Examining Data Exfiltration
The cyber threat landscape is continually evolving, and organizations are faced with the challenge of responding with tools and processes that may not have been initially designed with these threats in mind.
Beazley has invested a significant amount of effort and resource over the years that we have been writing cyber insurance into helping our clients understand, and defend against, these evolving threats and we now see an opportunity to share these insights with the wider community. In this and subsequent Cyber Services Snapshots, we’ll be updating key data derived from incidents reported to Beazley and enriching that with threat intelligence and open-source data to pinpoint emerging trends.
Our Cyber Services team will weigh in to provide insights on key issues for a deeper dive and analysis each time. This content is intended to give our clients, as well as the community at large, confidence in their understanding of – and ability to respond to – the changing cyber threat landscape.
Threat actors are finding new ways to do business, resulting in double- and even triple-extortion
Extortion techniques are evolving. No cyber crime can be viewed in isolation. Today, multiple threat actors can be involved in an attack. Even with proof of deletion, your data may still be out there in other threat actors’ hands exposing your organisation to legal and reputational risks.
Extortion incidents no longer just involve encrypted files. Now threat actors are also threatening to expose the fact that your data was stolen, or even the data itself, and looking for payment to prevent this.
Double extortion occurs when the threat actor both encrypts and exports (or exfiltrates) data from the victim’s network. The threat actor demands a ransom both for a key to decrypt data on the network and for a promise they will delete stolen data. The data may then find its way into the dark web for others to leverage.
- Even if the original threat actor has been paid for data destruction, it is almost impossible to ensure that the information is not accidentally or intentionally shared with other threat actors.
- This now happens in the majority of extortion incidents, including 2/3 of the incidents the Cyber Services team saw in Q1 of 2022.
Triple extortion occurs when the threat actor encrypts and also threatens to publish exfiltrated data online AND engages in further pressuring of the victim.
- The attacker may threaten denial of service attacks against the victim’s remaining infrastructure.
- Threat actors may also review exfiltrated data and threaten to contact any individuals whose details are found in it if the targeted organization doesn’t pay.
Just as the number of threat actors involved in a single incident is increasing, so are the risk exposures
It’s getting easier to deploy ransomware and malware, and that gives threat actors more access than ever before. Tools are cheap to rent and competition between ransomware providers means the cut that the tools’ authors are charging has gone down from 40% of ransom to around 10-15%. In addition, some tools are being made publicly available and anyone with minimal coding skills can re-use them.
There is risk in organizations’ own behavior as well. Organizations are moving business operations into the cloud to facilitate hybrid working, to scale operations more efficiently than they could using their own infrastructure, and are increasingly taking advantage of machine learning and artificial intelligence functionality.
Additionally, agile development is used to quickly publish their data and services online to keep up with competition. This may present commercial opportunities but comes with risks if speed is prioritised over security. All of these decisions present potential threat vectors.
Keeping up with the evolving threat landscape is essential to ensuring your data is protected
When it comes to defending data, multi-factor authentication (MFA) is absolutely essential. There are more and less secure forms of MFA, and attackers are increasingly using techniques like social engineering to get around protections. This is not a place to skimp; without MFA, a threat actor who uses correct credentials to connect to an organization’s system may be undetectable. Forms of MFA that can be considered more secure include push notifications, time-based one-time passwords (TOTP), OAuth (Open Authorization) tokens, hardware tokens, authenticator apps, biometrics, or a FIDO2 key like YubiKey.
Remember that services that are exposed on the internet, even where patched regularly, are vulnerable to remote code execution or remote compromise. Beazley has many tools to help organizations recognize and remediate their specific vulnerabilities and exposures.
Despite best efforts, incidents can and will still occur – and the operational, legal, and reputational impacts can be significant. It’s important to work with an insurance carrier who understands threat actors’ habits and can provide guidance that ensures well-informed decisions. While it’s ultimately up to each insured to decide how to respond to an extortion demand, Beazley’s Cyber Services and Claims teams can assist with experienced direction and advice.
What’s coming next? No one has a crystal ball, but when we look ahead, here’s what Beazley is watching for.
From shared services to open-source tools, vulnerabilities may be exploited to create impactful systematic risks. Attacks that inject malicious code into the supply chain are a very real concern.
Third-party risk management is a priority, as threat actors have added tools, code, and frameworks to their attack playbooks. The Log4J vulnerability is an example of how a single impacted open-source tool affected more than 100 million web servers globally and was actively exploited as a means of attack at the same time.
Watch also for potential spillover effects from destructive software masquerading as ransomware. Though the primary goal of criminal malware is to monetize, global conflict heightens the risk that malware that has been deployed for geopolitical purposes may spill over and cause destruction instead.
Finally, organizations that use industrial systems must take steps to protect operational technology as well as IT infrastructure. Threat actors are looking for and targeting these systems, especially in the supply chain, where stopping one vendor can hugely impact the global economy.
Data deletion is not a guarantee when you are dealing with multiple threat actors. Where once there was just one threat actor involved, now it’s a whole supply chain of different entities coordinating for a single attack, in which everyone gets a cut.
It’s a common mistake to expect that cloud providers will automatically provide security on your behalf. Often the tools may be there, but they are not enabled by default. In other words, you can’t just “cloud and go” and expect a secure experience.
If you even suspect you might be a victim, utilize Beazley’s comprehensive vendor services, which include privacy counsel, IT forensics, communications specialists, credit monitoring, dark web monitoring, ransomware negotiators, and denial-of-service mitigation experts. These services will help you take a deliberate and measured approach to mitigation and recovery.
We expect more regulatory oversight and enforcement activity directed at the ransomware ecosystem. Government organizations are attacking the issue on a number of fronts – targeting exchanges used for crypto payments, taking a more aggressive approach to sanctions, and pursuing criminal prosecution of ransomware threat groups.