C-level briefing: Should companies be worried about data exfiltration?
With recent Infoblox research finding that the first quarter of 2016 saw a 3500 percent increase in creation of ransomware domains compared to the year before and a slew of stories hitting the headlines, it wouldn’t be an exaggeration to call 2016 the year of ransomware.
Why is this? Infoblox CEO Jesper Andersen says he fears that ransomware as a criminal industry has not yet reached maturity and will continue to grow.
Yet, a number of factors have come together for ransomware to become a central focus in a way it hasn’t been before.
Ransomware is malware that encrypts files on a victim's device and forces them to pay a ransom to the attacker before they can access the files.
“There has been a fair bit published about it, with very public cases of companies and organisations that have had to pay a fair amount of money to unlock their files so they can go on with their business,” says Andersen.
He says that because everybody reads about ransomware, including wannabe cyber criminals, it is self-fulfilling.
“When you research it a little bit further, you find that the exploit kits that you can buy or rent on the dark net or public internet make it really easy for a young cyber criminal sitting at home to create ransomware.
“It’s proving to be quite lucrative. Generally, the social nature of the internet is good for sharing but it can be used in bad ways too.”
The fact that a cyber criminal can simply build to order ransomware and launch a crippling attack on a company has been a big factor in its proliferation.
As for its relatively high profile as a type of cyber attack, this is driven partly by the fact that it can happen to any consumer. In addition, the high-profile attacks on video streaming site Pirate Bay in April and on Los Angeles hospital Hollywood Presbyterian Medical Center in February have given ransomware celebrity status.
At the same time, Andersen says, companies are at risk of being bamboozled by an army of vendors that claim to have the solutions.
This week, for example, scientists at the University of Florida claim to have developed software called CrypyoDrop that can detect ransomware in action and prevent it from completing its task.
Infoblox sells a firewall that can compare URLs with blacklists of all the threat intelligence that they pick up. Since ransomware requires communication with a command and control server with Domain Name System (DNS) servers being included in every call, the company can monitor DNS traffic to detect possible ransomware operations.
Detecting this kind of traffic involves using contextual knowledge, such as how recently a URL was created, alongside intelligence about specific threats, such as the URls that have previously been linked to malware.
However, if ransomware is the threat for this year, Andersen says that the potentially more sinister threat of data exfiltration is looming on the horizon.
Data exfiltration means that the data is stolen from the company rather than simply encrypted, as in a ransomware attack.
He reasons that the ransom in ransomware is intentionally priced at an affordable level.
With data exfiltration, on the other hand, the costs could be catastrophic.
“If you have a whole company and a whole product that you’ve built, someone could steal your patented applications and designs,” says Andersen.
He cites Coca-Cola or Lego as companies that could be crippled by such data theft.
More worryingly, the techniques used in data exfiltration are becoming more sophisticated, says Andersen.
“Nowadays if people steal a word document, the malware on the server can cut it into lots of different pieces, encode them so that you can’t see it is a word document and stick it in the header of a DNS query.”
This will allow a sensitive word document to get through a DNS server to be reconstructed at the other end.
Unlike with ransomware, though, data exfiltration will keep the victims in the dark as much as possible
The initial infection might be the same: clicking a dodgy link or opening a malware-infected document.
But unlike with ransomware, says Andersen, “the objective for them is to remain hidden as long as possible. They want the company to never know that they infected them.”
For the time being, tackling ransomware should be a priority. But of Andersen is correct, data exfiltration might be the next threat and companies should get ahead of it before it becomes the next buzzphrase of the year.