Cybersecurity Best Practices: How CTI and SOC Teams Can Reduce Internal Data Threats
Introduction and Key Takeaways: Reducing internal data threats
CTI and SOC teams are responsible for addressing data exposures that occur when employees inadvertently open gateways to highly sensitive information. These data breaches can result in significant damage to an organization’s brand, reputation, bottom line, and more.
In this article we’ll review:
- — Why—and how—internal data breaches commonly occur;
- — Prominent examples of key avenues for data exposures, including misconfigured code repositories and network devices;
- — Best practices that CTI and SOC teams can follow to reduce their exposure to internal data leaks; plus
- — How to augment your organization’s threat intelligence infrastructure with a robust altering system.
Employee mistakes, compromised passwords, and misconfigured code repositories and network devices
Understanding potential vulnerabilities associated with data leakage is critical to ensuring that CTI and SOC teams are able to close the aperture of exposure to threat actors, honest mistakes, and insider threats. Many of this year’s highest-profile breaches (including Colonial Pipeline, Nissan Motors and Microsoft and Mercedes) occurred when threat actors gained access to code repositories and connected network devices.
All of these are frequently cited for their exposure to inadvertent disclosure by employees who simply make errors.
These leaks have had serious real-world repercussions for many organizations, from reputational damage to loss of funds to class action lawsuits, that continue to reverberate and influence security teams around the world.
According to the IBM and Ponemon Institute’s 2021 Cost of a Data Breach Report, which surveyed more than 500 breaches, 23% of data breaches in 2020 were due to human error and cost organizations an average of $3.33 million dollars to resolve. Overall, data breaches cost these surveyed companies an average of $4.24M on average—the highest number ever recorded in the report’s 17-year history.
Misconfigured code repositories
Source code leaks due to default credentials
In early 2021, a trove of Nissan data including market research materials, mobile app source code, and diagnostic tools was accessed and leaked by a hacktivist. The data had been stored in a Git repository secured with only admin/admin credentials, leaving it exposed to an unintentional data breach.
According to Verizon’s 2021 Data Breach Investigations Report, 61% of all breaches involved compromised credentials.
A list of data exposed in the Nissan breach, according to ZDNet:
- — Nissan NA Mobile apps
- — some parts of the Nissan ASIST diagnostics tool
- — the Dealer Business Systems / Dealer Portal
- — Nissan internal core mobile library
- — Nissan/Infiniti NCAR/ICAR services
- — client acquisition and retention tools
- — sales and market research tools and data
- — various marketing tools
- — the vehicle logistics portal
- — vehicle connected services / Nissan connect things
- — and various other backends and internal tools
While there have been no major publicly-known incidents following the 2021 leak, it’s important to note that data like this can be used to reverse-engineer code for competitive advantage or to create fraudulent applications to deliver malware.
Protected Health Information (PHI) leak due to unprotected repositories
In late 2020, Med-Data, a third-party medical billing and management services vendor, discovered that sensitive personal data was exposed by an employee: the developer had saved files to their own GitHub folder on a public repository. Med-Data discovered that the exposure had begun in 2019 and included PHI data, including patient social security numbers (SSNs), medical diagnoses, and other sensitive data, which prompted its partners to release statements acknowledging the privacy incident.
According to the IBM report, the healthcare industry incurred the highest costs due to breaches.
Med-Data subsequently offered affected patients free identity theft protection services, but is now facing a class-action lawsuit filed on behalf of those patients whose sensitive medical data was exposed.
Misconfigured network devices
Unprotected legacy device
The biggest recent example of an unexpected network connection is of course the Colonial Pipeline breach, where threat actors accessed a legacy VPN with a stolen password. The VPN was unmonitored and not protected by 2FA (two-factor authentication)—a bottom-line best practice.
The attack forced Colonial Pipeline offline, creating an acute fuel shortage in the United States. They also paid nearly $5 million in Bitcoin to recover access to their systems; their CEO testified in front of Congress; and they are now facing a class-action lawsuit.
Mitigating the risk of an internal data exposure
It’s no secret that your organization’s sensitive, proprietary data can become vulnerable to threat actors from the outside-in. So how can security teams tasked with protecting their organization’s data quickly and comprehensively identify and mitigate data exposures?
Security teams should have access to public repositories that may contain leaked IP addresses and other sensitive assets, such as source code or cloud application domain names—all of which could be used against an organization’s internal systems.
According to our research, misconfiguration of cloud servers contributed to the exposure of 990 million records in 2018. Meanwhile, 83% percent of enterprise workloads are anticipated to move to the cloud in 2020.
Similarly, security teams need insight into all enterprise devices or systems that are connected to the internet. This level of access enables CISOs, and the CTI and SOC teams they manage, to monitor and track its digital footprint by identifying newly observed exposed systems, the services they run, and their potential exploits and vulnerabilities to a cyber attack.
Know in real-time when your data assets have been exposed
Flashpoint’s Data Exposure Alerting identifies customer and company data, source code, or vulnerable systems within open source datasets and public facing infrastructure in order to prevent actors from leveraging exposed data for illicit activity.
This functionality, paired with targeted and immediate remediation, can identify and mitigate exposed data incidents as they appear. CTI and SOC teams that use Flashpoint’s Intelligence Platform can also search for existing threat actor chatter, compromised credentials being sold on the DDW (Deep and Dark Web), sensitive data being shared on paste sites, and other cybercrime-related activities.
Through the Flashpoint Alerting capability, cybersecurity teams can construct targeted queries to ensure swift notification of leaked assets as it relates to their organization and intelligence requirements. Security teams can also directly manage and edit queries in order to address rapidly developing challenges or changes within your intelligence requirements.
Flashpoint’s automated process provides real-time alerts when exposed assets have been identified, saving both time and analyst resources by helping users highlight relevant information and ensure information is not missed. Security teams can view necessary context regarding the leaked data, allowing for quick investigation of the alert, including:
- — the original poster
- — time stamp
- — file name
- — keywords utilized
- — tactic techniques and procedures (TTPs)
- — direct links to the original source
Reduce Risk, Avoid Fraud Losses, and Increase Your Team’s Efficiency
A key component when leveraging intelligence from illicit communities is an ability to proactively monitor and uncover relevant threat-actor conversations and compromised data. Accessing this relevant information in a timely manner can make all the difference for security teams reducing risk, avoiding fraud losses, and saving time while increasing their efficiency. Identify customer and company data, source code, or vulnerable systems within open source datasets and public facing infrastructure in order to prevent actors from leveraging exposed data for illicit activity. To learn more about Flashpoint’s Data Exposure Alerting, start a free 90-day trial today.