In the Middle Ages, when a lord, duke, or king wanted to defend his castle against marauders he built a moat and high walls. But this outward-looking strategy fell apart when the invader brought boats, ladders, and siege machines.
So it is with a cyber security strategy built on keeping attackers out. Due diligence requires companies to deploy perimeter defenses: malware detectors, firewalls, intrusion detection systems, and log monitoring. But if all of that worked, the list of companies that have been hacked would not keep growing.
A UK government survey found that 81% of companies in the country have been hacked. It only takes one person inside the firewall clicking on a phishing email to give attackers a foothold on the corporate network, and from there the perimeter-facing intrusion detection tools and processes are looking the wrong way.
Another approach to cyber security is something that could be called cyber intelligence. If we cannot find the hackers, because they have left no discernible traces of their activity, or they have and we cannot see them, then we can still track them down by looking for what they stole.
Carrying that idea one step further: if we search the internet for our own company and customer data and find any of it there, we know we have been hacked. If you look where hackers sell stolen data and you find your credit card number, email address, or name, then you or your company has suffered a security breach.
There are a couple of free ways to do this as we explain below. But there are more sophisticated tools and much more costly services and data feeds to do that too.
Governments and corporations with deep pockets have begun to pay cyber intelligence firms and even hackers themselves to scan hacker black markets and forums for any reference to their data or chatter about someone having hacked them. This is the cyber intelligence business.
Former police and intelligence officers have set up such firms, notably in Israel, where former Mossad staff presumably offer this kind of service. These firms tap public sources of information, such as Interpol and Department of Homeland Security databases, as well as the dark web and the paid data feeds of other security firms. They also run text analytics over news feeds to look for threats against particular industries or companies, like, say, "all power companies."
The deeper one goes into the darker corners of the internet, the harder it is to gain entrance. Those hacker forums and criminal black markets require an invitation from someone with demonstrated hacking credentials. It can take years for cyber spooks to gain the confidence of real hackers and pass their vetting process, which is designed to keep law enforcement out.
But one does not need to go too deep into the dark web to find credit cards listed for sale, botnets for rent, access to compromised servers, hackers for hire, and emails and passwords for sale.
The most restricted forums are for items that are much more valuable, like zero-day vulnerabilities and the exploits for them. The customers for those are often governments, since they can cost $500K and more.
An article in The Guardian recently profiled some websites that mine seemingly benign sources of information like Pastebin and Twitter looking for data that has been stolen.
Pastebin lets people upload text anonymously. Hacktivists who want to boast about their achievements, as opposed to criminals who want to profit from them, often paste passwords there. Hacktivists put a dump up and leave it. Criminals put it up and take it down quickly.
To be a victim like this is to have been pwned. The word "pwned" is not misspelled. It is video game slang for taunting someone who has been thoroughly trounced, and its definition has since expanded to cover those who have had their computer secrets stolen.
Have I Been Pwned (HIBP), Troy Hunt's site, picks up new Pastebin pastes within minutes of their appearing and indexes the email addresses in them. You enter your email address on the website and it tells you whether that address has appeared in a paste, or in a known breach, now or in the past. HIBP also publishes an API, a set of web services hosted on the site, and an RSS feed.
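The lookup described above, as an added example that is not HIBP's own code nor the page's: a small client for the HIBP API. It assumes the current v3 API (the page was written against an earlier, keyless version), which requires an `hibp-api-key` header and a `user-agent` header, answers 404 when an account has no hits, and answers 429 when you are rate limited. The fetcher is injectable so the response handling can be exercised offline against the constructed sample responses at the bottom; the account, key and breach record are made up.

```python
"""Query Have I Been Pwned (HIBP) for an e-mail address (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://haveibeenpwned.com/api/v3"   # v3 API; key required


def build_request(endpoint, account, api_key, user_agent="hibp-check-example"):
    """Build the GET request for /breachedaccount or /pasteaccount.

    The account is URL-encoded: '+' and '@' in an address would otherwise
    be mangled in the path.
    """
    if endpoint not in ("breachedaccount", "pasteaccount"):
        raise ValueError("unknown endpoint: %s" % endpoint)
    url = "%s/%s/%s" % (API_BASE, endpoint, urllib.parse.quote(account, safe=""))
    if endpoint == "breachedaccount":
        url += "?truncateResponse=false"      # full breach records, not just names
    return urllib.request.Request(url, headers={
        "hibp-api-key": api_key,              # required by the v3 API
        "user-agent": user_agent,             # HIBP rejects requests without one
        "accept": "application/json",
    })


def http_fetch(req):
    """Real fetcher: returns (status, body). A 404 is a normal 'no hits' reply."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def parse_response(status, body):
    """Turn a status/body pair into a list of records, handling HIBP's codes."""
    if status == 404:
        return []                             # documented 'not found' answer
    if status == 429:
        raise RuntimeError("rate limited by HIBP; honour retry-after before retrying")
    if status != 200:
        raise RuntimeError("unexpected HIBP status %d: %s" % (status, body[:200]))
    data = json.loads(body)
    if not isinstance(data, list):
        raise RuntimeError("unexpected HIBP payload shape")
    return data


def check_account(account, api_key, fetch=http_fetch):
    """Return {'breaches': [...], 'pastes': [...]} for one e-mail address."""
    result = {}
    for endpoint, key in (("breachedaccount", "breaches"), ("pasteaccount", "pastes")):
        status, body = fetch(build_request(endpoint, account, api_key))
        result[key] = parse_response(status, body)
    return result


def summarize(result):
    """One line per hit, the kind of thing you would drop into a ticket."""
    lines = []
    for b in result["breaches"]:
        lines.append("BREACH %s (%s) %s" % (b.get("Name"), b.get("BreachDate"),
                                            ",".join(b.get("DataClasses", []))))
    for p in result["pastes"]:
        lines.append("PASTE  %s/%s %s" % (p.get("Source"), p.get("Id"), p.get("Date")))
    return lines


# Constructed sample responses in the shape HIBP returns (not real data).
SAMPLE_RESPONSES = {
    "breachedaccount": (200, json.dumps([{
        "Name": "ExampleBreach", "Title": "Example Breach", "Domain": "example.com",
        "BreachDate": "2014-01-15", "DataClasses": ["Email addresses", "Passwords"]}])),
    "pasteaccount": (404, ""),
}


def fake_fetch(req):
    """Offline stand-in for http_fetch: picks a canned answer by endpoint."""
    endpoint = req.full_url.split("/api/v3/")[1].split("/")[0]
    return SAMPLE_RESPONSES[endpoint]


if __name__ == "__main__":
    hits = check_account("victim+tag@example.com", "dummy-key", fetch=fake_fetch)
    for line in summarize(hits):
        print(line)
```

Replace `fake_fetch` with the default `http_fetch` and a real key to query the live service; keep the 429 handling, because a bulk check of a whole staff directory will hit the rate limit otherwise.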
The site, which runs on donations, lists the breached sites it has loaded, including:
@dumpmon, Dump Monitor, is a bot run by an individual, Jordan Wright, that scans paste sites and posts tweets with links to breach data and news, like this list of stolen email credentials posted on Pastebin. Here is another, passwords and all, of logins to paid porn sites.
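The kind of scan a monitor like Dump Monitor performs, as an added example that is not Dump Monitor's code nor the page's: classify one paste by looking for email:password pairs, count the distinct addresses, Luhn-check long digit runs so that order numbers are not reported as card numbers, and flag any address at a domain you are watching, which is the "look for your own data" idea from earlier in the article. The regexes, thresholds, watched domain and the sample paste are all constructed for this example.

```python
"""Classify a paste for leaked credentials and card numbers (added example)."""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "email:password" (or ; or |) on its own line is the usual dump layout
CRED_RE = re.compile(r"^\s*(" + EMAIL_RE.pattern + r")\s*[:;|]\s*(\S+)\s*$", re.M)
# 13 to 19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_paste(text, watched_domains=()):
    """Return counts, a coarse classification, and hits on watched domains."""
    creds = CRED_RE.findall(text)
    emails = set(m.lower() for m in EMAIL_RE.findall(text))
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    cards = [c for c in cards if luhn_ok(c)]
    watched = {d.lower() for d in watched_domains}
    hits = sorted(e for e in emails if e.rsplit("@", 1)[1] in watched)
    # thresholds are arbitrary choices for this example
    if len(creds) >= 3:
        kind = "credential dump"
    elif cards:
        kind = "card dump"
    elif len(emails) >= 20:
        kind = "email list"
    else:
        kind = "other"
    return {
        "kind": kind,
        "credential_pairs": len(creds),
        "unique_emails": len(emails),
        "card_numbers": len(cards),
        "watched_hits": hits,
    }


# Constructed sample paste; none of these accounts or numbers are real.
SAMPLE_PASTE = """\
alice@example.com:Summer2014!
bob@example.com:qwerty123
carol@victim.example:P@ssw0rd
dave@example.net;letmein
order ref 1234567890123456
card 4111 1111 1111 1111 exp 12/16
"""

if __name__ == "__main__":
    print(scan_paste(SAMPLE_PASTE, watched_domains=["victim.example"]))
```

In a real monitor the watched-domain list is your own mail domains, and a hit there is the signal worth paging on; the rest of the classification just decides whether the paste is worth archiving before the uploader deletes it.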
Here is a rather ominous post that purports to be from Anonymous about Operation ISIS:
Lenny Zeltser has a rather low-tech approach on his site: it simply runs a Twitter search query in the browser, like this one:
I’m not sure why they mentioned his site, as using the Twitter API would be more effective, except that Lenny works for the SANS Institute, which is one of those governance-oriented security think tanks that write lots of policy documents but not much code.
The takeaway from all of this is common sense: in addition to deploying the usual defenses, search for your company's data in the places hackers store it, and for mentions of your company in hacker chatter, to find out whether you have been hacked. That is obviously a good idea when most companies have already been breached and many do not even know it. The alternative is to sit back and wait for news of the breach to be printed in The New York Times and watch your stock price fall, or wait until unauthorized charges start showing up on your customers' credit cards. Kidding aside, the most costly versions of this kind of intelligence would probably only be affordable for larger businesses. Smaller businesses can stay with a managed security services provider, who should be watching Pastebin for them.