This blog provides an overview of our recently-published Data Leakage Detection Solutions guide, which provides best practices and free tools for detecting and analyzing exposed data.
Hunting for Exposed Data
The concept of protecting sensitive data from leaving the network is not new: data loss prevention (DLP) tools, watermarking, document marking schemes all exist to help combat this risk.
Unfortunately, the threat landscape requires new strategies to accompany these existing approaches. It’s no longer enough to try to prevent this data from being exposed: security teams are demanding ways to go out and hunt for this data themselves.
Often this is urgent. Imagine you are informed of a breach or are targeted by a ransomware actor that threatens to leak your data: security teams need quick access to dark web sources to verify whether data is exposed.
Data leakage detection concerns far more than the dark web, however. Our Solutions Guide breaks down this exposure in terms of four areas, each of which involves different types of data that can pose a risk:
- Search engines
- Hidden directories and misconfigured online file stores
- Code repositories
- Dark web
For each of these areas, there are free tools available to begin searching for this exposed data (the guide lists more than 15 tools and resources for detecting and analyzing exposed data).
Attackers Leveraging Exposed Data
Exposed data forms a vital component of an attacker’s reconnaissance effort. Think, for example, how useful leaked penetration tests or network schematics would be to your attackers.
Many of their techniques, listed below, rely on the availability of this data. We can turn to MITRE ATT&CK to see several techniques relevant to exposed data that are regularly observed as part of attacker campaigns:
- T1591.002: Gather Victim Org Information: Business Relationships
- T1593.002: Search Open Websites/Domains: Search Engines
- T1596.004: Search Open Technical Databases: CDNs
- T1597: Search Closed Sources
There are plenty of real-world examples. LockBit, a ransomware group, used credentials stolen from a previous breach to gain access to a new target.
Cybercriminals have been targeting the GitHub accounts of software engineers who may have exposed sensitive access keys. This is true of extortion actors such as thedarkoverlord and ShinyHunters, who researchers have observed targeting OAuth credentials that provide access to cloud infrastructure.
Exposure of access keys and secrets is worryingly common: our most recent research detected more than 800,000 exposed keys, of which 38% were for cloud services and 43% for databases.
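The code repository area above is the one a security team can start checking on its own. The following is an added example, not part of the original post and not SearchLight's code: a small secret scanner that runs over constructed sample lines of a configuration file and reports likely exposed keys. It uses the public AWS access key ID format (AKIA followed by 16 uppercase alphanumerics) plus a generic "secret-like variable name assigned a long value" rule, and filters the generic matches by Shannon entropy so that obvious placeholders (repeated characters) are not reported. The rule names, the entropy threshold and the sample lines are all assumptions chosen for the example.

```python
import math
import re

# Hypothetical scanning rules (added example; not SearchLight's detection logic).
# Rule 1: AWS access key ID format, which is publicly documented.
# Rule 2: a secret-like variable name (api_key, secret, token, password)
#         assigned a value of 16 or more token characters.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("generic_secret", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9/+=_-]{16,})")),
]

# Constructed cut-off in bits per character; tune it against your own repositories.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(value: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for a repeated character)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    length = len(value)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def scan_lines(lines):
    """Return a list of findings: {"line": 1-based line number, "kind": rule name, "value": match}."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1)
            # Generic matches with low entropy look like placeholders, not live secrets.
            if kind == "generic_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                break
            findings.append({"line": number, "kind": kind, "value": value})
            break  # first matching rule wins; avoids reporting the same value twice
    return findings


def mask(value: str) -> str:
    """Show only the first four characters so reports do not re-expose the secret."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample of a config file committed by mistake; every value is made up.
SAMPLE_LINES = [
    "# constructed config.py",
    "DEBUG = True",
    "aws_access_key_id = AKIAEXAMPLEKEY000001",     # matches rule 1
    'api_key = "aaaaaaaaaaaaaaaaaaaa"',            # placeholder: low entropy, not reported
    'token = "x7Qp9zL2mKf4Rt8wVb3nYc6h"',          # high entropy: reported
    'db_password = "changeme"',                    # too short for rule 2
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(f"line {finding['line']}: {finding['kind']} -> {mask(finding['value'])}")
```

Running the block reports two findings (the AWS key ID on line 3 and the high-entropy token on line 5) and stays silent on the placeholder and the short password. In practice this kind of check belongs in a pre-commit hook or CI step so a key is caught before it reaches a public repository, and any key that does get reported should be rotated rather than merely deleted from the history.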
Beyond the Breach
Although exposed data is a treasure chest for attacker reconnaissance, some exposed data poses its own risk.
In 2018, one actor discovered a publicly accessible manual for a Reaper drone on a misconfigured FTP (File Transfer Protocol) server. That same actor went on to sell that manual on a dark web marketplace.
Personal employee and customer information can also be exposed. SearchLight has unearthed many spreadsheets containing customer PII that have been exposed via misconfigured file stores. Undetected and unmitigated, this type of breach can lead to loss of compliance and accompanying fines.
Free Tools and Best Practices
To gain a view of how SearchLight alerts on exposed data, you can take a spin around Test Drive for free and see the types of alerts you could expect to see from SearchLight. Alternatively, check out our datasheets on detecting exposed documents and access keys.
If you’re interested in getting your hands on the free tools and best practices, please go ahead and download your free Data Leakage Detection Solutions guide.