A threat actor advertises data of a Turkish gold mining company called Anagold in breached.co. breached.co is a forum created as an alternative to raidforums.com.
Anagold is a mining company which is a partner of Canadian SSR Mining company and has gold mines in Turkey. In the past months, there have been allegations of cyanide leaks in Turkey regarding the mining company.
According to the threat actor’s post, they are now sharing only 8GBs of data for now and more will be shared later. This data is also including some survey maps of gold reserves.
The company has not yet made a statement about the allegations.
As organizations, and security teams, we purchased many security devices for providing both network and endpoint security. However, attacks continue at the same pace, even we faced bigger attacks last year, and they are getting more sophisticated. So, what is the next step for organizations?
NDR market guide was shared last year by Gartner. As the idea, NDR uses (or must use) artifical intelligence to detect malicious behaviors, both from external threat actors and insider threats. This means, we will no longer just store the huge network traffic data via full packet capture products, but also detect the anomalies in these captured traffic. So, NDR will play a major role in helping security team to response quicker.
Unfortunately, the only obstacle to the teams last year was not the more sophisticated attacks, but also the “new normal” made security teams so hard. Now, more users are reaching to organization’s sources, getting e-mails and downloading files out of office. Control over users’ behaviors is less and less. When that happens, the need for more sophisticated technologies is also increasing.
Even if we implement many security technologies to our structure, attacks are still going on. Now it is necessary to detect whether there is anyone inside as much as protecting the border. Honeypot technologies and EDRs have been used for this for years but these are not enough to decrease the dwell time. If you failed to prevent and detect an attacker inside your network, or an insider threat, it is always difficult to prevent data exfiltration, or your file from being encrypted.
Machine learning is the key here. The main idea is anomaly detection inside the network. The first step is to profile entire organization’s network and users’ and computers’ traffic. After having such a profiling, it will be easier to detect anomalies inside the network. Anomalies can be in different forms like data exfiltration to some rare destinations, uploading files to IP addresses without hostnames, login attempt from strange destinations (for cloud or vpn), and copying in large number of files from an smb share. We expect the NDR to catch all of that, of course more.
More otganizations are using cloud infrastructure more and more. Public, private, or hybrid, cloud infrasturctures are also a part of us. Critical files are stored and applications work there, and the responsibles are the customers for the data’s security.
Think of a scenerio like that; you have users storing files in cloud and they are working with a few of these files during their work. A user, has a permission to reach these files, downloading most of the files in a very short time, then resigns from work. Or, this user’s credentials have been compromised, and someone connected to your cloud from a country that non of your users normally connect and made anomalous behaviors. NDR must cover also cloud and detect these incidents. It is hard to implement a UEBA solution, thus, NDR can be implemented to detect insider threat.
THE NEW NORMAL
Most of the organizations were caught unprepared for Covid situation. Users had to work at home and connected to organizations’ network or cloud from home. That means, users can connect to internet less controlled. An NDR with endpoint capabilities will also cover users at home, corralate users behaviors with your network traffic and can detect threats.
DLP is a technology we use more than one decade. The starting point of DLP was protecting IP (Intellectual Property) of the organizations and became very popular for too many sectors. Organizations spent, and still spending millions of dollars for DLP solutions, to protect their private data. However, Gartner says; “They become an annoying or toothless technical control rather than a component in a powerful information risk management process” about it. But why?
According to some surveys, the biggest challenge of the professionals is difficulty to keep policies up to date.at rate of business. The others are that inhibition of the employee productivity because of these policies, and limited data visibility. Also, too many false positivies are also very big problem for IT professionals.
If we talk step by step, requiring policies is really one of the biggest problem of DLP solutions, regardless of manufacturer. Before anything else, organizations have to know what data they must protect. For this, they have to know which data is sensitive for the organization. Most of the organizations started their DLP Project without knowledge of their sensitive data. It is very clear that it is impossible to know what the sensitive data is without data classifications. Again, most of the organizations learnt that after implementing the DLP, and started a data classification Project maybe years later. And of course, only starting or implementing a classification Project is not enough to classify the data. It is a very broad and continuous process, needs wide awareness by users.
So, because of this obscurity about their own data, organizations got their policies from others’ experiences, instead of their own needs. Industry experience became very important at this step then. Created and run the policies with hoping they will protect their data.
At the same time, just knowing what to protect is not enough, also you must know how to protect these data. If you do not know which channels can people use to leak data, it is also impossible to protect it. These channels also added the policies according to industry experiences. Even if the Security Risk Management professionals know what if they miss a required policy, they run these with the with the thought of preserving as much as they protect. Everybody knew that this is not enough for protetion all the data, then the slogan became like; “DLP prevents the user from doing wrong things, does not prevent the data leakage against the malicious users.”
One of the other weaknesses of DLP is focusing on content to identify the data. Even if the last features like AI, it determines the file with the content of it, using pattern match (like regex) or exact match. Very limited context examination is used. So, DLP is not effective against malicious users again since the conten can be changed very easily to leak, also in a living organization, the content of the sensitive data will be changed inevitably, and this situation requires that policies are constantly updated. But as I said before, new policies means that more possibility to inhibition of the employee productivity, more spending time to optimize these rules and more exclusions. More exclusions mean more vulnerability against data protection. More context focus is needed to prevent the data.
In big organizations, false positives are can be the biggest problems since number of employees, sensitive data and policies. A large number of incidents produced every day, requires more time, and sure more employee to review these incidents. And if you make a survey with these teams who are viewing the DLP incidents, they could say hundreds of incidents could be ignored. Actually, I believe that it would be a good situation if the organization can catch one or two real incidents in a year. The organization hopes that the captured incidents gets an acceptable ROI. Meanwhile, this organization never can be sure that nobody leaked any data.
Every IT Professional that used DLP know that there are many other annoying situations of DLP. For example, if you do not want someone leak data using endpoint channel like printer or USB, every PC needs an agent installed, and of course these agents should work as it should. This is a very big challenge against all IT personnel managing endpoint solutions. These requires focusing very strange situations, spending too much time on one PC sometimes, in a case of a problem, and a continuous testing of the agent. Not only incident analysis, also management of the DLP solution requires really many sources.
One last thing I want to mention, DLP inspects only at the point of egress. On the endpoint, printer or USB, in network layer; the internet access and in email channel, the emails sending outside of the organization. Data protection must also include inside the network like file servers. As we saw that the protection at the egress point is difficult and can be possibilities to leak the data (this can be because of policies, an agent with a problem, changing the content of the data, etc.), this item becomes very important.
As the result, DLP is not an efficient solution as expected. It must be continuous process, not a single Project by it is own. Despite all these, I do not believe that DLP will die. At least, in many countries, there are many regulations in different industries, DLP is compulsory. Regulations are requiring to have a DLP solutions including both endpoint, network and email channels. And still we do not have more efficient solution by itself. But, organizations must think to support their DLP solutions with some other solutions like UEBA or DaBA. Especially, DaBA solutions can provide a complete visibility of the movement of the sensitive data, in all over the network. Even if the users do not try to leak data outside the organization (so, it is impossible to catch it then), it is very important to know who is using this data in organization. So, the data can be followed with the need to know approach. If someone does not need a data for his job, he should not reach to this data. UEBA and DaBA solutions can provide this visibility and add a new layer to data protection mechanism.