Data exfiltration: The art of distancing
We have all seen the carefully prepared statement. A cyber incident has occurred, we are investigating but please do not worry since no data has left our network. Perhaps we will also see the obligatory inclusion of a ‘sophisticated’ threat actor by way of explanation as to how the company protecting our data was able to be compromised.
This assertion is necessary since it can be critical in the light of regulatory fines, and for some time was a claim that was often used in public admittance of ransomware incidents.
Not any more.
Since late 2019, an evolving tactic to publicly demonstrate that not only were criminals inside a company’s network, but their unfettered access allowed them the opportunity to leave with data (which is regulated) began to emerge: the threat to leak sensitive content if ransom wasn’t paid. Indeed, such was the ferocity of the claims by victims, that the tactic was perceived as a way to extort more money.
This sadly of course has proven to be very successful and has led to multiple ransomware groups building similar capabilities and leak sites. According to Coveware for example, “nearly 9% of all cases it worked on involved ransomware attackers stealing and threatening to leak data.”
This represents a significant problem with the defence that data was not accessed.
Indeed, the very concept of a ransomware attack, or even any other type of cyber incident, needs to be considered not in isolation but potentially as part of a wider campaign. For example, a recent investigation into the use of Hermes ransomware drew the conclusion that it was a vehicle to make evidence gathering more difficult rather than extort money (since the financial systems themselves were already compromised).
This concept, that we originally cited as pseudo ransomware, began to emerge circa WannaCry, but particularly with NotPetya when ransomware payments did not result in the provision of a working decryption key. This of course is a conscious intent, as opposed to bad development from the criminal.
What this emergence represents is a level of innovation designed as a vehicle to extort larger payments, but moreover the terminology we use such as a ransomware attack is no longer accurate. These are breaches (and indeed often the initial entry vector points to this), and with data exfiltration now the modus operandi for many of the more capable criminal groups we must reconsider reframing our initial assertions.
This equally will extend beyond ransomware, to the DDoS attack which may have been a smokescreen while the ultimate purpose was to extort money from victims, or indeed any variety of threats.
As we consider how the threat landscape has changed, how we address and define each attack will become more critical to articulate the importance of cybersecurity. Simply denigrating something to a technical description fails to communicate the impact such campaigns have to a wider society. For example, the use of trolls to spread false information is more likely an attempt by a capable adversary to spread misinformation to influence the democratic process. A ransomware attack may be a direct attempt to cause a shutdown within an organization, to force a company or academic institution to pay seven figure sums in order to continue operations.
Cybersecurity (or infosec) is a critical function within our society and ensuring it is articulated as such is one of our biggest challenges.