APT – Advanced Persistent Threat groups are essentially covert or hidden hacker organizations that perform “attacks on a country’s information assets, critical infrastructure or other elements of national security or strategic economic importance. Standard methods used come down to cyber espionage, cyber warfare or cyber sabotage.” These groups are elusive, eminent, highly skilled, and very effective in achieving their objectives.
A good overview of well-known APT (Advanced Persistent Threats) groups can be found here.
What is an APT – Advanced Persistent Threat?
An advanced persistent threat (APT) refers to a stealthy threat actor, a nation-state, or a state-sponsored group. These groups typically gain unauthorized access to computer networks and can remain undetected for a very long period. Recently, non-state-sponsored groups have also started to conduct large-scale targeted cyber attacks. Many business sectors have reported multiple cyberattacks by such actors.
Penetration testing (aka pen testing) is a highly specialized skill and set of methods whereby a red team specialist runs, for example, a simulation of a cyber attack on your computer system. This is how we find exploits and vulnerabilities before ‘real’ hackers do.
Penetration testing is part of ethical hacking and is done to check the security of a computer system/network. It is NOT the same as a vulnerability assessment.
The purposes of pen-testing are multi-layered:
identify weaknesses & vulnerabilities
check if unauthorized users can access computer systems
evaluate the strong points of the system’s defenses
after a pen-test, a risk assessment needs to be done
Setting up a good cyber defense is about protecting your mission-critical assets. You have to be able to ensure business continuity after any type of cyber-attack and above all protect your data.
Counter-intelligence is synonymous with counter-espionage.
Counterintelligence will try to protect an agency’s intelligence program from an adversary intelligence service. Counterintelligence activities consist of:
gathering information on adversaries
conducting activities to prevent espionage
prevent acts of sabotage
prevent assassinations
prevent intelligence activities conducted by foreign powers, organizations, or private entities
Collective counterintelligence gathers intelligence on the adversary’s (the enemy’s) own intelligence-gathering capabilities.
Defensive counterintelligence will try to disable or hinder efforts by hostile intelligence services to penetrate one’s own intelligence service.
In general, private counterintelligence focuses on identifying and neutralizing ongoing active or passive security threats surrounding or targeting your organization or company.
Our AR INTELL Incident Response and Data Breach Investigations team is ready to assist you. When we perform an incident response operation we follow detailed procedures to handle the data breach or cyberattack, and we follow your company/organization’s policy in order to mitigate the consequences of the cyber-attack or data breach.
Your company’s data has leaked, you have been data-breached…
Just imagine that virtually everybody can download your confidential data and use it for all sorts of nefarious purposes. We have barely started to understand the different scenarios of data abuse that have resulted, and will result, from all these data breaches. We give you a few examples of these hellish scenarios…
In 2021 a number of major data breaches have occurred. Just a few pointers should be enough to highlight the seriousness of this topic:
the average cost per data breach is estimated to be over $150 million by 2021
the global yearly cost for data breaches is forecast to be $2.1 trillion.
during the first six months of 2018 more than 4.5 billion records were exposed via data breaches
in 2019, for example, 2.7 billion identity records were posted on the web
Numerous companies and organizations had their data leaked online; the security of cloud-based storage was either over-estimated, or security controls were not implemented. One wonders how all these data are being misused and will continue to be used against your interest or the interest of the company that collects and stores these data.
Examples of +50 huge data breaches with billions of records exposed online and offered for sale on the dark web
+Billion user accounts
ADULT VIDEO STREAMING WEBSITE CAM4 – MARCH 2020 – 10.88 BILLION RECORDS
YAHOO DATA BREACH – OCTOBER 2017 – 3 BILLION ACCOUNTS
AADHAAR DATA BREACH – MARCH 2018 – 1.1 BILLION PEOPLE
+500 Million users
FIRST AMERICAN FINANCIAL CORP. DATA BREACH – MAY 2019 – 885 MILLION USERS
VERIFICATIONS.IO DATA BREACH – FEBRUARY 2019 – 763 MILLION USERS
LINKEDIN DATA BREACH 2021 – JUNE 2021 – 700 MILLION USERS
YAHOO DATA BREACH 2014 – 500 MILLION ACCOUNTS
STARWOOD (MARRIOTT) DATA BREACH – NOVEMBER 2018 – 500 MILLION GUESTS
+200 Million users
ADULT FRIEND FINDER DATA BREACH – OCTOBER 2016 – 412.2 MILLION ACCOUNTS
MYSPACE DATA BREACH – JUNE 2013 – 360 MILLION ACCOUNTS
EXACTIS DATA BREACH – JUNE 2018 – 340 MILLION PEOPLE
TWITTER DATA BREACH 2018 – MAY 2018 – 330 MILLION USERS
NETEASE DATA BREACH – OCTOBER 2015 – 234 MILLION USERS
SOCIALLARKS DATA BREACH – JANUARY 2021 – 200 MILLION RECORDS
DEEP ROOT ANALYTICS DATA BREACH – JUNE 2017 – 200 MILLION U.S. VOTERS
COURT VENTURES DATA BREACH – OCTOBER 2013 – 200 MILLION PERSONAL RECORDS
Under 200 Million users
LINKEDIN DATA BREACH – JUNE 2012 – 165 MILLION USERS
DUBSMASH DATA BREACH – DECEMBER 2018 – 162 MILLION USERS
ADOBE DATA BREACH – OCTOBER 2013 – 152 MILLION
MYFITNESSPAL DATA BREACH – FEBRUARY 2018 – 150 MILLION USERS
EQUIFAX DATA BREACH – SEPTEMBER 2017 – 148 MILLION PEOPLE
EBAY DATA BREACH – FEBRUARY/MARCH 2014 – 145 MILLION USERS
CANVA DATA BREACH – MAY 2019 – 137 MILLION USERS
Unintentional data disclosure
A data breach is similar to a data leak. This is also called unintentional information disclosure, information spilling, or data spillage.
A data breach results from a cyberattack. In this instance, cybercriminals obtain unauthorized access to a computer system or network. As a result, your private data, sensitive documents, or other confidential data are stolen. These data often contain the personal and financial details of customers.
Thus, in the event of a data breach, the attacker will release your secure, private and confidential data onto the public internet, deep web, or dark web. This causes considerable immediate and long-term damage to your company or organization.
Ask yourself how you will prevent this type of damaging form of information leakage.
Which type of data could have been exposed?
employee information
trade secrets
intellectual property
usernames, email addresses
dates of birth, social security numbers
passwords, login credentials
cellphone numbers, fixed phone numbers
postal addresses, private addresses
passport numbers, I/C numbers, and other customer IDs
bank account numbers
credit card numbers
credit and debit accounts
e-commerce logins
IM chat content (WhatsApp, Messenger, and other systems)
online payment account information
exposed business and consumer data
social media profiles
data points on personal interests and individual preferences
Many variants of the response scenario are possible, but we think this should be the rough timeline of the actions to take when you have been hit by a data breach attack.
Did you ever think of doing a simulation? Prepare for the worst, hope for the best!
Who are the actors behind a data breach?
black hat hackers
hackers seeking personal gain
organized crime groups
political activists
nation-state hackers
APT groups
other adversaries
unknown cybercriminals
Data Breach Investigation
A data breach investigation will focus on the:
insider threat
outsider threat
interaction of both
After you have detected the data breach, the first step is to contain it using your Incident Response Plan. The second step is to minimize your direct losses. Immediately after that, intelligence gathering needs to start, and at that point a thorough investigation can be set up by our independent and experienced forensic investigators.
You can rest assured that we will find the source of the data breach, document the extent and effect of the data leak, and hopefully find the perpetrators.
Hence, as you can imagine, we need to investigate the details of what happened and understand the chronology (when). Later we will see why it happened, who did what, and how it was done (the methodology). Especially the lead-up to the events needs to be thoroughly documented. There is always trace evidence or a digital footprint.
timeline of the attack + life cycle of a data breach
profiling of insiders involved
profiling of external parties – suspects
summary of attack vectors
document mistakes, accidents, or misuse by staff or vendors
was this a targeted attack by malicious operators?
identify the attackers
determine the tools and methods used
status of the Intrusion Prevention / Detection System
observation of suspicious behavior
analysis of log-files
collection of breach-related data
conduct interviews with staff and vendors
document all discoveries
how to inform the affected parties?
Who are the targets for this type of cyber attack?
Essentially anybody who hosts a substantial amount of data online and/or offline can become the victim or target of a data breach. Common and popular candidates for data leaks are:
banks & financial institutions
legal firms
consulting agencies
most business corporations, but typically major corporations are prime targets
big hotels
businesses of specific importance
defense industry
computer data centers
governments
hospitals, medical facilities
healthcare organizations
social media companies
VPN providers
ISP – Internet Service Providers
Telecoms
cloud storage services
There is a good historical overview of major data breach incidents here. Do take note that many data breaches are never reported, because of confidentiality issues and probably regulatory requirements.
Why do a data breach investigation?
prevent future data breaches
understand what can be done with the stolen information
future risk mitigation and remediation
minimizing the current and future losses
successful containment strategy
100% disaster recovery
do a proper post-attack recovery
provide a good explanation to your customers about the data breach
deliberate exploitation of computer systems, technology-dependent enterprises, and networks
the use of malicious code to alter legitimate computer code, logic, or data (which does not belong to the attackers)
a digital exploit that results in disruptive consequences such as for example data-breaches
a cyberattack is related to all sorts of cybercrimes, data theft, and identity theft.
a cyber attack can be associated with cyber warfare or cyberterrorism
performed by APT groups, state actors, or independent operators / unknown organizations
You can read more about Cyber Attacks here:
CISCO
A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network. CISCO Cyber Attack Definition
CheckPoint
A cyber attack is an assault launched by cybercriminals using one or more computers against a single or multiple computers or networks. A cyber attack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks. Cybercriminals use a variety of methods to launch a cyber attack, including malware, phishing, ransomware, denial of service, among other methods. CheckPoint Cyber Attack Definition
In addition to cybercrime, cyber attacks can also be associated with cyber warfare or cyberterrorism, like hacktivists. Motivations can vary, in other words. And in these motivations, there are three main categories: criminal, political and personal. Cyber Attack – IBM Definition
Unisys
https://www.unisys.com/glossary/cyber-attack/
WikiPedia
“A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, society, or organizations, and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon.” Cyber Attack WikiPedia Definition
Crypto ransomware or encryptors will encrypt your files and data. You need a decryption key to access your data.
Lockers will lock you out of your computer. Files and applications are not accessible. The ransom demand is displayed via a lock-screen with a countdown clock.
Scareware claims false positives and requests money.
Doxware or leak-ware threatens to distribute your data online unless you pay.
RaaS (Ransomware as a Service) is a complex malware system that uses anonymous command and control centers to distribute ransomware & collect the ransom payment.
Red Flags of a potential Cyber Attack. Suspicious symptoms & indicators.
The red flags depend on the type of cyber attack. These are the first elements to investigate and keep track of.
what happened?
chronology of facts, incidents, based on verifiable and relevant reports
how did it happen? documentation of the cyber kill chain that was used.
what was the effect?
damage report, the current state of digital assets
did you notice anything beforehand? If not, why not?
early indicators, warning system.
what countermeasures did you (not) deploy?
are you listening to your staff & employees? what do they report?
can you detect a denial of service (DoS) and distributed denial of service (DDoS) attack?
Symptoms that you are under a cyber attack could include:
increase of pop-ups in browser windows
sudden crashes and/or stalling of systems
breach of computer network, data leaking out
too many users (IP numbers) on your network (as compared to your internal staff)
unknown processes and programs running on your computers
phishing emails & suspicious attachments
email hacking
malicious links in SMS or chat messages
suspicious and infected PDF files in WhatsApp messages
too many unknown contacts in your WhatsApp or messenger
software running in erratic ways
users resisting updating software and systems
social engineering attempts
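Two of the steps above, analysis of log-files to build the chronology and the symptom of too many source IPs on the network compared to your staff, can be illustrated with a small script. This is an added example, not AR INTELL’s code: it parses constructed sshd-style log lines, orders them into a timeline, flags a successful login from an address outside an assumed internal range (10.0.0.0/8), and counts distinct source IPs.

```python
from collections import Counter
from datetime import datetime
import ipaddress
import re

# Constructed sample syslog-style auth lines (not real data from any case).
SAMPLE_LOG = """\
2021-06-01T08:02:11Z sshd[2101]: Accepted password for alice from 10.0.1.15 port 50211
2021-06-01T08:15:42Z sshd[2117]: Failed password for root from 203.0.113.77 port 41002
2021-06-01T08:15:44Z sshd[2117]: Failed password for root from 203.0.113.77 port 41003
2021-06-01T08:15:47Z sshd[2118]: Accepted password for backup from 203.0.113.77 port 41010
2021-06-01T08:40:03Z sshd[2130]: Accepted publickey for bob from 10.0.1.22 port 50315
"""

# Assumed internal ranges; a real case takes these from the network inventory.
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

def parse_events(text):
    """Parse the lines that match and return them ordered by time (the chronology)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in other formats are skipped rather than guessed at
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def is_known(ip):
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_RANGES)

def flag_external_logins(events):
    """Red flag: successful login from outside the known ranges, with the failures seen first."""
    failures, flagged = Counter(), []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif not is_known(ev["ip"]):
            flagged.append((ev["ts"].isoformat(), ev["user"], ev["ip"], failures[ev["ip"]]))
    return flagged

def distinct_sources(events):
    """Number of different source IPs, to compare against the expected head count."""
    return len({ev["ip"] for ev in events})
```

On the sample data the external login as "backup" is reported together with the two failed root attempts that preceded it from the same address, which is exactly the lead-up the investigation timeline needs to document.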
Cyber Attack Investigation Process
This can be a very complex, time- and resource-consuming process. It’s not just a matter of checking the “most wanted” list of cybercriminals… Many times cyber attacks are done by trained cyber criminals or other bad actors, who are masters in obfuscation, misinformation, and disinformation techniques, which makes it hard or impossible to attribute a cyberattack to a specific person or group. In other words, it’s not simple or straightforward, which makes a professional independent cyberattack investigation even more valuable. It’s important to understand and document the “cyber kill chain”.
Action plan during a Cyber Attack Investigation
analysis and recovery of critical forensic data
investigate all networks & devices involved in the attack (enumeration, inventory)
determine how & when the interactions occurred
get a full understanding of what happened
understand why it happened
document when it happened – timeline and chronology
who performed the cyber attack?
how was the cyberattack done?
what was the cyber kill chain?
who are the primary and secondary victims?
did the countermeasures kick in?
was the cyber attack detected in time? if not, why not?
was there any internal involvement at play? (sabotage, insider threats?)
have the targeted digital assets been recovered?
did the recovery strategy and SOP work in reality?
what are the damages (short-term, mid-term, long-term)?
what is the total cost of the cyberattack?
how to prevent a future similar attack?
protection and detection to put in place
During and after a cyber-attack and/or cybercrime investigation we work closely together with: