Good for nothing breach: Lowering exposure by making stolen data harder to monetize
International travel is in a holding pattern, but travel-industry hacks are in full swing.
Before 2020, much of my life was spent traveling for business. As with many other frequent flyers, maintaining the much-coveted Star Alliance “Gold Status” was top of mind.
It has been a year since I last traveled on a plane. So much time has passed since I (and the world) were grounded by COVID-19 that an unexpected email from my favorite airline caught me off guard for a brief moment.
Apparently SITA, a third-party vendor to Star Alliance, got breached, and my data was part of the booty.
Needless to say, this breach is dwarfed by the massive global hacks targeting Microsoft business accounts that are happening in parallel.
Hackers are not in the business of stealing data. They are in the business of monetizing the data they steal.
It’s interesting to note the language used to notify me of the breach. Care was taken to frame the severity of the breach and the value of the data that was stolen.
The authors of the email are correct in the sense that certain types of data, such as credit cards and access credentials, are far more useful to hackers than other types of data.
In fact, the recently published Dark Web Price Index 2021 shows huge differences between various types of stolen data, ranging from only $2 for a US Social Security number to thousands of dollars for better-quality data such as passports.
Why is one type of stolen data less valuable than another? Simple: the value of the data is directly tied to the ability to monetize it.
Stolen data is less valuable if hackers cannot trust it
MITRE’s Dr. Stanley Barr put it really well in a recent TEDx talk:
“We impose cost on the attacker and we assert that maybe, just maybe, the data you steal won’t be real.”
Fidelity is a far less discussed aspect affecting the value of data on the dark web. In simple terms, if hackers cannot trust that the data they have stolen is valid and usable, they are less likely to monetize it successfully.
Poisoned data is hard to monetize. It is specifically created to deceive attackers and its use triggers an alarm exposing the malicious actor. Think about a credit card or login credentials whose use immediately identifies its user as a malicious actor.
This concept has been used to great success with dye packs to tackle physical bank robberies. By adding the risk of both the robber and the stolen money being colored by the exploding dye pack, the robber is more likely to be caught and the stolen money is harder to pass around.
Using deception technology as “exploding dye packs”
Cyber-Deception is a category of cybersecurity that provides behavior-agnostic threat detection at low cost. Cyber-Deception utilizes lures and decoys to entice, engage and misdirect attackers.
Cyber-Deception’s evolution from legacy honeypots is driven by two main technology advances:
Scale – adoption of emulation technology has enabled the creation of fake attack surfaces, replacing the legacy approach of using resource-guzzling virtualized honeypots. This innovation allows thousands of traps to be deployed with a fraction of the effort and computing power required to deploy and maintain a real OS and its accompanying software.
Automation – platforms able to automatically manage an integrated grid of lures and traps to create an entire deceptive environment and its related architectural elements. This approach has greatly increased the efficacy of deception, especially compared to the use of standalone honeytokens.
These recent advances in deception technology allow cyber defenders not only to misdirect attackers but also to feed them poisoned data. Traps camouflaged as databases or applications allow defenders to deceive attackers into taking and using data that has been “tagged” to raise an alarm: a virtual dye pack.
A Simple Example
- In a data center containing credit card information, traps camouflaged as databases are deployed and loaded with tagged credit card numbers. The traps are designed to be easier to hack than the real databases.
- A malicious actor breaches the data center but, instead of stealing real credit card numbers, steals the “fake” credit card data from the trap. By interacting with the trap, the malicious actor reveals his presence, and valuable information about his tradecraft is collected to prevent future hacks.
- The malicious actor then attempts to use the stolen credit card data; however, he fails to monetize it and raises an alarm that exposes the infrastructure he has set up to monetize the data.
- The malicious actor was unable to monetize an otherwise successful hack. For selfish economic reasons, he is not likely to go after the same target again.
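The tagging and alarm side of the example above, as an added illustration that is not code from the original post: decoy card numbers are generated from a fixed seed so they pass basic Luhn validation and look like real records in the trap, and the detector regenerates the same watch list and raises an alarm when any of them shows up in an authorization log. The seed, the BIN prefix "400000", the `pan=` log format and the log lines are constructed assumptions for the example.

```python
import random
import re
# Added example (not the post's own code). The seed, the BIN prefix "400000"
# and the log lines below are constructed for illustration.

def luhn_valid(pan: str) -> bool:
    """Standard Luhn validation of a full PAN (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def make_decoy_pans(count: int, seed: int, prefix: str = "400000") -> set:
    """Luhn-valid 16-digit decoy PANs from a fixed seed, so the detector can
    regenerate the watch list instead of keeping a copy beside the trap."""
    rng = random.Random(seed)
    decoys = set()
    while len(decoys) < count:
        body = prefix + "".join(rng.choice("0123456789") for _ in range(9))
        # brute-force the single check digit that makes the number pass Luhn
        decoys.add(next(body + d for d in "0123456789" if luhn_valid(body + d)))
    return decoys

PAN_RE = re.compile(r"pan=(\d{16})")

def scan_transactions(lines, decoys):
    """Return (line_no, pan) for each authorization presenting a decoy PAN.
    Decoys were never issued, so any hit is trap data being used: alarm."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PAN_RE.search(line)
        if m and m.group(1) in decoys:
            hits.append((n, m.group(1)))
    return hits

DECOYS = make_decoy_pans(3, seed=1234)
# Constructed authorization log; line 2 presents one of the decoy numbers.
SAMPLE_LOG = [
    "2021-03-10T09:12:01 auth pan=4111111111111111 amount=42.10 result=approved",
    f"2021-03-10T09:12:07 auth pan={sorted(DECOYS)[0]} amount=980.00 result=declined",
    "2021-03-10T09:12:09 auth pan=5555555555554444 amount=13.37 result=approved",
]

if __name__ == "__main__":
    for line_no, pan in scan_transactions(SAMPLE_LOG, DECOYS):
        print(f"ALARM: decoy PAN {pan[:6]}...{pan[-4:]} used at log line {line_no}")
```

In practice the hit should carry the merchant, IP and timestamp of the attempt, since that is the information about the attacker's monetization infrastructure that the post describes.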