Malicious attacks targeting a company’s confidential financial data with the intent to make a profit is nothing new. What is disturbing, however, is the amount of time the hacker can go unnoticed, in some reported cases of breaches as long as months.
In 2015, 32 Ukranian hackers made as much as $100 million by accessing financial earnings press releases stored at PRNewswire and other newswire services. The Securities and Exchange Commission (SEC) issued federal charges against those hackers – but in 2017, the SEC itself became a target of a similar scheme. The SEC disclosed that its electronic earnings report system, known as Edgar, had been breached for an undisclosed amount of time (perhaps as long as three months), and that these financial filings “may have provided the basis for illicit gain through trading.” Equifax reported its breach of highly sensitive consumer data on over 140 million customers noting the hackers were in operation for at least three months. How could so much data be exfiltrated and not be noticed sooner, at the onset of the attack?
How can companies ensure that their sensitive documents will be protected, regardless of where they travel or whose hands they fall into - even when they've been shared with legitimate third-party partners? What steps can a financial company take to accelerate the time-to-detection when data has been compromised, even if the breach happened outside the corporate firewall? Current security architectures certainly aren’t working well enough. Very rapid detection may be achievable but this requires strategic re-thinking of security architectures that not only provide breach prevention but also a focus on immediate breach detection and response. The key to achieving this goal is to think about new ways of safeguarding data, too, not only endpoints, networks and users.
Security Architectures and Best Practices
It’s a fair generalization to say all financial institutions invest in security technologies to secure their sensitive corporate data. It’s probably equally fair to say that most, if not all, of the security product categories are deployed in the larger institutions: firewalls, network IDS, endpoint protection, web proxies, DLP, UBA, data encryption, and so on. Yet breaches and data loss still occur. Current best practices are perhaps not the best defenses, yet.
Consider the time-to-detection in these few examples of Edgar and PRNewswire (not to mention Equifax). Attackers operated in a time frame measured in days and months. What were they doing in all that time? They were clearly moving laterally, probing, learning about the environment, and searching for their quarry. Yet, they remained undetected.
The goal, in my view, is to reduce time-to-detection to minutes by focusing on what the attacker is doing during their probing of “casing the joint.” They are touching data, inside the enterprise! Honeynet-based deception technologies may provide fast detection when attackers are ensnared in these systems (and hopefully avoid falsely detecting legitimate users or misconfiguring a connection to the internet). The best honeynet technologies must avoid obvious “tells” that reveal themselves to the attacker. They must present what appears to be realistic data. Indeed, a data deception strategy may work best by deploying deceptive materials within the operational networks of the enterprise.
Modern security architecture design typically focuses on access control and prevention of loss. Attackers by various means gain access anyway. The open, unencrypted data within the enterprise remains vulnerable to inspection by attackers and their subsequent exfiltration. Deceptive, fake data deployed alongside and throughout the operational network amongst the internal open data may well be our best chance for early detection.
Let’s consider a two-tier approach of utilizing deceptive data as a mechanism for early detection of attacker behavior:
1. Data at Rest. Think of repositories of sensitive financial data that are rarely touched but are maintained and accessible for a variety of reasons (discovery purposes in potential litigation, for example). These may include email archives with attached documents and backups of directories, for example. Historical records, documents, data of all sorts are easy prey. It is conceivable and wise to distribute decoy documents amongst these data sources, decoys that are highly believable to the adversary, but are entirely bogus. Various means of identifying the exfiltration of these decoys is possible, for example, utilizing a deployed DLP technology, or beaconizing these documents to send a signal when remotely opened. Using decoys in this way, we can know with certainty the ground truth of an attempted exfiltration by an attacker (whether legitimate insider, or remote adversary). Simple and sensible. Automating the placing and distribution of decoys is certainly doable, and the risk of ensnaring legitimate users is near null.
2. Data in Motion. Fake data dispersed among commonly used cloud storage systems are interesting-looking and appealing to attackers. Decoys in the cloud may be easily deployed in conspicuous directories loaded with deceptive documents. These are easy to deploy and manage remotely. In both cases, of data at rest and in the cloud, we know ground truth about the decoys we strategically placed, and any touching of these directories or their contents is a high-fidelity signal that someone is snooping and searching in locations they shouldn’t be. The inquisitive legitimate employee who may touch these directories are clearly false positives, but a remote access at a suspicious remote IP is not.
Of particular import is that in each case, the time-to-detection of adversarial behavior is near instantaneous, not measured in hours, days or months, but in seconds or less.
A data deception-based strategy for improving time-to-detection of unauthorized access of highly sensitive financial data is not just feasible, it is sensible and easy to deploy, requiring no network management of a bogus deceptive network. Hiding deceptive documents in full sight of an adversary nets immediate, high-value alerts.