Signal Versus Noise

Author: Kurtis Minder

The GroupSense team frequently finds evidence of a breach or data exposure for organizations that are not clients. Our policy is to notify those organizations and provide them with all the data, free of charge, as soon as we can. While this can be an interruption and costs our team precious time, we believe it is the right thing to do and serves to build good will. GroupSense takes this mission seriously and does so as a way to foster a safer digital landscape and make users more aware of their place in it.

Unfortunately, much of our altruistic outreach goes ignored because enterprises do not have a clear process or point of contact to communicate such findings. Sure, some companies participate in bug bounty programs, but most do not. This lack of a process or system leaves the company open to negative exposure; even worse, this lack of process can expose their constituents and clients to risk as varied as identity theft, physical harm and even death.

GroupSense finds and alerts organizations of breach activity all the time

In the course of doing some attribution work for one of our clients, our researchers came across chatter involving a major multinational human resources firm. It appeared the firm misconfigured a web server and left open access to thousands of their clients’ CVs and resumes. A simple Google dork by a bad actor uncovered this and the firm became a laughingstock in the cyber underground. The resumes contained volumes of personal information, including the phone numbers and home addresses of the individuals.

A quick skim of corporate web assets did not provide any clear contact information. Our team did some LinkedIn-fu, discovering the names of the CIO, some of the corporate counsel team, a country manager and a handful of other company contacts. LinkedIn InMails explaining the exposure and asking for a contact to provide the full forensic data (at no charge) in a secure manner yielded no responses, though we saw those people looking at our LinkedIn profiles. Their clients are unknowingly exposed and the company appears too busy to do anything about it. Sad face emoji.

*Above is a screenshot of the file directory found containing thousands of CVs.

*Above is a screenshot of one of the thousands of CVs containing the personal details, including physical address, email address, work history, and more. 

In another case it was a government agency….okay, it was really two.  One of our researchers observed threat actors trading screenshots of internal government systems and selling access to those systems. While we cannot be specific with regard to which branch or the system, this is a situation in which people’s lives could be in danger. In this case, we reached out to government contacts, but to no avail.  Taxpayers should be angry! Families with loved ones serving our country should be absolutely livid!

We concede, and are hopeful, that the US government has visibility on these threats and are on top of it.  We do not have evidence to support this hope, however.

There are more examples. A major Asian pharmaceutical company, more government branches, banks, insurance companies…  Could it be that we are at the peak of breach fatigue and the noise is so loud that no one can hear the good guys sounding the alarm?

What can be done?

GroupSense proposes a standardized process for breach or data exposure notification for all enterprises. A simple playbook outlining a process for ingesting, validating and taking the necessary actions based on the data provided by well-meaning security professionals.

In business, there is typically no radical change without one of two things: compensation or consequences.

We have seen legislation requiring companies to report when they are breached. There is a need to balance this with something on the other side – breach awareness. Companies cannot be expected to disclose a breach they do not know about. Many of us in the security and intelligence world have experienced the customer who speaks of what they DO NOT WANT to know. In only requiring breach notification, we are enabling this head-in-the-sand approach and putting individuals at risk. Of course, there are nuances to consuming and processing such notifications, including false positives, false negatives and general noise. We are convinced, however, that we have the resources and the technology to address these items.

We need to change the way we think about data breaches

The attackers have an advantage that far outweighs the resources and time of even the best security teams. The demands on a security team are overwhelming. They must predict, prevent, detect and respond to every possible cyber attack. Yet, an attacker only needs to find a single weak link. We need to foster a culture of understanding – one where we acknowledge the fact that cybersecurity professionals have an impossible job. This doesn’t mean that it becomes acceptable for them to put forward less effort, but does mean that they should be measured not only by their ability to prevent attacks and also how they detect and respond to threats. Today’s culture – full of financial penalties, brand damage and even career damage – motivates cyber security professionals to bury their heads in the sand, to sweep a breach under the rug. A culture where we accept the losing odds and measure cybersecurity professionals on their ability to detect, respond and minimize the damage would put us light years ahead in protecting the privacy and personal information of millions of individuals who are at risk when breaches are ignored or covered up.

At the moment, the GroupSense team is still yelling “…we want to help you…” as loud as we can. It’s up to breach victims and targets to listen.