alphaspirit - Fotolia
While enterprises are rightly concerned about their data being encrypted and held for ransom by threat actors, a growing chorus of infosec professionals is raising red flags about potential data manipulation attacks.
One such expert, Illumio Inc. co-founder and CTO P.J. Kirner, believes the threat of malicious actors quietly manipulating sensitive data stored within both private and public entities could be as serious, if not more so, than a typical ransomware attack.
Kirner argues that the threat of data manipulation attacks is especially serious considering the lack of proper data protection practices in place at enterprises that could mitigate such threats. Osterman Research recently surveyed more than 200 technology professionals and found that 47% of organizations had not assigned a team or individual to secure databases.
In this Q&A, Kirner discusses how data manipulation attacks could affect enterprises without security teams detecting them, the motivations of the threat actors behind these attacks, and the best ways to defend sensitive data.
Editor's note: This interview has been edited for clarity and length.
What's different about data manipulation attacks compared to other data-centric attacks, like ransomware?
P.J. Kirner: Data manipulation is interesting for a few reasons. One reason has to do with the attack kill chain. First, the attacker must get in the environment, then they do reconnaissance on the environment, and then they exfiltrate the data. Those are the three stages.
Regarding the first stage, there are so many holes that people can use to get into an environment. I'm not saying we lost that battle, but it's a really difficult one.
Then there are the other two battles to fight -- the recon battle and exfiltration battle. With exfiltration, people can sneak data out a lot of different ways, like secret DNS [domain name system] servers. But to get the data out, there are these egress points that you have to go through, and there are controls that can monitor those points.
But with data manipulation attacks, you don't need to do the third stage. There is a higher likelihood that the attackers can accomplish things because there are fewer steps in the process. It also means that with data corruption attacks, the recon stage becomes more important because the attackers have to find where the data they want is.
What is the objective of these types of data manipulation attacks? Can threat actors extort payments from organizations or are corruption attacks less about financial motives and more about finding a quick and easy way to devastate an organization?
Kirner: The ransom angle is definitely there, and people should be worried about that. But what seems a little scary to me is an attack that corrupts the data and people don't know it.
If you look at some of the public attacks, like the one on the central bank of Bangladesh, they weren't data manipulation attacks exactly -- the attackers were able to get money out through the SWIFT system with transfers and transactions. But if you were able to inject code into a source code repository or manipulate financial balances that didn't have proper checks, then it's really hard to detect those things. And that's scarier -- the subtle data manipulation attacks rather than the mass data manipulation attacks that are similar to ransomware.
You're going to know where your data is encrypted or not, but how would you know if nation-state hackers put a backdoor in your source code repository unless you had good controls in that space? There are a number of supply chain security issues that come into play here, too.
On that subject, if an organization's only copy of sensitive data gets encrypted in a ransomware attack, then how would it know whether the data has been altered once the ransom is paid and the data is decrypted?
Kirner: Exactly. And what if it's just been tampered with on a very small scale? If people have backups of their critical data, then you throw away the data that has been encrypted or touched if you are unsure whether it's been tampered [with] or not. You just restore from the backups, and you have confidence in the data.
So, to answer your question, if there are no backups and all of the copies of your data are encrypted, then you wouldn't know.
This is a hard problem. People have lots of access to lots of different things. The critical thing here is the principle of least privilege. We all talk about it, but it's sometimes hard to implement. Limiting access to assets, whether it's machines in the data center or data files, solves a lot of problems, but those security practices are hard to accomplish.
Besides proper backup, what should companies do to prevent data manipulation? Should they do things that would stop a typical ransomware attack or are there other steps they should take?
Kirner: With the WannaCry incident, the ransomware had spread through a Windows SMB [Server Message Block] flaw. And if you set up your environment where anybody can talk to anybody, those kinds of flaws can allow attackers to freely spread throughout the environment. You want to reduce the blast radius.
One of our customers was able to find WannaCry trying to spread in their environment and identify where it was and then begin to shut it down more effectively. Good least privilege-based access controls were able to limit the spread of something like WannaCry.
You have to back up your data, but it's also about limiting the spread of the attack.
Has Illumio seen any examples of these types of attacks so far? Have any customers experienced these threats?
Kirner: I'll say that it's something people have expressed concern about, but often the customers' internal details are [kept from me]. I see concern, but I don't have any specifics.
What types of threat actors do you think are or will be engaging in data manipulation attacks? Is this something that we'll see more of from nation-state actors?
Kirner: I would imagine that's the case. If I want to make a quick buck, I can just do the WannaCry thing and encrypt some data and see what I get. It's a short game.
Subtle modifications of data would have to be a long game that requires an adversary to take a multiyear strategic view. That feels like more nation-state activity than just cybercriminals wanting to make a quick buck.