Find and Access Sensitive Data

Mohan reddy
Redteam & Blueteam Series
8 min read · May 4, 2020

Ransomware, insider threat and denial of service are considered the top threats to sensitive data by the recent SANS Data Protection Survey. User credentials and privileged accounts were the data types most commonly involved in breaches; to attackers they are just as desirable as the "sensitive" data targeted for financial gain or destruction. Organizations need to reduce risk by first understanding their sensitive data, how it flows and where it resides, as well as the threats to that data. With this knowledge, they can establish the appropriate controls that support the organization's business operations and then identify technologies to reinforce data protection policies and procedures.

Red Team: Attack vectors and Techniques

As part of their normal workflow, employees store sensitive corporate data in many places, usually unaware of the security or compliance risk this may create for their organization. When assessing data value, data stored on removable media and on unmanaged user-owned or organization-owned endpoints matters as much as the major, regularly stored data. Let's look at the industries most commonly targeted by cyber-attacks:

1. Banking and Finance

2. Government

3. HealthCare

4. Technology

Once attackers have significant control over the target environment, they try to find and access the kinds of sensitive information listed below.

  • User login ids and passwords
  • Privileged accounts
  • Personal information
  • Intellectual property
  • Human resources/Employee data
  • Financial data
  • Medical information
  • Other

Compromise of user names and passwords is a clear vector in preparing to acquire other sensitive data, including personally identifiable information, corporate records and intellectual property.

In short, all of the above can be grouped into four classes.

  • Personally identifiable information or PII (e.g. Social Security numbers, phone numbers, home addresses, etc.)
  • Protected health information or PHI (e.g. patient diagnoses, medical treatments, etc.)
  • Card holder data or CHD (e.g. credit card numbers, debit card numbers, bank accounts, etc.)
  • Confidential data (e.g. financial records, business plans, top secret documents, source code, trading algorithms, etc.)

In recent times, the Marriott International data breach exposed both PII and CHD.

Insider trading info — This also falls under confidential data; leakage of it directly impacts the organisation's income from its market value, which depends entirely on investors and promoters remaining confident about the business prospects. Such insider activity more often than not leads to changes in stock prices. The recent YES BANK crisis is an example, although SEBI placed some restrictions on investors to prevent a complete downfall.

A combination of malicious insider and unintentional insider vectors could cause the most damage, especially since detection (and subsequent protection) is still not as effective as it should be. For example, the 2017 Verizon Data Breach Investigations Report attributes 81% of hacking-related breaches to stolen and/or weak passwords.

From the attacker's perspective, the next step is to determine where the data sits within the IT infrastructure. There are two high-level ways data is stored within an organization:

  • Structured repositories: Data is organized into structured repositories, such as relational databases, that are typically supported and controlled by the IT organization. Eg: Mail servers, File servers, Database servers and Code repositories.
  • Unstructured repositories: Data is generally end-user driven and stored in less controlled repositories such as network shares, SharePoint sites and workstations.

Threats involved in finding and accessing sensitive data

Spyware — A type of malware that aims to gather information about a person or organization without their knowledge and send it to another entity without the user's consent.

Keyloggers — Software programs or hardware devices that record keyboard activity (keys pressed) in order to capture your private information.

File Sharing Applications — The threat posed by file sharing, or peer-to-peer, applications manifests itself in a number of ways. These programs are often configured by default to share the contents of common document and media folders without requiring any interaction by the user. This frequently catches people by surprise when they discover that their sensitive documents are available for download by other users.

Unencrypted Sessions — Network sessions that are not protected by any form of encryption. If an attacker can place a device in the path, they can capture the data as it passes through that device on its way to the destination. Another possibility is to use malware or a technique like ARP spoofing or DNS cache poisoning to make a computer route its packets through a device controlled by the attacker.

ARP spoofing is limited to the hosts on a local network and pretty much can only be used to sniff packets or conduct man-in-the-middle and denial-of-service attacks. DNS cache poisoning, by comparison, is not only capable of those same types of attacks, but can also be used to spread malware and phish for user data, such as credentials. It can be very difficult for victims to determine when these types of attacks are occurring.

Session Hijacking — Session hijacking is a type of attack where a malicious user takes over an existing session from a legitimate user.

Many web applications protect their login pages with SSL to safeguard account credentials from sniffing, but do not protect other parts of the site after the user has authenticated.

If encryption is not used for the entire session, and the session cookie is not marked with the Secure flag, the cookie is sent back to the server in clear text as part of every later request from the user's client, and anyone capable of capturing the packet traffic can obtain it. Cross-site scripting vulnerabilities in web applications, where attackers take advantage of unverified inputs in web pages to inject their own code, provide another way to capture a session cookie. This exploit, which does not even require the ability to intercept network traffic, allows the attacker to instruct the user's browser to return a copy of the session cookie.
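As an added example (not code from the original post), here is a small audit that checks the Set-Cookie headers of a response for the protections the paragraph above describes: the Secure flag (prevents clear-text transmission), HttpOnly (stops injected script from reading the cookie) and SameSite (keeps it off cross-site requests). The sample headers are constructed for the demo and the cookie names in them are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample response headers for the demo (not captured from any
# real site): one cookie carries all three protections, the others do not.
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: csrftoken=xyz789; Path=/; Secure",
    "Content-Type: text/html",
]


@dataclass
class CookieReport:
    name: str
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into the cookie name and a map of
    lower-cased attribute names to values ('' for bare flags)."""
    prefix = "set-cookie:"
    if header.lower().startswith(prefix):
        header = header[len(prefix):]
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(header: str) -> CookieReport:
    """Flag the attributes whose absence lets a session cookie be stolen."""
    name, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    if "secure" not in attrs:
        report.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by script injected via XSS")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return report


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response; other headers are ignored."""
    return {
        r.name: r.findings
        for r in (audit_cookie(h) for h in headers if h.lower().startswith("set-cookie:"))
    }


if __name__ == "__main__":
    for cookie, problems in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the headers of a real response (for example, copied from the browser's network panel) by replacing SAMPLE_HEADERS; any cookie that carries a session identifier should come back with an empty findings list.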

Data Left Behind — User activity often results in temporary data being created or stored on a computer. For instance, the common task of browsing the web may result in the creation of and modification to a number of files that may remain on the machine for some length of time. Cached files and cookies are two examples of files that are commonly created from browsing web sites. Cookies in particular may contain sensitive session information or other personal data related to the user's visit to a site. Improperly configured sites may not instruct the browser to avoid caching specific pages, which can lead to sensitive data being stored in the cache folder. Additionally, many browsers keep track of the sites visited by users with history and favorites databases. Any future users of the computer may have access to this information.

Document editing software often creates temporary copies of opened documents. Many applications, after experiencing an error, will create event log entries that could contain user data. Even system event logs will usually detail at a minimum when users log in and out.

The threats explained above deal with data in its various states, namely data in motion, data in use and data at rest.

PowerView has a lot of useful modules for finding data on the network:

i) Invoke-ShareFinder # Finds (non-standard) shares on hosts in the local domain

ii) Invoke-FileFinder # Finds potentially sensitive files on hosts in the local domain

On Linux, find does the same job:

• find / -type f -perm -o=r \( -name "*.conf" -o -name id_rsa \) 2>/dev/null # World-readable files

• find / -perm -u=s -type f 2>/dev/null # setuid executables
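The same two checks, written as a scheduled audit a blue team can run rather than a one-off search, as an added example that is not code from the original post. It walks a tree the way the find commands above do (world-readable files with sensitive names, setuid executables) and diffs the setuid inventory against a stored baseline so a newly appeared setuid binary raises an alert. The name patterns and the sample directory tree are assumptions constructed for the demo.

```python
import fnmatch
import os
import stat
import tempfile
from typing import Dict, Iterator, List, Set, Tuple

# Name patterns that commonly hold secrets or credentials. This list is an
# assumption for the example; extend it with your own conventions.
SENSITIVE_NAME_PATTERNS = ["*.conf", "id_rsa", "*.pem", "*.key", ".env"]


def _is_sensitive_name(name: str) -> bool:
    return any(fnmatch.fnmatch(name, pattern) for pattern in SENSITIVE_NAME_PATTERNS)


def _walk_regular_files(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, stat) for every regular file below root, skipping entries
    that cannot be stat'ed, which is what 2>/dev/null hides for find."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st


def find_world_readable_sensitive(root: str) -> List[str]:
    r"""Equivalent of: find ROOT -type f -perm -o=r \( -name "*.conf" -o -name id_rsa \)"""
    return sorted(
        path for path, st in _walk_regular_files(root)
        if st.st_mode & stat.S_IROTH and _is_sensitive_name(os.path.basename(path))
    )


def find_setuid_files(root: str) -> List[str]:
    """Equivalent of: find ROOT -perm -u=s -type f"""
    return sorted(path for path, st in _walk_regular_files(root) if st.st_mode & stat.S_ISUID)


def setuid_drift(baseline: Set[str], current: List[str]) -> Dict[str, List[str]]:
    """Compare today's setuid inventory with a stored baseline; anything in
    'added' is a new privilege boundary that deserves an alert and a review."""
    now = set(current)
    return {"added": sorted(now - baseline), "removed": sorted(baseline - now)}


def relative_paths(root: str, paths: List[str]) -> List[str]:
    return [os.path.relpath(p, root) for p in paths]


def make_sample_tree() -> str:
    """Create a constructed directory tree in a temp dir so the audit runs
    offline; the files hold dummy text, not real keys or binaries."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    layout = {
        "etc/app.conf": 0o644,            # config readable by everyone
        "home/u/.ssh/id_rsa": 0o600,      # key locked down correctly
        "home/u/.ssh/backup.pem": 0o644,  # key copy left world-readable
        "home/u/notes.txt": 0o644,        # world-readable but not a sensitive name
        "usr/bin/tool": 0o4755,           # setuid executable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    print("world-readable sensitive:", relative_paths(root, find_world_readable_sensitive(root)))
    setuid = find_setuid_files(root)
    print("setuid:", relative_paths(root, setuid))
    print("drift vs empty baseline:", setuid_drift(set(), setuid))
```

In production, point the two finders at "/" and persist the setuid list from a known-good build as the baseline; the audit is then cheap enough to run from cron and to feed into the SIEM.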

BLUE TEAM: Detective and Preventive Controls

The first step in determining how to protect sensitive data is understanding the threat associated with each.

Endpoint & Network Level

For users considering working with data remotely, there are two things to understand about man-in-the-middle attacks. First, public wireless networks present a great opportunity for those interested in conducting man-in-the-middle attacks, as it is relatively easy for an attacker to set up a rogue access point that looks legitimate and wait for users to join. This sets up part of the attack, wherein the user connects to a device controlled by the attacker and the attacker is able to intercept the user's traffic. Second, any application that does not do an adequate job of verifying the identity of a remote host when setting up a session is vulnerable to this type of attack.

  • Virtual Private Networks — Defends against: Session hijacking, Unencrypted sessions
  • Secure Shell (SSH) Tunneling — Defends against: Session hijacking, Unencrypted sessions

When securing the data, we must focus on 3 levels:

a) Data in motion — Focus on Perimeter Security, Network Monitoring, Internet access control, Data collection and exchange with 3rd parties, Use of Instant messaging, Secured remote access to the company

b) Data in use — Focus on Privileged user monitoring, inappropriate usage/access monitoring, Export/Save restrictions.

c) Data at rest — Focus on Endpoint security, disk encryption, Mobile device protection, Physical media control.

Technologies like DLP, Proxy Servers, Content filters, secure email, secure FTP, secure APIs, Encrypted remote access, workstation restrictions on IM apps — all these can be implemented for data in motion.

Endpoint DLP Technology, application controls, SIEM monitoring, Data redaction tools — all these can be implemented for data in use.

Endpoint DLP Technology, Full disk encryption tools, Workstation restrictions, Preventing use of Data wiping software — all these can be implemented for data at rest.
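DLP appears in all three lists above, so here is an added example (not code from the original post) of the content-inspection core that an endpoint or network DLP applies to data in use and at rest: it scans text for the PII and CHD classes defined earlier in the post, using a Luhn check to drop digit strings that merely look like card numbers. The sample document is constructed for the demo; the card number in it is the widely published Visa test PAN, not a real account.

```python
import re
from typing import Dict, List

# Formatted US Social Security number; the lookaheads reject area, group and
# serial values that are never issued, which removes many false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single spaces or dashes between them: a candidate PAN.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample document for the demo (not real customer data). The first
# card number is the standard Visa test PAN; the second differs by one digit
# and must fail the Luhn check.
SAMPLE_DOCUMENT = """\
Customer onboarding notes (constructed sample, not real data)
SSN on file: 123-45-6789
Card used for deposit: 4111 1111 1111 1111
Card typed wrong on first attempt: 4111 1111 1111 1112
Order reference 2020-05-04, desk phone 555-0100
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report does not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return masked PII (SSN) and CHD (PAN) hits found in one piece of text."""
    findings: Dict[str, List[str]] = {"PII_SSN": [], "CHD_PAN": []}
    for m in SSN_RE.finditer(text):
        findings["PII_SSN"].append(mask(m.group()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):       # pattern match alone is not enough evidence
            findings["CHD_PAN"].append(mask(digits))
    return findings


def scan_documents(documents: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan several named documents and keep only those with at least one hit."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for name, text in documents.items():
        hits = scan_text(text)
        if any(hits.values()):
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_documents({"notes.txt": SAMPLE_DOCUMENT, "readme.txt": "no secrets"}).items():
        print(name, hits)
```

The masked output is what should reach a ticket or SIEM event; the raw match never leaves the scanner, which keeps the detection control from becoming another copy of the sensitive data.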

  • Add a tool/mechanism that protects sensitive data by building an additional layer of data security and privacy into your data workloads.
  • Microsoft OneDrive provides a preventive option against ransomware attacks by syncing data to the user's OneDrive account.
  • Implement defensive tools that comply with GDPR, HIPAA, PCI-DSS and related regulations to secure your data.
  • Implement honeypots, tarpits and canary tokens.

[Figure: Data protection technologies]

Process level

IT and security teams should educate their employees and coworkers about company policies for storing and sharing data in cloud services, and enforce those policies without inhibiting employees' productivity. Policies about sensitive data are considered the most effective controls overall in protecting data:

  • Administrative policies and procedures
  • Employee training
  • Separation of duties/Admin controls
  • Review of logs for violation or compliance with data-related policies and procedures
  • Data-sharing or use agreements
  • Cyber insurance
  • Consolidate and isolate sensitive data stores
  • Implement incident response procedures for handling security incidents, breaches, and cyber threats
