DATA SOURCE LOCATIONS & DESCRIPTIONS: WHERE DO WE FIND DATA?
- Dark Web Chatroom: compromised data discovered in a hidden IRC;
- Hacking Site: compromised data exposed on a hacked Website or data dump site;
- Hidden Theft Forum: compromised data published within a hacking forum or community;
- P2P File Leak: compromised data leaked from a Peer-to-Peer file sharing program or network;
- Social Media Post: compromised data posted on a social media platform;
- C2 Server/Malware: compromised data harvested through botnets or on a command and control (C2) server.
IDENTIFIED METHOD USED TO CAPTURE / STEAL DATA: HOW WAS THE DATA STOLEN OR COMPROMISED?
- Tested: the compromised data was tested to determine if it is live/active;
- Sample: the compromised data was posted to prove its validity;
- Keylogged or Phished: the compromised data was entered into a fictitious website or extracted through software designed to steal PII;
- 3rd Party Breach: the compromised data was exposed as part of a company’s internal data breach or on a 3rd party Website;
- Accidental Exposure: the compromised data was accidentally shared on a Web, social media, or Peer-to-Peer site;
- Malicious / Doxed: the compromised data was intentionally broadcast to expose PII.
SOME OF THIS DATA IS OLD AND INCLUDES EMPLOYEES THAT ARE NO LONGER WORKING FOR US. DOESN’T THIS MEAN WE ARE NOT AT RISK?
While employees may have moved on from your organization, their company-issued credentials can still be active and valid within the 3rd party systems they used while employed. In many cases, the 3rd party systems or databases that have been compromised have existed for 10+ years and hold millions of “zombie” accounts that can be used to exploit an organization. Discovery of credentials belonging to former employees should be a reminder to confirm you’ve shut down any active internal and 3rd party accounts that could still be exploited.
WHAT DOES IT MEAN WHEN A PASSWORD HAS A LONG SERIES OF RANDOM NUMBERS AND LETTERS?
This means the password was published as a “hashed” value rather than in plaintext. Hundreds of cracking dictionaries are readily available on the Web, and it’s not uncommon for such passwords to be “cracked” and the recovered plaintext made available on multiple 3rd party websites.
I SEE FAKE EMAILS (FALSE POSITIVES). WHY IS THIS IMPORTANT?
Fake email accounts are routinely created by employees as “throw-away” addresses when they want to gain access to a system or piece of data. However, fake email accounts are also frequently created to facilitate well-crafted social engineering and/or phishing attacks. Often, the identification of fake email accounts indicates that an organization has been targeted by individuals or groups in the past.
I’M SEEING MULTIPLE USERS WITH THE SAME PASSWORD BEING EXPOSED ON THE SAME DAY. WHAT DOES THAT MEAN?
In most cases, someone is testing a password against a series of users to gain access.
I’M SEEING OLD PASSWORDS THAT WE ARE NO LONGER USING:
This report provides historical as well as live, real-time data. At one point in time there was risk associated with these credentials, and there could still be. 39% of adults in the U.S. use the same or very similar passwords for multiple online services. These passwords (whether active or not) are used in phishing exercises and can be very compelling. Employees often recycle passwords across their work and personal accounts. If your internal requirement is a capital letter and a special character, it’s common practice for employees to take a password they are familiar with and add a capital letter and an exclamation mark. (Example: Exposed Password: cowboys, Variation: Cowboys!, Cowboys1, Cowboys!1, and so on.) Knowing this, hackers will run scripts using frameworks such as Metasploit (hacking and pen-testing tools) to “brute force” their way into an unsuspecting system.
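Two of the patterns above can be checked mechanically against the rows of such a report. The following is an added example (not code from this page or from the report vendor) that flags a candidate password which is only a trivial variant of an exposed one, and groups same-day exposures of one password across several users; the report rows are constructed sample data, not real exposures.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample rows in the shape the FAQ describes: (user, exposed password, date seen).
SAMPLE_ROWS = [
    ("alice@example.com", "cowboys", date(2019, 3, 2)),
    ("bob@example.com", "Summer2020!", date(2021, 6, 14)),
    ("carol@example.com", "Summer2020!", date(2021, 6, 14)),
    ("dave@example.com", "Summer2020!", date(2021, 6, 14)),
    ("erin@example.com", "Welcome1", date(2021, 6, 15)),
]

def base_word(password: str) -> str:
    """Reduce a password to the familiar word an employee is likely recycling:
    lower-case it and strip trailing digits/punctuation (Cowboys!1 -> cowboys)."""
    return re.sub(r"[\d!@#$%^&*()_\-+=.,;:]+$", "", password).lower()

def is_variant_of_exposed(candidate: str, exposed: str) -> bool:
    """True when the candidate differs from an exposed password only by the
    capital-letter / digit / special-character additions the FAQ describes."""
    base = base_word(candidate)
    return base != "" and base == base_word(exposed)

def exposed_variants(candidate: str, rows):
    """Users whose exposed password the candidate is a trivial variant of."""
    return [user for user, pw, _ in rows if is_variant_of_exposed(candidate, pw)]

def spray_clusters(rows, min_users: int = 3):
    """Group exposures by (password, date) and return those shared by several
    distinct users on one day: the pattern the FAQ attributes to someone
    testing a single password against a series of users."""
    seen = defaultdict(set)
    for user, password, day in rows:
        seen[(password, day)].add(user)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_users}

if __name__ == "__main__":
    print(exposed_variants("Cowboys!1", SAMPLE_ROWS))   # alice's exposed "cowboys"
    print(spray_clusters(SAMPLE_ROWS))                   # Summer2020! on 2021-06-14
```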
IF YOUR PERSONAL DATA IS FOUND ON THE DARK WEB, CAN IT BE REMOVED?
Once the data is posted for sale within the Dark Web, it is quickly copied and distributed (re-sold or traded) to many cyber criminals. It is generally implausible to remove data that has been disseminated within the Dark Web. Individuals whose PII has been discovered on the Dark Web are encouraged to enroll in an identity and credit monitoring service.