Ransomware gets all the buzz because successful attacks lock victims out of their vital systems. The business interruption, coupled with the large sums of money demanded by the attackers, makes these events front-page news and difficult for the victim to hide. Victims must then perform a comprehensive recovery of their network to ensure that the threat actor no longer has access.
In some breaches, the data is only exfiltrated and the environment is never encrypted. Make no mistake: disaster recovery is necessary in this case as well.
According to cyber insurer Beazley, data exfiltration was involved in 65% of cyber extortion incidents in the first quarter of 2022. Without the business interruption component of ransomware, the vast majority of data exfiltration incidents never make the news.
This is also common in nation-state attacks, which have increased since Russia invaded Ukraine. A recent Microsoft report found that Russian intelligence agencies have stepped up network penetration and espionage efforts targeting Ukraine and its allies. The report calls for “a coordinated and comprehensive strategy to strengthen defenses against the full range of cyberdestructive, espionage and influence operations.”
This highlights why ransomware isn’t the only threat that warrants cleaning up an environment. Even when the incident involved only data exfiltration, it is critical to collect forensic data and have a disaster recovery partner use the resulting report, including details of how the threat actor accessed and compromised the network, to inform how it builds a new, clean environment.
Once a threat actor has gained access to an environment, that environment should be considered “dirty.” Even if nothing was encrypted, it is vital that the environment be rebuilt so that it is better protected the next time a threat actor attempts to breach it.
Let’s take a closer look at four common misconceptions about data exfiltration events and why victims should take them as seriously as a ransomware attack.
IT = security
Executives often think that IT is synonymous with security, but in reality, the function of IT is to enable the business functions that generate revenue. The misconception puts the wrong pressure on the IT team and creates a vulnerability that prevents the board of directors from getting the insight it needs and the security team from getting the direction it needs.
Too often we see security teams lacking a senior officer and instead reporting to IT directors. That’s like having a defensive coordinator report to the offensive coordinator, who reports to the head coach. Which side of the football team do you think gets to spend more on free agency in that scenario?
Organizations can solve this by having a Chief Information Security Officer (CISO) who works alongside the IT team but reports to the board and explains risk to executives so they can decide their risk appetite. The more security professionals can quantify their risk, the more likely boards will understand what is at stake and act accordingly.
We have coverage
Security should not be an afterthought. For example, some small and medium-sized businesses do not have the budget to support substantial security investments and mistakenly believe that having cyber insurance is an acceptable alternative.
Threat actors are smart enough to research which organizations have coverage and actually read their policies to understand how much of a ransom payment would be covered. This tells them exactly how much they can demand to force the victim’s hand.
Insurers are mandating new controls such as multi-factor authentication (MFA) or endpoint detection and response (EDR) to reduce their risk when covering customers. However, this is not foolproof and may become just another box for a company to check when looking for coverage.
For example, if you purchase an endpoint security tool but don’t implement it properly or don’t tune it to your environment, your data won’t be protected. According to Beazley, organizations are more than twice as likely to experience a ransomware attack if they have not implemented MFA.
We are still operational, so things are going well
If a victim hasn’t been locked out, it’s tempting to just get on with business and ignore what happened to the network. What those victims don’t realize is that if they don’t clean up their environment, the threat actors still have command-and-control access to it.
A company that takes cybersecurity seriously is going to call its insurer and enlist the help of a digital forensics and incident response (DFIR) partner to analyze indicators of compromise and build a new, clean, secure IT environment.
A good DFIR partner can operate on a normal maintenance schedule and clean your network in phases during your offline hours and weekends to minimize the impact on your production environment and keep the threat actors out.
Lightning won’t strike twice
Many victims do not understand how bad their data breach was. They assume that, because nothing was encrypted, they can make minor changes to their firewall and be more secure in the future.
That is simply not enough. According to a recent Cymulate report on data breaches, 67% of cybercrime victims were hit more than once in the past year. Nearly 10% experienced 10 or more attacks!
Threat actors publish and sell data on the dark web, and if you’re not sure how they got in the first time and you don’t build a new, clean environment…well, you can probably guess what happens next. They come back into your network and attack harder than before.
Victims of data exfiltration need to understand how real that threat is, scrutinize their network and deploy the right defenses to keep threat actors out. The cost of inaction can be devastating.
Heath Renfrow is a co-founder of Fenix24.