Recent high-profile ransomware incidents provide a stark illustration of the amount of money to be made in data thievery. Indeed, the profits in digital theft are sizeable enough to have spawned a subterranean industry with cyber crooks specializing in various stages of the 'value' chain, including zero-day exploit discovery and exploitation, tool packaging, marketing and sales, backend infrastructure services and work-for-hire facilitation. Several recent reports quantify the extent of the problem, but sadly leave the impression that the situation is hopeless, that like death and taxes, cyber intrusions are inevitable and that the time and effort spent in cleaning up the resulting mess is an unavoidable cost of doing business.
The unending cycle of vulnerabilities and their consequences
A mid-year update to a periodic vulnerability report from RiskBased Security shows that 2021 continues the trend of a slowly increasing number of reported software vulnerabilities. Specifically, in the first half, the company's VulnDB team documented an average of 80 new vulnerabilities per day. Of these, 849 are the most serious: they are remotely exploitable and publicly known, but lack a mitigating solution. Of course, given the lackadaisical approach to software patching in many organizations, the additional 1408 remotely usable vulnerabilities that have published remediations are valid targets too, providing ample new material for cybercrooks.
A companion report showing a decline in the number of data breaches shouldn't provide solace since RiskBased Security says it continues a trend of slow or non-reporting of incidents. According to its mid-year data breach report (emphasis added):
Throughout much of 2020, we noted that breaches were taking an unusually long time to be publicly reported. Some of the lag was due to lighter-than-typical media coverage, a trend that has largely reversed itself in 2021. Ransomware also played a role, with its potentially lengthy recovery times that can delay investigations. That said, there are still plenty of examples cropping up in 2021 of unusually slow disclosures from compromised organizations.
Corroborating the theory that an increasing number of cyber intrusions and data breaches aren't publicized is separate data from IBM estimating that the average cost of a data breach is the highest ever in the 17-year history of its report. Although the cost vacillates, over the past six years, it has increased an average of 1.6% annually, primarily due to a significant spike in 2021. The proximate cause is a near-universal switch to remote work resulting from lockdowns and a general aversion to public gatherings. IBM found that costs were about $1.1 million higher "where remote work was a factor in causing the breach." This increase likely results from three factors:
- Remote employees being more susceptible to hacks against their home environments that can be exploited to attack and breach corporate networks and systems.
- Organizations with a majority of WFH employees taking significantly longer — an extra 58 days on average — to identify and contain breaches than those with a majority of non-remote employees.
- The pandemic-induced shift to cloud services which, according to IBM's data, increases the extent of data breach damage by 16.6%. Once again, this is likely due to the added time required to identify and contain an attack spread across in-house and cloud environments.
A recent ransomware attack on Ireland's Health Services (HSE), which its CEO Paul Reid estimates could end up costing almost $600 million, illustrates how the damages add up. Aside from service disruptions that could last months, HSE paid:
- $3 million to FireEye for remote monitoring and damage minimization.
- $0.5 million to two IT consulting firms for advice and services.
- $0.83 million for an incident war room.
HSE's direct costs are almost as much as the annual $5.9 million budget for Ireland's National Cyber Security Center, the entity responsible for the country's cybersecurity, which has only 25 employees.
A thriving business in enterprise credentials
The escalating number and increasing brazenness of cyber attacks demonstrate that organizations that once considered themselves beneath the notice of the sophisticated groups that were formerly the sole perpetrators of advanced attacks are no longer immune. The reason is the emergence of a thriving market in pilfered credentials that creates a division of labor among cybercrooks. A recent report by Positive Technologies describes and quantifies the trends. They write:
Because the criminal market for initial access is well developed and popular, the former distinction between experienced and low-skilled attackers has now been blurred. … Our forecast has been confirmed: cybercrime now offers a new job, 'access miners', which attracts newcomers with the prospects of making a quick buck. Their main goal is to get initial access to a corporate network and then sell it on the dark web.
Dark web marketplaces allow low-skill attackers to monetize stolen enterprise credentials, usually accumulated through massively distributed phishing scams, without actually executing an attack. These novices sell credentials in bulk to pros with the ability to stealthily evade conventional security measures, penetrate an entire enterprise network with a multi-stage APT (advanced persistent threat) and exfiltrate (data theft) and/or encrypt (ransomware) valuable data over many months. According to Positive Technologies (emphasis added):
The attacker model is changing: an outside intruder who gains initial access to a corporate network and a criminal who follows through with the attack once inside are completely different in terms of skills. Even if the perimeter is hacked by a novice, the local network will be attacked by professionals. They have all the resources to achieve their goal: triggering the most dangerous events for the company, from theft of account funds to complete and lasting disruption of business operations. This means that a system for protection against cyberattacks must be built with these new realities in mind.
Indeed, the glut of purloined credentials has caused significant deflation in dark web sales forums. Data from Positive Technologies shows that the share of ads with a sub-$1,000 price has tripled in four years, from 10 percent in 2017 to 45 percent this year. It adds:
The share of expensive access lots priced above $5,000 almost halved in the same period. These changes may reflect mass entry into the market by novice cybercriminals.
Consequently, despite the number of listings for sale exploding 6.7-times in one year, the total value of these listings has stayed relatively constant.
We are overdue for an updated security model
The sustained level of cyberattacks and their increasing sophistication and boldness come against the backdrop of more than a decade of continually increasing enterprise security budgets. Adding layer upon layer of security technology and scores of specialists and consultants has done little to protect the typical organization. The disconnect between security spending and data protection shows that the efforts are misplaced and amount to doubling down on a losing hand.
IBM's report hints at one promising solution that is increasingly popular with cloud-native developers and hyperscale operators: zero-trust access (ZTA). Its data showed that the average breach cost at organizations with mature zero-trust implementations was 35% lower ($3.28 million versus $5.04 million) than at those using conventional username-password and network segmentation regimes. Unfortunately, only one-fifth of IBM's sample has fully deployed zero-trust, with 43 percent having no plans to implement the technology. Short of zero-trust, even the straightforward use of data encryption can reduce the damage from a data breach by 26 percent ($4.87 million to $3.62 million), according to IBM's data.
I strongly disagree with my diginomica colleague Neal Radan who called zero-trust a "knee-jerk, intrusive solutions." He fears that requiring new methods for accessing systems and data creates excessive friction that will hamper data analysts and thwart their ability to fully exploit available resources. While ZTA and rigorous authentication systems (2FA, application certificates) do require developers and analysts to learn new ways of doing things, the systems are wrapped in APIs that insulate them from most of the complexity. Those in a ZTA organization won't be able to mount any file share and download a data file to their system for analysis; instead, they will have API access to any necessary databases, flat files, ETL systems, analytics engines and other tools.
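To make the difference between the two models concrete, here is an added illustration (my own example, not code from IBM, Positive Technologies or any product mentioned above). It contrasts a perimeter check, which trusts any request arriving from inside the corporate address range, with a zero-trust check that re-verifies identity, second factor, device posture and least-privilege scope on every API call. The address range, the payroll policy table and the three sample requests are all constructed for the example; in practice the token, MFA and device fields would be filled in by an identity provider and device-management service.

```python
from dataclasses import dataclass
import ipaddress

# Constructed sample corporate address range (an assumption for this example).
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical least-privilege policy: resource -> action -> required scope.
POLICY = {
    "payroll-db": {"read": "payroll:read", "write": "payroll:write"},
}


@dataclass(frozen=True)
class Request:
    """One API call as seen by an access gateway (constructed fields)."""
    source_ip: str
    resource: str
    action: str
    token_valid: bool = False        # identity token verified by an upstream IdP (assumed)
    mfa_satisfied: bool = False      # second factor presented for this session
    device_compliant: bool = False   # device posture attested (managed, patched)
    scopes: frozenset = frozenset()  # scopes granted to this identity


def perimeter_allows(req: Request) -> bool:
    """Legacy model: trust anything that reaches us from inside the network.
    A purchased or phished credential used from an on-network machine passes."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Zero-trust model: re-verify identity, second factor, device posture and
    least-privilege scope on every request. Network location is ignored."""
    reasons = []
    if not req.token_valid:
        reasons.append("identity token missing or invalid")
    if not req.mfa_satisfied:
        reasons.append("second factor not satisfied")
    if not req.device_compliant:
        reasons.append("device posture not compliant")
    required = POLICY.get(req.resource, {}).get(req.action)
    if required is None:
        reasons.append(f"no policy for {req.action} on {req.resource}")
    elif required not in req.scopes:
        reasons.append(f"scope {required} not granted")
    return (not reasons, reasons)


# Constructed sample requests (not real traffic).
SAMPLES = {
    # Stolen password replayed from inside the LAN: no second factor, unmanaged device.
    "stolen_password_on_lan": Request("10.1.2.3", "payroll-db", "read",
                                      token_valid=True, mfa_satisfied=False,
                                      device_compliant=False,
                                      scopes=frozenset({"payroll:read"})),
    # Remote analyst with MFA on a compliant laptop reading within granted scope.
    "remote_analyst_read": Request("203.0.113.7", "payroll-db", "read",
                                   token_valid=True, mfa_satisfied=True,
                                   device_compliant=True,
                                   scopes=frozenset({"payroll:read"})),
    # Same analyst attempting a write the granted scopes do not cover.
    "remote_analyst_write": Request("203.0.113.7", "payroll-db", "write",
                                    token_valid=True, mfa_satisfied=True,
                                    device_compliant=True,
                                    scopes=frozenset({"payroll:read"})),
}


def compare_models() -> dict:
    """Return, per sample request, what each access model decides and why."""
    results = {}
    for name, req in SAMPLES.items():
        allowed, reasons = zero_trust_decision(req)
        results[name] = {"perimeter": perimeter_allows(req),
                         "zero_trust": allowed,
                         "reasons": reasons}
    return results


if __name__ == "__main__":
    for name, verdict in compare_models().items():
        print(f"{name:24s} perimeter={verdict['perimeter']!s:5s} "
              f"zero_trust={verdict['zero_trust']!s:5s} {verdict['reasons']}")
```

The perimeter model lets the replayed password through because it came from the right subnet and turns the legitimate remote analyst away because she did not. The zero-trust check inverts both outcomes and, in the third case, still refuses a write that the analyst's scopes do not cover, which is the "least privilege by API" arrangement described above rather than blanket access to a mounted share.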
As IBM's report shows, enterprises are very early in their adoption of ZTA, but today's continual onslaught of cyber intrusions and data breaches shows that we need a new approach. Adding bigger and stronger bandaids will never stanch a gaping wound and continuing to layer conventional security products atop one another is a flawed strategy.