On the Dark Web, stolen secrets are your enemy, and context is your friend.

Itzik Alvas, Co-Founder & CEO, Entro Security

March 18, 2024

[Image: Hands typing on a keyboard in the dark. Source: Andrey Khokhlov via Alamy Stock Photo]

COMMENTARY
One of the standard cybersecurity tools today is to relentlessly check the Dark Web — the preferred workplace for bad guys globally — for any hints that your enterprise's secrets and other intellectual property have been exfiltrated.

The problem is that far too many chief information security officers (CISOs) and security operations center (SOC) managers make a knee-jerk assumption that whenever they find any sensitive company information, it explicitly means their enterprise systems have been successfully attacked. It very well might mean that, but it could also mean a hundred other things. It could be that the data was grabbed from a corporate cloud site, a shadow cloud site, an employee's home laptop, a corporate backup company, a corporate disaster recovery firm, a smartphone, a supply chain partner, or even a thumb drive stolen from a car.

When dealing with routine intellectual property — including customer personally identifiable information (PII), healthcare data, payment card credentials, or the blueprints for a military weapons system — learning that some version of it has been captured is helpful. But until it is determined where, when, and how that theft took place, it's all but impossible to know what to do about it.

In some cases, the answer might be "nothing." Consider some of the most sensitive files on your system: secrets such as API keys, access tokens, passwords, encryption/decryption keys, and access credentials. 

If everything is being tracked and logged properly, your team might discover that the Dark Web secrets found have already been routinely deactivated. Hence, there would be no need for any further action. 

That said, most enterprises monitor the Dark Web without the coding, labeling, or other tracking details needed to determine the appropriate next steps if and when they do find something.

Getting the Details Right

Most CISOs understand that discovering secrets on the Dark Web means that they are compromised. But lacking appropriate details, they often overreact — or improperly react — and make expensive and disruptive changes that may indeed be entirely unnecessary. 

This might even extend to making regulatory compliance disclosures — including the European Union's General Data Protection Regulation (GDPR) and the Securities and Exchange Commission's (SEC's) cybersecurity requirements — based on flawed assumptions. This has the potential to expose the enterprise to stock drops and compliance fines where they are not necessary.

The life cycle of a secret on the Dark Web — its value, usage, and relevance — changes over time. Understanding this life cycle can help CISOs make informed decisions about which secrets to prioritize for rotation or additional protections. Secrets related to temporary projects, for example, may become irrelevant faster than those tied to long-standing infrastructure. Monitoring the Dark Web, understanding if your secrets are there, and adding metadata and context over those secrets is the key to understanding which secrets are currently valuable to attackers and require immediate action.

The Danger of False Assumptions

The situation is slightly different when the discovered material is sensitive data files, especially highly regulated data such as personally identifiable information (PII), healthcare, and financial data. But the discovery should trigger additional investigation. If the next step is action, your team might engage in the wrong action based on flawed assumptions.

First, how much data was found? Is your company the only place where this data could exist? Could this data also exist within the systems of related companies? Were they the ones breached? This is one of the key reasons why everything must be coded and labeled precisely. 

Once it is established that the data did indeed somehow get taken from your company's systems, we have to go back to the coding. Was the file stolen the one that sits in your on-premises operations? On a cloud? If cloud, then which cloud? Is this the data given to your marketing team a month ago for analysis? 

Every time the data is copied and shared, it can be traced back using logs and metadata enrichments to determine how, why, and when it was stolen. That, ideally, will tell your team where a hole exists that needs to be addressed.

Let's get back to secrets such as keys. If a key has already expired, you probably don't care if it's on the Dark Web. (You probably still want to know, because it could be a clue about an as-yet-undiscovered breach, but the response is far less troubling.) Now assume that the machine keys discovered are still active. That is obviously a problem. It is the solution — what to do about it — that is far from obvious. Programmatic access keys can deliver access to much of your infrastructure. From the thief's perspective, that is the most valuable data possible. Those are the proverbial keys to your kingdom. If not handled properly and quickly, it can be game over.

What's the catch? Once you discover the purloined data or keys, it's too late to start building context. If the critical context is not created and attached to each key the instant it is created — and amended the instant it is moved anywhere by anyone — discovering the breach details later becomes infinitely more difficult. Even the world's best forensic teams will take ages to reconstruct a key's history if that context wasn't recorded from the very beginning.

Establishing Best Practices

You need to maintain a strictly controlled inventory of all of your secrets, including elaborate and meticulous hashing mechanisms to track all usage and activity. This is the only viable way to monitor all activities of your machine credentials in real-time. If you do that aggressively, you should have a heads-up about a stolen machine credential long before it finds its way to the Dark Web and is sold to the highest bidder.
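As an added illustration of the inventory-plus-context practice described here (and of the lifecycle point made earlier), not code from the article or from Entro Security: secrets are indexed by a keyed fingerprint so the inventory never stores raw key material, each record carries owner, system, expiry and a movement log, and a Dark Web hit is triaged against that record rather than against assumptions. The pepper value, the record fields and the sample secrets are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Placeholder pepper (assumption): unlike a plain hash, an HMAC fingerprint cannot
# be recomputed by whoever holds only the leaked value, so the index leaks nothing.
PEPPER = b"placeholder-inventory-pepper"

def fingerprint(secret: str) -> str:
    """Inventory index for a secret; the raw secret itself is never stored."""
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).hexdigest()
def utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

@dataclass
class SecretRecord:
    owner: str
    system: str
    created: datetime
    expires: datetime
    status: str = "active"                          # "active" or "revoked"
    movements: list = field(default_factory=list)   # (when, source, destination)

INVENTORY = {}  # fingerprint -> SecretRecord

def register(secret, owner, system, created, expires, status="active"):
    INVENTORY[fingerprint(secret)] = SecretRecord(owner, system, created, expires, status)

def record_move(secret, when, source, destination):
    # Amend the record the moment the secret is copied or shared anywhere.
    INVENTORY[fingerprint(secret)].movements.append((when, source, destination))

def triage(leaked: str, now: datetime) -> dict:
    """Turn a Dark Web hit into a decision backed by inventory context."""
    rec = INVENTORY.get(fingerprint(leaked))
    if rec is None:
        return {"verdict": "not-ours", "action": "no rotation; check partners and other sources"}
    last_location = rec.movements[-1][2] if rec.movements else rec.system
    if rec.status == "revoked" or rec.expires <= now:
        return {"verdict": "inert", "action": "record as breach clue; no rotation",
                "owner": rec.owner, "last_location": last_location}
    return {"verdict": "active", "action": "rotate now; investigate from last location",
            "owner": rec.owner, "last_location": last_location}

def build_sample_inventory():
    """Constructed sample data, not real credentials."""
    INVENTORY.clear()
    register("ak-sample-expired", "payments", "prod-cluster", utc("2024-01-01"), utc("2024-02-01"))
    register("ak-sample-live", "marketing", "analytics-bucket", utc("2024-01-01"), utc("2025-01-01"))
    record_move("ak-sample-live", utc("2024-02-15"), "analytics-bucket", "contractor-laptop")
```

The expired key yields an "inert" verdict with no rotation, while the live key that was last copied to a contractor laptop yields "active" and points the investigation at that location.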

Another best practice is to routinely bombard the Dark Web — and other dens of evil-doers — with bogus files to add far more noise to the equation. This might make some discriminating bad guys avoid your data entirely if they aren't sure whether it's valid or not.

The bottom line: Tracking everything on the Dark Web is mission critical. But if you have not tagged all of your sensitive data beforehand, your team may make decisions that are the polar opposite of what they should be. On the Dark Web, stolen secrets are your enemy, and tons of context your friend.

About the Author(s)

Itzik Alvas

Co-Founder & CEO, Entro Security

Itzik Alvas is co-founder and CEO at Entro Security and former healthcare organization CISO and information technology manager at Microsoft.

A cloud and security expert with more than 17 years of experience managing and building teams of hundreds of employees for both leading global enterprise companies and early-stage startups, always at the forefront of state-of-art security solutions used by governments, top intelligence agencies, data centers, cloud providers and industrial markets. Itzik served with the IDF's elite intelligence unit.
