Terbium Labs chief research officer Munish Walther-Puri outlined the pathways that hacked data can travel, and who’s involved in prevention efforts.
TechRepublic’s Dan Patterson talked with Munish Walther-Puri, chief research officer of cybersecurity services provider Terbium Labs, about how personal and company data ends up on the dark web.
Patterson: It’s no secret that stolen data ends up on the dark web, but how does it get there and who are the parties involved. … Let’s start with the incident. When a data breach occurs and sensitive data, whether it’s (personally identifiable information) PII or intellectual property or anything else, is exfiltrated from an enterprise company’s site, or even an SMB and a startup, who takes that data, and then where does it go? What is the transit path?
Walther-Puri: That’s a good question. The first thing I would say is there’s a few pathways. Some of them are quite hidden and narrow, and some of them are relatively more visible. So there’s multiple pathways that that information can take into the hands of cyber criminals.
A few of those pathways involve transit through the dark web, and when there is a breach of some kind, or let’s say there’s some PII stolen, depending on how recently it’s happened and the size and the number of records and the intent of the attacker, it may not make it onto open forums on the dark web, or forums on the dark web immediately. It might take some time, because that is precious and data on the dark web is valued in many ways by its scarcity and the freshness of it.
Payment card data is a different story all together, in that regardless of where it comes from it finds its way onto the underground economy on the dark web relatively quickly and relatively actively.
Patterson: So how is this … Let’s take stolen credit card data. How is that packaged and resold, even marketed? Is it the actor, the threat actor, the villain who steals this that then packages it and puts it up for sale? Tell me about the mechanics.
Walther-Puri: Sure. I’m glad you’re asking about it in that way, because I think that there is a few different players, and I would never aggrandize cyber criminals. I think it’s important to think of them as entrepreneurs and business people, because that’s how they’re running their carding markets and their online eCommerce sites, is they look at stolen data as a good, and they operate with lots of the same principles and ideas that legal, conventional eCommerce does.
So what does that mean? They focus on marketing, customer service, advertising, having a consistency of supply. So a number of things that we think that a cyber criminal would focus on they definitely think about. They use analytics to look at activity and which kinds of cards are being sold where. It’s pretty mature and fairly sophisticated.
Patterson: Who are the various actors in this supply chain? Obviously when I think about the mechanics of what you just explained, marketing and metrics, I can think of legitimate professions that do that and do it really well. Are these criminals recruiting say experts in analytics? Are they trying to flip and turn normal people who have good skills?
I mean this is really 101, but help us understand beyond just organized crime who is performing these actions and how do they get these skills.
Walther-Puri: Yeah, that’s a good question. So what we try and focus on is how that data moves along, so understanding the who is important for us in two ways. One, that there isn’t … There aren’t a totally unique set of skills for maintaining, like you said, analytics, metrics, those kinds of things. On the dark web it’s also a community where people can network and find other resources that they need and connect with each other and find someone who has those skillsets.
Some of the more specialized aspects of cyber crime and fraud, there not only are actors on the dark web that have those capabilities, there are services out there that provide tutorials and explain how to perpetrate certain kinds of fraud, and in some cases will provide that fraud as a service.
Patterson: Fraud as a service. That’s a fascinating emerging business. What about law enforcement? Where do they come in? How are they investigating dark web channels? We know the FBI is there, but what other alphabet soup agencies are involved with dark web tracking?
Walther-Puri: Yeah, so that’s where the … starts to become really important, but they are trying to map out the networks, and as you probably know, and your viewers and otherwise know, attribution is difficult on the dark web. There’s in some cases anonymity, in other cases pseudonymity, so attribution is pretty difficult, so that’s definitely law enforcement’s challenge.
At the same time, they have embedded resources… We have the writ to investigate and try and take down some of these operations. So to that end you mentioned the FBI. Definitely anyone that’s dealing with the opioid crisis, because there’s a fair amount of that activity on the dark web, so drug enforcement agency. Then we also see a number of other kinds of security concerns that Homeland Security would be involved as well.
Then in some cases local police. Local police are involved, especially if their jurisdiction is a hotbed of drug activity or fraud, anything where they’re stealing cards en masse. We continue to see arrests happen where someone is trafficking in drugs on the dark web and at some point they have to go pick those up, right? Or if there’s other physical goods, they have to go pick those up.
What’s dangerous, what’s challenging for law enforcement is where a transaction is completely digital, there’s no physical good, there’s no paper trail. That’s where we see the challenge around stolen data.
Patterson: So what do I do if I’m a business, if I’m a consumer and I want to not just prevent my own data from being stolen, but understand more about the economy so I can enact preventative measures that are systemic?
Walther-Puri: Good questions. I say questions because I think there’s two in there, what does a business do, what does a consumer do? Let’s start with businesses. Businesses, the first thing is not going to be very surprising. Understand their risk profile. So the dark web provides a number of risks and I think for a lot of people it’s a scary, spooky place where they don’t know very much of what’s happening. They think it’s a Craigslist for hit men or a meetup for terrorists, and there’s a lot more that happens there that has an impact on business operations, particularly around data and security of assets.
The first thing is to understand our risk profile and to take a risk based approach. We think that’s the most effective way to allocate your resources and determine if your security controls are being affective. If you believe that sensitive data is not getting out there you need to go test that notion and understand what that exposure looks like. So that’s I think the very first step, is understanding that risk profile and then understanding controls.
For consumers it’s definitely challenging. The two things I will say not to be first, so not to be motivated by fear. Fear is not a good way to push someone towards action. You can use fear to get me to join the gym. You can’t use fear to get me to go to the gym. We need people to go to the gym. So that’s about similarly understanding their risk, but really understanding their own profile and their own data. I think people are starting to understand that their data is worth something. That’s the first thing I’d say to consumers, is value … To have some data self-worth. Your data is worth something.
The second is to take some basic preventative measures. Two aspects … I think many people have talked about them and I will encourage them as well, to use a password manager and to use multifactor authentication. But a good place to start is a password manager.