Another Day, Another Breach: A Few Thoughts on How We Can Do Better

Author: Kurtis Minder

Breach announcements come with such frequency these days that it is hard to keep track. When a major finance company was breached last week, most of us in the information security industry assumed the usual vector and outcomes. This one was different, and much noise is being made about the methods used and the infrastructure affected. For now, I only want to highlight a couple of key takeaways.

While many articles have focused on the infrastructure (cloud), it is largely irrelevant. The attack, in my honest opinion, is infrastructure-agnostic. The attacker *did* have inside knowledge of where the data was located, but reached it by exploiting a firewall misconfiguration, not a weakness of the cloud itself. A misconfigured firewall can exist on any infrastructure, public or private, so this could have happened anywhere.

Some journalists have pointed out that the accused attacker bragged for months, in forums and chat rooms, about having access to the data. Some have pointed out the need for active monitoring of these illicit forums for dialogue related to data leakage as part of an early warning system. In my experience, large and prominent enterprises, especially financial institutions, already have these capabilities in place, which raises the question: how was this missed?

In my work with customers, I have found that they face two primary challenges that ultimately lead them to partner with GroupSense. I believe these same challenges could have contributed to the alert gap here:

First, many organizations subscribe to a number of intelligence platforms to do the mining of the data. These platforms are not a magic bullet. They require that the organization's internal intelligence team know the right questions to ask AND actually ask the platforms those questions in order to surface the alerts that are meaningful. Many organizations do not have the internal staff, or the correctly trained staff, to do this effectively. Further, the results that come back typically require manual effort to separate what is real from what is noise: a needle-in-a-haystack problem.

Second is source quality. You can crawl, scrape, and mine millions of "sources", but many of those sources are useless and only add to the aforementioned noise. The key is quality and efficacy over quantity and noise. When you are given precise information, the decision-making process moves more quickly. This especially rings true when a company wants to take action and get a handle on a potential data breach or a vulnerability in its network. In cyber security, "quality over quantity" dominates. How is this achieved? Human intelligence, actively engaged in the necessary mediums, is required to keep on top of the ephemeral marketplaces, chat locales, and other dubious or compromised boards and forums.

I often tell our prospects and clients that you want to get a call from a GroupSense analyst alerting you to a leak or potential attack, rather than from a customer, partner, law enforcement, or the media. It is undoubtedly frustrating, then, when a company like the one affected pours money and resources into this kind of monitoring and still gets that unwanted call from a bystander.

GroupSense provides cyber reconnaissance and counterintelligence services to some of the largest financial institutions in the world, plus manufacturers (protecting intellectual property), healthcare (pharma counterfeiting and fraud), and governments (elections and nation-state threats). Our research and analyst teams have one mission: to protect and alert our clients. We employ some of the best intel experts and cyber researchers in the world, so that our customers don't have to. You tell us what your needle looks like, and we will hand you only needles, all day long.

The latest headlined breach does shine a light on the need for counterintelligence as part of the larger security program. I would argue that, as with other information security implementations, simply checking the box with a product will not protect the organization. Efficacy and value are paramount to realizing the goal of counterintelligence. Partner with your provider; let them become an extension of your team and part of your program. Make sure the intel you are receiving is meaningful and complementary to your overall mission.