In all of the noise surrounding security events, it can be hard for organizations to figure out what really matters or who to listen to. In some cases, news outlets grab unhelpful pieces of stand-alone data out of context to create a talking point that will make their readers click out of concern (and, unfortunately, it works). A recent news article, for example, pulled a single piece of information from a traditional threat intelligence vendor report that noted some cyber criminals disagree with the use of ransomware on hospitals. What’s the story there, we ask ourselves? Criminals are not indiscriminately criminal? People have personal morals? Someone, somewhere said something on the internet? This isn’t news, and it distracts from real security issues on which organizations should focus.
In other instances, the unhelpful headlines are simply due to misattribution. Misattribution is an easy thing; an organization or outlet thinks it recognizes the source of data and jumps to a conclusion about the source of the leak. We saw this happen with the major webmail ‘leak’ that made headlines last month. What was presented as a major breach of security at each of the major webmail providers was, it turns out, more likely to be an amalgamation of credentials gathered from various sources and dumps over many years.
More recently in the news was the misattributed Dropbox breach that supposedly impacted more than 100,000,000 users. As Brian Krebs reported, those accounts were mistakenly tagged as Dropbox accounts when they were, in fact, Tumblr accounts. An identity monitoring firm mistakenly determined the credentials matched users’ Dropbox accounts, and sent out notifications alerting users to a Dropbox breach. This simply wasn’t the case.
So, how do we solve the problem of misattribution? We see a huge number of unattributed (or, potentially misattributed) credentials every day. It’s not difficult for someone to grab a set of leaked credentials and claim they belong to a particular site or service. How do you know where the information came from? How do you find the leak?
Organizations need to rely on their own data. That’s one of the reasons we built Matchlight: to create a fully private, fully automated system that allows organizations to know when their information –- and specifically their information – appears online. Even in an instance where Dropbox customers may have had their credentials impacted by a Tumblr breach, Dropbox would have been able to review the matches on their customer information from Matchlight and identify whether or not the list originated from their systems. That information, combined with their own common sense and further investigation (e.g., looking for unusual traffic or login attempts) would alert them to any need for concern on their customer data.
Tying alerts directly to client data is what makes intelligence truly actionable.