Eric Clay, Author at Flare | Cyber Threat Intel | Digital Risk Protection
https://flare.io/learn/resources/blog/author/ericclayio/
Attackers Shouldn't Have the Information Advantage
Fri, 22 Dec 2023 16:04:50 +0000

Preventing Credential Theft: 3 Critical Steps
https://flare.io/learn/resources/blog/preventing-credential-theft-3-critical-steps/
Thu, 21 Jul 2022 20:56:23 +0000

Stolen credentials provide cybercriminals with both an entry point into your network and a way to move through your network undetected. While the cyber threat landscape is more diverse in terms of tactics and techniques than ever, the aftermath of many data breach and ransomware incidents ends up tracing either their origin or their escalation to the use of stolen credentials. 

The shift to hybrid work arrangements further accelerated credential theft as a cyber threat with hackers seeking to compromise logins for VPNs, cloud services, and other remote work infrastructure. This article offers a three-step plan for getting the fundamentals in place to prevent credential theft and keep your most valuable digital assets protected.

Step 1: Employee Training and Awareness 

Many credential theft attacks directly target employees because these methods of stealing passwords don’t require much in the way of technical prowess from a hacker’s perspective. The relatively primitive nature of tactics like social engineering or brute force password guessing belies the fact that they are often very effective ways of compromising credentials. 

One report from 2021 found that phishing attacks alone cost large organizations $15 million per year on average. Similarly, with the top three most commonly used passwords being 123456, 123456789, and qwerty, it’s clear to see why threat actors still employ trial and error methods of guessing passwords. 

Underpinning the effectiveness of employee-focused credential theft attacks is a persistent lack of effective cybersecurity training and awareness covering two key areas. 

1. Social Engineering

Social engineering tactics manipulate or dupe victims into giving away their login credentials to business apps and services. Phishing emails that lead unsuspecting employees to malicious URLs are a commonly used social engineering tactic to steal passwords. These emails seem to come from legitimate sources to the untrained eye. 

Hackers have introduced more sophistication into phishing campaigns by leveraging personal information about targets, much of which is accessible on social media or social networking platforms. These so-called spear phishing attacks are harder to spot, but not impossible. 

Effective training and awareness makes a big difference in preventing credential theft through social engineering. Training modules must comprehensively cover different types of social engineering attacks and ideally use examples and stories that resonate with different business departments/specialties. Ongoing awareness should leverage methods like monthly newsletters, fliers dotted around the office, and re-taking training at sensible intervals. For even better results, incorporate simulated training exercises so that employees improve their social engineering detection capabilities in the kind of unexpected scenarios they’ll encounter with genuine attacks. 

2. Good Password Hygiene

In a sophisticated threat landscape, it’s easy to disregard the importance of good password hygiene. Even though threat actors have an armory of highly technical tools and in-depth knowledge at their disposal, cracking weak passwords still provides an easy entry point into your networks. These weak passwords are the path of least resistance, so it makes sense for attackers to target them. 

Education on improved password hygiene should cover the following points:

  • Warn employees about the danger of re-using passwords across different apps and services and discourage the practice. 
  • Encourage complex passwords that use at least 8 characters, combining upper case, lower case, numbers, and symbols. 
  • To help avoid password fatigue or productivity impacts from employees forgetting complex passwords and needing to reset them, instruct employees to use password managers for securely storing and seamlessly using a repository of their various passwords. 

From a business perspective, exercise good password hygiene by setting up multifactor authentication (MFA), particularly for privileged or admin users. By using MFA, employees need to provide an extra category of evidence proving their identity before they can log in to a system. MFA ensures that even a brute force attack that guesses and steals the correct password doesn’t grant access to the system that the password protects. 

Step 2: Advanced Email Security Solutions

While improved training and awareness notably reduces employee susceptibility to common credential theft attacks, it doesn’t effectively prevent every threat. Highly sophisticated social engineering scams like whaling or CEO fraud can create such a convincing context that even trained security professionals might be tempted to click an untrusted link and disclose sensitive information. 

In these more advanced cases, advanced email security solutions can assist in preventing credential theft. When employees get directed to a fake login page, anti-phishing solutions leverage deep learning algorithms and computer vision to spot deviations from the authentic login page. Other advanced solutions for email security include next-generation firewalls, which can provide granular control over the specific URLs that employees can submit their credentials to. 

Step 3: Honeypots and Other Decoys

The steps discussed so far focus on the boundary between the external world and your network, but what about threat actors stealing credentials while inside the network? Commonly, this credential stealing uses malware, trojans, or PowerShell scripts to obtain valid credentials, and it’s not just limited to passwords. Threat actors then move laterally or escalate privileges, and the dreaded outcome is often exfiltration of sensitive customer data or encrypting every device on your network with ransomware.  

A particularly prevalent internal threat is compromising password hashes and session tickets rather than the plaintext password itself. Active Directory is a highly-prized target because this infrastructure controls access to other critical systems, apps, and services. 

Honeypots are an excellent tool that let you set up decoy systems or servers to draw attackers into them. Honeypots look like, and are named similarly to, legitimate systems, but they don’t provide attackers with access to anything. By setting up honeypots and monitoring them, you can both draw hackers away from your legitimate systems and prevent genuine credential theft. You achieve all of this while gleaning a better understanding of what password compromise techniques are being used by threat actors inside your network. 

Taking honeypots to another level, also consider the use of honey-hashes and honey-tokens. The idea behind these decoys is to place them in the same locations as legitimate credentials. Since no real user will ever try to authenticate or interact with these fake credentials, any use of them is an immediate red flag indicating an in-progress credential theft operation. You can then react in time and shut down the system/server or take other actions to remediate the threat.  
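The detection logic behind honey-tokens, as an added example that is not part of the original post or Flare's product: every authentication event that names a planted decoy account is alerted on, successful or not. The key=value log format, the sample log lines and the decoy account names are constructed assumptions.

```python
"""Flag any authentication event that touches a decoy (honey-token) account.

Added illustration, not Flare code. The log format, the sample lines and
the decoy account names below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Hypothetical decoy accounts planted alongside real ones. No legitimate
# workflow ever authenticates as these, so any attempt is a red flag.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy", "sqlsvc_prod"}

# Constructed sample authentication log in a simple key=value format.
SAMPLE_LOG = """\
ts=2022-07-21T10:01:02Z event=logon user=alice src=10.0.1.15 result=success
ts=2022-07-21T10:01:40Z event=logon user=bob src=10.0.1.22 result=failure
ts=2022-07-21T10:02:11Z event=logon user=svc_backup_admin src=10.0.5.9 result=failure
ts=2022-07-21T10:02:12Z event=ticket_request user=da_legacy src=10.0.5.9 result=success
ts=2022-07-21T10:03:00Z event=logon user=carol src=10.0.1.30 result=success
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = {"ts", "event", "user", "src"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    account: str
    source: str
    event: str
    result: str


def parse_line(line):
    """Turn one key=value log line into a dict; None if it lacks the required fields."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED_FIELDS.issubset(fields) else None


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return an Alert for every event that references a decoy account.

    Failures are alerted as well as successes: a failed logon as a decoy
    account still proves someone harvested the planted credential.
    """
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        if rec["user"].lower() in decoys:
            alerts.append(Alert(rec["ts"], rec["user"], rec["src"],
                                rec["event"], rec.get("result", "unknown")))
    return alerts


def sources_to_isolate(alerts):
    """Hosts that presented a decoy credential; first containment candidates."""
    return sorted({a.source for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"[ALERT] {a.timestamp} {a.event} as decoy '{a.account}' "
              f"from {a.source} ({a.result})")
    print("hosts to isolate:", sources_to_isolate(found))
```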

Don’t Neglect Your Digital Footprint

These three steps put your business in a much better place to prevent credential theft. However, with literally billions of stolen credentials on the deep web, dark web, and clear web from previous data breaches, there is a strong possibility that working credentials belonging to someone in your organization are available for threat actors to reuse for malicious purposes. 

With no solution for monitoring their external digital footprint in place, businesses often remain unaware of stolen credentials until it’s too late. Flare’s platform continuously scans all corners of the Internet for exposed credentials and prioritizes alerts so you can take action in real-time. This detection speed helps to mitigate threats from stolen credentials before their theft turns into breaches or other serious cybersecurity incidents. 

Using Flare to scan for password dumps and mentions of your company email or domain, you can rapidly reset accounts for any affected users or take other actions that render any stolen credentials useless. 

Book your Flare demo today.

Attack Surface Monitoring: The Definitive 2022 Guide
https://flare.io/learn/resources/blog/attack-surface-monitoring-the-definitive-2022-guide/
Wed, 06 Jul 2022 18:18:29 +0000

Widespread digital transformation initiatives over the last decade mean that most IT environments are more complex and heterogeneous than ever. Cloud computing, virtual machines on multiple operating systems, and remote work arrangements are cornerstone infrastructural elements that blur the boundary between the internal network and external Internet at most organizations. From a cybersecurity perspective, dissolved network perimeters and high levels of network dynamism rapidly expand the external attack surface and make it more challenging to adequately defend against threats. 

Constant visibility into your evolving attack surface is a critical step in keeping today’s cyber threats at bay. But manual efforts to map out and track your attack surface are unlikely to succeed due to resource constraints. Organizations need dedicated and unified attack surface monitoring for visibility into emerging vulnerabilities, weaknesses, misconfigurations, and other risks. This article provides a definitive guide on attack surface monitoring, including its benefits, the types of risks mitigated, and more. 

What is Attack Surface Monitoring?

Attack surface monitoring is a proactive security approach that provides constant visibility into vulnerabilities, weaknesses, data leaks, and misconfigurations that emerge in your external attack surface. The external attack surface is the total number of digital assets exposed to threat actors and accessible via the Internet. Hackers can attempt to enter your network through any one of these points, so it’s critical to have a malicious outsider’s perspective on what your attack surface looks like. 

Manual efforts to monitor attack surfaces typically depend on using multiple tools to cover many different channels. The result is usually incomplete coverage. Dedicated attack surface monitoring solutions attempt to provide visibility into your evolving attack surface through a single pane of glass. 

Attack surface monitoring is a central principle of a wider attack surface management approach that also involves asset discovery, inventory, and classification. Standalone solutions are available that solely focus on attack surface monitoring, but it’s more common that monitoring slots into a more comprehensive attack surface management solution that automates other important steps, including asset discovery and inventory. 

A recent study highlighted the need for attack surface monitoring by finding that 43 percent of organizations admitted their attack surface is spiraling out of control and 62 percent have attack surface blind spots that hamper security. 

So, what are the specific functions of attack surface monitoring that can close these visibility gaps and reduce cyber risks? Here are some common features of these solutions. 

  • A detection engine that generates real-time alerts when risky changes are spotted, such as a misconfiguration that opens up a cloud storage bucket to anyone with the link, expired or insecure SSL certificates, open ports, software vulnerabilities, or even source code leaks in repositories like GitHub. 
  • Rule-based monitoring that accounts for potential compliance violations when triggering alerts.
  • Continuous monitoring of web applications, services, and APIs for vulnerabilities that outsiders could exploit. 

What Assets Should a Comprehensive Attack Surface Solution Monitor? 

In general, any comprehensive solution should monitor the following assets as a bare minimum for vulnerabilities, misconfigurations, and other security risks:

  • Cloud computing on public cloud services, including storage, SaaS applications, and infrastructure that you access and configure based on custom needs, such as hosting an application. 
  • Company website infrastructure (hosting accounts, SSL certificates, content management systems).
  • Entire web application infrastructure, including libraries, dependencies, APIs, and web servers.
  • Shadow IT assets that employees use without the approval of central IT departments. This includes physical personal devices, messaging or collaboration apps, and personal cloud storage services. Full-suite external attack surface management solutions usually include features that enable the discovery of these assets, bringing them out of the shadows and into visibility so they can be mapped and monitored.  
  • Remote work infrastructure, which includes employee laptops connecting to the corporate network and VPN or RDP applications that provide internal network connectivity. 

There’s a strong argument that organizations should view employee credentials as a type of asset that needs monitoring. After all, these credentials could end up on the dark web, where threat actors purchase them and use them as a way to get inside your network. Many attack surface monitoring solutions don’t extend their capabilities to monitor credentials. More on how Flare differs in that regard later.

Benefits of Effective Attack Surface Monitoring

The outside-in perspective that attack surface monitoring provides is invaluable for effectively managing cybersecurity risks. When you see what malicious actors see, it becomes much clearer what kinds of vulnerabilities and misconfigurations pose the most immediate risks to your data and applications. 

Real-time alerting and continuous monitoring enable much faster remediation compared to the traditional ad hoc or scheduled vulnerability scans that organizations run. Furthermore, since attack surface monitoring covers more risk types than typical vulnerability scanning, coverage is much greater. 

Data leaks or exposures only become full-scale breach incidents when an unauthorized outsider accesses and/or downloads the information. These leaks present threat actors with low-hanging fruit, and it’s usually a race against time before someone finds exposed data on the Internet. In a world of increased regulatory oversight where various regulations protect customer data and data breaches cost upwards of $4 million, it’s pivotal to have processes in place to detect the kinds of errors that leave sensitive data exposed. Attack surface monitoring provides the rapid detection needed to remediate misconfigurations that leave data exposed. 

High-Profile Incidents That Attack Surface Monitoring Could’ve Mitigated 

To better understand the powerful difference attack surface monitoring can make to your cyber defenses, it’s worth analyzing a couple of high-profile recent security incidents and pointing out how dedicated attack surface monitoring could’ve mitigated them. 

Securitas S3 Misconfiguration

In January 2022, cybersecurity research and technical product review site SafetyDetectives reported on a major data leak affecting Securitas. The company provides security services, including airport security, in well over 50 countries. 

The leak in question came from an exposed AWS S3 cloud bucket which was left unsecured without any password authentication. The exposed information included sensitive data about airport employees in both Colombia and Peru. With one million files, this data leak totaled 3 terabytes of data.

It remains unclear whether any threat actors managed to find and download the exposed data. But it is likely that the cloud misconfiguration went unnoticed by Securitas for a considerable length of time. With an effective attack surface monitoring solution in place that monitors cloud assets for security risks, the Securitas IT team would’ve received an immediate alert about this misconfiguration and been able to rapidly mitigate the risk.

Colonial Pipeline VPN Compromise

An enforced shutdown due to a ransomware attack on Colonial Pipeline was one of 2021’s most discussed security incidents. The initial entry point that led to panic-driven gas shortages came from a legacy VPN system being broken into by compromising an inactive user’s account with a leaked password. 

Much has been spoken and written about this incident, but the actual root cause went somewhat under the radar. It’s critical to bear in mind that VPNs are Internet-exposed digital assets that cybercriminals often focus on, especially in a landscape where remote workers use these services to connect to company networks. 

Since this legacy VPN account belonged to an inactive user, comprehensive attack surface monitoring would have alerted IT about the risk of this account. Swiftly deprovisioning the account or revoking access in response to this high-risk alert would’ve prevented the incident and its subsequent fallout.

Flare: External Attack Surface Management 

Our platform provides all the features you’d expect from external attack surface management but with extra monitoring capabilities. Reflecting the fact that employee credentials continue to provide an entry route into corporate networks, Flare monitors the dark web, Pastebin, and other external sources for leaked credentials from previous breaches. You can then prevent data breaches by resetting accounts that have the potential to be compromised.

Get your Flare demo today.

Attack Surface Reduction: 5 Steps to Reduce Cyber Risk
https://flare.io/learn/resources/blog/attack-surface-reduction-5-steps-to-reduce-cyber-risk/
Tue, 05 Jul 2022 19:22:41 +0000

There are many contributing factors that make it difficult to deal with today’s cyber threat landscape. Complex infrastructure, sophisticated threats, cybersecurity talent shortages—these things all matter. Arguably a more important factor, however, is that businesses fail to view security from threat actors’ perspectives and neglect to manage their attack surface. This article takes a deep dive into attack surface reduction and examines five steps to reduce cyber risks. 

What is an Attack Surface? 

An attack surface is the total number of possible entry points into a network or system that an unauthorized person can attempt to exploit and infiltrate. This attack surface spans digital assets accessible via the Internet and devices only accessible with physical access. 

While the physical attack surface is relatively stable and controllable, the digital attack surface changes often and expands widely. The remainder of this article concentrates on the digital attack surface, particularly its external-facing elements, because this is where the majority of malicious cyber attacks come from. 

Some important reasons that attack surfaces today are more challenging to monitor and reduce include:

  • Employees provisioning shadow IT assets without the approval or knowledge of IT departments. 
  • Complex hybrid infrastructures dissolving traditional network boundaries as businesses migrate more workloads to the cloud.
  • Innovative threat actors tweaking their tactics and techniques to come up with new methods of exploiting weaknesses and vulnerabilities. 

In fact, the top security operations challenge cited by security professionals and leaders in one report was monitoring security across a growing attack surface.  

Attack Surface Visibility 

Too often, cybersecurity defense strategies focus on an inside-out perspective. Businesses attempt to put in place controls, devices, and tools that are hopefully all-encompassing enough to prevent people from getting in. But this approach neglects the valuable perspective that comes from viewing the company’s network in the way an attacker actually sees it. 

The ever-evolving nature of modern attack surfaces means that without sufficient visibility, gaps emerge without you knowing about them. A misconfiguration might open up a risky port or expose a sensitive database in the cloud. 

Without attack surface visibility, threat actors are likely to find and exploit these attack vectors. Seeing as just 9 percent of organizations monitor their entire attack surface, it’s clear more needs to be done to improve visibility. 

So, how can you get visibility into your attack surface? One approach is for network security architects or pen testers to manually map out your attack surface. A faster, cheaper, and more dynamic approach uses dedicated software solutions to collect relevant data and keep track of your attack surface. Visibility discovers all the digital assets that attackers see so that you can then take action to identify and remediate their potential intrusion points, including:

  • Misconfigurations in servers, ports, cloud permissions, or cloud infrastructure
  • Stolen user credentials appearing on dark web forums or Pastebin 
  • Remote access connections such as RDP or VPN lacking in multifactor authentication
  • Vulnerabilities in web applications or APIs
  • Source code leaks in repositories such as GitHub
  • Company websites and the SSL certificates used to secure them

Comprehensive visibility is a critical step towards shrinking your attack surface where possible and reducing cyber risks. 

5 Steps to Shrink Your Attack Surface and Reduce Risks 

With your attack surface mapped out and monitored, follow these steps to reduce the number of potential entry points for intruders to exploit. 

Build an Effective Vulnerability Management Strategy

Vulnerabilities in web applications, operating systems, or services listening on ports provide adversaries with low-hanging fruit to exploit and get inside your IT environment. It’s trivial to scan for open ports and any vulnerable services running on them. Technically astute hackers know exactly where to look for vulnerabilities in web applications. 

Without proper vulnerability management, there’s a high likelihood that some opportunistic actor will exploit any vulnerabilities in your external-facing systems. Vulnerability management regularly scans for vulnerabilities and helps to prioritize and fix them, usually by applying a security patch. By dealing with vulnerabilities swiftly, you reduce your attack surface and close off these highly exploitable weaknesses.

Monitor for leaked credentials

News reports from 2020 revealed an astonishing number of stolen passwords circulating on the dark web—15 billion in total. Without other strong security measures in place, stolen credentials provide an easy route into your network. 

Monitoring for leaked credentials across the dark web, clear web, and other sources like Pastebin has a high likelihood of paying dividends by shrinking your attack surface. Ideally, you’ll use a solution for this because nobody has the resources to manually monitor for leaked credentials. When you identify leaked credentials, you can move quickly to reset those accounts and close off a potential gap that threat actors would eventually exploit.  

Provide effective cybersecurity training and awareness

The extent to which the human factor plays a role in cyber attacks is such that some sources identify a social engineering attack surface. The total number of employees and users on your network provides a surface area through which security errors occur, particularly when threat actors coerce untrained users into making mistakes. This coercion typically falls under the umbrella of social engineering techniques, which includes phishing and other manipulative psychological tricks.

Effective cybersecurity training and awareness programs promote a security-first culture that reduces your attack surface. When you equip employees and users with security knowledge, there are fewer possible entry points into your network through social engineering methods. 

Enhance authentication security

The simplistic ways intruders gain access to networks often belie the sophistication of many types of cyber attacks. One of the most common methods of entry is to gain access to an employee’s account, either by reusing stolen credentials or by otherwise compromising password details. 

A case in point was the advanced SolarWinds breach, which saw Russian threat actors lurk inside US federal government systems for months undetected. Sure enough, the initial access that set this attack in motion began by compromising a Microsoft 365 account. 

Strengthening the security of access and authentication is a solid strategy for reducing your attack surface. At the least, require multifactor authentication for logins to important business apps and services so that compromised passwords don’t necessarily mean network intrusions.

Segment your network

Network segmentation breaks your network down into several zones with the aim of tightly controlling traffic between zones. In terms of how this reduces your attack surface, it’s worth a reminder that the attack surface is a view of your network from an intruder’s perspective. 

When your network is flat, and every device or server can communicate without restriction, attackers know that they can easily move laterally. When you segment your network effectively, hackers can only intrude into one area, which limits the damage they do. 

Understand Your Attack Surface with Flare

Flare’s digital footprint monitoring and external threat protection platform uses AI-powered techniques to manage your company’s external cyber risks. Unparalleled visibility into a disparate variety of leak sources and actionable findings help you easily reduce your attack surface based on what the platform detects. 

Get your Flare demo today.

Ransomware Defense: How External Monitoring Can Enable Intelligent Security
https://flare.io/learn/resources/blog/ransomware-defense/
Tue, 07 Jun 2022 17:37:32 +0000

It wasn’t always the case that ransomware attacks resulted in data breaches—traditionally, ransomware strains just blocked access to files or systems unless you paid up. The first double extortion attack in late 2019 signaled a shift in ransomware gangs’ tactics. Recognizing that information is an incredibly valuable asset, threat actors began exfiltrating sensitive data assets from systems and then demanding payments from companies to avoid data being released online. 

Adequately defending against and dealing with ransomware and other data breaches calls for a more intelligent approach to security that provides clear proactive warning signs and accelerates responses. Often, these warning signs stem from sources outside your business on the Internet. Keep reading to find out how monitoring external sources of information and activity enables intelligent security in today’s threat landscape. 

Ransomware, Data Breaches, and External Sources 

Across various forums, marketplaces, content-hosting services, and communities, the Internet is a hive of malicious activity (if you know where to look). Threat actors congregate online in the hopes of finding businesses worth targeting and stealing data from. Other people visit these marketplaces wanting to buy sensitive information, such as customer credit card details stolen in previous ransomware attacks or other breaches. 

So, where exactly does all this malicious activity happen online?

  • Occasionally, signs of malicious intent hide in plain sight on forums and websites accessible using any standard web browser and indexed in search engines. 
  • A huge amount of compromised information resides on deep web sources that search engines don’t index, such as Pastebin. 
  • Most often, bad actors lurk and exchange stolen information on the dark web, which they connect to using special browsers like Tor or I2P that anonymize their activity by passing traffic through decentralized peer-to-peer networks. 

Whether relevant information aiding the prevention of or investigation into an attack on your business ends up on the clear web, dark web, or deep web, these external sources require close monitoring. But manually monitoring potentially thousands of external sites requires resources beyond the reach of most security teams. That’s where dedicated external monitoring solutions come in. 

What is External Monitoring? 

External monitoring solutions use a combination of human security expertise, automation, and AI to build a data collection engine that scours external sources for suspicious activity associated with your company. Swift notification about detected employee credentials, internal documents, or customer data provides security teams with intelligence into potential threats or breaches that would otherwise be unavailable. Some platforms only focus on monitoring the dark web while others take a broader view and integrate both clear web and deep web sources into their monitoring capabilities. 

The need for dedicated monitoring solutions becomes quickly apparent when you consider the challenges involved in a manual approach. In the dark underground of the Internet, new forums, marketplaces, and illicit actors constantly emerge. Incriminating evidence pointing to a potential breach on Pastebin might disappear within minutes or hours. And there are thousands of potential sites to monitor, most of which require you to sign up to get access. 

How External Monitoring Works 

Each external monitoring solution has its own design, but the three broadly similar components across these platforms are collection, processing, and alerting. 

Collection

The first important step is to collect data at scale from the web pages of relevant forums, marketplaces, paste sites, and other sources. Efficient data collection at the necessary scale calls for high levels of computational power. Target sites might also have rate limits on resource consumption, so some solutions might employ parallel connections to get around those limits. 

Processing

The raw intelligence gleaned from the data collection step exists in an unstructured format (typically text or HTML files). In order to make any sense of this information, the platform needs to process and analyze it in a way that makes the data easier to sift through in order to get swift intelligence and insights. Typically, frameworks like Apache Spark prove useful here. 

Alerting

The core of an external monitoring solution from the perspective of your IT and security teams is alerting. Ideally, intuitive user interfaces or dashboards let you set custom alerts when different signals are detected within the gathered data. And alerts should arrive promptly in front of relevant personnel so you can quickly use this intelligence to prevent a data breach or appropriately respond. 
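The three components described above, reduced to a single runnable pipeline, as an added example that is not Flare’s code or any real platform’s implementation: the collected documents, the paste and forum URLs, the `example-corp.com` domain and every credential in them are constructed for illustration. Processing strips HTML, extracts email:password pairs, normalizes the email and keeps only monitored domains; alerting deduplicates and carries a truncated hash of the password rather than the plaintext, so the alert itself never becomes a second leak.

```python
"""Collection -> processing -> alerting, in miniature (added example)."""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for the collection step: raw text a collector might
# pull from a paste site and a forum thread. All values are made up.
COLLECTED_DOCUMENTS = [
    {
        "source": "paste-site",
        "url": "https://paste.example/abc123",  # placeholder URL
        "text": (
            "combo list part 1\n"
            "alice@example-corp.com:Summer2022!\n"
            "bob@example-corp.com:hunter2\n"
            "carol@unrelated.org:letmein\n"
            "alice@example-corp.com:Summer2022!\n"  # duplicate of line 1
        ),
    },
    {
        "source": "forum",
        "url": "https://forum.example/thread/42",  # placeholder URL
        "text": "<p>selling vpn access, dm me</p><p>dave@EXAMPLE-CORP.com : P@ss1</p>",
    },
]

# Domains this organization monitors (assumed for the example).
MONITORED_DOMAINS = {"example-corp.com"}

# email:password on one line, with optional spaces around the colon.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*:\s*(\S+)")
TAG_RE = re.compile(r"<[^>]+>")


@dataclass(frozen=True)
class Alert:
    email: str
    domain: str
    password_fingerprint: str  # truncated SHA-256, never the plaintext
    source: str
    url: str


def extract_credentials(text):
    """Processing: turn unstructured text/HTML into (email, password) pairs."""
    plain = TAG_RE.sub("\n", text)  # HTML tags become line breaks
    for match in CRED_RE.finditer(plain):
        yield match.group(1).lower(), match.group(2)


def fingerprint(password):
    """A short hash lets analysts match repeat leaks without storing secrets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def build_alerts(documents, monitored_domains):
    """Alerting: one alert per distinct (email, password) hit on a monitored domain."""
    seen = set()
    alerts = []
    for doc in documents:
        for email, password in extract_credentials(doc["text"]):
            domain = email.split("@", 1)[1]
            if domain not in monitored_domains:
                continue  # someone else's leak; not our alert
            key = (email, fingerprint(password))
            if key in seen:
                continue  # same credential seen again: no duplicate alert
            seen.add(key)
            alerts.append(Alert(email, domain, key[1], doc["source"], doc["url"]))
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(COLLECTED_DOCUMENTS, MONITORED_DOMAINS):
        print(f"{alert.source:10} {alert.email:28} fp={alert.password_fingerprint} {alert.url}")
```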

How External Monitoring Helps Prevent and Respond to Ransomware 

Prevention

Most ransomware attacks require multiple phases of execution starting from an initial network intrusion, establishing a foothold, moving laterally, exfiltrating data, and then encrypting systems or files. The initial intrusion becomes much easier when threat actors get their hands on email addresses, password lists, and other login information that gives access to and control over user accounts. 

The high-profile Colonial Pipeline breach in 2021 started with a login to an employee’s dormant VPN account, and the password protecting that account was available from a previous leak. Knowing about the compromised credentials and acting to de-provision the account on time would’ve prevented the ransomware attack and subsequent fallout. 

Stolen credentials regularly end up on dark web marketplaces or published in Pastebin posts. The visibility into this relevant information that external monitoring facilitates provides invaluable intelligence for preventing ransomware attacks and data breaches. 

Response

The kind of proactive intelligence provided by monitoring externally for leaked passwords and other credentials is nice, but what happens if your business is unfortunate enough to suffer a data breach? Well, external monitoring still contributes important intelligence here. 

It’s almost the norm now for horrified CISOs and other executives to only find out their company has been breached when a news report about it appears in the media. This unpalatable scenario reflects a lack of insight into the type of external activity that signifies data breaches, such as stolen data being offered for sale on forums or uploaded to Pastebin. 

While a data breach from ransomware or any other cyber incident spells a definite crisis moment given average costs of $4.24 million per breach, how you respond plays a significant part in the damage done to your reputation. By informing customers personally (before they hear about it elsewhere) and advising on suitable actions to take following a breach of personal data, you minimize the reputation hit from a mismanaged response. The kind of intelligence powered by external monitoring facilitates better-managed responses to data breaches and helps to protect your brand. 

External Monitoring with Flare

Flare’s AI-driven technology constantly scans the online world, including the dark, deep, and clear web, to discover unknown events, automatically prioritize risks and deliver actionable intelligence you can use instantly to improve security. 

Book your demo today. 

Sign up for a free trial to learn more about ransomware readiness with Flare.

How to Choose a Digital Footprint Solution https://flare.io/learn/resources/blog/how-to-choose-a-digital-footprint-solution/ Mon, 23 May 2022 20:19:39 +0000

How to choose a digital footprint monitoring solution

An organization’s digital footprint includes any publicly available information about them, whether it’s credentials, exposed services, intellectual property, or any other kind of data. Although monitoring your digital footprint is key to understanding what malicious actors see when they plan a targeted or untargeted attack, choosing a solution to do so can be a challenge. 

The steps below outline how to make this process efficient and successful.

1 – Identify gaps 

The first step in choosing the right solution is identifying where the gaps lie with the current tools and processes that are already in place. 

Case 1: You have no external visibility

Simply put, if there are no resources (tools, professional services, cybersecurity analysts) allocated to looking outside your known infrastructure and perimeter, any solution outlined here will help your organization progress in the right direction. 

If you have a very small cybersecurity budget and no one dedicated to cybersecurity, managed offerings should be seriously considered instead of operating a platform yourself. This will help you access the advantages of digital footprint monitoring without limiting your ability to allocate resources to other fundamental security challenges.

If you have between 1 and 10 people allocated to cybersecurity, a number of options are available depending on the factors outlined below.

Case 2: You do external assessments from time to time

If you do external assessments with a service provider annually, bi-annually or quarterly, the gap lies in the time between the assessments where an issue can arise and be leveraged by a malicious actor. In this case, the priority should be to move to continuous monitoring capabilities to reduce risk in real-time instead of waiting for a certain date in the year.

Case 3: You have certain continuous external monitoring capabilities

If you have cyber threat intelligence (CTI), digital risk protection (DRP) or external attack surface monitoring (EASM) solutions, this step should serve to identify if there are any areas of risk that are not covered by the existing solutions. For example, a threat intel solution will typically not monitor for accidental data leaks by employees and will focus instead on the threat landscape and the threat actors. The coverage section below describes the areas to keep in mind in that regard.

Case 4: You have a very strong external coverage

If you have a set of CTI, DRP and EASM solutions in place, chances are that your organization is highly mature in cybersecurity, but also has critical assets to protect that make you an attractive target for malicious actors. In this case, the challenge lies in identifying very precise areas of risk that may be slipping between the capabilities of the various tools and platforms in place. Running trials or proof-of-concepts of other platforms can help uncover what new innovative solutions can identify when they take a different approach to external threats monitoring.

2 – Identify areas of risk

Whatever the cybersecurity maturity of your organization, there are areas that can pose more risk due to the nature of your business. For example, a software development company may have more exposure to risks of source code and intellectual property leaks than a bank, which will have a higher risk of customer accounts being taken over through phishing attacks.

The best way to identify areas of risk is applying some or all components of a risk framework. A service firm can also help with this process if the expertise is not available in-house.

3 – Explore internal development options

In certain cases, it may be efficient to build a solution in-house. This applies especially if the use-case is highly unique and where no solutions on the market are available to reliably reduce the risk. This comes with a number of challenges to keep in mind:

  1. Resources are needed to build, optimize and maintain these tools: these projects can have a long tail where employees have to keep allocating time and cannot focus on their core work. For example, an organization might choose to build a small tool to monitor a dangerous dark web market, but will underestimate the time and costs needed to keep it running and update it as the market changes and evolves.
  2. Coverage is limited to the tool’s capabilities: As the digital threat landscape evolves, organizations must follow trends and keep an eye on new and growing risks.
  3. Expertise is often tied to 1 or 2 employees: In the current hiring landscape, employees can easily find alternate workplaces. Having processes and knowledge depend on key individuals can pose a risk of these capabilities completely disappearing with just a few weeks’ notice.

4 – Compare internal vs managed offerings

Two options are available to operationalize digital footprint capabilities: internal use of a solution and outsourcing to a managed service provider (MSP or MSSP).

Similar to other security solutions, there are advantages and disadvantages for both.

Internal solutions generally come at a lower initial cost, but require resources to operate. They will provide more control and flexibility and have the potential of delivering more value by being better optimized for your business. Having fewer service providers also reduces the risk of third-party data breaches impacting your organization.

On the other hand, managed service providers generally have the right expertise to operate the platform and can provide additional services in case of an incident. The subscription cost may be higher, although it can be combined with other services to, in the end, provide a positive ROI for the business.

5 – Evaluate solutions

There are a number of key criteria to keep in mind when evaluating a digital footprint monitoring solution.

Coverage

Each solution has different capabilities in terms of coverage, both in depth and in breadth. The right solution for your organization will map to the risks identified in the earlier step. For example, an organization at higher risk of source code leaks will prefer to opt for a solution having a strong coverage for sources such as GitHub. A financial institution looking to prevent account takeover will make sure the solution has strong capabilities in terms of identifying leaked customer credentials.

Coverage is hard to evaluate – numbers and statistics on websites or shared by salespeople may or may not be accurate and relevant for your business. The best way to validate coverage is by doing a trial or proof-of-concept and comparing the data between the platforms. The section below gives more insights on the benefits of trials and proof-of-concepts.

Large coverage (many sources or websites) may not equal quality coverage. Coverage depth is also critical: the number of pages collected per source, the structuring of the data, the mapping to actual risks, etc.

Finally, look at the transparency of the vendor: some solutions are transparent with their coverage, and help you understand what you know and what you don’t know. Others are opaque and cannot help you confirm that all angles are covered.

Features and functionalities

Various platforms have different features. The technical team that will operate the platform should ensure that it matches their expectations. Key features to look for include:

  • Alerting
  • Searching
  • Tagging and filtering events
  • Case management
  • Collaboration
  • Reporting
  • Single-Sign-On

Integrations with SIEM, SOAR and ticketing systems are also key in streamlining and optimizing the handling of the threats and issues found. Making sure the solution is compatible with your existing stack will help reduce the overhead of operating the platform.

Context and Prioritization

All Digital Footprint Monitoring solutions find threats and issues and send out alerts in one way or another. A key differentiating factor is the context that is added around the events, and the capability of the platform to reduce the noise and help your team focus on important issues. When trying out the platform, you will generally be able to see if the context is sufficient for your team to take action, or if significant work is required to investigate and process each alert.

Cost

Costs for digital footprint monitoring solutions vary greatly. The more affordable options are generally offered by MSPs or MSSPs: these can go as low as $500 per month for a single domain name and limited use cases, which can be sufficient for a small business with 1-50 employees. For SMBs between 50 and 1000 employees with an average digital presence, the cost can vary between $1000 and $3000 per month. For organizations with 1 000 – 10 000 employees, vendors would typically provide the solution for $2000 – $5000 per month. Finally, an organization with over 10 000 employees and a large digital presence would be looking at an expense of over $5000 per month, which can go significantly higher, into six digits, depending on the use cases and how the solution is priced.

Ideally, the cost of a digital footprint monitoring solution should scale with the size of your digital presence. This model makes it straightforward to align the value with the business risk it reduces and the expense it involves. Certain vendors will use seat-based or module-based pricing – in these cases, make sure the value of each seat/module aligns with the risk reduction it provides.

Justifying the ROI of a digital footprint solution internally often involves using cost approximation for potential breaches and comparing it to the cost of the platform. Fortunately, in many cases, a trial of the platform will help identify threats and issues that can be presented in the business case. 

Additionally, to build a stronger business case among the key stakeholders in the purchasing decision, certain solutions will provide a report of your digital footprint and provide direct visibility on areas of risk, and opportunities for improvements (risk reduction) if the platform were implemented.

6 – Run trials and proof-of-concepts

A number of elements in the evaluation require a hands-on analysis of a platform. Most solutions will provide access to the platform for a number of days to try out the features and evaluate the different criteria outlined above. 

In general, this does require starting a process with sales representatives, which can help tailor the experience to your business context. In the case where a sales-rep-free process is preferred, Flare is the only solution to provide a complete access to digital footprint data in a free trial directly accessible by simply creating an account.

Dark Web Monitoring: A Quick Guide https://flare.io/learn/resources/blog/dark-web-monitoring/ Thu, 05 Aug 2021 13:36:00 +0000


Organizations are concerned about the proliferation of threats on the dark web. Even as cybersecurity budgets have increased dramatically over the past decade, ransomware, phishing and other cyber threats have grown in intensity and frequency. For example, Flare’s Research team identified a surge in ransomware attacks from 2020 to 2021 – a total increase of 437%. Naturally, the number of victims of ransomware attacks has also been rising rapidly. Clearly, a vast and opaque underground economy has developed that deals in stolen passwords, stolen credit card numbers, ransomware as a service, and other illicit goods and services.  

The size of darknet markets has grown exponentially alongside the increase in threat actors. Despite repeated law enforcement victories such as the shutdown of Empire Market and the shutdown of Pirate Bay and White House Market, the darknet is larger than ever with an estimated monthly transaction volume of more than $150 million USD. In fact, Forbes has also reported that 2021 is on track for a groundbreaking year for data breaches as we’ve already surpassed last year’s numbers. Even though not all data breaches can be attributed to malicious intent, we still must be mindful. Undoubtedly, visibility into the dark web still lags despite organizations now having increased visibility into their internal networks and security posture.

Figure: Monthly darknet market revenue from January 2015 to January 2020, rising overall from under 50M USD to over 150M USD.

This article will provide insight into how your organization can monitor the dark web for potential account-takeover schemes and other criminal activities that could impact your company. Dark web monitoring enables you to take a proactive approach to cybersecurity, and actively hunt threats before they become data breaches and ransomware attacks. 

What Exactly Is the Dark Web?

The internet can be split into roughly three parts. The first section is what we would call the public web or clear web – essentially all information that is publicly available to an average user. The second is the deep web, which comprises all information hidden behind a login wall and not indexed by a search engine. This comprises the vast majority of the internet (Facebook being a prime example). Estimates put this at hundreds of times the size of the clear web. Finally, there is the dark web, which requires a specialized browser such as Tor to access. Learn more about the difference between the dark web vs deep web.

Tor started as a U.S. Navy project to enable hidden communication between naval bases but quickly took on a life of its own. Tor uses a series of relays which make it extremely difficult to track packets as they traverse the internet. While this does not provide for complete anonymity, it does make it far more difficult for law enforcement and other users to identify specific people and servers.

For this reason, the dark web exploded in popularity as it enables criminals and other users who require a high degree of anonymity to transact business and communicate with far less risk. The dark web is a common place for criminal actors to meet and barter although it is not exclusively used for criminal enterprises. In 2018, we took the time to map the darknet. You’ll notice that not all of the dark web is malicious – many individuals and organizations use it for legitimate purposes as well. You can see the results below:

Figure: The Flare Research team’s 2018 map of dark web content and the connections between topics; each topic is represented by a circle.

What Types of Information Are Sold on the Dark Web?

The dark web is surprisingly small by the standards of the clear and deep web, with only about 60,000 pages at any given time. However, on these pages, vast amounts of information are sold for cryptocurrencies such as Monero and Bitcoin. Here are some common types of data you might find on the dark web:

  • Personal Health Records (PHI)
  • Social Security Numbers
  • Exposed Technical Data & Source Codes
  • Names, Birthdays, and Security Question Answers
  • Email Address Credentials
  • Other Compromised Credentials 
  • Personally Identifiable Information (PII) such as home addresses 
  • Financial data, bank accounts, and credit cards
  • Software Source Code 
  • Company Proprietary information 

Figure: Screenshot of the welcome page of the We The North dark web market, with the market name at the top left.

Here’s a look at the ‘We The North’ dark web marketplace. On the left hand side, you’ll see the numerous categories of illicit content and materials users can purchase, including 113 items under ‘fraud,’ where stolen data is sold. 

How Can You Prevent Your Information Being Sold on the Dark Web?

A mature cyber security program can dramatically reduce the risk of your information being stolen and sold; however, no program is perfect. We recommend most companies conduct regular dark web scans or engage in real-time dark web monitoring to identify stolen credentials. Both of these methods play an important role in data leak prevention and detection, which are always best practices for organizations and should always be a priority. Here are a few quick tips that can help prevent your corporate information from exposure on the dark web.

Manage Your Passwords Well

You’ve probably heard this before, but you should avoid reusing passwords and you should change passwords regularly. Many people have accounts on dozens or even hundreds of different sites. When one of these sites suffers a data breach, the email and associated password will likely end up being sold on the dark web. If the site that is breached has additional information such as phone numbers or home addresses, the information may be sold together to facilitate identity theft. 

Our employees recommend investing a small amount in a password manager, either for yourself, your team or organization. Then, employees can easily save randomly generated passwords and access them seamlessly. Some examples include 1Password, KeePass, and Bitwarden.

Be Careful With BYOD Policies

In many cases companies allow employees to bring and use their own desktops, laptops, and cell phones for business. While this can reduce upfront costs and allow employees to work on machines they have a level of comfort with, it can also open them up to a range of attacks that could bypass your organizational cybersecurity program. Oftentimes users who bring their own computer may forget to patch systems, fail to update anti-malware, or may have other security lapses. 

Although these are great tips to start with, this is only the tip of the iceberg when it comes to data leak monitoring. To protect your organization’s information, we must also consider how to prevent S3 bucket leaks, GitHub repo leaks, and centralize key and secrets storage. All of which have been broken down in our Information Leakage: What You Need to Know Guide.

What Are The Benefits of Actively Monitoring the Dark Web?

Dark web monitoring has traditionally been seen as a function of a threat intelligence program. Unfortunately, aside from a few large organizations, most companies don’t have the resources or personnel to make use of a full-fledged threat intelligence operation. However, that doesn’t mean that dark web monitoring provides no value. Instead, it can be used by companies to find out whether criminal actors have compromised employee accounts, as part of account takeover schemes, or discover if your organization’s financial information is for sale.

Prevent Security Incidents from Becoming Data Breaches

Finding out whether your organization’s account credentials have been exposed or are for sale on the dark web can provide innumerable benefits. First, it provides you with a valuable first warning sign that a security incident may have occurred. SIEM Solutions, anti-malware, and anti-phishing can be valuable, but even the best cybersecurity programs have flaws. Actively monitoring the dark web can alert you to an incident that other tools missed, and by doing so help you prevent a larger data breach or ransomware attack.

Get Visibility Into External Threats

The first step for many fledgling cybersecurity programs is to get visibility into the types of data they collect, the amounts of data collected, and the security measures on their network. However, many organizations fail to consider the information that may be living outside of their internal network. Beginning to actively monitor the dark web can provide invaluable insights into your organization’s risk profile, and whether you are a target, or have been targeted by malicious dark web actors.

Prioritize Your Efforts

Once you have visibility into your organization’s digital footprint and level of risk, it’s time to prioritize your risk mitigation efforts. In many cases, you can apply a risk matrix to understand risk severity. Using DRP software can make risk prioritization easy through risk scoring using machine learning and automated remediation. Assign each instance of exposed data a score, based on the formula threat times likelihood. This can lend clarity to your risk mitigation efforts as you can systematically work to reduce the most unacceptable risks. 

Discover Technical Information for Sale

Stolen credentials and personal information aren’t all that is for sale on the dark web. Malicious actors will also at times steal proprietary corporate technical data such as source code, API keys, and other confidential technical data. Actively monitoring the dark web can help you identify whether proprietary corporate data is for sale.

How to Get Started with Dark Web Monitoring?

Getting started with your own dark web monitoring program may seem overwhelming. Even though the dark web is comparatively small next to the clear web, there are dozens of markets spanning thousands of pages. Many large enterprises fund entire threat intelligence programs designed to identify ATO schemes and other threats to their organization. Small and mid-size organizations may have difficulty funding a fully-fledged threat intelligence program. 

Fortunately, Digital Risk Protection (DRP) software can help them get visibility on threats both in and out of their organization. A DRP Solution can enable your organization to scan the dark, deep, and clear web and quickly identify exposed credentials, account takeover schemes, technical data leaks, and other critical external security threats.

If you’re interested in learning more about how Digital Risk Protection software can enable your security team to actively hunt threats and reduce your overall risk profile, set up and try out our free trial in less than 15 minutes.
