Fighting Exfiltration with Data Classification and Encryption
As threat actors continue to launch blistering ransomware attacks, organizations that focus on healthcare and critical infrastructure are getting hammered particularly hard. In the worst cases, attackers exfiltrate and leak the data they’re holding hostage.
In one recent example, REvil threat actors posted data from the New Jersey Dental Hygienist Association (NJDHA) and Beacon Health Solutions while the Clop ransomware hacking group did the same with data from Nova Biomedical, a manufacturer of blood testing analysis technology. The leaked data included employee Social Security numbers, birth dates and ages, hiring dates and contact details.
Meanwhile, the FBI’s Cyber Division warned its private-industry partners of increased Ragnar Locker ransomware activity. The ransomware was used in an attack in April, when Energias de Portugal (EDP) -- one of the largest European energy sector operators with over 11,500 employees that delivers energy to more than 11 million customers in 19 countries on 4 continents -- was targeted. The attackers exfiltrated 10TB of confidential information on billing, contracts, transactions, clients, and partners. Also stolen was a KeePass password manager database export with EDP employees' login names, passwords, accounts, URLs, and notes.
In cases like these, data classification -- combined with strong encryption -- can make a significant difference.
This article explains:
- Why ransomware has been so severe in those industries,
- How the right mix of data classification and encryption can help block future attacks, and
- How Atakama works to help customers achieve a more effective balance between the two and, in the process, a stronger defense.
Why So Vulnerable?
Healthcare and critical infrastructure organizations are particularly vulnerable because they often lack the resources of companies in such industries as banking and finance, where security teams tend to be larger and often have more budget to spend on high-end security solutions.
With tighter budgets and smaller security teams, healthcare and infrastructure entities often run on antiquated, misconfigured systems, and the ransomware of 2020 was just the latest in a long history of attacks.
During the 2017 WannaCry onslaught, for example, attackers heavily targeted hospital systems in the UK that were still running Windows 7 and were unpatched against a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks.
Since then, attack techniques have grown in sophistication and data has become tougher to track, classify and protect as organizations become increasingly cloud based amid the frantic pivot to remote operations during the pandemic.
Data Classification and Encryption: A Symbiotic Relationship
In the effort to keep tighter reins on the flow of digital assets, data classification can help. But it is insufficient by itself. Organizations need strong encryption alongside it.
Data classification helps organizations understand the specific types of information they store and where it is located. It is essential in helping companies develop and manage governance, risk and compliance procedures and prioritize security measures and budget requests. The accuracy at the heart of data classification and identification tools allows organizations to eliminate end-user error and take advantage of protection that is optimized for the sensitivity of their data.
Once an organization has a fix on its data flow, it can apply encryption more effectively.
Researchers from a variety of organizations have explored the importance of data classification and encryption and their findings are well documented.
In one example, researchers from Carnegie Mellon University’s Software Engineering Institute (SEI) included the benefits in an article about 3 ransomware defense strategies organizations should be implementing. The third strategy in the article stresses the importance of properly accounting for one’s high-value assets and where they reside. The analysis noted the changing nature of ransomware techniques and how defenses that were considered adequate even a couple years ago no longer cut it. Data back-ups are one such example.
“Even if your company has data backups and is able to recover and respond to a typical ransomware attack that encrypts your files, without proper data encryption measures, organizations are still vulnerable to a data exfiltration attack,” the SEI explained in its analysis. “At this time, the only reasonable mitigation is to strongly encrypt data at rest that might, for your organization, justify paying a ransom. By incorporating strong data encryption on sensitive data, the stolen data is unrecognizable and not usable.”
How Atakama Combines Classification and Encryption
To provide its customers with data classification, Atakama works in partnership with leading vendors in the space.
After their data classification tools scan and tag the data, Atakama encrypts it. Here’s how the process works:
- Clients choose the discovery and classification tool they want to use.
- The tool they select scans and identifies sensitive data.
- That data is tagged with company-specific policies.
- Immediately upon application of the tag, Atakama encrypts files per policy regardless of where the data is stored, thereby making the data accessible to Atakama-enabled users only, and rendering the data useless to an attacker.
The Broader Atakama Approach
The average security team understands by now that a common way to protect sensitive data is to restrict access to only the specific individuals that require it. Rights management or encryption tools define groups based on their department, role, location or something like security clearance.
Encryption solutions keep prying eyes away from unauthorized data.
Data classification helps ensure that encryption is applied everywhere it is needed and ensures the process is more accurate and complete -- with no data left unaccounted for.
Traditional encryption solutions depend heavily on identity and access management controls. Login credentials, which allow authorized users to access encrypted data, represent a single point of failure.
Atakama enables the encryption of files at a granular level without reliance on usernames and passwords.
Atakama encrypts at the file level, with each file receiving its own unique 256-bit AES key. Each key is then fragmented into “shards,” with the shards distributed across physically separate devices, including, but not limited to, users’ workstations and their smartphones. The single point of failure has been removed and the data remains accessible only by those individuals or groups it is intended for. And Atakama accomplishes all of this without disrupting existing workflows or creating user friction.
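An added illustration of tagged files each getting a unique key that is split into shards across devices (this is not Atakama's code or algorithm; the article does not say how keys are fragmented). It assumes simple XOR splitting in which every shard is required, and the tag names, file paths and device names are constructed.

```python
import secrets
from functools import reduce

KEY_BYTES = 32                  # 256-bit per-file key, the size the article names
ENCRYPT_TAGS = {"PII", "PHI"}   # constructed policy: tags that trigger encryption

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n: int) -> list:
    """Split key into n shards; all n are needed to rebuild it (assumed scheme)."""
    if n < 2:
        raise ValueError("need at least two shards")
    shards = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    # Last shard = key XOR all random shards, so XOR-ing every shard yields the key.
    shards.append(reduce(xor_bytes, shards, key))
    return shards

def combine_shards(shards: list) -> bytes:
    """Rebuild the key; with any shard missing the result is unrelated random bytes."""
    return reduce(xor_bytes, shards)

def shard_tagged_files(tags: dict, devices: list) -> dict:
    """Give each file carrying a policy tag its own key, split across the devices.

    Returns {path: (key, {device: shard})}. The key is returned only so the demo
    can check reconstruction; a real system would encrypt the file with it and
    retain nothing but the shards.
    """
    out = {}
    for path, tag in tags.items():
        if tag in ENCRYPT_TAGS:
            key = secrets.token_bytes(KEY_BYTES)
            out[path] = (key, dict(zip(devices, split_key(key, len(devices)))))
    return out

# Constructed sample input: classification tags and one user's two devices.
SAMPLE_TAGS = {"hr/payroll.xlsx": "PII", "lab/results.csv": "PHI", "menu.txt": "PUBLIC"}
SAMPLE_DEVICES = ["workstation", "smartphone"]

if __name__ == "__main__":
    for path, (key, placed) in shard_tagged_files(SAMPLE_TAGS, SAMPLE_DEVICES).items():
        rebuilt = combine_shards(list(placed.values()))
        print(path, "rebuilt from all shards:", rebuilt == key)
```

With this scheme a single stolen shard, such as one copied from a compromised workstation, is statistically independent of the key, which is the property the paragraph above relies on.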
By seamlessly integrating with leading data classification tools, Atakama helps organizations stay ahead of shifts in the modern threat landscape by delivering solutions that focus directly on the data without reliance on an increasingly porous perimeter.
Compatibility and Outreach
Atakama solutions are compatible with network and cloud storage services including Box, Dropbox, Google Drive and OneDrive.
Request a live demo with one of our engineers to see how Atakama can protect you from exfiltrative extortive ransomware.