Ransomware gets all the fanfare because successful attacks lock victims out of their vital systems. The business interruption coupled with the large sums of money hackers require make these events front-page news and difficult for the victim to hide. Victims then have to do a comprehensive restoration of their network to ensure the threat actor no longer has access.
In some breaches the data is exfiltrated but the environment is never encrypted. Make no mistake: Disaster recovery is necessary in this case, too.
According to cyber insurer Beazley, data exfiltration was involved in 65% of its cyber extortion incidents in the first quarter of 2022. Without the business interruption component of ransomware, the overwhelming majority of data exfiltration cases never make it to news outlets.
This is also common in nation-state attacks, which have picked up since Russia invaded Ukraine. A recent Microsoft report found that Russian intelligence agencies have increased network penetration and espionage efforts targeting Ukraine and its allies. The report calls for “a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations.”
This highlights why ransomware isn’t the only threat worthy of cleansing an environment. Regardless of whether it was just data exfiltration, it’s critical to gather data forensics and have a disaster recovery partner use the report — including details of how the threat actor gained access and compromised the network — to inform how it builds a new, clean environment.
If a threat actor has gained access to an environment, it should be considered “dirty.” Even if it hasn’t been encrypted, it is vital that the environment be recovered so it is better protected the next time a threat actor attempts to breach it.
Let’s dive deeper into four common misconceptions about data exfiltration events and why victims should take them as seriously as a ransomware attack.
IT = security
Executives often think that IT is synonymous with security, but in reality, the function of IT is to enable the business functions that create revenue. The misconception misplaces pressure on the IT team and creates a security gap where the board of directors doesn’t get the insight it needs and the security team doesn’t get the direction it needs.
Too often, we see security teams lack a senior officer and instead report to IT directors. That’s like having a defensive coordinator report to the offensive coordinator, who reports to the head coach. Which side of the football team do you think gets to spend more in free agency in that scenario?
Organizations can solve this by having a chief information security officer (CISO) who works with the IT team but reports to the board and explains the risk to the executives so they can decide what their risk appetite is. The more that security professionals can quantify their risk, the better the chance that boards will understand what’s at stake and act accordingly.
We’ve got coverage
Security shouldn’t be an afterthought. For instance, some small and mid-sized businesses don’t have the budget to support substantial security investments and mistakenly believe that having cyber insurance is an acceptable substitute.
Threat actors are smart enough to do reconnaissance on which organizations have coverage and actually read their policies to understand how much would be covered in a ransom payment. This tells them exactly how much they can demand to force the victim’s hand.
Insurers are mandating new controls like multifactor authentication (MFA) or endpoint detection and response to temper their risk in covering clients. However, this isn’t foolproof and can be just another box for a company to check when it’s looking to get coverage.
For instance, if you purchase an endpoint protection tool but don’t properly deploy it or configure it to the insurer’s specifications, it won’t safeguard your data. According to Beazley, organizations are more than twice as likely to experience a ransomware attack if they have not deployed MFA.
We’re still operational, so we’re fine
If a victim hasn’t been locked out, it’s tempting to try to conduct business as normal and ignore what just happened to the network. What those victims don’t realize is — if they don’t cleanse their environment — the threat actors still have command and control capability.
A company that takes cybersecurity seriously is going to call its insurer and enlist the help of a digital forensics and incident response (DFIR) partner to analyze indicators of compromise and build a new, clean, secure IT environment.
A good DFIR partner can work on a normal maintenance schedule and cleanse your network in phases during your offline hours and weekends to minimize the impact on your production environment and keep the threat actors out.
Lightning won’t strike twice
Many victims don’t understand how bad their data breach was. They assume that, since they weren’t encrypted, they can make minor changes to their firewall and believe they’ll be more secure moving forward.
That simply isn’t enough action to take. According to Cymulate’s recent Data Breaches Study, 67% of cybercrime victims within the last year have been hit more than once. Nearly 10% experienced 10 or more attacks!
Threat actors publish and sell data on the dark web, and if you aren’t sure how they got in to begin with and you don’t build a new, clean environment … well, you can probably guess what happens next. They’re going to come back into your network and they’re going to attack harder than they did before.
Victims of data exfiltration need to understand how real that threat is, take a close look at their network, and deploy the proper defenses to keep threat actors out. The cost of inaction could be devastating.
Heath Renfrow is cofounder of Fenix24.