Alastair Paterson, Digital Shadows: criminals capitalize on the confusion
Cybercrime is rising across the globe, with financial losses estimated at $6 trillion by the end of this year alone. There has never been a better time to start thinking seriously about cybersecurity, yet many enterprises are still struggling to establish appropriate defenses.
It’s hardly surprising that cybercriminals have used the pandemic to exploit fears and vulnerabilities during the global shift to remote work. With a growing number of companies struggling to adapt to the new environment, the risk of becoming a ransomware target increases. However, there are measures businesses can take to help prevent such incidents.
We have reached out to Alastair Paterson, co-founder and CEO at Digital Shadows, to learn more about the current cybersecurity landscape and understand how companies can efficiently protect themselves from cybercrime.
You recently celebrated the 10th anniversary of Digital Shadows. What was the journey like?
It seems like a long time since we started from a kitchen table in London back in 2011, that’s for sure! The early years were spent refining the product and proposition. We instinctively knew that the digital footprints of organizations generally were rising exponentially. Cloud computing was taking off, as were social media and e-commerce. The perimeter that had never really existed between a company and the outside world had completely broken down with outsourcing and virtual teams becoming the ‘norm.’ So, we knew that organizations were becoming increasingly exposed, but we just had to find a way to solve the challenge. We had several big ‘breaks.’ Securing seed funding helped us on our way but becoming part of the inaugural Accenture FinTech Innovation Lab in London was a game-changer.
It gave us an office in Canary Wharf but, more importantly, access to potential expert clients at the top banks who really helped us fine-tune our offering. Securing our ‘Series A’ in 2015 was massive for us and enabled our expansion to the US – half our clients and staff are now based there. Moves to Singapore and Germany followed thereafter.
The industry we helped to define now looks very different than it did ten years ago. It’s been exciting to see Digital Risk Protection being widely adopted by security teams of all sizes. By adding new delivery channels (particularly our valued MSSP partners), we have grown to support more than 400 customers across the world.
You take pride in your Searchlight solution. Can you tell us more about this service?
SearchLight protects against external threats, continually identifying where our clients’ assets are exposed, providing sufficient context to understand the risks and options for remediation. We think it’s different from other solutions on the market because it doesn’t just cover the dark web or social media but also looks at the deep web (sites on the open web but behind a registration) and the open web. It often surprises people that we track just as much criminal activity on the open web as on the dark web, so it’s very important to analyze all platforms where cybercriminals may collaborate.
But as much as it is a highly technical solution, it’s backed up by human expertise. Our analysts come from all corners of the globe and have native language expertise – this is vital to understanding the nuances in how criminals communicate. Because they vet a large number of alerts, our clients only receive the ones that require their attention. It’s more valuable for clients to receive fewer, meaningful alerts rather than an overwhelming volume of meaningless ones. We pride ourselves on being an extension of our clients’ teams, providing context, remediation options, and assisting with takedowns.
More recently, we’ve introduced new forms of automation within our portal that are focused on saving teams even more time responding to external threats.
Were there any new threats that you had to adapt to as a result of the pandemic?
Criminals capitalize on the confusion and disruption to processes, and the pandemic continues to offer plenty of that. It’s perhaps not ‘new’ threats as such, but a greater ability to carry out existing attacks. For instance, Business Email Compromise gets easier to commit. If you’re an employee in finance asked to authorize a wire transfer from your CEO, then you can’t walk up to them and ask, ‘Is this OK?’ Same if you get an email from ‘IT support’ or similar.
Second, we noticed an explosion in fake PPE, COVID-19 ‘cures’, vaccines, and vaccination certificates on criminal forums throughout the pandemic. Not a ‘threat’ to our clients as such but a depressingly predictable potential danger to the public.
We have seen a significant uptick in ransomware attacks which have, in part, been facilitated by the increased use of vulnerable remote services. Unfortunately, we’ve reported on thousands of ransomware victims who have had their data exposed on dark web forums. It’s not going to slow down any time soon, either.
We’ve looked to provide new ways to help customers during this challenging time. For example, last year, we released a package specifically designed to combat risks related to the unique threats associated with remote work.
Tell us more about the recent spike in social media fraud. Are these channels usually used to target individuals, or can they also do harm to a business?
Absolutely they can. Impersonation of companies on social media is rife. Criminals will often establish fake ‘customer service’ accounts on social media that can look very professional. They’re then only one step away from ‘DM’ing’ a customer and encouraging them to part with their password or other credentials.
This is something that has been widely reported on, and there are even words of caution from government bodies that aim to raise awareness of these risks. In April this year, it was reported that tens of thousands of UK nationals were targeted on LinkedIn by fake profiles.
Several company CEOs have had their Twitter accounts compromised and used to promote a variety of scams.
You mention brand protection a lot. Why is it important, and what’s the worst that can happen when one’s brand is compromised?
For most organizations, their brand(s) are everything. They will have spent years and a significant proportion of their revenue cultivating them and establishing their reputation and trust with their customers. Cybercriminals can tarnish this painstaking process in just a few hours. Brands are attractive to cybercriminals because they know that consumers naturally associate a level of trust with them. Spoofing a brand is, unfortunately, quite easy to do. Fake domains can be registered in seconds, with few checks and for very little outlay. Experienced criminals can clone a website without great difficulty, and indeed, ‘off the shelf’ tools exist on many criminal marketplaces to enable them to do this. Those fake websites then have a window of opportunity to trick consumers until they can be spotted and taken down. Spotting them quickly and initiating this process is key.
But of course, it’s not just fake websites. Social media handles can be spoofed the same way, executives can be impersonated, and so on. The most popular brands are high-value targets for ongoing cyberattacks, including ransomware, DDoS, and data breaches. What’s the worst that can happen? Of course, it depends on the incident. In the worst data breach incident, the firm could go out of business. Equally, their share prices can take a huge hit, and they can incur heavy fines from regulators. In terms of impersonation, millions of customers’ financial information could be at stake, and they could incur financial losses. Yet, it’s important to say that brands are resilient. They can recover provided the right steps are taken, but it can take time and involve ownership and management team changes.
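The answer above describes how quickly a lookalike domain can be registered and how important it is to spot it early. The following is an added example of the kind of check a security team can run itself; it is not Digital Shadows’ SearchLight code. It generates the typosquat variants most often seen in brand impersonation (omitted, transposed and repeated characters, homoglyphs such as `rn` for `m`, support/login affixes, and TLD swaps) and matches them against a feed of newly observed domains. The brand `examplebank`, the substitution table, the TLD list and the feed are all assumptions constructed for illustration; in practice the feed would come from certificate transparency logs or zone-file diffs.

```python
"""Lookalike-domain detector: generates common typosquat variants of a brand
domain and flags any that appear in a feed of newly observed domains.

Added example, not SearchLight code. The brand, substitution table and the
feed below are constructed for illustration; a real deployment would consume
certificate transparency logs or zone-file diffs instead.
"""
from __future__ import annotations

# Homoglyph and look-alike substitutions commonly used in spoofed domains (assumed table).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"], "g": ["q"], "d": ["cl"],
}
# TLDs to try when the criminal keeps the label and changes the suffix (assumed list).
TLDS = ["com", "net", "org", "co", "io", "support"]


def variants(brand: str, tld: str = "com") -> dict[str, str]:
    """Return {candidate_domain: technique} for common typosquat transformations."""
    out: dict[str, str] = {}

    def add(label: str, kind: str) -> None:
        # Never flag the legitimate label itself; first technique to produce a string wins.
        if label and label != brand:
            out.setdefault(f"{label}.{tld}", kind)

    # Omission: drop one character.
    for i in range(len(brand)):
        add(brand[:i] + brand[i + 1:], "omission")
    # Transposition: swap two adjacent characters.
    for i in range(len(brand) - 1):
        add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:], "transposition")
    # Repetition: double one character.
    for i in range(len(brand)):
        add(brand[:i + 1] + brand[i] + brand[i + 1:], "repetition")
    # Homoglyph: replace one character with a look-alike sequence.
    for i, ch in enumerate(brand):
        for sub in HOMOGLYPHS.get(ch, []):
            add(brand[:i] + sub + brand[i + 1:], "homoglyph")
    # Affixes that impersonate support or login portals.
    for word in ("support", "login", "secure", "help"):
        add(f"{brand}-{word}", "affix")
        add(f"{word}-{brand}", "affix")
    # TLD swap keeps the label but changes the suffix.
    for other in TLDS:
        if other != tld:
            out.setdefault(f"{brand}.{other}", "tld-swap")
    return out


def find_lookalikes(brand: str, tld: str, observed: list[str]) -> list[tuple[str, str]]:
    """Match observed domains (lower-cased, 'www.' stripped) against the variant set."""
    cands = variants(brand, tld)
    hits = []
    for d in observed:
        d = d.strip().lower()
        if d.startswith("www."):
            d = d[4:]
        if d in cands:
            hits.append((d, cands[d]))
    return sorted(hits)


# Constructed feed of "newly observed" domains (not real data).
OBSERVED_FEED = [
    "examplebank.com",           # the legitimate domain, must not be flagged
    "exarnplebank.com",          # rn -> m homoglyph
    "examplebank-support.com",   # fake 'customer service' portal
    "exmaplebank.com",           # transposition
    "examplebank.co",            # TLD swap
    "unrelated-shop.net",
]

if __name__ == "__main__":
    for domain, kind in find_lookalikes("examplebank", "com", OBSERVED_FEED):
        print(f"{domain:32} {kind}")
```

The variant set is deliberately small and cheap to compute, so it can be re-run against each day’s feed; hits are the domains worth prioritising for a takedown request, while the legitimate domain itself is excluded by construction.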
The research team at Digital Shadows highlights ransomware in the latest cyber-threat report. What are the main trends when it comes to this type of threat, and what can we expect to see in the near future?
The biggest trend over the last two years or so has been the emergence of double-extortion tactics – criminals don’t just encrypt a firm’s data; they steal it and threaten to leak it. This started with the Maze ransomware group, which introduced the data leak site concept. This trend has been adopted by a large portion of active ransomware groups. These pages are often hosted on the dark web and are utilized by threat actors to name their victims publicly and release data stolen during a ransomware attack.
Digital Shadows has reported nearly 2,600 victims who have been named to a data leak site (DLS) since the broader ransomware landscape adopted the tactic. In the early part of the year, we saw the so-called ‘disappearance’ of a few different ransomware operations, but it is difficult to identify whether the groups simply went into hiding, were arrested, rebranded, or are now operating with a different ransomware group. In the aftermath of the Colonial Pipeline incident, the ‘heat’ was certainly on these groups – even up to the presidential level. Now, however, groups might feel this has dimmed somewhat and have increased confidence to ramp up their operations once again.
It’s such a lucrative business, and ransomware operators are enabled by the growth of initial access brokers – cybercriminals who dedicate their time to simply break into organizations and sell the access to them. There is every reason to predict that threat actors will likely continue to operate brazenly through the rest of the year and beyond, giving limited thought as to who they are targeting and more to how much money they might make.
Besides more conventional methods, you also research the dark web forums to improve your services. Can you tell us more about this practice? What are these forums like?
Firstly, it’s very important to clarify that not all criminal forums and marketplaces are on the dark web. Many exist on the regular ‘open web.’ Others are on the ‘deep web’ – they will be behind a registration wall, but you can still find them on the open web. And yes, there is the ‘dark web’ – you need a special browser, normally Tor, to access it, and the content is anonymized. Broadly speaking, criminals ‘hang out’ within two different kinds of services. Forums are meeting places where criminals meet to chat and discuss topics. They might share knowledge but also the tools they use. There will be advertisements for criminal wares such as malware and tool kits. Then, there are marketplaces. These are more transactional, with feedback systems like those on the legitimate auction sites that we’re all familiar with. A wide variety of goods will be traded – everything from drugs and guns to malware and ‘how to’ guides. We’ve even seen online courses for various types of cybercrime delivered like online university modules!
The dark web is difficult to search. It is not indexed like the open web, and sites appear and disappear with great regularity. Therefore, it’s quite difficult for an organization to keep up with what is going on. They might not know that (for example) a ‘dump’ of their customers' data has suddenly gone up for sale or that criminals might openly be discussing how to infiltrate their organizations. That’s where companies like Digital Shadows come in. We’ve developed a tool that can search for this info and alert them quickly about any such danger. We support the technology with a team of incredibly smart multi-linguists who gain access to new closed sources and ensure we’re keeping up to date with the latest places where cybercriminals lurk.
Getting on top of this quickly is key. It becomes much easier to remediate an issue or even prevent an incident if you find it early.
What are the key measures businesses should take to avoid threats before it is too late?
Think like an attacker. Firms should continually put themselves in an attacker’s shoes and take an ‘outside’ perspective of their organization. They should start by conducting searches for where they might have data exposed. It’s very common for organizations to accidentally leak data. When we last ran a study, Digital Shadows detected 2.3 billion files exposed across SMB-enabled file shares, misconfigured network-attached storage (NAS) devices, File Transfer Protocol (FTP) and rsync servers, and Amazon S3 buckets. It’s there accidentally, but in the wrong hands, it could be dangerous.
Similarly, Digital Shadows has discovered 25 billion exposed credentials – that is, usernames and passwords across the open, deep, and dark web. Any one of them could represent a way of infiltrating an organization. They’re out there now but can be found by the companies affected and changed, hence nullifying the threat. Many attacks result from using these passwords to gain access to a target, so resetting these credentials as if they were exposed is critical.
There is no substitute for being proactive – firms must find these threats before they can impact them. Detect all forms of digital risk, including the spoofed websites and social media handles we talked about earlier. It’s a big job, but thinking like a cybercriminal is the best way to understand their mindset and defeat them. Most cybercriminals just want to make money, so if you make it harder and more expensive for them to target you, most will simply move on to an easier target.
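The answer above recommends finding your organization’s exposed credentials and resetting them before an attacker uses them. The following is an added example of how a security team can triage a leaked ‘combo list’ against its own identity store; it is not Digital Shadows’ code. It parses `email:password` lines, keeps only mailboxes on the organization’s domains, and verifies each leaked password against the stored salted PBKDF2 hash, so the team learns which accounts still use the leaked password (reset now), which merely appear in the dump (notify the user), and which do not exist (stale or fabricated entries). The org domains, the dump, the directory contents and the PBKDF2 parameters are assumptions constructed for illustration.

```python
"""Triage a leaked credential dump against an organization's own directory.

Added example, not Digital Shadows code. ORG_DOMAINS, the dump and the
directory below are constructed; real password hashes would come from your
identity provider, never from a plaintext store, and many providers will not
export them at all, in which case every matched account is simply reset.
"""
import hashlib
import hmac
import os

ORG_DOMAINS = {"example-corp.com", "example-corp.co.uk"}  # assumed org domains


def parse_dump(text: str):
    """Yield (email, password) from 'email:password' lines; skip malformed ones."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        yield email.strip().lower(), password


def org_accounts(pairs):
    """Keep only credentials whose mailbox domain belongs to the organization."""
    for email, password in pairs:
        if email.rsplit("@", 1)[1] in ORG_DOMAINS:
            yield email, password


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the identity store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_directory(current_passwords: dict) -> dict:
    """Constructed stand-in for an identity store: email -> {salt, hash}."""
    directory = {}
    for email, pw in current_passwords.items():
        salt = os.urandom(16)
        directory[email] = {"salt": salt, "hash": hash_password(pw, salt)}
    return directory


def triage(dump_text: str, directory: dict) -> dict:
    """Classify each leaked org credential:
    'reset-required'  the leaked password still verifies against the stored hash
    'notify'          the account exists but the leaked password is no longer current
    'unknown-account' no such user (stale or fabricated entry)"""
    result = {}
    for email, password in org_accounts(parse_dump(dump_text)):
        rec = directory.get(email)
        if rec is None:
            result[email] = "unknown-account"
            continue
        # Constant-time comparison of the recomputed hash against the stored one.
        if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            result[email] = "reset-required"
        else:
            result[email] = "notify"
    return result


# Constructed combo list (not real data): one reused password, one rotated,
# one unknown user, one non-org mailbox, and two malformed lines.
LEAKED_DUMP = """\
# constructed combo list
alice@example-corp.com:Summer2021!
bob@example-corp.co.uk:hunter2
carol@example-corp.com:OldPassw0rd
dave@gmail.com:irrelevant
malformed line without separator
eve@example-corp.com
"""

# Constructed directory: alice still uses the leaked password, bob has rotated.
DIRECTORY = make_directory({
    "alice@example-corp.com": "Summer2021!",
    "bob@example-corp.co.uk": "a-different-password",
})

if __name__ == "__main__":
    for email, action in sorted(triage(LEAKED_DUMP, DIRECTORY).items()):
        print(f"{email:28} {action}")
```

Only the accounts classified `reset-required` are an immediate path into the organization, but the `notify` cases still matter: the user has reused a password somewhere that has since leaked, which is exactly the pattern initial access brokers rely on.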
And finally, what does the future hold for Digital Shadows?
We’re firmly in the growth phase now. We have recently been named as the ‘top performer’ in the digital risk protection (DRP) market by Quadrant Knowledge Solutions, a global advisory and consulting firm. By ranking #1 in the analysis of 19 vendors, we’re really pleased that our investment in R&D is gaining recognition. However, this report also acknowledged the growth of the DRP market as a whole, noting that trends such as cloud-based computing, remote working, and growing interaction with customers online have all increased an organization’s digital footprint (and a need for DRP).
We are continuing to make threat intelligence accessible to all organizations by emphasizing automation, context, ease of use, and sending a small number of relevant, actionable alerts that can be addressed even by stretched security teams.
We want to stay on the cutting edge of DRP as well, striving to find new ways to save more time, automate the boring stuff, and further integrate this intelligence into other parts of the business. The buzz around the XDR (eXtended Detection and Response) area in the security industry provides additional opportunities for Digital Shadows to supply relevant, contextual intelligence and alerts that power many other parts of the security ecosystem.
So, whilst no one can predict the future, we will continue to innovate and help our customers adjust to the range of online threats that they face. If we get these things right, then the company will continue to grow rapidly, opening up a range of possibilities.