Data Breaches Today
Unless you’ve been hiding under a rock, external attacks focusing on data breaches are one of the most common threat vectors organizations are facing today. With cyber-criminal organizations focused on the highest payout possible for their efforts, the lure of exfiltrating hundreds of thousands of records containing credentials, personal information, or health data to be sold on the black market means the focus is on breaching your organization’s security and, ultimately, your data.
In 2017, over 174 million records were stolen as part of publicly acknowledged data breaches [1]. While that seems like a very large number, it is only the documented number of exposed records – the vast majority of breaches are reported with an unknown number of exposed records [1]. What makes this criminal activity more daunting is the fact that most exfiltrations of data are measured in minutes [2], while the discovery of data breaches is more often measured in terms of months or years [2].
IT organizations need a means by which to detect inappropriate access and activity quickly to avoid becoming a statistic.
Where does all this data reside?
In almost every industry vertical, servers remain the primary asset of choice for attacks [2], giving organizations a clear choice in where to place their preventative and protective efforts. When it boils down to it, attackers are looking for one thing – files. Files that contain data of value, which includes:
- Credit card or bank details
- Personal health information (PHI)
- Personally identifiable information (PII)
- Trade secrets of corporations
- Intellectual property
Depending on the business processes of the organizations being attacked, this data can reside in databases, office documents, files used as part of data transfer operations, and more – making files (and, therefore, file access) the focus of a data breach.
But, is it as simple as making a copy?
The Role of Files in a Data Breach
There are two distinct roles files play in the data breach process.
- The first of these is very obvious – the files (which can be databases) containing data of value are copied by attackers and are transferred externally by some form of file transfer. This is known as exfiltration.
- The second, and somewhat forgotten, is the manipulation of Operating System files and file systems to provide access to a given endpoint. Malware used to gain initial access to an endpoint often places (and, in some cases, replaces) files that are called upon bootup to maintain persistence. Additionally, certain techniques that involve the copying, replacing, and renaming of files are used to provide access to additional endpoints to facilitate lateral movement within your network.
You may be thinking you need a complex set of security solutions to identify and protect against a data breach – endpoint detection, firewalls, vulnerability protection, data loss prevention, SIEM solutions and more (all of which are important in an overall security strategy).
But, at the end of the day, the file system will be used as either a target or an asset to further malicious activity, making file auditing a key part of your data breach security strategy.
How to leverage file auditing to help spot and stop a Data Breach?
At its core, file auditing is simply the logging of every action taken against the file system. Copies, moves, reads, deletes, as well as changes to names, permissions, and ownership all can be logged, analyzed, and reported on. This is the basis of its usefulness in a data breach situation.
It should be noted that because file auditing usually exists as an Operating System level exercise (that is, the audit log records each action individually, as the OS sees it), the intelligence needed to see multiple file activities as a single action normally requires the use of third-party solutions.
There are two points within a data breach where file auditing can play a role – spotting the breach and stopping one.
Spotting a Data Breach with File Auditing
With a majority of data breaches not being discovered until well after the breach activity has ceased, the obvious goal is to reduce the time it takes to identify a breach.
Despite claims by security solutions to identify data breaches, two simple truths exist that apply to any exfiltration that involves lateral movement within the organization:
- The attacker MUST logon/authenticate at some point
- The attacker MUST access an endpoint’s file system
Logons can be viewed as a leading indicator to breach activity, with file access an indicator of present breach activity – which makes file auditing a viable part of your data breach protection strategy.
So, what should you be looking for?
In short, abnormal file activity. What that is, for your organization, needs to be determined by looking at the regular patterns of access around files with data of value. The same user accounts will largely access the same files, with the same regularity, during the same periods of day and days of week, from the same systems – so anything outside this should be considered potential red flags.
Some of the unusual activity aspects you should be looking for include:
- Frequency – Are files being accessed many more times than is normal? An unsure insider having second thoughts about stealing data may make several access attempts before finally taking data.
- Volume – Normal user access will likely revolve around an average daily use. The presence of mass copying, bulk deletion, or movement of data is worth looking into.
- Time – A user accessing data at 10pm on a Friday night who normally only accesses files Monday - Friday during business hours seems suspect.
- Source – Access from a machine outside the company network, or one that doesn't normally access a given set of files, can be a clear sign of improper use.
- Permissions – Attackers like to ensure persistence, both on endpoints and to data. The reassignment of permissions to accounts (those recently created in particular) is a tactic regularly used.
- Process – Attackers may use their own tools to exfiltrate data, so seeing processes other than Explorer, Word, etc. accessing files can indicate a problem.
File auditing, mixed with an ability to alert IT and Security teams of the presence of suspicious file access activity can easily put proper attention on what may equate to a data breach.
But spotting a breach – even minutes after it has occurred – may be a case of too little, too late. What IT organizations also need is an ability to stop a breach before damage is done.
Stopping a Data Breach with File Auditing
To get to a place where IT is stopping a breach, we first need to recognize that auditing is typically a reactive exercise. As with any auditing, the action in question must be taken, the OS must log the activity, and the auditing solution must trigger an alert based on the already-occurred action. So, it initially stands to reason that file auditing can't stop a data breach.
Or can it?
There is one clear way to stop a breach – spot it before the actual data theft takes place. Sounds easy enough. And there are ways file auditing can help stop a data breach, but it involves changing IT’s thinking about how they go about file auditing.
So, what can IT do to leverage file auditing to stop a data breach?
Changing file auditing from a reactive to proactive security measure involves three steps:
- Stop thinking about auditing only critical files – every IT organization does it: they identify the critical files and configure file auditing on those files only. That's like staring constantly at your one really expensive watch, unaware that someone is stealing everything else in your house. Once you're informed those files have been accessed, it may be too late.
- Start widening the auditing scope – Think like a hacker on this one. They don’t know where the “good data” is, so they’re going to be looking around a bit in an effort to identify data of value. Additionally, lateral movement activity (as previously mentioned) often requires the manipulation of OS files to provide the attacker proper access. File auditing that looks at OS-specific files, as well as a broader spectrum of data files (not just the “important” ones) will help to identify an attacker potentially before they find your data of value.
- Start using intelligence to identify suspicious behavior – Putting the previous two steps into action will generate an absolute ton of data to sort through. So, looking at single actions is only going to bury IT in the wave of audit data. What’s needed is an ability to leverage several of the access factors previously mentioned to spot suspicious file system activity well-before any access to data of value is achieved.
By putting these three steps into play, you effectively change file auditing from a reactive “they’ve already got our data” exercise, to one where IT is being notified of suspicious leading behavior (e.g. a user looking at many, many folders they normally don’t look at), empowering IT to temporarily disable the account and… well – stop the data breach before it happens.
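The following Python script is an added example, not code from the page or from any product it describes. It shows how the single-event indicators listed under "Spotting a Data Breach" (off-hours access, unfamiliar host, unusual process, permission changes, bulk activity) and the cross-event "leading behavior" of the three steps above (one account reading many folders it never normally touches, across a wide auditing scope) can both be scored from the same audit feed. The line format, the per-user baseline, the user, host, process and path names, and all thresholds are constructed assumptions; a real deployment would feed it OS audit records and derive the baseline from weeks of history.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed per-user baseline of "normal" access (invented names and paths).
# In practice this profile is learned from historical audit data, not typed in.
BASELINE = {
    "alice": {
        "hosts": {"WS-ALICE"},
        "hours": range(8, 19),            # 08:00-18:59 local time
        "weekdays": {0, 1, 2, 3, 4},      # Monday=0 ... Friday=4
        "processes": {"explorer.exe", "winword.exe", "excel.exe"},
        "folders": {r"\\fs01\finance\reports", r"\\fs01\finance\budgets"},
    },
}
# Accounts with no baseline are treated as if everything they do is new.
EMPTY_PROFILE = {"hosts": set(), "hours": range(8, 19), "weekdays": {0, 1, 2, 3, 4},
                 "processes": set(), "folders": set()}

# Constructed audit lines (assumed format, not a real OS log): time|user|host|process|action|path
# Friday 2017-06-09 at 22:14 an account reads five unfamiliar folders from an unknown
# host with an unfamiliar tool, then changes permissions on a file it normally uses.
SAMPLE_LOG = r"""
2017-06-06T09:12:00|alice|WS-ALICE|excel.exe|READ|\\fs01\finance\reports\q2.xlsx
2017-06-07T14:30:00|alice|WS-ALICE|winword.exe|WRITE|\\fs01\finance\budgets\fy18.docx
2017-06-09T22:14:05|alice|VPN-GW-02|archiver.exe|READ|\\fs01\hr\payroll\2017.xlsx
2017-06-09T22:14:09|alice|VPN-GW-02|archiver.exe|READ|\\fs01\hr\benefits\enrollment.csv
2017-06-09T22:14:12|alice|VPN-GW-02|archiver.exe|READ|\\fs01\legal\contracts\msa.pdf
2017-06-09T22:14:20|alice|VPN-GW-02|archiver.exe|READ|\\fs01\research\patents\draft.docx
2017-06-09T22:14:31|alice|VPN-GW-02|archiver.exe|READ|\\fs01\engineering\src\build.zip
2017-06-09T22:15:00|alice|VPN-GW-02|icacls.exe|PERMISSION_CHANGE|\\fs01\finance\reports\q2.xlsx
"""


def parse_event(line):
    """Split one audit line into a dict; the folder is the path minus its last component."""
    time, user, host, process, action, path = line.strip().split("|")
    return {"time": datetime.fromisoformat(time), "user": user, "host": host,
            "process": process, "action": action, "path": path,
            "folder": path.rsplit("\\", 1)[0]}


def score_event(event, profile):
    """Return the baseline deviations of a single event; an empty list means normal."""
    reasons = []
    t = event["time"]
    if t.hour not in profile["hours"] or t.weekday() not in profile["weekdays"]:
        reasons.append("off-hours")
    if event["host"] not in profile["hosts"]:
        reasons.append("unknown-host")
    if event["process"] not in profile["processes"]:
        reasons.append("unusual-process")
    if event["action"] in {"PERMISSION_CHANGE", "OWNER_CHANGE"}:
        reasons.append("permission-change")
    if event["folder"] not in profile["folders"]:
        reasons.append("outside-baseline-folder")
    return reasons


def max_burst(times, window_seconds):
    """Largest number of events falling inside any window_seconds span (sliding window)."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while (times[i] - times[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(lines, baseline, window_seconds=300, burst_threshold=5, recon_threshold=4):
    """Per-user summary combining single-event flags with cross-event leading behaviour."""
    per_user = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_event(line)
            per_user[event["user"]].append(event)
    report = {}
    for user, events in per_user.items():
        profile = baseline.get(user, EMPTY_PROFILE)
        reasons, flagged, recon = Counter(), 0, set()
        for event in events:
            hits = score_event(event, profile)
            if hits:
                flagged += 1
                reasons.update(hits)
            if "outside-baseline-folder" in hits:
                recon.add(event["folder"])       # breadth of unfamiliar folders = reconnaissance
        burst = max_burst([e["time"] for e in events], window_seconds)
        if burst >= burst_threshold:
            reasons["bulk-activity"] += 1
        # Many unfamiliar folders is the leading indicator worth acting on before data leaves.
        if len(recon) >= recon_threshold:
            verdict = "disable-and-investigate"
        elif reasons:
            verdict = "alert"
        else:
            verdict = "normal"
        report[user] = {"flagged_events": flagged, "reasons": reasons, "max_burst": burst,
                        "recon_folders": sorted(recon), "verdict": verdict}
    return report


if __name__ == "__main__":
    for user, summary in analyze(SAMPLE_LOG.splitlines(), BASELINE).items():
        print(user, summary["verdict"], dict(summary["reasons"]))
```

Run as-is, the two weekday events score as normal, while the Friday-night run produces six flagged events, a burst of six within five minutes, five folders outside the baseline and a permission change, so the account is reported as "disable-and-investigate" before any single "critical" file needs to be named. The recon threshold is what turns a wide auditing scope into an early warning rather than a pile of individual alerts.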
Getting a Handle on Data Breaches… Before and After They Happen
It’s a simple fact: those determined to steal data must access the files they wish to steal. It’s like your server’s most precious files are sitting in one of those clear bulletproof glass boxes in the middle of a large gallery with a light shining down on it. You know exactly where the thief needs to strike. But you want to catch the thief before they ever reach the box, so you need to watch the entire room.
File auditing – when done correctly – can be used to both identify a data breach (watching the glass box) as well as to potentially stop a breach (watching the room). It will require some changing in the way IT approaches the use of file auditing as part of a data breach security strategy, as well as the use of a third-party solution to provide the centralized monitoring and analysis of file activity data necessary to quickly and intelligently identify and report on potential breach activity.
[1] ITRC, 2017 Data Breach Report (2017)
[2] Verizon, Data Breach Investigations Report (2017)