Penetration testing (aka pen testing) is a highly specialized skill and set of methods whereby a red team specialist runs, for example, a simulated cyber attack on your computer system. This is how we find vulnerabilities and working exploits before ‘real’ hackers do.
Penetration testing is part of ethical hacking and is done to check the security of a computer system/network. It is NOT the same as a vulnerability assessment.
The purposes of pen-testing are multi-layered:
identify weaknesses & vulnerabilities
check if unauthorized users can access computer systems
evaluate the strong points of the system's defenses
after a pen-test, a risk assessment needs to be done
Our AR INTELL Incident Response and Data Breach Investigations team is ready to assist you. When we perform an incident response operation we follow detailed procedures to handle the data breach or cyberattack, and we follow your company's or organization's policy in order to mitigate the consequences of the cyber-attack or data breach.
Your company's data has leaked; you have been breached…
Just imagine that virtually everybody can download your confidential data and use it for all sorts of nefarious purposes. We have barely started to understand the different scenarios of the data abuse that will and has resulted from all these data breaches. We give you a few examples of these hellish scenarios…
A number of major data breaches occurred as recently as 2021. A few pointers should be enough to highlight the seriousness of this topic:
the average cost per data breach is estimated to exceed $150 million by 2021
the global yearly cost of data breaches is forecast to reach $2.1 trillion
during the first six months of 2018, more than 4.5 billion records were exposed via data breaches
in 2019, 2.7 billion identity records were posted on the web
Numerous companies and organizations had their data leaked online; the security of cloud-based storage was either over-estimated, or security controls were not implemented. One wonders how all these data are being misused, and will continue to be used against your interests or those of the company that collects and stores them.
Examples of +50 huge data breaches with billions of records exposed online and offered for sale on the dark web
1 billion+ user accounts
ADULT VIDEO STREAMING WEBSITE CAM4 – MARCH 2020 – 10.88 BILLION RECORDS
YAHOO DATA BREACH – OCTOBER 2017 – 3 BILLION ACCOUNTS
AADHAAR DATA BREACH – MARCH 2018 – 1.1 BILLION PEOPLE
500 million+ users
FIRST AMERICAN FINANCIAL CORP. DATA BREACH – MAY 2019 – 885 MILLION USERS
VERIFICATIONS.IO DATA BREACH – FEBRUARY 2019 – 763 MILLION USERS
LINKEDIN DATA BREACH 2021 – JUNE 2021 – 700 MILLION USERS
YAHOO DATA BREACH 2014 – 500 MILLION ACCOUNTS
STARWOOD (MARRIOTT) DATA BREACH – NOVEMBER 2018 – 500 MILLION GUESTS
200 million+ users
ADULT FRIEND FINDER DATA BREACH – OCTOBER 2016 – 412.2 MILLION ACCOUNTS
MYSPACE DATA BREACH – JUNE 2013 – 360 MILLION ACCOUNTS
EXACTIS DATA BREACH – JUNE 2018 – 340 MILLION PEOPLE
TWITTER DATA BREACH 2018 – MAY 2018 – 330 MILLION USERS
NETEASE DATA BREACH – OCTOBER 2015 – 234 MILLION USERS
SOCIALLARKS DATA BREACH – JANUARY 2021 – 200 MILLION RECORDS
DEEP ROOT ANALYTICS DATA BREACH – JUNE 2017 – 200 MILLION U.S. VOTERS
COURT VENTURES DATA BREACH – OCTOBER 2013 – 200 MILLION PERSONAL RECORDS
Under 200 million users
LINKEDIN DATA BREACH – JUNE 2012 – 165 MILLION USERS
DUBSMASH DATA BREACH – DECEMBER 2018 – 162 MILLION USERS
ADOBE DATA BREACH – OCTOBER 2013 – 152 MILLION
MYFITNESSPAL DATA BREACH – FEBRUARY 2018 – 150 MILLION USERS
EQUIFAX DATA BREACH – SEPTEMBER 2017 – 148 MILLION PEOPLE
EBAY DATA BREACH – FEBRUARY/MARCH 2014 – 145 MILLION USERS
CANVA DATA BREACH – MAY 2019 – 137 MILLION USERS
Unintentional data disclosure
A data breach is similar to a data leak, which is also called unintentional information disclosure, information spilling, or data spillage.
