Following news that the names and medical histories of 8,000 Allegheny Health Network patients might have been leaked in a data breach last month after an employee opened a phishing email that compromised their account (triblive.com/local/regional/
Modern cyberattacks reliably leverage data exfiltration of sensitive information for extortion or data resale. One of the main reasons these types of attacks are so prevalent is that, even in an otherwise well-secured organization, average unprivileged users can have access to mass quantities of sensitive data to perform their job duties. This means that an attacker who can compromise even a non-administrator account can do tremendous amounts of damage quickly. If normal users have access to large quantities of sensitive data, there’s no need for an attacker to perform secondary attacks like privilege escalation or pivoting. It really can be the proverbial “one click compromise” situation.
It’s a hard problem to solve, but given the risk and prevalence of data exfiltration attacks, it’s one worth pursuing. One of the problems with data exfiltration attacks is that they often piggyback on legitimate user access, so there can be little in the way of suspicious actions to trigger alerts on. Two key differences between normal user and attacker behavior that organizations can look to monitor are the rate and the times of data access. For example, if a user that normally accesses 50 records a day suddenly begins accessing 500, it could be cause for alarm. Similarly, a user that typically accesses data from 8am to 5pm and begins logging in at 2am can signal the presence of an attacker.
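The two signals described above (a jump in daily record volume and activity outside a user's usual hours) can be checked with a small per-user baseline. The following is an added example written for this page, not code from the article or from any product it mentions. It assumes an audit log of one line per record access in an `ISO-timestamp user=... action=... record=...` format, a ten-day training window, and a rate threshold of three times the user's baseline mean; the sample log, the user name `alice`, and the record ids are all constructed.

```python
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone
from statistics import mean


def make_sample_log():
    """Constructed audit log (not real data). 'alice' reads 50 records a day
    between 08:00 and 17:00 UTC for ten days, then on the eleventh day reads
    500 records in a burst that starts at 02:00, the pattern the text describes."""
    lines = []
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    record = 1000  # constructed record ids
    for day in range(10):
        base = start + timedelta(days=day)
        for i in range(50):
            ts = base.replace(hour=8 + (i * 9) // 50, minute=(i * 7) % 60)
            lines.append(f"{ts.isoformat()} user=alice action=read record={record}")
            record += 1
    burst_start = start + timedelta(days=10, hours=2)
    for i in range(500):
        ts = burst_start + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} user=alice action=read record={record}")
        record += 1
    return lines


def parse_events(lines):
    """Parse 'ISO-timestamp key=value ...' lines (assumed format) into dicts."""
    events = []
    for line in lines:
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts_str),
                       "user": kv["user"], "record": kv["record"]})
    return events


def build_baselines(events, baseline_end):
    """Learn each user's normal behaviour from events dated before baseline_end:
    mean records accessed per day and the set of hours in which they were active."""
    per_day = defaultdict(Counter)
    hours = defaultdict(set)
    for e in events:
        if e["ts"].date() < baseline_end:
            per_day[e["user"]][e["ts"].date()] += 1
            hours[e["user"]].add(e["ts"].hour)
    return {u: {"mean_per_day": mean(days.values()), "active_hours": hours[u]}
            for u, days in per_day.items()}


def detect(events, baselines, baseline_end, rate_factor=3.0):
    """Alerts for events dated on or after baseline_end:
    - 'rate': a user's daily record count exceeds rate_factor x baseline mean
    - 'time': a user is active in an hour never seen in their baseline
      (one alert per user, day and hour, so a burst does not flood the queue)"""
    daily = defaultdict(Counter)
    odd_hours = set()
    for e in events:
        if e["ts"].date() < baseline_end:
            continue
        b = baselines.get(e["user"])
        if b is None:
            continue  # no baseline yet; a real deployment would queue these separately
        daily[e["user"]][e["ts"].date()] += 1
        if e["ts"].hour not in b["active_hours"]:
            odd_hours.add(("time", e["user"], e["ts"].date(), e["ts"].hour))
    alerts = sorted(odd_hours)
    for user, days in daily.items():
        threshold = rate_factor * baselines[user]["mean_per_day"]
        for day, count in days.items():
            if count > threshold:
                alerts.append(("rate", user, day, count))
    return alerts


def run_demo():
    """Train on the first ten days of the constructed log, evaluate the eleventh."""
    events = parse_events(make_sample_log())
    baseline_end = date(2024, 3, 14)
    baselines = build_baselines(events, baseline_end)
    return detect(events, baselines, baseline_end)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed log this yields one `rate` alert (500 records against a baseline mean of 50) and six `time` alerts for the hours 02:00 through 07:59, which the user had never been active in. The baseline is deliberately simple; in practice the training window should be long enough to cover month-end or on-call patterns, and the rate threshold tuned per role rather than applied globally.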