Leveraging breached data to unmask cybercriminals

Outsourcing Data: Don't Take a Fairytale Approach

Companies lucky enough to avoid cybersecurity incidents can no longer turn a blind eye or claim these aren’t their problem. As the saying goes, there are two types of companies: those that have suffered a breach and those that will. In our digital economy, everything is interconnected and if your organization has something of value to a fraudster, they will eventually target your company. Alarmingly, cybercriminals can operationalize and use data that is pulled from a separate breached organization against yours.

How are threat actors so successful? They gather breached data and information from open sources – think social media profiles or even voting records – to build digital profiles of individuals with just a few clicks. This can then lead to, among other attacks, phishing scams such as business email compromise, potentially inflicting a significant financial toll on an organization.

Most credentials stolen from companies are consumer-oriented and are useful on one platform to another – think usernames and passwords. Cybercriminals continue to re-release big combo packages with aggregated credentials gathered from newer, large-scale breaches. Every time these big combo packages surface, billions of email addresses or usernames associated with clear-text passwords recirculate in underground communities, making the data increasingly accessible for malicious use, such as account takeover and other identity-based attacks.

Oftentimes, these attacks are successful not because of lax security protocols, but because poor password hygiene is still an issue – password reuse is rampant. According a 2018 Verizon Data Breach Investigations Report, 81% of company data breaches resulted from poor password security. Companies must balance ease of access and usability with cybersecurity, and this means passwords are not something we can avoid in the near future. An easy preventative measure is mandatory cybersecurity awareness training. In 2019, it was reported that 43% of employees – nearly half – lacked regular data security training, which is too low.

During this extended remote work period, there are already so many threat vectors that companies must account for, and the last thing a company needs is a user error accidentally exposing sensitive information. Individuals must remain extra vigilant to avoid becoming the weakest link in their organization’s chain.

However, bad actors slip up as well. Their data is out there, because many of them are ordinary citizens. There’s a misunderstanding that you need advanced computer skills or sophisticated tools when all you really need is access to computers, data, and persistence. Just as threats actors leverage breached data, so can organizations that hold these treasure troves of data, such as financial and healthcare companies, or government agencies. Through identity attribution, it is possible to piece together the digital footprints of these threat actors to not only understand what the nature of the attack was, but also who was behind the attack and their motivation.

Despite criminals doing all they can to obfuscate their identities, breached data can assist with investigations into fraud, crime and other illicit activities, as well as protecting consumer identities. From unmasking adversaries to domain monitoring to password validation, cybercrime intelligence teams can effectively neutralize and disrupt offensive cyber operations and their infrastructure by utilizing breached data and quickly acting on intelligence.

Of course, speed to actionable intelligence is key. In the time period from occurrence to discovery to containment and remediation, cybercriminals are siphoning through the data, trying to figure out how to exploit it. Instead of playing whack-a-mole, identity intelligence now allows for companies to take a proactive approach to identifying the threat actor – helping thwart future attacks.

Moving forward, leveraging breached data, as well as open source intelligence, makes identity attribution not only possible, but reliable in a swift and efficient manner, especially as companies face reductions to their investments in cybersecurity. Identity information is proliferating in the surface, social, deep and dark webs and bad actors are using this information to launch new attacks. This problem isn’t going away anytime soon. Organizations should take advantage of the tools and data at their disposal and take a more proactive approach.

Luke Wilson is Vice President of intelligence at 4iQ. Luke brings a wealth of knowledge and expertise, with 15+ years working within federal law enforcement, department of defense, and the intelligence community.

Situational awareness should be at the forefront of your security program. It can mean the difference between life and death in a workplace emergency.

Security’s digital transformation is now entering stage 5. Complex security technologies are connected to HR systems, global security operations centers, and other building technologies in a world where employees now work in two places: home and the corporate office.