Breach! An Analysis of the Modern Digital Breach, with Cyber Defense Lab’s CEO, Bob Anderson

James Chappell
August 22, 2019 | 8 Min Read

Just prior to Black Hat and DEF CON, my colleague Rick Holland and I were fortunate to share some time in the company of Bob Anderson as part of our ShadowTalk podcast. For this two-part episode (see links to the episodes at the end of this post), we had chosen to discuss the topic of the modern digital breach. Why have breaches topped the news, and how have our responses to them evolved?

We could not have asked for a better guest speaker than Bob for this topic. He built a career in law enforcement over the course of 30 years, serving as a Delaware state trooper for 9 of them, then progressing to serve 21 years in the FBI, culminating in his appointment as Executive Assistant Director, 3rd from the top. In that role he ran the Criminal, Cyber and Response investigations teams under Robert Mueller and James Comey. Since leaving the service in 2015, Bob has applied his experience in the commercial sector, today leading Cyber Defense Labs, an organization specializing in breach response, training, and cyber managed security services. Since 2015 he has led and supported responses to thousands of major breach cases, many of which you would recognize from the headlines, affecting hundreds of millions of people all over the world.


“Believe it or not, when I first went into the FBI [in 1995], we did not have one single, solitary computer on any desk in the FBI. The reality was, we literally had teletype machines to communicate around the world. If you compare that to what it was when I left in 2015… it obviously changed a lot.”


It clearly did change a phenomenal amount. I think all our readers would recognize that the frequency, scale and impact of breaches have made this topic a daily news occurrence and have changed the way we think about our information forever. Bob and his team led the investigations into the most serious cases that actually made it to law enforcement. One example is the wiper attack on Sony Pictures in 2014, a prelude to WannaCry and the first breach where hard evidence that a nation state could turn on a commercial organization to destroy its operations for political purposes made it into the public domain. This is now documented in detail in the 2018 indictment against the North Korean Park Jin Hyok, which describes the attack in depth (https://www.justice.gov/usao-cdca/press-release/file/1091951/download), the same indictment we turned into a blog here: https://www.digitalshadows.com/blog-and-research/indictment-of-north-korean-regime-backed-programmer/


So, what happens when a company incurs some kind of breach?

Bob shared with us that he consistently sees businesses go into full-on crisis mode. Stockholders immediately launch legal action against boards, and equity holders sue the company. Typically, general counsels are overwhelmed in a matter of hours by all the crossfire, which places them in a weaker position to actually manage the breach itself. In many cases, key, basic questions arise, such as: can we make payroll? Can we actually communicate with colleagues? Basic functions suddenly turn into major challenges. All of this leaves little time to actually manage, investigate and respond to the breach itself. Given this chaotic situation, it is unsurprising that organizations can appear less than coherent while all this is going on. Bob then adds: “Don’t assume just because you have insurance that you can expect a payout in a meaningfully short amount of time.” Clearly a great deal of work has to go into working out what should be paid, and legal wrangling can go on for years.

The point here is, as Bob explains, “An ounce of upfront thought, on what could become a train wreck [..] is worth millions upon millions of dollars downrange”. Preparation, planning, and preparedness are the right counterbalance for any organization caught up in such a whirlwind. The problem is that too many organizations discover this after the fact.


Data Breaches – No Longer ‘If’, But ‘When’

How have we come to be living in a world where news of a new breach is almost becoming routine? We are all familiar with the idea that it is no longer ‘if’, but ‘when’. There is certainly more than one factor at work here. Society is busy increasing its reliance on new technology to drive more effective business, and although we are gradually getting better at securing it, there is more of it to secure.

Bob explains, “About 90% of what we see is opportunistic and [not particularly exotic], but often enabled by someone purchasing capabilities that significantly lowers the bar for a criminal”. Staying ahead of the latest tactics and behavior is key. “When we talk about the ‘old days’ in cyber, that’s like 2 years ago”, explains Bob. “The degree of technical skill required back then was high, but now criminals can rely on tools and data that significantly lower the bar.” Certainly, there are examples such as the combo lists of 14.5 billion username and password combinations that are routinely used to break into systems, or the recent Elasticsearch breach at Honda, where accident and misadventure led to exposure of data that was subsequently exploited by an opportunistic attacker.


The Dark Web and Data Breaches

It is not surprising, then, that incident responders are seeking better insight into the threat. This led our discussion onto the role that monitoring the Dark Web can play in incident response and remediation. While it is possible to get into a semantic discussion about what the Dark Web is, we all saw the value in validating capabilities, tools and techniques, as well as the market for data. At Digital Shadows we often get asked by customers whether their data is being offered for sale in the various marketplaces we monitor. This can provide valuable insight at a critical time in a response plan. Almost as valuable, it can offer clues about how an incident came to pass, or about weaknesses that could have been exploited or sold online to facilitate a breach. Our own research points to 2.3 billion files that are simply publicly available on the internet and that appear to contain a wide range of sensitive data.

Will we see a drop-off in the frequency of these events as we improve security? At the moment there are unfortunately few signs of that being the case. To offer some sense of scale, Bob notes that “at any one time there were two to three thousand investigations into breaches in the FBI Cyber division alone. In my first commercial practice we did 780 investigations into breaches and not one of them resulted in a report to the FBI. This suggests the scale of the problem is immense with much of what is happening going unreported”. By the time we read about a breach in the news, it is usually due to class action lawsuits, and on average an investigation has by then been ongoing for 20-25 months.


Conclusion – Top Advice to Managing the Risk

So in conclusion, what advice did our panel have for companies looking to manage the risk? We have already described the need to be prepared, and to have the right professionals and counsel on hand ahead of time to help with the response process. Bob gave us his ‘top 3’ areas to focus on:

  1. Appoint someone at board level to be responsible for risk: not just cyber risk, but the risks that impact the business, including the resilience of critical business operations.
  2. Actually train, educate and support your people through concise, targeted education relevant to their role in the organization. Well-trained people can be your best way to detect when something isn’t right. It gives them a greater sense of responsibility, and you can instill an innate awareness that significantly strengthens your first line of defense: your people.
  3. Focused technical controls such as two-factor authentication can create significant barriers to many attacks; given the number of opportunistic attackers, this can significantly lower exposure.

At Digital Shadows, our focus is on helping our customers be aware of their digital footprint, keeping ahead of threats through monitoring the dark web, understanding inadvertent data loss that might be exploited, preventing disruption of identity online and managing the attack surface proactively; we see all of this playing a critical role in lowering risk and supporting effective response programs.


We would like to extend our thanks to Bob and his team at CDL for sparing the time to talk to us, and we would welcome the opportunity to check in a year from now to see how things are evolving.

To listen to both episodes, follow the links below or find “ShadowTalk” on your favorite podcast player.

Part 1:

Part 2:


Cyber Defense Labs
Cyber Defense Labs specializes in helping clients reduce business risk BEFORE, DURING and AFTER a cyber incident. For more information visit cyberdefenselabs.com.
