Auriga, specialists in cyber security, technology and risk management, today warned that the time taken between detection and response, as evidenced in the Yahoo! data breach, is creating an open window of compromise. The Yahoo! data breach saw 500 million accounts compromised back in 2014 with the data then posted for sale on a dark web site called The Real Deal. Yahoo! only discovered the breach after investigating a separate incident in August and chose not to disclose the breach for two months, creating a window of opportunity for hackers to sell on and exploit user credentials. The wider application of web monitoring solutions could help lessen this threat by closing the gap between detection and disclosure and diminishing returns for the malicious parties involved.
Organisations should be monitoring both the surface and deep web for indications of compromise. The deep web accounts for 96 percent of all web traffic and is not indexed by search engines, effectively hiding it from view. The dark web is a subset of the deep web and comprises unregulated community sites, websites called .onions, and black markets accessed via the TOR anonymising software.
The threat posed by web data disclosure has been acknowledged by the Information Commissioner’s Office (ICO), which broke out cyber incidents for the first time in its data security incident trends analysis in June 2016. According to ICO figures, there were 50 cyber incidents during the first quarter of 2016, making this the fourth most common type of breach. Of these, thirteen incidents were attributed to exfiltration, i.e. the transfer of stolen data to another locale, while six were recorded where data had been detected on Pastebin. Monitoring legitimate surface sites such as Pastebin for evidence of corporate assets is a relatively simple way to increase vigilance, and hackers will often use other surface web sites to publicise attacks, as in the case of the Ashley Madison attack, which was announced over Reddit.
Detection and remediation of both surface and deep web disclosures is now possible using the next generation Security Operations Center (SOC). The Compass SOC can use various search criteria to monitor external networks, such as references to company names, intellectual property and user credentials, but it can also factor in other variables. For instance, in the case of Yahoo!, the imminent merger with Verizon would have heightened the threat level to the company, altering the search criteria. Following detection, the organisation is then able to swiftly take action to minimise the effects of the attack, put security controls in place, and inform and guide the user base.
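To illustrate the kind of criteria-driven surface web monitoring described above, here is an added example (not Auriga's or the Compass SOC's own code) that scans constructed sample pastes for credentials on watched company domains and for weighted watch terms, where a term tied to a pending business event such as a merger carries extra weight. All paste contents, domains and terms are hypothetical.

```python
import re

# Constructed sample pastes (hypothetical, not real data), keyed by paste id.
PASTES = {
    "paste-001": "random chatter about the weather",
    "paste-002": "dump:\nalice@example-corp.com:hunter2\n"
                 "bob@example-corp.com:Passw0rd!\ncarol@other.net:qwerty",
    "paste-003": "Example Corp internal roadmap leaked, merger docs with AcquirerCo",
}

# Search criteria: domains whose credentials we care about, and watch terms with
# a contextual weight (the merger partner name is weighted higher, mirroring the
# "heightened threat level" idea in the text).
WATCH_DOMAINS = {"example-corp.com"}
WATCH_TERMS = {"example corp": 1.0, "acquirerco": 2.0}

# email:password style lines commonly seen in credential dumps.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,}):(\S+)")


def scan_paste(text, watch_domains=WATCH_DOMAINS, watch_terms=WATCH_TERMS):
    """Return (score, findings) for one paste. Passwords are never recorded,
    only the affected account, so the finding itself is safe to store."""
    findings, score = [], 0.0
    for m in CRED_RE.finditer(text):
        if m.group(2).lower() in watch_domains:
            findings.append(("credential", f"{m.group(1)}@{m.group(2)}"))
            score += 5.0
    lowered = text.lower()
    for term, weight in watch_terms.items():
        if term in lowered:
            findings.append(("term", term))
            score += weight
    return score, findings


def scan_all(pastes=PASTES):
    """Scan every paste and keep only those that matched some criterion."""
    hits = {pid: scan_paste(body) for pid, body in pastes.items()}
    return {pid: res for pid, res in hits.items() if res[0] > 0}


if __name__ == "__main__":
    for pid, (score, findings) in sorted(scan_all().items(), key=lambda kv: -kv[1][0]):
        print(pid, score, findings)
```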
“The Yahoo! data breach joins the league of mega breaches such as Home Depot, Target and eBay all of which were tardy in both detecting and disclosing the compromise of user data. There has to be both more proactive external monitoring and better systems in place internally for communicating and acting on this information and that means using intelligent security solutions that are capable of policing networks and looking for indicators of anomalous or malicious activity,” said Louise T. Dunne, CEO, Auriga. “A next generation SOC is able to search those resources but crucially it also takes into account those business activities or geopolitical events that are going to have repercussions for the organisation, helping create a context-based search that really could shorten the timeframe between discovery and disclosure.”