TL/DR: There are probably as many ways to steal information as there are attackers. Attackers are creative, and their methods differ depending on the tools, techniques and procedures available to them. Jonas Gille, Head of Information Security at Detectify, breaks down how companies can prevent data breaches, where external attack surface management (EASM) comes in and how IT security teams can manage the risks introduced by third-party applications.
The attack surface is an organization's digital exposure: everything an attacker could exploit to gain unauthorized access to a system and extract data or other sensitive information, or use as one link in a longer chain of attacks. As organizations increasingly rely on SaaS services and products, the digital attack surface is more than the firewall and the network. It is now the sum of the entry points exposed by the organization's web applications on the public Internet, across both known and unknown assets. Compromised external cloud assets were more common than on-premises assets in both incidents and breaches, according to Verizon's 2021 DBIR.
In 2021, the average cost of a data breach rose from USD 3.86 million to USD 4.24 million, the highest average total cost recorded by IBM's Cost of a Data Breach Study. According to the 2021 edition of that study, costs were significantly lower for organizations with a more mature security posture and higher for organizations that lagged in areas of digital transformation. Web applications are the leading vector in hacking-related breaches, involved in over 80% of them.
In general, the bigger the attack surface, the higher the risk of a data breach. Compared to a window, a large one is easier to hit with a stone than a small one. But it is too simplistic to say that this is always the case: an attack surface is an attack surface whatever its size, and a small window is easier to break than a large one if the large one is bulletproof.
Phishing for your data
Present in 36% of the data breaches in Verizon's 2021 DBIR, phishing is still on the rise as a common attack vector that can break through an organization's external attack surface and lead to a data breach. It appears in various forms and, depending on its sophistication, may target the users of a specific system, such as Office 365 or Google Workspace. A long list of systems in use gives the attacker a better chance of hitting users of one or more of them by tailoring the content to look "trustworthy". Users are more commonly phished by "updating their Gmail account's password at the request of their IT department" than by "clicking a link to claim a 1.000.000.000 € prize". Business Email Compromise (BEC) was the second most common form of social engineering in 2021, according to Verizon's DBIR, and the same report found that misrepresentation was 15 times more frequent in 2021 than in the previous year.
Cheap, easy to use and proven effective are just some of the qualities that make phishing one of the most practiced attack vectors on today's Internet. In the end, an attacker has no need to find vulnerabilities or even deliver payloads if they can simply walk up to the castle, pretend to be the king and ask the guard for the key. Once they have the key, whether it is account credentials or a file containing a customer list, they can withdraw and move on to the next target before the guard realizes what happened. That is precisely why investigating a breach that started with phishing can be difficult: it is not rare that a legitimate user account performed the actions.
Taking over subdomains
A subdomain takeover becomes possible when a DNS record for one of an organization's subdomains, typically a CNAME, points at a third-party resource such as a cloud host, CDN endpoint or hosted page that has since been deleted or was never claimed; an attacker who registers that resource at the provider then controls what is served under the organization's name. Once the attacker controls the subdomain, they can modify its content to create a fake login page, and when the targeted users attempt to log in, their credentials are stolen without them noticing. The more domains under an organization's control, the larger its attack surface becomes.
While it is vexing to hear how often such attacks succeed, there are mitigations that organizations can implement to frustrate subdomain takeovers. Monitoring and listing all subdomains is crucial: an up-to-date inventory reduces the risk of forgetting subdomains that are no longer in use or about to be retired, e.g. a campaign site. Surprising as it may be, it is not uncommon to be unaware of subdomains that exist under one's own domain. The decommissioning order also matters: remove the DNS record first and delete the third-party resource afterwards, so that there is never a window in which the record points at something unclaimed. In addition to subdomain inventory, organizations should keep track of vulnerabilities affecting DNS and follow best practices to remediate them as soon as possible. Over the past year, a 20% increase in domain takeovers was observed. Across the scanned assets, including apex domains and subdomains, 25% more vulnerabilities were found in 2021 than in 2020. Research from Detectify shows not only that more domains are vulnerable to subdomain takeover, but above all that apex domains now typically contain more vulnerable subdomains than in the past.
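As an added illustration of the inventory check described above (this is example code written for this article, not Detectify's scanner), the script below parses a constructed zone export for a hypothetical organization at example.com, follows CNAME chains inside the zone, and flags records that point at third-party hostnames or NS delegations that are absent from a constructed inventory of resources the organization still owns, as well as internal CNAMEs that end at a name with no records. The zone data, the inventory and all hostnames are invented; in practice the inventory would be exported from provider consoles or infrastructure-as-code state, and a positive hit should be confirmed against the provider before declaring it a takeover.

```python
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: the organization's own apex domain

# Constructed BIND-style zone dump (name TTL class type data); not real data.
ZONE = """\
; constructed sample zone for example.com
www.example.com.        300 IN A     203.0.113.10
shop.example.com.       300 IN CNAME shop-prod.example.com.
shop-prod.example.com.  300 IN A     203.0.113.11
old.example.com.        300 IN CNAME retired.example.com.
campaign.example.com.   300 IN CNAME spring-promo.pages.example-host.net.
docs.example.com.       300 IN CNAME docs-team.pages.example-host.net.
blog.example.com.       300 IN CNAME blog-bucket.storage.example-cloud.net.
legacy.example.com.     300 IN NS    ns1.old-provider.example.net.
"""

# Constructed inventory of third-party hostnames the organization has actually
# provisioned (in practice exported from provider consoles or IaC state).
PROVISIONED = {
    "docs-team.pages.example-host.net.",
    "blog-bucket.storage.example-cloud.net.",
}

# Constructed set of NS delegations to third parties that are known to be active.
ACTIVE_DELEGATIONS: set = set()


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str


def parse_zone(text: str) -> list:
    """Parse a minimal BIND-style zone dump; skips comments and short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, _ttl, _cls, rtype, data = parts[:5]
        records.append(Record(name.lower(), rtype.upper(), data.lower()))
    return records


def is_internal(name: str) -> bool:
    """True if the name is the apex or lies under the organization's domain."""
    n = name.rstrip(".")
    return n == ORG_DOMAIN or n.endswith("." + ORG_DOMAIN)


def follow_cnames(name: str, by_name: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs inside the zone until the target leaves the zone, has
    non-CNAME records, is missing, or a loop is detected. Returns the final name."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:  # CNAME loop: stop here rather than spin
            return current
        seen.add(current)
        cnames = [r for r in by_name.get(current, []) if r.rtype == "CNAME"]
        if not cnames:
            return current
        current = cnames[0].data
    return current


def find_takeover_candidates(records, provisioned, active_delegations):
    """Return (owner_name, reason, final_target) for records that point at
    something the organization can no longer be shown to control."""
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)

    findings = []
    for r in records:
        if r.rtype == "CNAME":
            final = follow_cnames(r.name, by_name)
            if not is_internal(final):
                if final not in provisioned:
                    findings.append((r.name, "external CNAME target not in inventory", final))
            elif final not in by_name:
                findings.append((r.name, "CNAME chain ends at a name with no records", final))
        elif r.rtype == "NS" and not is_internal(r.data):
            if r.data not in active_delegations:
                findings.append((r.name, "NS delegation to unknown third party", r.data))
    return findings


if __name__ == "__main__":
    for name, reason, target in find_takeover_candidates(
            parse_zone(ZONE), PROVISIONED, ACTIVE_DELEGATIONS):
        print(f"{name:24s} {reason:45s} -> {target}")
```

Run against the sample zone, the script reports campaign.example.com (external target missing from the inventory), legacy.example.com (NS delegation nobody claims to own) and old.example.com (an internal CNAME to a name that no longer has records), while shop.example.com, docs and blog are left alone because their chains end at resources the organization still owns.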
Let's assume the worst and imagine that data has been leaked. Unfortunately, there is no silver bullet for every type of data breach, but the first thing an organization needs to do is accept that the data has been compromised and should now be treated as breached. After that, it is time to reduce the impact. For EU-based organizations, the procedure is governed by the General Data Protection Regulation, which obliges them to notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of a personal data breach. Also keep in mind that other authorities, customers and partners may have legal, regulatory or contractual requirements that demand even shorter notice periods for other types of data.
A proper incident management plan drastically speeds up getting the right people to work on the issue, whether that means patching a system or contacting affected users. Pre-defined communication templates also help you reach affected stakeholders faster and remove the need to write official statements under pressure and stress. Collect evidence along the way rather than at the end: stakeholders such as authorities and customers will most likely want evidence of what happened, and evidence may disappear as you perform mitigation steps. When the storm settles and everything is under control, the final step is to review all documentation from the investigation, followed by a "lessons learned" exercise. Assessing what went wrong and how you solved it is crucial to preventing similar events from recurring.
Don’t go losing control of your attack surface
One of the main driving forces behind data breaches is lack of control. Today's IT environments are large and complex, which makes it difficult for IT teams to understand every component and even more difficult for security teams to understand the relevant risks and threats. The complexity also makes it harder to gather the expertise needed to understand the risks associated with each component. Using third parties, for instance, extends your IT environment without necessarily extending your control over it. In some cases this may improve your security posture, if the third party's posture is more rigorous than your own. However, that is not always the case, and the more third parties you add, the larger your attack surface becomes.
Integrating third-party services into your environment also opens pathways for attackers if they manage to gain control of the third party's environment. This is unavoidable, as third parties are a necessity for most organizations today, but remember that every new dependency brings new risks to monitor and manage. An expanding attack surface is hard to cover without an external attack surface management (EASM) tool such as Detectify, which helps close that knowledge gap by running automated tests that would otherwise require manual work from IT and security staff.
Security culture, we’re doing better
While it is true that security practices are improving, and that organizations and institutions are gradually building a stronger security culture, there is still a lot of work to be done. As an example, the United States has acknowledged that it lacks comprehensive cybercrime data and monitoring, which, according to US officials, leaves the country less prepared to combat cybercrime that threatens national and economic security. To address this, President Joe Biden signed the Better Cybercrime Metrics Act, which creates a reporting system whose goal is to collect reports of cybercrime and cyber-enabled crime from federal, state and local officials.
On the other side of the Atlantic, European Union regulators have issued about $1.72 billion in fines for violations of the EU's General Data Protection Regulation (GDPR) since it took effect in May 2018. With today's cloud-based environments and the speed at which business moves, it is undoubtedly easy for companies to fall short in maintaining their security posture and eventually fall out of compliance with the law. Automated tools, however, can give your IT security team the ammunition they need to deal with breaches.