Attackers are building big data warehouses of stolen credentials and PII
A new type of criminal is combining warehousing and selling stolen data including access credentials and PII that are targeted to specific markets, industries, companies, and purposes, according to the McAfee Labs 2016 Threat Predictions and McAfee Labs’ Director of Threat Intelligence, Christian Beek. McAfee has seen the hacker underground and dark markets moving in this direction over the past seven months, Beek asserts.
Attackers are applying a data warehousing and big data analytics business model to stolen data, increasing its value and the damage it can do. “Leveraging analytic techniques used in the world of big data, these criminals will look for links and correlations throughout their trove of stolen information, reverse engineering personal identities and selling that intelligence to the highest bidder,” according to the McAfee Labs 2016 Threat Predictions.
“This technique will enable thieves to circumvent commonly used techniques to verify identity—Social Security numbers, birthdates, last four digits of credit cards, or answers to typical security questions—and essentially sell legitimate credentials and make it more difficult for security defenses to identify suspicious behavior. Cybercriminals may even be able to use behavioral analytics to figure out what purchases can be made with stolen payment card info that will not trigger an alert,” the McAfee Labs 2016 Threat Predictions clarify.
Indicators of developing attacker data warehouses include the nature of the data offered for sale. “On one of the websites, we saw that you could ask for data and passwords by industry sector,” says Beek. Attackers are also swapping data from different breaches with each other so that they can build up stronger user profiles. “We see discussions in closed forums where one group is exchanging files with another group just to benefit each other’s operations in this way,” he affirms.
These warehouse approaches could grow, using the same kinds of analytics on harvested PII data that legitimate businesses do on their big data stores. They could identify patterns and create robust databases that connect information about the person’s place of employment with their personal profile and quickly reach far beyond the data that the criminal started with. “They could achieve a lot without ever noticeably breaching a company,” says Beek.
The threat, explains Beek, is that an attacker could fly under the radar, so to speak, and mimic the purchasing habits, login periods, and location of the user whose PII they have stolen so well that it would be very hard to detect it.
The more data an attacker already has about a user based on the information they purchased from one of these warehouses, the easier it will be for them to find and collect more user data, complete the user profile, and access anything that user touches.
Christian Beek, Director of Threat Intelligence, McAfee Labs
When attackers can get this information through the underground, they don’t have to go out on the Internet to get it, and they don’t end up creating a footprint that the enterprise can follow, Beek adds. Attackers could prepare in secret, launch a major attack the first time they strike, and the enterprise would not have any early warning signs in order to prepare.
Stay abreast of evolving standards across and within industries on how to protect PII. The ISO/IEC 27018:2014 standard, “Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” is a standard that leaves place for amendments and revisions as the landscape changes. The NIST Special Publication 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” covers determining, reducing the number of instances of PII you really need to store, where you need to store it, and how securely you should store it, says Beek.
Other standards include the DHS “Handbook for Safeguarding Sensitive Personally Identifiable Information”. The OMB, GSA, and other government organizations have PII rules and guidelines. PII standards exist within industries such as finance and healthcare and wherever industry and regulatory requirements demand them.
Adopt the fewest, most affordable security technologies, policies, and enforcements that together meet the broadest array of applicable standards. Then acquire one-off solutions for any unmet standards that remain.
Vendors continue to develop better obfuscation and encryption technologies and techniques for PII even as experts share their thought leadership in how to better leverage existing measures for securing PII. Security questions at logon time are one such measure that needs tweaking. “Enterprises need to obscure default security questions so that people’s answers are not easily retrieved from their public social media accounts or other readily available information,” says Beek.
Meanwhile, the party concerned can be clever with the answers they choose to use in response to those default sign-on queries. Try exchanging your answer to question A with your answer to question C, for example, and then memorize it. Attackers won’t get so far so fast when your pet’s name is ‘ChevySilverado’ and your first car was a ‘Mittens’. Likewise enterprises waiting for better PII security tomorrow should ensure today that any third-party vendor or enterprise customer who even might touch the PII that they are responsible for also enforces PII security measures that meet or exceed acceptable standards.