An Exclusive Look Behind the Scenes of a Data Breach

Posted on March 16, 2021 by Avishag Yulevich


No two data breaches are the same, but they all have negative consequences. Financial damage includes legal fines, lost time and revenues, and loss of trust in the brand, which together can total $3.86 million. According to experts, 60% of smaller organizations that lose data in a breach shut down within six months. That’s why proper risk management and digital asset protection – in addition to information systems security – are crucial for identifying and assessing risk in advance.

One of the best ways to mitigate these data breaches is digital risk management and asset protection, in addition to whatever information systems security an organization already has in place. Together, these two monitoring processes identify threats to your organization, and it is these threats that set the stage for a data breach.

In this post, we’ll take a closer look behind the scenes at how hackers go about this.

You’ve Been Breached, Now What?

Hackers share, trade and offer endless amounts of hacking tools, software exploits, and data breaches for sale on deep and dark web marketplaces, forums, and chat applications. So it seems as if there should be plenty of opportunities for organizations to identify a data breach in advance. There are, if organizations know the types of threats to look for.

Here are the signals that continuous dark web monitoring can identify:

  • Any mentions of your organization

  • The sale or sharing of tools pointed against your organization

  • Exposed databases of your organization

  • Exploits that can be used to penetrate your company through a third party

  • Failures in your security and risks your organization is facing before an attack even happens 
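As an added example (not code from the original post or from Webhose), here is a small Python scanner that applies the signals listed above to a handful of constructed forum-style posts. The monitored organization, Example Corp with the domains example.com and example-corp.net, the keyword lists and the post text are all assumptions made for the illustration; a production feed would use a far larger, tuned vocabulary.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical organization being monitored (constructed for this example).
ORG_NAME = "Example Corp"
ORG_DOMAINS = ("example.com", "example-corp.net")

# Assumed keyword sets mapping a post to the signal categories above.
TOOL_WORDS = ("config", "combo", "checker", "cracker", "sentry mba", "silver bullet")
DUMP_WORDS = ("database", "dump", "db", "records", "sql")
EXPLOIT_WORDS = ("exploit", "vulnerability", "0day", "rce", "sqli")

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def has_keyword(lowered: str, words) -> bool:
    """Whole-word match so that e.g. 'rce' does not fire on 'source'."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", lowered) for w in words)


def mentions_org(lowered: str) -> bool:
    """Signal 1: the organization is named, or one of its domains appears."""
    if ORG_NAME.lower() in lowered:
        return True
    # The domain must not be the tail of a longer hostname (notexample.com).
    return any(re.search(r"(?<![\w.-])" + re.escape(d) + r"\b", lowered)
               for d in ORG_DOMAINS)


@dataclass
class Finding:
    post_id: str
    signals: List[str] = field(default_factory=list)
    leaked_emails: List[str] = field(default_factory=list)


def scan_post(post_id: str, text: str) -> Optional[Finding]:
    """Classify one post against the monitoring signals; None if irrelevant."""
    lowered = text.lower()
    finding = Finding(post_id)
    if mentions_org(lowered):
        finding.signals.append("org_mention")
    # Credentials on a monitored domain count even when the org is not named.
    for m in EMAIL_RE.finditer(text):
        if m.group(1).lower() in ORG_DOMAINS:
            finding.leaked_emails.append(m.group(0))
    if finding.leaked_emails:
        finding.signals.append("leaked_credentials")
    # Tools, dumps and exploits only matter when tied to the organization.
    if "org_mention" in finding.signals:
        if has_keyword(lowered, TOOL_WORDS):
            finding.signals.append("targeted_tool")
        if has_keyword(lowered, DUMP_WORDS):
            finding.signals.append("exposed_database")
        if has_keyword(lowered, EXPLOIT_WORDS):
            finding.signals.append("exploit")
    return finding if finding.signals else None


def scan_posts(posts: Dict[str, str]) -> Dict[str, Finding]:
    """Scan a batch of posts and keep only those that produced a signal."""
    results = {}
    for pid, text in posts.items():
        f = scan_post(pid, text)
        if f is not None:
            results[pid] = f
    return results


# Constructed sample posts; none of these is a real forum post.
SAMPLE_POSTS = {
    "p1": "Selling fresh combo list + config for example.com login, tested with Silver Bullet, 2M lines",
    "p2": "Netflix premium accounts, cheap, hit me up",
    "p3": "Full Example Corp customer database dump, 350k records, emails + hashed passwords",
    "p4": "leak: alice@example.com:Summer2020! bob@example-corp.net:hunter2 carol@other.org:pass",
}

if __name__ == "__main__":
    for pid, f in scan_posts(SAMPLE_POSTS).items():
        print(pid, f.signals, f.leaked_emails)
```

The post about Netflix accounts produces no finding because it never touches the organization; the credential dump is flagged even though the company is not named, since the leaked addresses sit on a monitored domain. That distinction is what lets a defender prioritize password resets for the affected accounts.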

But it isn’t as simple as identifying these types of posts on the deep and dark web. It’s when the data is identified that matters.

The ideal time to identify a data breach is before it becomes publicly available for download – and before it is published in the media. But it’s still valuable to monitor its mentions across platforms afterwards. (You can read more about the timeline and importance of when a data breach is identified here). 

The right timing helps to better mitigate the data breach in several ways. First, it gives an organization the opportunity to be much better prepared for how it will manage the press. Second, it can also educate both its employees and customers on the importance of changing their passwords before more data is leaked. Finally, some organizations can even remove the data leaks from places in the dark web. 

3 Signs of an Impending Data Breach in Your Organization

Let’s take a closer look at a few different signals and alerts that point to a possible data breach. 

1. Published and shared hacking tools pointed directly at your company

Hacking tools are computer programs and scripts that help find and exploit weaknesses in computer systems, web applications, servers and networks. They can indicate a possible data breach of an organization.

Here is a post from a hacking forum in which an actor published a downloadable tool for cracking accounts on a list of domains. These types of tools – configurations, or extensions – allow hackers to test tens of millions of account usernames and passwords and find the user names that are still active on the tested platform. Accounts whose credentials work on the tested website or application are considered cracked and are leaked. Hackers then use this data to attack a particular website using programs such as Sentry MBA or Silver Bullet.

If an organization identifies the publication of the hacking tool before it is used, it can fix the weakness the tool relies on in time so that the tool no longer works.
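The credential-checking pattern described above looks different from the platform’s own side: a checker walks a long list of different usernames from one source, while a legitimate user who forgets a password retries the same username. As an added example (not code from the original post or from the tools it names), here is a Python detector that runs over a constructed sample of login events; the log format, the source addresses, the threshold of 5 distinct usernames and the 60-second window are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed detection parameters for this illustration.
DISTINCT_USER_THRESHOLD = 5   # distinct usernames from one source within the window
WINDOW_SECONDS = 60

Event = Tuple[datetime, str, str, str]  # (timestamp, source ip, username, result)


def parse_line(line: str) -> Event:
    """Parse 'ISO-timestamp ip username OK|FAIL' (a constructed log format)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text: str,
                               threshold: int = DISTINCT_USER_THRESHOLD,
                               window_seconds: int = WINDOW_SECONDS) -> Dict[str, dict]:
    """Flag source IPs that try many different usernames within a short window.

    The sliding window keeps a slow trickle of distinct names (for example
    several people behind one NAT address) from raising an alert.
    """
    window = timedelta(seconds=window_seconds)
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    per_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        per_ip[ev[1]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users_in_window = {e[2] for e in evs[start:end + 1]}
            if len(users_in_window) >= threshold:
                alerts[ip] = {
                    "distinct_users": len({e[2] for e in evs}),
                    "attempts": len(evs),
                    # Accounts the checker actually got into: reset these first.
                    "successes": sorted(e[2] for e in evs if e[3] == "OK"),
                }
                break
    return alerts


# Constructed sample log, not real traffic.
SAMPLE_AUTH_LOG = """
2021-03-15T10:00:01Z 203.0.113.7 alice FAIL
2021-03-15T10:00:02Z 203.0.113.7 bob FAIL
2021-03-15T10:00:03Z 203.0.113.7 carol FAIL
2021-03-15T10:00:04Z 203.0.113.7 dave FAIL
2021-03-15T10:00:05Z 203.0.113.7 erin OK
2021-03-15T10:00:06Z 203.0.113.7 frank FAIL
2021-03-15T10:00:10Z 198.51.100.4 grace FAIL
2021-03-15T10:00:25Z 198.51.100.4 grace FAIL
2021-03-15T10:00:40Z 198.51.100.4 grace OK
2021-03-15T10:00:00Z 192.0.2.9 heidi OK
2021-03-15T10:03:00Z 192.0.2.9 ivan OK
2021-03-15T10:06:00Z 192.0.2.9 judy OK
2021-03-15T10:09:00Z 192.0.2.9 ken OK
2021-03-15T10:12:00Z 192.0.2.9 leo OK
"""

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

In the sample, 203.0.113.7 is flagged after five distinct usernames in five seconds, with the one account it got into listed for an immediate password reset; the user at 198.51.100.4 who fails twice on the same name is not flagged, and the address at 192.0.2.9 with five different users spread over twelve minutes only trips the detector if the window is widened.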

2. Data breaches available online (both accounts for sale and actual databases)

Data breaches have now penetrated every industry. In 2020 there were 3,932 publicly reported breach events, and personal data was involved in 58% of the breaches. According to our own data, 98% of Fortune 500 companies were mentioned in the dark web in the last 12 months. (Download the full report here for more insights about the cyber threats across multiple industries). 

Data breaches appear online in several different formats: 

  • Cracked accounts related to an online service or site

Actors regularly advertise cracked accounts on many different hacking forums. These accounts are most likely generated with a hacking tool. Leaked accounts that belong to paying users, or that have a balance or credit card information attached, are then available for anyone to log into and use.

Here is a post showing an example of sold accounts from Netflix. The account was paid for by a user and is now shared publicly on the forum so that anyone can access it.

Here’s another example of a leaked email from a domain of a known American telecommunications company. The email was leaked as a part of the user database of Netflix, Spotify and other entertainment platforms and services. Employee and customer credential leaks through these types of external platforms and services can both expose confidential information and be used to commit fraud.

Leaked email of database of major entertainment platforms

  • Database breach of a company

When a company suffers a data breach, its user base is usually exposed. The information that is collected includes usernames and passwords as well as more personal details like an IP address, e-mail, date of birth, address, etc.

These types of leaks can contain hundreds of millions of records, depending on the size of the company. They usually indicate a hacker sharing or selling a database of a specific company, sometimes even before the announcement of the data breach in the news. Continuous monitoring of these posts in the dark web can give answers to who was responsible for the data breach as well as when and where it occurred.

Post leaking the CityBee database

Take the case of the CityBee database leak on February 15th. A hacker leaked the data of 110,000 Lithuanian-registered users of the car-sharing service on RaidForums. The leak included data of 110,000 clients: their emails, phone numbers, personal codes, and encrypted passwords. It was quickly downloaded by over 320 users.

Both the CityBee company and its users suffered from this breach. It harmed the company’s brand reputation as well as the users’ trust in the brand. Users of the breached accounts also suffered, as hackers are now attempting to use their credentials on other platforms. Since these platforms often have payment credentials connected to them, hackers have the ability to steal their money. And these data breaches also often include business emails, which hackers can then use to gain access to a company’s valuable digital assets or commit fraud.

As mentioned, database leaks can be significantly mitigated if identified at the right time. For example, the CityBee leak was published on the morning of February 15th. Webhose detected the post and indexed it approximately one hour later. The breach was first published in the news that same evening. That means that organizations with access to the original post had a full day in advance to prepare before the leak was published in the media.

(The original post mentioning the data breach was first identified by Webhose’s Cyber API. That same post was then indexed into our Data Breach Detection API. So if your organization is monitoring leaked posts in the Data Breach Detection API, you’ll be able to retrieve all posts from the Cyber API too).

3. Web or infrastructure exploits (that can harm the company itself)

Vulnerabilities in applications, on the web, or in programs expose organizations’ assets to harm. Knowledge of these vulnerabilities gives hackers a free invitation to exploit them. Exploits are programs or code designed to leverage a software weakness (a vulnerability). Sometimes they can even grant unauthorized access and privileges to the wrong actor.

Domains must be continuously monitored to identify exploits or vulnerabilities linked to them and fix them before any harm is done.

Here is an example of a vulnerability linked to the domain military.com sold on Silk Road, a known dark web marketplace. Those with knowledge of the vulnerability can build a tool (such as malware) to exploit it and gain access to restricted parts of the site.

Post about vulnerability of military.com domain

The key is to discover the publication of this vulnerability and develop a patch or other solution to prevent its exploitation.

Ramp Up Your External Threat Monitoring with Dark Web Data

Security trends show that companies of all sizes should expect an increase in attempted breaches in the coming years. As hacking is now a profitable field for criminals, risk monitoring needs to advance. 

Organizational Monitoring

There are currently two main monitoring processes for dark web risk management and digital asset protection. The first is organizational-level monitoring. 

Organizational-level monitoring provides deep visibility into an organization’s environment and assets. It detects and mitigates anomalies and sets automatic rules to block ports, IPs, or users based on their activities. Different tactical solutions exist that use both automation and tools (e.g. SIEM and SOAR solutions) as well as managed services.

External Threat Monitoring

The second main monitoring process is external threat monitoring. It includes intelligence feeds that aggregate the major risks to organizational assets. These intelligence feeds deliver insight into emerging threats and the attacks hackers are planning.

The best approach to combating cyberattacks combines the two monitoring processes. Continuous dark web monitoring provides another strong advantage: timing. When cyberthreats are identified in advance, organizations can potentially save time and resources and avoid a loss of trust in their brand.

Want to learn more about how your organization can identify and mitigate cyber threats with dark web data? Contact our experts today!