OPM Breach: Where is the Data Going?

The OPM breach has drawn national attention and rightfully so. However, at first blush the attack seems typical of a particular threat actor that continues to successfully breach large organizations and steal PII.

In the wake of such attacks, orgs typically look to enhance perimeter-based security. However, all they're doing is building costly and increasingly ineffective virtual Maginot Lines. Just like the Maginot Line was back in WWII, this strategy is a decade behind and fatally flawed.

The data orgs are supposed to protect, along with their end users/customers, their employees, and their adversaries, continually drifts further and further outside of their defensive perimeter, leaving increasingly wider gaps in security.

The impact of the OPM breach extends beyond the act itself. Personal information becomes valuable data to be used down the road for further breach activities or intelligence gathering. The OPM has warned those affected to be on the lookout for email or phone phishing attempts.

iSight senior manager John Hultquist points out, “It looks like they are casting a very wide net, possibly for follow on operations or identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it.”

The punch line is that none of the stolen data connected to this threat actor has appeared on dark web forums, meaning that the motivation behind these attacks isn't to monetize this data. The truth is that no one other than the threat actors themselves — and potentially the nation state they allegedly work for — knows exactly what they're doing with the data.

If improving targeted phishing — so-called "spear-phishing" attacks — is the goal of the threat actor, data from the Verizon Data Breach Investigations Report offers a bleak outlook. Findings from the report show that it takes just 10 emails to yield a 90% chance of at least one person becoming a victim.

Phishing attempts and targeted attacks can also diversify to incorporate other types of campaigns, including malvertising. Malvertising is attractive to cyber criminals because of the advanced targeting capabilities that come standard with ad delivery. If you know who your targets are, it helps you tailor your attacks to ensnare them. Plus, you can scale attacks to spread malicious ads across dozens or even hundreds of websites your victim is likely to visit.

Regardless of what methods are being used, the ability of defensive security postures to defend against attacks that drift further outside the perimeter is deteriorating. The information used to verify identities online continually falls into the hands of the adversary. The impact will be more targeted attacks and continual success in breaching defenses and accessing critical information.

Peter Zavlaris
