When the Equifax breach — one of the largest breaches of all time — went public nearly a year-and-a-half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.
The data had up and vanished.
This was surprising because if the data had, in fact, been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they would have expected to see a wave of fraudulent credit transactions.
CNBC recently published an article that takes an in-depth look at what exactly happened to the credit, Social Security, and other sensitive data of 143 million people after it was stolen. The deeper the threat hunters have gone down the rabbit hole of this story, the more convinced they have become that the motive was actually even more sinister than pure financial gain.
In essence, security experts most familiar with this breach believe that a nation-state — likely China or Russia — stole the data in order to suss out current spies and pick out potential targets they could recruit as spies.
It's the latter part that should concern organizations in the US and beyond. While the complex spy scheme sounds like something out of a movie, it actually has serious, real-world implications.
The Rise of State-Sponsored Threats
State-sponsored threats are increasingly among the biggest threats to information assets across the globe. Threat actors are targeting businesses, universities, and other organizations with powerful and sophisticated tradecraft designed to steal confidential information, which can result in massive data and revenue loss.
People have many different motives to spy on behalf of a foreign government. The vast majority of nefarious insiders are acting out of financial greed, but other motivations include anger, ideology, patriotism, and organizational conflicts. The news has been flooded with stories about employees convicted of working on behalf of a foreign government. Most recently, Chinese-born scientist You Xiaorong was accused of using her employment at Coca-Cola to steal trade secrets, with the intent to set up a competing venture in China and win a reward from a Chinese government-backed program. Apple also has come under fire, with two employees charged with stealing self-driving car project secrets in the past year.
Power-hungry executives are a major target for state-sponsored recruitment, along with those who may be suffering from financial problems. These executives can be lured into revealing secrets in return for money or power – from credentials to highly confidential documents and trade secrets. If nation-state spies have enough information to identify potential financial instability, they can determine the best targets to recruit as spies, especially individuals they can convert for monetary gain.
Are There Spies in Your Organization?
As more employees become the targets for spy recruitment, it is more important than ever for businesses to quickly defend themselves before it is too late.
However, the reality is that most organizations do not have much visibility into what their employees and other insiders are doing with valuable company data. One study found that 42% of organizations rely on server logs to detect threats. These are very difficult to parse and rarely provide sufficient context to indicate that an employee may be conducting nefarious activity. The study also found only about a quarter of organizations are using keylogging or session recording, while 8% admit they have zero visibility whatsoever into all employee activity.
These gaps can leave organizations open to some major risks. Criminal insider incidents can have serious financial repercussions – to the tune of an average annualized cost of $2.99 million, according to a recent Ponemon report. Many organizations simply can't recover from the financial loss and reputational damage that an insider incident can bring.
Security teams' lack of visibility into insiders’ actions also poses a massive security risk to organizations. With the Equifax breach's true implications becoming increasingly clear, it has never been more important to understand what actions users are taking related to sensitive corporate data and systems. In particular, organizations should aim to gain visibility into all employee activities, especially when they are related to:
- Unauthorized cloud storage or large file-sending sites
- Disposable or temporary email clients
- USB storage devices and other removable media
- Copy/pasting, cut/copying, and large print jobs
These are just a few examples of user activities that, when put into context with the specific types of data in play and other factors, can shed valuable light on potential malicious employee activity.
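One way to turn that list into detection logic, shown here as an added example that is not part of the original article: a small Python script that maps constructed endpoint telemetry onto the four monitoring categories above and weights each hit by the classification of the data involved, so that a confidential file copied to removable media scores higher than a public one. The cloud-storage allowlist, disposable-mail domains, size thresholds and sensitivity weights are assumed values standing in for an organization's own policy.

```python
"""Score constructed endpoint telemetry against the insider-activity categories
listed in the article. Added example; thresholds and allowlists are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

MB = 1024 * 1024
# Hypothetical corporate policy values (assumed, not from the article)
APPROVED_CLOUD = {"drive.corp.example", "sharepoint.corp.example"}
DISPOSABLE_MAIL = {"10minutemail.com", "guerrillamail.com", "tempmail.example"}
LARGE_CLIPBOARD_BYTES = 1 * MB      # clipboard payloads above this are unusual
LARGE_PRINT_PAGES = 100
# Data sensitivity is the context that turns a routine action into a meaningful one
SENSITIVITY_WEIGHT = {"public": 1, "internal": 2, "confidential": 3}


@dataclass
class Event:
    user: str
    action: str          # upload | email | removable_write | clipboard | print
    target: str          # destination host, mail domain, device id, or printer
    size: int            # bytes, or page count for print jobs
    classification: str  # public | internal | confidential


@dataclass
class UserSummary:
    score: int = 0
    categories: Set[str] = field(default_factory=set)
    escalate: bool = False


def classify(ev: Event) -> List[str]:
    """Map one event onto the monitoring categories from the article."""
    hits: List[str] = []
    if ev.action == "upload" and ev.target not in APPROVED_CLOUD:
        hits.append("unauthorized_cloud_storage")
    if ev.action == "email" and ev.target in DISPOSABLE_MAIL:
        hits.append("disposable_email")
    if ev.action == "removable_write":
        hits.append("removable_media")
    if ev.action == "clipboard" and ev.size >= LARGE_CLIPBOARD_BYTES:
        hits.append("bulk_clipboard")
    if ev.action == "print" and ev.size >= LARGE_PRINT_PAGES:
        hits.append("large_print_job")
    return hits


def score_event(ev: Event) -> int:
    """Each category hit is weighted by the sensitivity of the data involved."""
    weight = SENSITIVITY_WEIGHT.get(ev.classification, 1)
    return weight * len(classify(ev))


def summarize(events: List[Event], score_threshold: int = 5) -> Dict[str, UserSummary]:
    """Aggregate per user; escalate on a high score or on several distinct categories."""
    out: Dict[str, UserSummary] = {}
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        s = out.setdefault(ev.user, UserSummary())
        s.score += score_event(ev)
        s.categories.update(hits)
    for s in out.values():
        s.escalate = s.score >= score_threshold or len(s.categories) >= 2
    return out


# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = [
    Event("alice", "upload", "drive.corp.example", 200 * MB, "internal"),   # approved, ignored
    Event("bob", "upload", "bigfiles.example", 300 * MB, "confidential"),
    Event("bob", "email", "10minutemail.com", 4096, "confidential"),
    Event("carol", "removable_write", "USB\\VID_0781&PID_5583", 50 * MB, "public"),
    Event("dave", "print", "hq-printer-3", 250, "internal"),
    Event("dave", "clipboard", "excel.exe", 2048, "internal"),              # small paste, ignored
]

if __name__ == "__main__":
    for user, s in summarize(SAMPLE_EVENTS).items():
        flag = "ESCALATE" if s.escalate else "review"
        print(f"{user:6} score={s.score:2} categories={sorted(s.categories)} -> {flag}")
```

The point of the per-user aggregation is the one the article makes: a single event rarely proves anything, but an employee who touches two or more of these categories with confidential data in play is exactly the case that server logs alone would leave buried.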
Given the likelihood that we will see some major spy-recruitment efforts take place over the coming years, any business that stores or handles sensitive data should have full visibility into exactly how all employees are using organizational data. It might sound like the plot for a good movie, but when it's valuable company or customer data on the line, the ending could be very unpleasant.