It is no secret that data breaches and cyber attacks have become increasingly common in virtually every industry and sector. It is rare that a week goes by without news of another breach.
These attacks impact us as security professionals as well as individuals. Professionally, we must adapt our security practices to detect and quickly respond to these stealthy threats. As individuals, we must constantly be on the lookout for fraud resulting from the theft of our personal information.
But we also must be aware that attacks don’t occur in a vacuum, and that each breach has the potential to enable the next attack. While the theft of Personally Identifiable Information (PII) can be used by criminals to commit fraud, stolen information is also valuable for setting up the next major breach.
Passwords are always a prize
Hackers always attempt to extend their attack or enable the next one, and stealing passwords offers a clear path to that goal. Even at the individual level, one of the first things an attacker will do to a compromised host is to dump its passwords. Botnets and malware can automate this process in a distributed fashion, and allow attackers to obtain a trove of credentials from large numbers of infected devices.
However, a successful cyber attack can allow hackers to steal user credentials in bulk instead of one at a time. Depending on how those credentials are stored, attackers can often use stolen usernames and passwords to gain access to other sites, applications or networks.
This creates a feedback loop of breaches where one breach helps facilitate the next. Worse yet, a stolen password enables an attacker to gain entry without using exploits or malware. Consequently, security teams must be prepared to proactively recognize unusual or anomalous behavior from users that might indicate that their credentials or devices have been compromised.
Context is key
While passwords may provide an attacker with immediate gratification, other types of stolen data can be even more useful with a little work. Attackers can obviously leverage stolen personal data to steal an individual’s identity.
But this information is also often used to create highly convincing and targeted spear-phishing emails. These spear-phishing techniques are the hallmark of the most sophisticated targeted attacks. When an attacker is armed with stolen private information, it can be very difficult for a user to recognize the phishing attempt, even if they are properly trained.
Likewise, PII can provide invaluable human intelligence to nation-state attackers who are often behind the most sophisticated attacks. The recent breach at the U.S. Office of Personnel Management (OPM) not only exposed the data of more than 25 million federal employees, but also potentially provides a nation-state actor with a blueprint of individuals and their families as well as their associated clearance.
In this case, attackers have the personal information and unique knowledge about how to attack a victim, as well as who to attack to infiltrate a particular organization and steal its data.
Such a breach provides a potential avenue for bribery, blackmail and other forms of coercion. It’s another area where breaches can have a compounding effect. By cross-referencing information exposed in other breaches, nation-state attackers can find signs of financial difficulties and other information that could be used against an individual.
As a hypothetical example, consider the recent breaches against Ashley Madison and Adult FriendFinder. Leaked data from these breaches could clearly damage and embarrass individuals who used these sites.
Worse yet, a nation-state attacker could cross-reference names from the Ashley Madison breach with names from the OPM breach. Any matches would give foreign intelligence teams the means to coerce specific individuals who have desired levels of clearance.
These are just a few examples of the far-reaching impact that breaches have on information security. We often think of the clean-up phase of a breach as complete once the threat has been identified and remediated and new controls have been put in place. But the effects of a breach often extend well beyond the walls of the individual organization that was affected.
The more private data that is exposed, the more that data can be used to facilitate subsequent attacks. Whether through stolen passwords, convincing spear-phishing or outright coercion, we must be aware that end-users are increasingly vulnerable. While training and prevention are still vital, we should realize that these methods alone cannot stem the rising tide of breaches.