In the dead of night, an ominous message hits your inbox: "Your company's sensitive data is for sale on the dark web." As the Chief Information Security Officer (CISO), this scenario is your ultimate test, a moment where every decision leading up to this point is scrutinized under the unforgiving lens of a potential data breach crisis.

On March 31, 2024, AT&T admitted that a data set that had been for sale in the dark web since 2021 was actually theirs, despite initially saying it wasn't theirs. AT&T claims that information compromised in this hack includes Social Security numbers and passcodes, which are numerical PINs that are normally four (4) digits long as opposed to passwords. However, these details vary depending on the consumer and account. It's also possible that full names, phone numbers, email addresses, mailing addresses, dates of birth, and AT&T account numbers were compromised. According to the company, the affected data is from 2019 or before and does not seem to contain call history or financial data.

As a CISO, how can I make sure my organization has implemented the correct controls and systems if a situation like this happens?

Proactive Data Management: Knowing Your Treasure Map

Imagine your data as treasures scattered across a vast digital landscape. Knowing the exact location of these treasures is the first step in safeguarding them.

After successfully implementing a robust Asset Management program that integrates seamlessly with vulnerability management systems, organizations must focus on meticulously mapping out the locations and types of data stored across these assets. This critical next step involves not just identifying where the data resides but also understanding the nature of the data itself.

Once all locations of business critical data have been identified, the organization should proactively classify and map this information, delineating clearly where each type of data resides across the network and systems. This initiative enables the swift pinpointing of a data leak's source and narrows down the specific systems for targeted investigation during threat hunting activities, especially after a suspected data theft.

It's also imperative for the organization to actively involve and assess partners who access or host any portion of its data. By doing so, the organization not only enhances its data security posture but also ensures a rapid response capability, effectively minimizing the impact of a data breach and maintaining the integrity of the information ecosystem.

Here are the top five (5) considerations to keep in mind:

1. Sensitivity and Confidentiality: Evaluate the data's sensitivity, paying particular attention to personally identifiable information (PII), financial information, intellectual property, and any other information that, if exposed, could have a substantial negative impact. The value and risk of the data increase according to sensitivity.

2. Compliance Requirements: Take into account the legal and regulatory obligations pertaining to the data that your company possesses. Higher security is necessary because data covered by regulations like GDPR, HIPAA, or PCI-DSS has intrinsic value due to the penalties and legal implications for noncompliance.

3. Business Impact: Consider the potential impacts on your company that might arise from data compromise, alteration, or destruction. Consider both the direct consequences, such as financial loss and legal ramifications, and indirect consequences, such as reputational damage and loss of customer trust.

4. Data Usage and Availability:Recognize who needs access to the data and how it is used inside your organization. Data that is important for everyday operations or decision-making procedures is more valuable. Restricting access to such information to those who require it lowers the possibility of unintentional or purposeful breaches.

5. External Sharing and Partnerships: Determine which information is accessible to or shared with outside parties, such as partners, customers, and vendors. The expanded chain of custody and the possibility that third-party flaws could affect the security of your data make externally shared data more valuable and risky.

The Audit Trail: Your Cybersecurity Black Box

Like a plane's "black box," auditing and logging offer priceless information about what went wrong in the wake of turbulence. We'll delve into how thorough logging systems function as the foundation of incident investigation, assisting in deciphering the series of events that precede a breach.

Focusing on gathering pertinent and useful data is crucial when determining what to log as part of a cybersecurity program, particularly for spotting possible data theft and enabling efficient threat hunting. The following factors should be considered:

1. User Access and Authentication Logs: All user access and authentication attempts, including successful and unsuccessful logins, logout durations, and password changes, should be tracked and recorded. This data is essential for tracking down possible sources of a data breach, detecting unwanted access attempts, and making sure that only authorized individuals are accessing sensitive data.