A data breach results from a cyberattack in which cybercriminals obtain unauthorized access to a computer system or network. As a result, your private data, sensitive documents, or other confidential data are stolen. These data often contain the personal and financial details of customers.
In the event of a data breach, the attacker releases your secure, private and confidential data onto the public internet, deep web, or dark web. This causes considerable immediate and long-term damage to your company or organization.
Ask yourself how you will prevent this damaging form of information leakage.
Which type of data could have been exposed?
employee information
trade secrets
intellectual-property
usernames, email addresses
date of birth, social security numbers
passwords, login credentials
cellphone numbers, landline numbers
postal addresses, private addresses
passport number, I/C numbers, and other customer IDs
bank account numbers
credit card numbers
credit and debit accounts
e-commerce logins
IM chat content (WhatsApp, Messenger, and other systems)
online payment account information
exposed business and consumer data
social media profiles
data points on personal interests and individual preferences
Many variants of the response scenario are possible, but we think this should be the rough timeline of the actions to take when you have been hit by a data breach.
Did you ever think of doing a simulation? Prepare for the worst, hope for the best!
Who are the actors behind a data breach?
black hat hackers
hackers seeking personal gain
organized crime groups
political activists
nation-state hackers
APT groups
other adversaries
unknown cybercriminals
Data Breach Investigation
A data breach investigation will focus on the:
insider threat
outsider threat
interaction of both
After you have detected the data breach, the first step is to contain it using your Incident Response Plan. The second step is to minimize your direct losses. Intelligence gathering then needs to start immediately, and at that point a thorough investigation can be set up by our independent and experienced forensic investigators.
You can rest assured that we will find the source of the data breach, document the extent and effect of the data leak, and hopefully identify the perpetrators.
Hence, as you can imagine, we need to investigate the details of what happened and establish the chronology (when). Later we will establish why it happened, who did what, and how it was done (the methodology). The lead-up to the events in particular needs to be thoroughly documented. There is always trace evidence or a digital footprint.
timeline of the attack + life cycle of a data breach
profiling of insiders involved
profiling of external parties – suspects
summary of attack vectors
document mistakes, accidents, or misuse by staff or vendors
was this a targeted attack by malicious operators?
identify the attackers
determine the tools and methods used
status of the Intrusion Prevention / Detection System
observation of suspicious behavior
analysis of log-files
collection of breach-related data
conduct interviews with staff and vendors
document all discoveries
how to inform the affected parties?
Who are the targets for this type of cyber attack?
Essentially anybody who hosts a substantial amount of data online and/or offline can become the victim or target of a data breach. Common and popular candidates for data leaks are:
banks & financial institutions
legal firms
consulting agencies
most business corporations, but typically major corporations are prime targets
big hotels
businesses of specific importance
defense industry
computer data centers
governments
hospitals, medical facilities
healthcare organizations
social media companies
VPN providers
ISP – Internet Service Providers
Telecoms
cloud storage services
There is a good historical overview of major data breach incidents here. Note that many data breaches are never reported, because of confidentiality issues and probably regulatory requirements.
Why do a data breach investigation?
prevent future data breaches
we try to understand what can be done with the stolen information
future risk mitigation and remediation
minimizing the current and future losses
successful containment strategy
100% disaster recovery
do a proper post-attack recovery
provide a good explanation to your customers about the data breach
deliberate exploitation of computer systems, technology-dependent enterprises, and networks
the use of malicious code to alter legitimate computer code, logic, or data (which does not belong to the attackers)
a digital exploit that results in disruptive consequences such as for example data-breaches
a cyberattack is related to all sorts of cybercrimes, data theft, and identity theft.
