Roman Sannikov, Director of Cybercrime and Underground Intelligence at Recorded Future
In today’s digital world, databases are one of the most valuable assets for an organization. They store large swaths of sensitive information such as personally identifiable information (PII), credentials, payment information, and proprietary data critical to successful operations. Unfortunately, the number of cyber attacks that threaten these assets continues to grow every year, with Norton reporting that there were approximately 3,800 publicly disclosed breaches in 2019, exposing 4.1 billion records. While measures to thwart these attacks have improved significantly, the risk posed by a potential database breach and release continues to be one of the biggest challenges facing organizations given the immense value these assets hold.
Defining the Attack
A database breach is not an attack in itself, though it often results from one; it is the outcome of cybercriminals obtaining unauthorized access to a network. To obtain this access, cybercriminals use a variety of tactics, techniques, and procedures (TTPs), such as phishing, malware, social engineering, business email compromise, exploitation of existing software vulnerabilities, insider threats, and password reuse.
Once the network is breached, numerous possibilities lie ahead for the attacker, such as privilege escalation or data exfiltration. For example, ransomware operators can encrypt devices in the compromised network, and hackers can exfiltrate databases containing PII, payment data, protected health information (PHI), corporate documents, email addresses, job titles and organizations, social media profiles and account usernames, and passwords.
The combination of TTPs and activities that cybercriminals can take once a network is breached makes the work of IT security professionals exceedingly difficult. Not only do they need to monitor all aspects of the network for suspicious activity, but they must also stay on top of the latest trends used by threat actors, such as new families of ransomware or new automated tools being sold on the dark web to assist less-skilled cybercriminals in conducting an attack.
Beyond the security team, a breach can quickly wreak havoc on victimized individuals and the organization, and can carry significant legal implications. In addition, the newly released information provides the underground economy with valuable new sources of information that can be used to gain further access and can facilitate subsequent malicious or fraudulent activities, as well as additional breaches.
Data – The Fuel Behind Future Threats
My team recently researched the database breach process and found that leaked databases are primarily monetized through open auctions, direct sales, or subscription-based services. But what happens once the data is in the hands of new threat actors?
Database breaches provide the underground economy with an inflow of new data that can be used in various ways, including:
- New spamming and phishing resources through exfiltrated corporate and personal email addresses.
- Using newly breached email and password information to conduct large-scale automated login requests to gain access to protected networks through credential stuffing attacks.
- Taking advantage of PII to conduct social engineering attacks where a cybercriminal attempts to impersonate an employee.
- Business email compromise (BEC) which allows cybercriminals to “spoof” others into thinking they are communicating with a colleague.
- Using PII to commit tax and financial fraud.
It is common for an organization, once breached, to experience an uptick in attacks, both from the original cybercriminal and from others attempting to take advantage of the same vulnerability. As a result, security teams have to quickly triage the original vulnerability while keeping a close eye on new attacks on their network, which will come in a variety of forms.
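The credential stuffing pattern described above (many distinct accounts tried from one source, mostly failing, with the occasional success where a reused password matched) can be spotted in ordinary authentication logs. The following is an added example, not code from the article or from Recorded Future; the log format, thresholds and sample lines are constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per login attempt.
# Assumed format: "<ISO time> ip=<source> user=<login> result=<OK|FAIL>"
SAMPLE_LOG = """\
2020-03-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2020-03-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2020-03-01T10:00:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2020-03-01T10:00:03Z ip=203.0.113.5 user=dave@example.com result=OK
2020-03-01T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2020-03-01T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
2020-03-01T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2020-03-01T10:01:10Z ip=198.51.100.7 user=alice@example.com result=FAIL
2020-03-01T10:01:20Z ip=198.51.100.7 user=alice@example.com result=OK
2020-03-01T11:30:00Z ip=192.0.2.9 user=grace@example.com result=OK
"""

def parse_line(line):
    """Split one log line into (timestamp, source ip, username, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, successes)} for sources that tried
    many different accounts inside `window` and mostly failed. One user with many
    failures (brute force) is deliberately not matched; a replayed breach list
    touches many users once each, and any success marks an account to reset."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window per source ip
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hit = (len(users), len(win), len(win) - fails)
                if ip not in flagged or hit[0] > flagged[ip][0]:
                    flagged[ip] = hit            # keep the widest matching window
    return flagged
```

The successes column is the actionable part: those accounts accepted a password that also appeared in a leaked list and should be reset first.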
The threat landscape is constantly evolving, and the work of IT security professionals has never been more daunting. However, there are steps security teams and IT departments can take to mitigate network compromise and keep their databases more secure. These techniques vary in technical depth, but include:
- Keeping all software and applications up to date; in particular, operating systems, antivirus software, applications, and core system utilities.
- Making regular backups of your system and storing the backups offline, preferably offsite so that data cannot be accessed via the network.
- Adhering to strict compartmentalization of company-sensitive data. Look at which data anyone with access to an employee account or device would have access to. Verify access control for users, and ensure employees have a business need to access resources.
- Applying data encryption standards for stored databases to protect them from being used maliciously by individuals who were able to get unauthorized access to the internal network of the organization.
- Resetting passwords regularly and enabling two-factor authentication. This can reduce the potential damage in the event of a breach.
Securing Databases for the Future
Taking the necessary steps toward mitigating cyber risk is crucial to securing an organization’s network and databases. By gaining a full understanding of the entire threat landscape, including the most likely methods of and motivations for attacks, the most vulnerable attack surfaces, and the status and location of sensitive or mission-critical assets, IT professionals can significantly raise the security of the data for which they are responsible. Having a comprehensive rundown of all relevant security intelligence will not only help the security team prioritize the remediation of risks, but will also keep it informed of the latest TTPs used by cybercriminals. While database breaches will always be a top threat for organizations, providing security teams with the latest insights on cybercriminal activity is one of the best ways to mitigate this threat without losing focus on other pressing IT challenges.
Roman Sannikov is the Director of Cybercrime and Underground Intelligence at Recorded Future. A fluent Russian speaker, Roman has spent nearly two decades studying cybercriminal activity within the Russian underground and has extensive experience working as both a translator and cyber intelligence analyst in the public and private sectors. During his 21-year career with the FBI, Roman served as a translator for numerous major cyber cases involving Russian-speaking actors. He has also had the privilege of interpreting for several high-profile individuals, including former FBI Director Robert Mueller and former U.S. Attorney General Eric Holder. Most recently, Roman supported Russian-language data collection and intelligence reporting as a Senior Intelligence Analyst at CrowdStrike.