Too Much Remains Unknown About Data Breaches
Attempts to Accurately Track Breaches and Ransomware Hampered by Scarce Details
Ransomware attacks and data breaches: One thing both have in common, besides the former often causing the latter, is the challenge of attempting to accurately understand their true scale and impact.
A principal problem is that while some organizations report certain types of breaches, their breach notifications often lack useful detail. How they were hacked, exactly what attackers stole and the identity theft risk facing individuals whose details were exposed all remain secret.
Likewise, many organizations never reveal when they've been hit by ransomware, never mind whether they paid a ransom to attackers, and in so doing they help perpetuate the criminal business model.
So what do we know? Well, there's hopeful news on the data breach front. Based on a review of U.S. breaches known to have occurred during the first half of this year, the overall count of victims declined from prior years, reports the Identity Theft Resource Center, a nonprofit organization based in San Diego, California. It provides no-cost assistance to U.S. identity theft victims to help resolve their cases.
"We also see a decrease in the number of publicly reported data breaches and the number of data breaches linked to ransomware attacks," says Eva Velasquez, president and CEO of the ITRC.
The ITRC has so far counted 817 known U.S. data breaches during the first half of the year, with 53.3 million total victims, compared to 1,862 known breaches for all of 2021, with a victim count of 298 million.
Comparing the second quarter of this year to the first quarter, the number of ransomware attacks listed as the cause of a data breach declined by 20%. The quarterly decline is a first since ITRC started tracking ransomware in 2018.
In terms of how organizations get breached, cyberattacks continue to be the leading cause, with business email compromise and phishing - including variants such as SMS phishing - dominating.
Unfortunately, these findings are based on what's known, and much remains unknown. "The declines could be misleading since 40% of the data breach notices issued in the first half of the year did not include basic information like attack vector or victim count," Velasquez says. "Also, these trends could quickly be reversed simply by a few large breaches or a handful of smaller compromises."
How Did Attackers Get In?
Even if businesses fail to publicly detail how they were breached or exactly what was affected, one hopes they at least know such details themselves.
Organizations that fail to understand how they were breached do so at their peril, especially when it comes to ransomware. Indeed, the appearance of crypto-locking malware on systems typically comes at the end of a much longer attack, during which time attackers might have been eavesdropping, stealing data and installing ways of getting back into the network later, says Raj Samani, chief scientist at Rapid7.
"They're getting inside the environment. They're learning about what's happening. They're maintaining persistence, and they'll hit you again and again and again and again, unless you know what's happening," Samani told me in an interview at last month's RSA Conference in San Francisco.
"Especially if you pay, by the way, if you pay, they will come back and hit you, have you pay again, then they'll hit you again and again and again," he says.
Ransomware-wielding attackers pressure victims into paying a ransom as quickly as possible, not least by threatening to name them on the attacker's data leak site and to leak stolen data. So when a victim does as the criminals want and pays quietly, the attackers get their payoff and police are none the wiser about the true scale of the problem.
Cybersecurity firm Group-IB has estimated that 30% of ransomware victims pay a ransom. A recent, self-reported survey of 5,600 midsized organizations conducted by Sophos reported similar figures. Many of these payoffs never come to light.
Some victims who don't pay do end up listed on a dedicated data leak site, if the attackers run one. But not all attackers do, so even nonpayment doesn't reliably bring an attack to light.
Solution: Mandatory, Detailed Reporting
One way to get a better view of the actual impact of data breaches, as well as ransomware attacks, would be legislation that mandates reporting such incidents and specifies the details that must be included, not least to ensure organizations gather those details in the first place.
Legislation in the United States signed into law in March by President Joe Biden requires owners and operators of critical national infrastructure to report "substantial" cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours. Any "covered entity" that makes a ransom payment must also report this to CISA within 24 hours.
Exactly who must disclose incidents to CISA under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and how exhaustive those reports must be, is to be determined through a rule-making process. How much of this information might end up in the public sphere also remains to be seen, although the law already shields industry reports from disclosure under America's open records law, the Freedom of Information Act. Even so, such information can and will help the FBI and U.S. allies better track, combat and disrupt ransomware and other types of cybercrime.
This is crucial information for helping an organization avoid repeat attacks and helping authorities understand how attackers are operating, to better combat them. If organizations won't gather and share this information on their own, for the good of us all, why not require them to do so?