a cyber attack can be associated with cyber warfare or cyberterrorism
performed by APT groups, state actors, or independent operators / unknown organizations
You can read more about Cyber Attacks here:
CISCO
A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network. CISCO Cyber Attack Definition
CheckPoint
A cyber attack is an assault launched by cybercriminals using one or more computers against a single or multiple computers or networks. A cyber attack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks. Cybercriminals use a variety of methods to launch a cyber attack, including malware, phishing, ransomware, denial of service, among other methods. CheckPoint Cyber Attack Definition
IBM
In addition to cybercrime, cyber attacks can also be associated with cyber warfare or cyberterrorism, like hacktivists. Motivations can vary, in other words. And in these motivations, there are three main categories: criminal, political and personal. Cyber Attack – IBM Definition
Unisys
https://www.unisys.com/glossary/cyber-attack/
WikiPedia
“A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, society, or organizations, and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon.” Cyber Attack WikiPedia Definition
Red Flags of a potential Cyber Attack. Suspicious symptoms & indicators.
The red flags depend on the type of cyber attack. These are the first elements to investigate and keep track of.
what happened?
chronology of facts, incidents, based on verifiable and relevant reports
how did it happen? documentation of the cyber kill chain that was used.
what was the effect?
damage report, the current state of digital assets
did you notice anything beforehand? If not, why not?
early indicators, warning system.
what countermeasures did you (not) deploy?
are you listening to your staff & employees? what do they report?
can you detect a denial of service (DoS) and distributed denial of service (DDoS) attack?
Symptoms that you are under a cyber attack could include:
increase of pop-ups in browser windows
sudden crashes and/or stalling of systems
breach of computer network, data leaking out
too many users (IP addresses) on your network (as compared to your internal staff)
unknown processes and programs running on your computers
phishing emails & suspicious attachments
email hacking
malicious links in SMS or chat messages
suspicious and infected pdf-files in WhatsApp messages
too many unknown contacts in your WhatsApp or messenger
software running in erratic ways
users resisting updating software and systems
social engineering attempts
Cyber Attack Investigation Process
This can be a very complex, time-consuming and resource-consuming process. It’s not just a matter of checking the “most wanted” list of cybercriminals… Many cyber attacks are carried out by trained cyber criminals or other bad actors who are masters of obfuscation, misinformation, and disinformation techniques, which makes it hard or impossible to attribute a cyberattack to a specific person or group. In other words, it is neither simple nor straightforward, which makes a professional independent cyberattack investigation even more valuable. It’s important to understand and document the “cyber kill chain”.
Action plan during a Cyber Attack Investigation
analysis and recovery of critical forensic data
investigate all networks & devices involved in the attack (enumeration, inventory)
determine how & when the interactions occurred
get a full understanding of what happened
understand why it happened
document when it happened – timeline and chronology
who performed the cyber attack?
how was the cyberattack carried out?
what was the cyber kill chain?
who are the primary and secondary victims?
did the countermeasures kick in?
was the cyber attack detected in time? if no detection, why not?
was there any internal involvement at play? (sabotage, insider threats?)
have the targeted digital assets been recovered?
did the recovery strategy and SOP work in reality?
what are the damages (short-term, mid-term, long-term)?
what is the total cost of the cyberattack?
how to prevent a future similar attack?
protection and detection to put in place
During and after a cyber-attack and/or cybercrime investigation we work closely together with:
May 9, 2022 “Ransomware gangs are “alarmingly similar” to legitimate organizations with their management structures and HR policies, and there is a clear logic to the way to target companies that they are certain would pay for the ransom to decrypt their data, a new report by Check Point Research” News-Link on Ransomware Gangs
Conti Cybercrime Gang
May 08, 2022. “The U.S. State Department has announced rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang.” >> News-Link on Conti cybercrime gang
College shuts Down after Ransomware Attack
May 09, 2022 “A university that originally opened its doors the same year that the American Civil War ended will shut down later this month. Lincoln College administrators have put the blame on a ransomware attack, which they say hindered admissions and fundraising activities during a period when the school was already struggling.” >> News-Link: Ransomware Closes College Permanently
The threat of ransomware has grown over the years. Millions of organizations and companies have been hacked. The costs amount globally to billions of USD and the number of future ransomware cases is projected to rise even more.
Ransomware is now a very common tool used by attackers. Organized crime groups and criminal ransomware gangs use targeted ransomware attacks which can cost organizations millions of dollars. Besides that, your data might still appear on the dark web in data breaches, even when you have paid… Getting back on your feet will require many days, if not weeks or months, to have your computers working again and regain full access to your servers and data.
