad news sells, and we want to know who the bad guys are. This is a serious distraction that can divert valuable resources towards the effort to discover who the perpetrators are, which of course detracts from the primary goals of the incident response team, particularly in smaller organizations. It can also lead to flawed incident response if improper assumptions are made based on the known modus operandi of the suspected intruder. A valid argument can be made that an initial attempt to identify the intruder can help analyze what happened in that the team can look for indicators of the attack, but it is better to leave this out of the public until after the investigation has been completed. Correct attribution however, is a small consolation after the fact, but unfortunately does not necessarily lead to successful prosecution of the attacker.
Sara Peters
Sara Peters,
User Rank: Author
2/25/2015 | 10:36:46 AM
Re: Motive
@Kerstyn  In your experience, do breached companies mostly want to know which outside criminal group is to blame for the attack, or which employee/executive is to blame for the failure of the company's security?
Kerstyn Clover
Kerstyn Clover,
User Rank: Moderator
2/25/2015 | 10:12:28 PM
Re: Motive
In the vast majority of my experiences, everyone wants to know who did it and on top of that, how they can press charges. Unfortunately part of my response duties can be to explain the difficulties in not just attribution, but prosecution. It is usually after things have settled and we've had that conversation that we'll sit down and go over areas that were identified to have failed, or where defenses can be beefed up.
Dr.T
Dr.T,
User Rank: Ninja
2/23/2015 | 12:25:01 PM
Re: Motive
I agree, who need to know where it came from and what they of characteristics it has to be able to respond to similar future attacks.
GangstaNerd
GangstaNerd,
User Rank: Apprentice
2/23/2015 | 1:49:33 PM
Re: Motive
The term "Prevention" never sits well with me because we all know we can only delay or deter attacks not prevent them.
Kerstyn Clover
Kerstyn Clover,
User Rank: Moderator
2/23/2015 | 10:40:51 PM
Re: Motive
It certainly can be. As an internal process, it's important to look for indications of the origin of an attack if they're present and reliable. Especially if a certain actor is launching multiple attacks, correlation of these can start to paint a picture that helps to prepare for future attack attempts. My focus with this was really to discuss how much we tend to over-hype attribution, especially in the early moments after a breach and on the media. Pointing fingers preemptively and vocally isn't helpful, but you're right that it is certainly a piece of the puzzle in lessons-learned and maturing an incident response/defense program over time.
SDiver
SDiver,
User Rank: Strategist
2/23/2015 | 11:26:54 AM
Rod Sirling was right.
"My sources believe it's an alien plot to study human behavior."

Credit is due to Rod Sirling and "The Twilight Zone" that disclosed the alien plot years ago!  ;-)
Kerstyn Clover
Kerstyn Clover,
User Rank: Moderator
2/23/2015 | 10:42:08 PM
Re: Rod Sirling was right.
Oh, really? I've been slowly starting to watch the show but must not have come across that one yet. I'll be looking forward to it!
SDiver
SDiver,
User Rank: Strategist
2/24/2015 | 9:48:43 AM
Re: Rod Sirling was right.
"The Monsters Are Due on Maple Street."  Good episode.
Dr.T
Dr.T,
User Rank: Ninja
2/23/2015 | 12:20:26 PM
Owning the consequences
One of the reasons breaches is getting increased exponentially is simply because there is no consequences to the person who did the breach and/or person who did not do his/her job and that caused the breach. We constantly talk about it but it is hard to locate who are responsible.
Kerstyn Clover
Kerstyn Clover,
User Rank: Moderator
2/23/2015 | 10:44:03 PM
Re: Owning the consequences
You're spot on. One of the other things on my mind, but a bit out of my league to speak on is the idea of trying to wrap laws or legislation around these attacks if we do manage to pin down a source. Topic for someone else's blog, perhaps :)
macker490
macker490,
User Rank: Ninja
2/24/2015 | 8:43:12 AM
who cares? sheriff, maybe
Mr: Snowden noted in his recent AMA:

