Managing the silent threat of data exfiltration

Here’s what organizations need to know about the latest data exfiltration trends.


With every passing year, cyberattacks are evolving and becoming more complex. As easy as it might be to dismiss this as “something that will never happen to us,” cyberthreats are very real and very prevalent, and companies must keep pace with threat actors’ evolving techniques in order to prepare and protect themselves.

Risk mitigation is more complicated today than it’s ever been.

Data exfiltration is really the silent threat in ransomware. If a security event is not taken seriously, the underlying threat could remain undetected and develop into a more serious attack.

Today, organizations can no longer afford to worry only about files being encrypted on their systems. They also need to worry about the fact that multiple threat actors may have access to their data. Because the data is accessible to many, it may be used in the future by one or more bad actors, even if your organization paid a ransom to decrypt.

Unfortunately, data deletion is no longer a guarantee when you are dealing with multiple threat actors. And that means it’s not the same drill in the case of an attack. A number of ransomware groups are now focusing more on data exfiltration and less on the actual encryption. That means the lines separating what is and what is not compromised have been blurred. We can’t just assume that because there isn’t a sign of encryption, a resource is safe. Instead, we have to assume that everything is unsafe. Everything is under attack.

Companies must take a measured approach in the event of a cyber incident.

If you suspect your organization may be a victim of data exfiltration, it’s really important to be organized and document everything. Taking a careful, measured approach can help to mitigate further damage and preserve the evidence.

It can be tempting to run around the office pulling out cables or to immediately wipe the infected devices and reinstall the operating system. That’s a mistake, because you can delete valuable forensic evidence. Instead, we advise organizations to proceed deliberately, responsibly taking resources suspected of being infected offline. This preserves the evidence that forensic experts will need to conduct an investigation.

Organizations often overestimate their ability to respond to threats and underestimate the severity of the threats.

It’s all too easy to take the position that an attack has been thwarted and it’s over, not understanding how active the threat really is. Reinfection is incredibly likely in those instances.

Our cyber services team sees these scenarios all too frequently. We recently spoke with a policyholder who believed that an incident was under control, though we thought they might still be dealing with an active attack. They were open to the idea of speaking with some other security professionals within our forensic partner network, but they delayed in having those conversations. We reached out to four of our partners, and all four concurred that this was a serious situation that should be dealt with as soon as possible.

The policyholder declined to move forward and ultimately ended up dealing with the matter on their own. Their costs turned out to be three times more than the most pessimistic outlook of the forensic firms we had connected them with.

The lesson from this story is to use your resources and risk management advisors. We see these situations day in and day out, and we know the players involved and their tactics. It’s always better to ask us for our opinion than to assume that things are under control. 

It’s when organizations are down that the shortfalls in their plans and processes really come to light.


Attacks happen at the most inconvenient times. And in those moments, people realize, “I don’t know how to communicate with so-and-so because our email is down” or “I don’t know how to get a hold of someone because I’m at a party and I don’t have a paper copy of the plan with me,” or “I’m forced to deal with this at my parents’ place and my work computer is not here.”

For most people, dealing with a breach is something they have never done before. And it’s hard to be fully prepared for something you’ve never experienced.

In the event of an incident, never act out of fear.

Forewarned is forearmed, so educate yourself and your colleagues about the risks of data exfiltration. For more on this trend and specific ways that your organization can protect itself, check out Beazley’s latest Cyber Services Snapshot.

Devon DeFreitas is cyber services manager for Beazley.

Opinions expressed here are the author’s own.