Is your company & customer data protected from ransomware?
ransomware attackers can threaten to publish the victim’s personal data online
ransomware can block access to your device until you pay the ransom fee
ransomware will extort the victim (extortion attack)
ransomware will publish your files on the dark web if you don’t pay or cooperate
Do you want to pay the ransom?
The tracking and prosecution of suspects can prove to be a challenge, since cybercriminals use cryptocurrency to collect the ransom fee (difficult to trace) and use other techniques to remain anonymous.
The main types of ransomware are:
Encrypting ransomware
Non-encrypting ransomware
Data Exfiltration ransomware
Crypto ransomware or encryptors will encrypt your files and data. You need a decryption key to access your data.
Lockers will lock you out of your computer. Files and applications are not accessible. The ransom demand is presented via a lock-screen with a countdown clock.
Scareware falsely claims that your system is infected and demands money.
Doxware or leak-ware threatens to distribute your data online unless you pay.
RaaS (Ransomware as a Service) is a complex malware system that uses anonymous command and control centers to distribute ransomware & collect the ransom payment.
Most ransomware infections are spread via phishing emails, or by attachments with fake invoices or other deceiving fake information. Be careful what you click on, be careful which attachment you open.
Whatever type of cybersecurity measures you have in place, no system is perfect and humans are not perfect. Neither are computer systems. Hence a good risk management strategy must start with a ransomware risk assessment.
This is where AR INTELL can assist you with a ransomware investigation.
Malware can hide at many levels in your IT systems. It is difficult to pinpoint the symptoms of infection due to the obfuscated nature of malware and the different methods it uses. It is important to look at all the places where malware is hiding.
First, we perform malware analysis, which is the process of understanding the behavior and purpose of a suspicious file or web link. In stage two we proceed with detection and deal with the threat itself.
This is important for the incident responders and the cyber security team.
Identity theft can be defined as the crime of obtaining the personal or financial information of another person and using their identity to commit fraud. There are many types of identity theft. The target is mostly your credit, your money and your real-life reputation. Identity thieves, privacy hackers and cyber criminals increasingly use computer technology to obtain your personally identifiable details (PID).
Different types of identity theft:
Financial identity theft
Social Security identity theft
Medical identity theft
Synthetic identity theft
Child identity theft
Tax identity theft
Criminal identity theft
How to prevent identity theft?
Have you put your company or personal identity online? If so did you consider privacy and security? There are many things to consider today.
Our cybercrime investigators will recover forensic evidence from any digital device. We also consult many online resources, the dark web, and the deep web. This collective information is then preserved for later use and analysis.
What is Cyber Security?
The term Cyber Security is related to (or synonymous with) computer security, or information technology security (IT security). Both aim to protect computer systems and computer networks from information disclosure, and from theft of or damage to computer hardware, networking devices, software, or electronic data. Companies and organizations regularly suffer disruption or misdirection of their services. Cyber security teams are tasked with the investigation, mitigation, and prevention of these cyber nuisances.
AR INTELL can also assist you in defending your computers, server architecture, mobile devices, diverse electronic systems, computer networks, and data from malicious cyber attacks.
There are many different security categories to look at:
Network security: protect your network from intruders, targeted attacks, or malware.
Application security: keep software and devices clean and uncompromised.
Cyber crime investigators thus assist in the collection of crucial evidence. We help you solve or understand specific cyber crimes, document what the cyber kill chain was and how it all happened, and advise what you can do to prevent the same occurrences in the future. This is called cyber risk mitigation.
Is your security posture weak or strong?
Always check your cybersecurity posture and apply proper Security Risk Management practices. It’s not just your computers, smartphones, etc., that you need to check but also the human element, the insider threat. Regular threat assessments are needed to develop actionable threat intelligence. Be aware of social engineering schemes as well.
Cyber Attack Types
Are Cyber Criminals targeting you?
Be aware of different types of cyberattacks by cybercriminal groups, criminal hackers, APT Groups (Advanced Persistent Threats), organized crime operators, ransomware gangs, global adversaries, cyber terrorists, and other bad actors.