"The only way to ensure the human rights of citizens around the world are being respected in the digital realm is to enforce them through systems and standards rather than policies and procedures."

remember: the sheriff only cleans up a mess after it has been made.   better to not get into a mess,-- whether driving a car or running a 'puter.   prevention is better than cleanup.  and yes: malware can be stopped -- if you're interested in stopping it.
ODA155
ODA155,
User Rank: Ninja
2/24/2015 | 9:34:08 AM
Re: who cares? sheriff, maybe
...and as Mr. Snowden has also showed us and left out of his AMA speach, there will always be someone behind the scenes with the means to circumvent those systems and standards for what ever purpose they choose to be right or wrong.
Sara Peters
Sara Peters,
User Rank: Author
2/25/2015 | 10:31:41 AM
is it just human nature?
Ya know, I've often wondered if this immediate, desperate need to assess blame -- not just for data breaches, but for EVERYTHING -- was a basic human instinct or a particularly American trait. In this exceptionally litigious US society, we're always looking for someone to sue, so of course attribution is important so that you can decide who to drag into court.

But maybe everyone feels the same need to know whodunit? Just so that the mystery is solved? What do you guys think?
ODA155
ODA155,
User Rank: Ninja
2/25/2015 | 6:05:33 PM
Re: is it just human nature?
Sara,

Personally, it's a little more refined than a simple "...immediate, desperate need to assess blame...". Sure there is enough of that going around, but I think identifying the responsible parties is important as well as holding them accontable, and if you can catch the bad guys...OK.  And by responsible parties I tend to focus on the internal people at all levels who should be held responsible for protecting and safeguarding this information. As someone said on another topic some time ago, these companies put too much faith in the outcome of a risk assessment then they purchase insurance to protect their company, but then as in the case of Anthem, I and probably more than one person reading this gets an email telling us "how seriously they take security and protecting... blah blah blah", and give me two years of credit monitoring.
Kerstyn Clover
Kerstyn Clover,
User Rank: Moderator
2/25/2015 | 10:16:48 PM
Re: is it just human nature?
Sara, I didn't realize it but I somewhat addressed this in my last reply to a comment of yours! Litigation definitely comes up frequently and it's pretty understandable, especially since there is usually a tangible business impact (at least by the time I get called in.)
Sara Peters
Sara Peters,
User Rank: Author
2/26/2015 | 9:26:13 AM
Re: is it just human nature?
@Kerstyn  I suppose when a company's trying to get back some of the dough they dropped on the breach recovery process they would make suing somebody for damages a priority.

Still though: if they sue a third party for doing a lousy job of securing data, they might be able to make a civil case out of it and win cash. But attribution -- learning who the attackers are -- will only lead to a criminal case, won't it? And the breached company isn't going to make any cash off of that, will they?

I confess that I don't know much about this -- I try to stay out of court rooms.  :)
ODA155
ODA155,
User Rank: Ninja
2/26/2015 | 9:38:53 AM
Re: is it just human nature?
@Sara...

"Still though: if they sue a third party for doing a lousy job of securing data, they might be able to make a civil case out of it and win cash. But attribution -- learning who the attackers are -- will only lead to a criminal case, won't it? And the breached company isn't going to make any cash off of that, will they?"

Seriously! Look at the Anthem, Sony and Target breaches... who are they going to sue? From what we do know everyone of them were at the very least borderline negligent, doing only the very minimum to meet requirments ignoring or flat out dismissing warnings and examples of how other companies were successfully attacked.

It's way to easy to blame an attacker for breacking into your network and stealing whatever is available, but it's much harder to hold your own feet to the fire... and keep the shareholders happy.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-31104
PUBLISHED: 2022-06-28
Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs...
CVE-2022-34132
PUBLISHED: 2022-06-28
Benjamin BALET Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php.
CVE-2022-34133
PUBLISHED: 2022-06-28
Benjamin BALET Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php.
CVE-2022-34134
PUBLISHED: 2022-06-28
Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php.
CVE-2022-31099
PUBLISHED: 2022-06-27
rulex is a new, portable, regular expression language. When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. This is a s...