One of today's standard cybersecurity practices is to continuously monitor the Dark Web, the marketplace of choice for bad actors worldwide, for any sign that your company's secrets or other intellectual property have been exfiltrated.
The problem is that too many Chief Information Security Officers (CISOs) and Security Operations Center (SOC) managers assume that finding sensitive company information there necessarily means their enterprise systems have been successfully attacked. It very well could mean that, but it could also mean a hundred other things. The data may have been taken from a corporate cloud tenant, a shadow cloud site, an employee's home laptop, a corporate backup provider, a disaster recovery provider, a smartphone, a supply chain partner, or even a USB stick stolen from a car.
When the material is sensitive data, whether customer personally identifiable information (PII), health data, payment card data, or blueprints for a military weapons system, it is useful to learn that some version of it has been captured. But until you know where, when and how the theft occurred, it is nearly impossible to know what to do about it.
In some cases, the answer may be “nothing.” Consider some of the most sensitive files on your system: secrets such as API keys, access tokens, passwords, encryption/decryption keys, and login credentials.
If everything is tracked and logged correctly, your team may discover that the secrets found on the Dark Web were already rotated or revoked as part of routine lifecycle management. In that case no further action is needed beyond noting where the copy came from.
That said, most companies monitor the Dark Web without having tagged their secrets and data with enough tracking detail to determine the appropriate next steps if and when they find something.
Get the details right
Most CISOs understand that a secret discovered on the Dark Web is compromised. But without adequate detail they often overreact, or react inappropriately, and make costly, disruptive changes that may be completely unnecessary.
The same applies to regulatory disclosures, such as breach notifications under the European Union's General Data Protection Regulation (GDPR) or incident filings with the Securities and Exchange Commission (SEC), made on incorrect assumptions. That can expose the business to stock price declines and compliance penalties that were never warranted.
The lifecycle of a secret on the Dark Web (its value, use and relevance) changes over time. Understanding this lifecycle helps CISOs decide which secrets to prioritize for rotation or additional protection. A secret tied to a temporary project, for example, becomes irrelevant faster than one tied to long-standing infrastructure. Monitoring the Dark Web, knowing whether your secrets are there, and attaching metadata and context to each secret is the key to understanding which secrets are still valuable to attackers and require immediate action.
The danger of false assumptions
The situation is slightly different when the discovered material consists of sensitive data files, especially highly regulated data such as PII, health and financial records. Here the discovery should always trigger further investigation, but if your team jumps straight to action, it may commit to the wrong action based on faulty assumptions.
First, how much data was found? Is your company the only place this data could exist? Could the same data also sit in the systems of related companies, and were they the ones breached? This is one of the main reasons everything must be precisely tagged and labeled.
Once you have confirmed that the data was in fact taken from your company's systems, you go back to the tags. Is the stolen file the copy held on premises? In a cloud? If so, which cloud? Is it the extract handed to your marketing team a month ago for analysis?
If every copy and share of the data is logged and enriched with metadata, the stolen copy can be traced back to determine how, why and when it was taken. That, ideally, tells your team where the gap is that needs to be closed.
Let's go back to secrets. If a discovered key has already expired, you probably don't care much that it is on the Dark Web. (You still want to know, because it may be a clue to an as-yet-undiscovered breach, but the response is far less urgent.) Suppose instead the discovered keys are still active. That is obviously a problem, but the solution is far from obvious. Programmatic access keys can open much of your infrastructure; from the thief's perspective they are the most valuable data possible, the proverbial keys to the kingdom. If they are not handled correctly and quickly, it can be game over.
What's the problem? By the time stolen data or keys are discovered on the Dark Web, it is too late to start adding context. If critical context isn't attached to each key the instant it is created, and updated the instant someone moves it anywhere, reconstructing the details of the breach later becomes vastly harder. Even the world's best forensics teams may need years to trace the history of a key if that context was never recorded in the first place.
Establish best practices
You must maintain a strictly controlled inventory of all your secrets, keyed by a hash of each secret rather than the secret itself, with every issuance, copy and use logged against that record. This is the only viable way to monitor machine credential activity in real time. If you do it rigorously, you should be alerted to a stolen machine credential long before it hits the Dark Web and is sold to the highest bidder.
Another good practice is to regularly seed the Dark Web, and other dens of evildoers, with fake files to add noise to the equation. Bad actors who cannot tell whether your data is genuine may avoid it altogether.
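The inventory, lineage and triage logic described in the paragraphs above (context attached at creation, every copy logged, a hashed inventory, decoys seeded on purpose) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original article or any product; the pepper, record fields, location names and sample secrets are all constructed for illustration. It fingerprints each secret with a keyed hash so the inventory never holds the secret itself, keeps a lineage of where each copy went, and, given a value seen on a leak site, answers the question the article poses: is it ours, is it already dead, is it live and needs rotating, and where did that copy live?

```python
"""Secret inventory with keyed fingerprints, copy lineage and leak triage.

Added example; not code from the original article. All names, fields and
sample records are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed: a pepper held outside the inventory store (e.g. in a KMS), so that a
# leaked inventory cannot be used to test candidate secrets offline.
INVENTORY_PEPPER = b"example-pepper-not-for-production"

# Constructed "current time" used by the stand-alone run below.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def fingerprint(secret: str) -> str:
    """Keyed SHA-256 of a secret. The inventory stores only this, never the secret."""
    return hmac.new(INVENTORY_PEPPER, secret.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class CopyEvent:
    when: datetime
    location: str  # where this copy lives, e.g. "vault:prod/payments" (constructed)
    actor: str     # who or what created the copy


@dataclass
class SecretRecord:
    secret_id: str
    kind: str                      # "api-key", "db-password", "decoy", ...
    owner: str
    created: datetime
    expires: Optional[datetime]    # None means no fixed expiry
    status: str = "active"         # active | rotated | revoked
    lineage: List[CopyEvent] = field(default_factory=list)


class SecretInventory:
    def __init__(self) -> None:
        self._records: Dict[str, SecretRecord] = {}  # fingerprint -> record

    def register(self, secret: str, record: SecretRecord, location: str, actor: str) -> None:
        """Record a secret the instant it is created, together with its first location."""
        record.lineage.append(CopyEvent(record.created, location, actor))
        self._records[fingerprint(secret)] = record

    def record_copy(self, secret: str, when: datetime, location: str, actor: str) -> None:
        """Extend the lineage whenever the secret is copied somewhere else."""
        self._records[fingerprint(secret)].lineage.append(CopyEvent(when, location, actor))

    def set_status(self, secret: str, status: str) -> None:
        """Mark a secret rotated or revoked so later triage knows it is dead."""
        self._records[fingerprint(secret)].status = status

    def triage(self, leaked_value: str, now: datetime) -> dict:
        """Classify a value seen on a leak site and report where its copies lived."""
        rec = self._records.get(fingerprint(leaked_value))
        if rec is None:
            return {"verdict": "not-ours"}
        expired = rec.expires is not None and rec.expires <= now
        if rec.kind == "decoy":
            verdict = "decoy-leaked"   # a planted fake surfaced: its location is the leak source
        elif rec.status != "active" or expired:
            verdict = "already-dead"   # no rotation needed, but still find out how it got out
        else:
            verdict = "rotate-now"
        return {
            "verdict": verdict,
            "secret_id": rec.secret_id,
            "owner": rec.owner,
            "copies": len(rec.lineage),
            "locations": [e.location for e in rec.lineage],
        }


def build_sample_inventory() -> SecretInventory:
    """Constructed sample data: three fake secrets, none of them real credentials."""
    inv = SecretInventory()
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    live = "example-prod-payments-key-0001"
    inv.register(live, SecretRecord("sec-001", "api-key", "payments-team", t0, None),
                 "vault:prod/payments", "ci-deploy")
    inv.record_copy(live, datetime(2024, 2, 1, tzinfo=timezone.utc),
                    "s3://analytics-share/config.json", "marketing-analyst")
    inv.register("example-temp-project-token-0002",
                 SecretRecord("sec-002", "api-key", "project-x", t0,
                              datetime(2024, 3, 1, tzinfo=timezone.utc)),
                 "vault:temp/project-x", "project-lead")
    inv.register("example-decoy-backup-key-0003",
                 SecretRecord("sec-003", "decoy", "secops", t0, None),
                 "backup-vendor:offsite-archive", "secops")
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    for seen in ("example-prod-payments-key-0001", "example-temp-project-token-0002",
                 "example-decoy-backup-key-0003", "some-value-we-never-issued"):
        print(seen, "->", inv.triage(seen, SAMPLE_NOW))
```

The live payments key comes back as `rotate-now` with two locations in its lineage, the last being the analytics copy, which is where the investigation starts; the temporary project token is past its expiry and comes back `already-dead`; the decoy planted only with the backup vendor comes back `decoy-leaked`, pointing straight at that vendor; anything not in the inventory is `not-ours`. The keyed hash matters: if the inventory itself leaks, an attacker without the pepper cannot use it to check guesses against your real secrets.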
Bottom line: tracking everything on the Dark Web is crucial. But if you haven't tagged all your sensitive data ahead of time, your team may make decisions that are the exact opposite of what they should be. On the Dark Web, stolen secrets are your enemies and tons of context are your friends.