COMMENTARY

One of the standard cybersecurity tools today is to relentlessly check the Dark Web - the preferred workplace for bad guys globally - for any hints that your enterprise's secrets and other intellectual property have been exfiltrated.
It could be that the data was grabbed from a corporate cloud site, a shadow cloud site, the home laptop from an employee, a corporate backup company, a corporate disaster recovery firm, a smartphone, a supply chain partner, or even a thumb drive that was stolen from a car.
When dealing with routine intellectual property - including customer personally identifiable information, healthcare data, payment card credentials, or the blueprints for a military weapons system - learning that some version of it has been captured is helpful.
If everything is being tracked and logged properly, your team might discover that the secrets found on the Dark Web have already been deactivated as a matter of routine.
That said, most enterprises track the Dark Web without the coding or other tracking details needed to determine the appropriate next steps if and when they find something.
Getting the Details Right

Most CISOs understand that discovering secrets on the Dark Web means that they are compromised.
This might even extend to making regulatory compliance disclosures - including the European Union's General Data Protection Regulation and the Securities and Exchange Commission's cybersecurity requirements - based on flawed assumptions.
The life cycle of a secret on the Dark Web - its value, usage, and relevance - changes over time.
Monitoring the Dark Web, understanding whether your secrets are there, and attaching metadata and context to those secrets is the key to understanding which secrets are currently valuable to attackers and require immediate action.
The Danger of False Assumptions

The situation is slightly different when the discovered material is sensitive data files, especially highly regulated data such as personally identifiable information, healthcare, and financial data.
Once it is established that the data did indeed somehow get taken from your company's systems, we have to go back to the coding.
Every time the data is copied and shared, it can be traced back using logs and metadata enrichments to determine how, why, and when it was stolen.
If that key has already expired, you probably don't care if it's on the Dark Web.
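The triage the commentary describes (a discovered secret is only worth an incident if its metadata says it is still live, and the access trail around it tells you how and when it left) can be turned into a small inventory check. The following is an added example, not code from the commentary or from Dark Reading; the inventory layout, the field names, the sample secrets and the access-log events are all constructed assumptions. Secrets are keyed by SHA-256 digest so the inventory itself never stores a secret value.

```python
"""Triage a secret spotted on a dark-web listing against a tagged inventory.

Added example (not from the Dark Reading commentary). The inventory layout,
field names, sample records and log events below are constructed assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def fingerprint(secret: str) -> str:
    """Digest of the secret value; the inventory holds digests, never secrets."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class SecretRecord:
    """Metadata ('coding') attached to a secret when it is issued."""
    secret_id: str
    owner: str                    # system or team that holds the secret
    kind: str                     # e.g. "machine-credential", "api-key"
    issued: datetime
    expires: Optional[datetime]   # None means no fixed expiry
    rotated: Optional[datetime]   # when the value was replaced, if ever


def ts(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample inventory, keyed by digest of the secret value.
INVENTORY = {
    fingerprint("svc-build-TOKEN-2023"): SecretRecord(
        "sec-001", "ci-builder", "machine-credential",
        ts("2023-01-10T00:00:00"), ts("2023-07-10T00:00:00"), ts("2023-06-30T00:00:00")),
    fingerprint("api-key-payments-LIVE"): SecretRecord(
        "sec-002", "payments-gw", "api-key",
        ts("2024-02-01T00:00:00"), None, None),
}

# Constructed access-log events: (timestamp, secret_id, actor, source system).
ACCESS_LOG = [
    (ts("2024-03-01T09:12:00"), "sec-002", "deploy-bot", "vault"),
    (ts("2024-03-09T22:41:00"), "sec-002", "jdoe-laptop", "backup-share"),
    (ts("2024-03-12T03:05:00"), "sec-001", "ci-runner-7", "vault"),
]


def triage(observed_secret: str, seen_at: datetime,
           inventory=INVENTORY, access_log=ACCESS_LOG, lookback_days: int = 30) -> dict:
    """Classify a secret seen on a listing at `seen_at` and recommend an action.

    - unknown:      not in the inventory (not ours, or noise); log and move on.
    - deactivated:  already expired or rotated; confirm it is dead, no rotation needed.
    - live:         still valid; revoke and rotate, then use the access trail
                    from the lookback window to work out how and when it left.
    """
    rec = inventory.get(fingerprint(observed_secret))
    if rec is None:
        return {"status": "unknown", "action": "log-only", "secret_id": None, "trail": []}

    already_dead = rec.rotated is not None or (rec.expires is not None and rec.expires <= seen_at)
    if already_dead:
        return {"status": "deactivated", "action": "confirm-dead-and-close",
                "secret_id": rec.secret_id, "owner": rec.owner, "trail": []}

    window_start = seen_at - timedelta(days=lookback_days)
    trail = sorted(e for e in access_log
                   if e[1] == rec.secret_id and window_start <= e[0] <= seen_at)
    return {"status": "live", "action": "revoke-rotate-and-assess-disclosure",
            "secret_id": rec.secret_id, "owner": rec.owner, "kind": rec.kind,
            "age_days": (seen_at - rec.issued).days, "trail": trail}


if __name__ == "__main__":
    seen = ts("2024-03-15T12:00:00")
    for candidate in ("svc-build-TOKEN-2023", "api-key-payments-LIVE", "not-ours-at-all"):
        print(candidate, "->", triage(candidate, seen))
```

The point of the three outcomes is the one the commentary makes: the expired build token produces no incident even though it is "on the Dark Web", the live payments key does, and the trail for the live key (a copy read from a backup share by a laptop six days before the listing) is what tells the responders where to look first. Without the issued/expires/rotated tags on each record, all three candidates would look the same.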
From the thief's perspective, that is the most valuable data possible.
If you do that aggressively, you should have a heads-up about a stolen machine credential long before it finds its way to the Dark Web and is sold to the highest bidder.
Another best practice is to routinely bombard the Dark Web - and other dens of evil-doers - with bogus files to add far more noise to the equation.
This might make some discriminating bad guys avoid your data entirely if they aren't sure whether it's valid or not.
The bottom line: Tracking everything on the Dark Web is mission critical.
If you have not tagged all of your sensitive data beforehand, your team may make decisions that are the polar opposite of what they should be.
On the Dark Web, stolen secrets are your enemy, and tons of context your friend.
Published on www.darkreading.com. Publication date: Mon, 18 Mar 2024 14:05:09 +0000