It seems as if we are awash with ransomware stories these days. Many caused by users inadvertently clicking on a link within an email triggering the ransomware program and hey presto, the user is then unable to access their data without paying for it. Ransomware victims paid an average of $6,733 in the fourth quarter of 2018, according to ransomware incident response firm Coveware.
A more insidious attack is now appearing, where a company’s data or network is compromised by a cunningly hidden attack. A company’s data may include secret formulas or recipes that a product depends on and should someone alter that data, they haven't theoretically stolen it, but suddenly the product is not being made to the correct formula or recipe.
Such attacks fall under the banner of commercial espionage and attackers range from competitors, disgruntled employees and even nation states. Once in the network, the attacker remains hidden and takes various approaches dependent on what the attack is to achieve. We have seen attacks where data has been monitored and fed back to the competition when a tender has been submitted, or a change to pricing. Such information can be very valuable when governments are placing large contracts. It is not the intension of the attacker to tell the victim that they have their data, but to remain hidden, indefinitely.
Equally we have seen a rise in data modification that has resulted in very expensive product recalls and loss of market confidence, which ultimately could have led to the business failing. It is likely that such attacks will evolve into a blackmail scenario, where the victim is advised of the infiltration and possible data modification ramifications, should on-going payment not be forthcoming.
These attacks generally occur due to the poor monitoring of network access and missing unusual events that are happening within the infrastructure. Frequently, incidents are flagged up, but due to the busy nature of many IT departments, they go unchallenged.
The difficulty in preventing these data protection rackets is that the route into the system can be varied. It is no longer simply about a user clicking on a link within a random email, these attacks are targeted to order. They can come from carefully crafted email infiltration, by manipulated links on what appears to be genuine websites or they could be physical attacks where access to the network is gained from within and the exploit payload delivered, effectively by hand.
Dependent upon the form of the attack, companies can protect themselves by being more proactive in stopping the unknown, rather than relying on known attack vectors which endpoint security solutions focus on.
As well as advanced detection, another action companies can take is to follow the revision of any form of data and apply file integrity monitoring. With this, you create a hash of the file and then can compare that hash. If it is the same, then you know no revisions have been made to that file. Furthermore, you can apply classification, such as “Secret”, and should these types of files move, change or leave the organization, an alert is sent to the data owners.
Companies face a continual stream of threats including, reputation, revenues and future market share. Equally, there are many businesses that want to grow and will take every opportunity to gain the upper hand on their competition. With data very often the key to a company's success, it is easy to understand why such data is targeted and exploited, not just as a one off, but over time.
Sadly, it often takes companies years to even realize they have had a breach, let alone know what data was affected. We need to stop thinking only in terms of data being taken and understand that it may also be manipulated. Planning for the consequences of both scenarios is critical.