Data breach – threat landscape

Unauthorised exposure of an organisation’s critical data

By Dhritimaan Shukla, Partner, Forensic Services, PwC India and Kush Wadhwa, Director, Forensic Services, PwC India

Background

Today, organisations are adopting emerging and disruptive technologies and incorporating data analytics into their decision-making and business strategies to retain their competitive edge. However, even with this data-driven approach, breaches of sensitive data and critical intellectual property remain a constant threat. Despite organisations’ efforts to deploy the latest security measures and data leak-prevention tools, the number of sensitive data leaks keeps increasing, for a variety of reasons: unknown vulnerabilities, weak access controls or poor configuration of security systems. Additionally, there are zero-day attacks in which malware is configured to ‘exfiltrate’ a company’s sensitive data.

In this paper, we aim to understand the constant threat posed by data breaches, and how such incidents can be handled to mitigate their impact and the financial loss caused.

Data breach threat

As the amount of data stored by organisations increases and they start making the best use of cloud solutions, mobile and web-enabled business services, there are more avenues from which data can be stolen. There is sufficient information in the public domain on the internet to educate those planning a breach, and threat actor groups have achieved a high level of complexity in their attacks. The key is to accept the fact that a breach is inevitable. We recommend that you set up mitigation and response mechanisms to proactively detect breaches, identify their quantum and modus operandi, reduce their propagation, minimise their impact and your exposure to risk, plug all vulnerable areas and ensure your business continuity.

Threat landscape

A robust security infrastructure can significantly reduce breaches, but cannot eliminate them entirely. The data breach threat landscape can be divided into three categories:

1. Unintentional data exposure due to mismanaged configurations, lax security practices and employees’ mistakes such as:

  • Internal databases or networks being exposed to unauthorised external access due to inadequate security configurations or delays in rectifying known vulnerabilities
  • Adoption of cloud infrastructure without accounting for an increased risk of a breach
  • Employees falling prey to social engineering or phishing, and exposing critical system credentials or data
  • Activities including data centre management, IT administration and email services being outsourced to vendors and third parties without the system-wide risk of a breach being assessed and mitigated

2. External threats penetrating the organisation’s network or infecting it with malware:

  • Such attacks create persistent entry points in organisations and then use these remote ‘backdoors’ to spread through internal networks and exfiltrate data, including credentials, sensitive project- or strategy-related details and databases of customer-related information that can be sold to competitors on dark web forums or leaked in the public domain

3. Insider threat from employees, who attempt to transfer critical data when they exit from an organisation:

  • This may be due to their sense of ownership of the data, a desire to maintain their knowledge base, collusion with competitors or with the intention of setting up their own businesses
  • Disgruntled employees may cause significant damage and even delete critical data if they are confident that this activity will not be traced back to them. New recruits may carry sensitive data from their previous organisations into the infrastructure of their current organisations, exposing the latter to legal action and reputational damage

Breach response strategy

An organisation’s breach response strategy should be proactive and assessed regularly via drills, learning from past incidents and analysis of relevant information by gathering threat intelligence. An effective strategy should include the following key aspects:

  • Proactive identification of potential vulnerabilities in an organisation and its outsourced services (e.g. cloud and email services) should be performed and corrective steps taken to reduce exposure to breaches and maximise their detection. Points of contact (POCs) should be designated from all departments and functions, and vendors or response teams should have in place a comprehensive responsibility matrix to ease and accelerate the detection and response process
  • There should be provision to ensure that an organisation’s breach response process enables business continuity, so that response-related activities do not adversely affect its business processes
  • An effective strategy should outline steps for conducting a breach incident review meeting for all the relevant stakeholders, vendors, and empanelled response and forensic teams. A plan of action should be drafted using the available incident-related information, with provisions to alert the board, regulatory bodies and law enforcement agencies, as required
  • In our experience, we have gained significant insights on data breaches from forensic analyses of artefacts such as USB device listings, recently accessed documents, user-deletion activities, internet browsing, IM chats, cloud usage, analysis of email activity, suspicious usage of applications, registry and event logs, printer spools, logs and data from intranet systems (e.g. SIEM, IPS, IDS, DC, proxy and file share)
  • Availability and integrity of evidentiary data depends on the evidence-handling processes followed in a data breach response. This significantly affects the success of a response-related activity. The strategy should therefore have a comprehensive section on preservation and analysis of potential evidentiary data in a forensically sound and legally acceptable manner from end points, intranet systems, volatile memory and frequently updated data including logs and event entries, which may otherwise be lost
  • The last phase of a response strategy should include an incident review meeting to discuss loopholes identified during the investigation as well as the learning from incidents, to avoid similar occurrences in the future. It should also include implementation of the required security infrastructure within the timelines decided on
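As an added illustration of the artefact analysis described above (this is example code written for this page, not PwC’s tooling), the script below correlates a constructed USB device listing with constructed recently-accessed-document entries to surface documents opened on network shares shortly after a removable device was connected, and prioritises users with a known exit date, which is the insider scenario described in the threat landscape. The artefact values, user names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample artefacts (not real case data): USB connections and recently accessed documents.
USB_EVENTS = [  # (timestamp, user, device description)
    ("2024-03-11 17:42:10", "jdoe", "Kingston DataTraveler"),
    ("2024-03-12 09:05:31", "asmith", "SanDisk Ultra"),
]
RECENT_DOCS = [  # (timestamp, user, document path)
    ("2024-03-11 12:10:00", "jdoe", r"C:\Users\jdoe\Documents\notes.txt"),
    ("2024-03-11 17:44:02", "jdoe", r"\\fileshare\strategy\FY25_pricing_model.xlsx"),
    ("2024-03-11 17:51:45", "jdoe", r"\\fileshare\clients\customer_master.csv"),
    ("2024-03-12 09:02:00", "asmith", r"\\fileshare\hr\policy.docx"),  # before the USB event
]
EXIT_DATES = {"jdoe": "2024-03-15"}  # assumed HR notice-period data for the exiting-employee scenario


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate_usb_access(usb_events, recent_docs, window_minutes=30):
    """Return documents a user opened within window_minutes AFTER connecting a USB device.

    Access before the connection is deliberately excluded: it cannot have been a copy to that device.
    Paths on network shares (UNC paths) are marked, since they hold shared organisational data.
    """
    findings = []
    for u_ts, user, device in usb_events:
        start = _parse(u_ts)
        end = start + timedelta(minutes=window_minutes)
        for d_ts, d_user, path in recent_docs:
            t = _parse(d_ts)
            if d_user == user and start <= t <= end:
                findings.append({
                    "user": user, "device": device, "path": path,
                    "minutes_after_usb": int((t - start).total_seconds() // 60),
                    "network_share": path.startswith("\\\\"),
                })
    return findings


def prioritise(findings, exit_dates, days_before_exit=30):
    """Flag findings for users whose recorded exit date falls within days_before_exit of the access."""
    for f in findings:
        exit_day = exit_dates.get(f["user"])
        f["exiting"] = bool(exit_day) and 0 <= (
            datetime.strptime(exit_day, "%Y-%m-%d") - _parse(USB_EVENTS[0][0])).days <= days_before_exit
    return sorted(findings, key=lambda f: (not f["exiting"], not f["network_share"]))


if __name__ == "__main__":
    for f in prioritise(correlate_usb_access(USB_EVENTS, RECENT_DOCS), EXIT_DATES):
        print(f)
```

In a real engagement the USB listing would come from the endpoint’s device history and the document list from the user’s recent-files artefacts, after the evidence has been preserved and hashed as the next point requires.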

Conclusion

Data breaches have evolved from isolated and occasional threats into premeditated incidents perpetrated by tech-savvy employees, or sophisticated and persistent attacks carried out by criminal syndicates with skilled ‘threat actors’. Such people are constantly learning, improving their attack arsenal and custom-tailoring their code based on their reconnaissance. Such threats cannot be detected without filters created from the analysis of past attacks. To effectively detect and handle such breaches, organisations need to put in place strategies for constant vigilance and proactive handling of threats.

The time taken to identify and contain breaches has significant financial implications, and most organisations lack the tools and experience to handle increasingly complex incidents single-handedly. Implementation of a comprehensive breach-response strategy, with robust forensic and legal components, considerably reduces the time taken to identify and respond to such incidents, their impact and associated costs.

Readiness to combat and contain breaches will also demonstrate an organisation’s sincerity to the regulatory authorities, help in its audits and assessments, reassure its customers and stakeholders, and substantially enhance its reputation.

Contact us

Gagan Puri

Partner and Leader
Forensic Services, PwC India

Tel: +91 124 330 6412
