Three places for early warning of ransomware and breaches that aren’t the dark web

For better or worse, a lot of cybercrime sleuthing and forecasting tends to focus on various underground sites and forums across the deep and dark web corners of the Internet. Whenever a report cites passwords, contraband or fraud kits trafficked in these underground dens, it makes elusive fraudsters and extortion players sound tangible.

People instinctively want to infiltrate these spaces to see if their own company and data are up for sale. For time-strapped security professionals, however, the underground’s rapidly multiplying corridors are difficult to navigate and correlate at scale. Achieving the capability to sift through these domains productively, without wasting time – or getting in legal entanglements – is no small feat.

But there are three additional, sometimes overlooked sources of early warning clues of ransomware and breaches I have seen yield more direct, actionable insights in my years as an incident response leader.

1. Public sources and Good Samaritans

Sometimes the biggest risks and clues are hiding in plain sight, making it crucial not to overlook less-notorious places and people bringing important things to light. Today the forces of social media and cloud sync-and-share everywhere mean confidential slide decks, C-level cell phone numbers and sensitive databases can hit the public Web far too easily.

A few configuration swipes on a smartphone can be all that stands between sharing something with a work colleague or with anyone with a search engine. In Verizon’s latest Data Breach Investigations Report (DBIR), “misconfiguration” and “misdelivery” errors jumped dramatically as breach factors, now second only to phishing and credential theft on the leader board.

Fortunately, the security community is full of Good Samaritans reaching out when they see personal or customer data in harm’s way. But are you making it easy for them to find you and are you prepared to act on these discoveries? Many companies do not have clear, publicly-available contact information and processes for handing security issues and vulnerabilities, which hobbles good faith actors trying to make secure, responsible contact – sometimes until it is too late. Get ahead of any gaps here by establishing dedicated, continuously monitored channels for you to collect and vet inbound tips and concerns.

2. Subtle notes in the 24×7 concert of deployed security tools

Paradoxically, the more security and compliance tools an organization deploys – ostensibly to gain metrics and situational awareness – the more operators can feel blinded and overwhelmed by data growing faster than they can process it, decide and act on. A strong “defense in depth” gut instinct assumes that for every new control introduced, the bull’s-eye visible to attackers must be shrinking. But the bigger assumption here is that we even know “what” and “where” the bull’s-eyes are, in the first place. Too often, security tools alone provide data of diminished net value because they are deployed a step behind sprawling cloud systems, IoT devices, increasingly remote employees and other business shifts eclipsing defenders’ current understanding of assets.

At the same time, layered product fatigue promotes reliance on security tools’ pre-configured alert categories and arbitrary contextualizing, subtly tipping time-strapped administrators to look for reassuring “green light” indicators, before darting to the next dashboard. “What”, exactly was detected? Even if it was labeled “low” severity or nuisance activity, does that label change based on what else is being seen on the network? Driving interoperability between tools often trades depth of analysis for speed, burying clues in the process.

Ransomware attacks are a great example: A company typically calls in incident response once an attacker has detonated their ransomware payload and taken infected machines hostage. Yet, the scrambling of data and locking of screens often happens only after a seasoned ransomware gang has gained a foothold in networks for a while and first spent time mapping the size and composition of devices to make sure they hijack every visible device and back-up mechanism.

This precursor activity can get lost in rush-hour noise on the network. Not every security product will classify anomalous indexing and casing of IT systems the same, but setting this activity as critical behavior to recognize helps avert worst-case scenarios by buying time to backup files or initiate other measures as a precaution.

Likewise, keeping an eye on privileged accounts is an invaluable early-warning investment. First, take stock of who has these accounts in your organization – whether IT administrators, C-suite leaders or their staff. Assume you have too many privileged users in the first place and that some might even be shared. Confirm whether any can be restricted or deleted based on employee turnover or consolidation. Then implement rigorous logging of those narrower accounts’ patterns of life.

Attackers rely on defenders having incomplete understanding of dormant and other vulnerable accounts too frequently weaponized before anyone knows a crime is in progress. Is the number of privileged accounts changing? Who uses the accounts? Do their logins and behavior match to their role, time zones and workday routines? All things being equal, anomalies with privileged users demand urgent attention.

3. Intersections of third-party risk

The rise and dynamism of third-party developers, resellers, smart building owners and other partners dramatically affects security and compliance inside and outside a company’s walls. According to recent Deloitte enterprise risk management research, “information security” and “cyber risk” topped respondents’ lists of issues driving budget for greater third-party oversight.

A company may integrate third-party code in its Web site or business applications – meaning when that code is compromised, intruders have an express lane into the network. Network and cloud access granted to remote contractors could be compromised, giving criminals the camouflage of previously approved devices and usernames for entry.

Pinpointing the specific roads business partners have into your environment yields invaluable awareness. Take stock of the partners your organization relies on, concentrating on those with the highest associated risk (e.g., close proximity to crown jewel data or everyday applications offering wide lateral movement if compromised). Confirm norms and roles for these third-party services and accounts, so logging and monitoring tools can flag deviations immediately, which are often crucial early signs that a third-party might be employed in an attack.

In addition to serving as a practical early warning outpost, monitoring of third parties yields awareness and influence cybersecurity leaders can use to force wider, strategic conversations in business about risk tolerance and the criticality of these relationships. In addition to weighing the criticality versus risk aspects of these relationships, those watching the third-party touch points are well positioned to advocate for security terms in partner relationships, such as requiring partners to meet thresholds like multi-factor authentication for accounts touching their customers.

Cybersecurity is a constant struggle of measure-versus-countermeasure and the desire to peer into attackers’ next move is relentless. While exotic malware and infamous crime rings capture attention and deserve recognition, these threats must still discover and exploit the same vulnerabilities, business churn and network blind spots others have to.

Taking stock of a few underutilized, high-yield data sources already in your environment is a powerful way to keep perspective and view all risks on the same plane. This helps keep things in perspective and frame effective decisions about where and how to prioritize finite resources and test incident response readiness.