2. Network Traffic and Data Flow: Maintain thorough records of all network traffic, including protocol versions, data quantities, source and destination IP addresses, and port numbers. It is possible to spot odd trends that could point to illegal data access or data exfiltration by keeping an eye on how data moves across the network. This includes firewall logs and NetFlow information.

3. Changes to Systems and Files: Keep track of all alterations made to important files, software installs, upgrades, and crucial system configurations. Monitoring these alterations can assist in spotting unapproved changes that might point to a security breach or an attempt to steal data.

4. Application Activity Logs: Keep track of everything that happens in vital apps, especially when it comes to sensitive data. This covers user behavior, data export and access operations, and any abnormalities in the way the application behaves. Application logs are essential for figuring out how users interact with programs and spotting potentially dangerous activity.

5. Incident and Alert Logs: Keep records of every security event and warning produced by security equipment such as firewalls, antivirus (AV) programs, and Endpoint Detection and Response (EDR). These logs are necessary to detect possible threats quickly and to carry out in-depth investigations both during and after an incident to identify the tactics, techniques, and procedures (TTPs) that the attackers employed.

Threat Hunting: The Game of Chess

Threat hunting is a strategic chess match with possible opponents rather than a reactive tactic. It involves planning ahead and constructing traps to capture dangers before they escalate. We'll go into the specifics of assembling a knowledgeable Threat Hunting team that has the resources and know-how to proactively identify and neutralize threats.

Building a threat hunting program within an organization involves a structured approach to detecting and mitigating advanced threats that evade existing security measures. We help customers in building a Threat Hunting program and also provide training. Here are the key steps to consider when building a program:

• Define Objectives and Scope:
  • Establish clear goals for the Threat Hunting program, e.g., covering the scenarios of access to data and exfiltration.
  • Identify critical assets and sensitive data to prioritize protection efforts. Attackers will work on lateral movement to reach these assets and to then exfiltrate the information.
• Assemble a Skilled Team:
  • Recruit individuals with a mix of cybersecurity, analytical, and investigative skills.
  • Provide ongoing training to keep the team updated on the latest threats and techniques.
• Gather and Integrate Data Sources:
  • Aggregate data from logs, network traffic, endpoints, and external intelligence feeds. As exercises are performed, the data sources used should be refined to ensure we are logging what is needed and excessive un-useful data is not sent to the centralized platform or platforms used for analysis.
• Deploy the Right Tools:
  • Utilize Security Information and Event Management (SIEM) systems with a collection of refined queries and alerts based on previous exercises and also on Cyber Threat Intelligence (CTI) on TTPs of actors that are known to target your market or region.
  • Implement automation where possible to assist with data analysis and pattern detection.
• Develop and Refine Hunting Hypotheses:
  • Create hypotheses based on known threats, industry trends, and emerging vulnerabilities.
  • Continuously refine these hypotheses based on the latest intelligence and organizational context. Learning to analyze and prioritize CTI information is very important in the creation of hypotheses in order to ensure we are targeting techniques at the correct stages of an attack path.
• Conduct Proactive Hunts:
  • Regularly perform hunting activities to search for indicators of compromise (IOCs) or suspicious behavior.
  • Document processes and findings for each hunting exercise to refine techniques and share knowledge.
• Establish Procedures for Incident Response:
  • Develop protocols for when a potential threat is identified, including escalation paths and remediation steps.
  • Ensure seamless integration with the Incident Response team for effective threat mitigation. Make sure key decision makers participate in exercises in order to identify gaps or areas of improvement before a real incident happens.
• Measure and Report Outcomes:
  • Track key performance indicators (KPIs) to measure the effectiveness of the hunting program.
  • Regularly report findings, trends, and security improvements to stakeholders.
• Foster a Continuous Improvement Culture:
  • Encourage feedback and lessons learned from hunting exercises to improve methodologies.
  • Stay informed about the latest cybersecurity developments and incorporate them into the program.

By following these steps, organizations can establish a proactive and effective Threat Hunting program that enhances their overall cybersecurity posture.