By Tim Bandos, VP of Cybersecurity, Digital Guardian
Conventional wisdom says that once an attacker is in the system, moving laterally from network to network, the damage is already done. The adversary has found a way in and more than likely identified the data they’re after. They simply need to exfiltrate it—the last step of the kill chain―to land the final blow.
In some scenarios, however, it’s what the attacker doesn’t do that could have a more devastating outcome on the enterprise.
Data manipulation attacks—attacks in which adversaries don’t take data but instead make subtle, stealthy tweaks to data usually to elicit some type of gain―can be just as, if not more crippling for organizations than theft. The ability of attackers to manipulate and shift data around is a real threat, one that could cause widespread financial and even physical harm, if done successfully.
Consider the stock market. Hypothetically speaking, if an attacker were to successfully breach the IT systems and databases responsible for updating a stock ticker symbol and manipulate data to show a billion-dollar tech giant like Apple, Microsoft, Google, or Amazon taking a nosedive, it would cause immediate chaos, and panic would ensue. It could result in people selling off their stocks in a frenzy—the culmination of a deliberate and effective attack.
Data manipulation attacks don’t always have to result in tangible financial gain. If an attacker managed to carry out a similar attack against health record information for patients in hospitals and altered critical data like drug dosages and prescriptions that need to be administered, it could result in sickness or even death.
These types of attacks are commonly carried out by malicious insiders, individuals who have privileged access to critical data in the first place. If an insider got their hands on blueprints for a manufacturing facility that was being built, they could make minor modifications to drawings that could set the organization up for systemic failure. Understated and difficult to detect, an attack like this could ultimately put a company out of business and give a competitor, perhaps in a nation-state, the ability to take over market share. I’ve seen this play out firsthand. When you have a ‘trusted’ insider as the culprit, it makes it all that more difficult to detect and track down.
Attackers like data manipulation attacks because they’re hard to detect and they undermine trust and confidence; if there’s no way to verify that data, like blueprints, documents, or source code are legitimate, it can erode trust from the inside out. Attacks that compromise integrity can jeopardize an entire supply chain. It only takes one flaw, far down a chain, to disrupt or delay the production of goods in an organization’s cash flow.
Carmaker Tesla sued a former employee last summer after CEO Elon Musk alleged the insider stole confidential and trade secret information after he failed to get a promotion. While the employee purportedly exported gigabytes of confidential data, he also made changes to the Tesla Manufacturing Operating System, the set of basic commands for Tesla’s manufacturing lines―under false usernames—apparently in an act of sabotage. Manipulating sensitive data, like source code, isn’t flashy but is something that can cause the market to slowly unravel over time.
For organizations, it’s inevitable that attackers will take data; it’s more of a challenge to determine when an attacker makes a small change to data, then leaves the scene of the crime. For threat hunters, from a digital forensic perspective, there’s typically always a trace left behind. Anomalies in system logs edit to files at suspicious times, and alarms on threat signatures to detect suspicious techniques and malicious behavior can be telltale signs of data manipulation.
To combat these types of attacks, organizations need to ensure they have endpoint visibility on their IT systems. If an outsider successfully penetrates a network, they’ll need to move laterally through the environment to find the data they’re after. It’s critical for incident responders or threat hunters to be able to follow in their proverbial forensic footsteps, to proactively hunt and detect this type of activity before something irreversible is done.
The MITRE ATT&CK Framework has generated buzz about across the industry lately for good reason. The knowledge base―a living, breathing breakdown of adversary TTPs and behaviors—outlines in great detail each phase of a cyber attack and the best methods for detecting and mitigating each technique. The framework can greatly help threat hunters looking to speed up their hunting cycle.
While attackers may not necessarily leave the endpoint with data in these types of attacks, organizations would benefit from using endpoint detection and response tools to gain better visibility into behaviors and data movement. Organizations can also use file integrity monitoring solutions to identify and track real-time changes to files, folders, and other settings. Logging activity can also help but it’s not a silver bullet. IT teams need to develop internal controls to audit this information and ensure they constantly have eyes on the glass, triaging logs generated by their environment.
Data manipulation attacks can have disastrous consequences and cause significant disruption to a business, country, or even the world in some circumstances. Being prepared is the first step to potentially limiting or preventing the impact of these attacks.
About the author
Tim Bandos is Vice President of Cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm with a heavy focus on Internal Controls, Incident Response & Threat Intelligence.