The Storm Before the Storm: Hackers Gather Data Prior to Deploying Ransomware

Here at IntSights, a Rapid7 company, our goal is to ensure organizations everywhere understand the threats facing them in the current cyber landscape. With this in mind, we took a focused look at the insurance industry — a highly targeted vertical due to the amount of valuable data these organizations hold. We've collected our findings in the “2022 Insurance Industry Cyber Threat Landscape Report,” which you can read in full right now.

During the course of this research, we reviewed a data security event that took place at the US insurance broker Arthur J. Gallagher (AJG). The organization suffered a ransomware attack, but what's curious about this particular breach is the duration of the event — an unknown party may have accessed or acquired data within certain segments of the network between June and September 2020.

If you put yourself in the shoes of a hacker, you might think you'd want to deploy your ransomware as quickly as possible to avoid being caught or kicked out of the environment. So why are hackers spending extra time collecting data before deploying their malicious software? Let's take a closer look at potential hacker motivations, what data is most valuable to them, and how you can better protect your security perimeter.

What Is Dwell Time?

The time between an attacker's penetration of an environment and when they are discovered and removed is known as dwell time. Ideally, your organization will want to keep dwell time as short as possible in the event of a breach. Hackers, on the other hand, want to remain undetected within your network as long as they can — and they often do.

Dwell time can range anywhere from a few minutes to hundreds of days. In the case of the AJG incident, the dwell time may have spanned several months; the unknown party could have been hiding in the network anytime between June 3 and September 26, 2020. That's 115 days total.

But why do bad actors want to stay within a breached network for so long? While hacker motivations can vary from incident to incident, the duration of the AJG breach suggests that spending time collecting data from the compromised network before deploying ransomware on it was equally or more important to the attackers. They're hungry for data.

What Data Is Most Valuable to Hackers?

Insurance companies possess a great deal of personally identifiable information (PII) on their retail business-to-consumer (B2C) policyholders that bad actors can use for fraud and other malicious purposes, including insurance fraud. Exposure of policyholder information can occur both at insurance companies themselves and at third parties that handle it, particularly healthcare providers (which store highly valuable protected health information on individuals).

The PII of B2C policyholders is also useful to state-sponsored threat actors because of the amount of detail it contains. For example, foreign intelligence services collect PII and ingest it into searchable databases against which they conduct targeted queries in support of human intelligence (HUMINT) operations or signals intelligence (SIGINT) collection. In addition, hacktivists may target insurance companies for ideological reasons, with the goal of undermining the political and socio-economic power structure.

Insurers that provide cyber insurance coverage, in particular, are attractive targets to ransomware operators. Compromises of their networks could give ransomware operators a way to identify and obtain policy details and security standards for their cyber insurance customers. With this information in hand, bad actors could identify policyholders who are more likely to pay ransoms if their insurers cover it and exploit them into paying the maximum ransom amount the cyber insurance policy will cover.

In our full research report, we take a deep dive into each of these examples, but let's take a focused look at the AJG incident. In this case, compromised PII data sets included:

  • Social Security and tax identification numbers
  • Identity document numbers
  • Dates of birth
  • Usernames and passwords
  • Bank account and payment card numbers
  • Medical and biometric details
  • Electronic signatures

Some affected individuals filed a lawsuit against AJG for allegedly failing to protect their PII and to notify them of its compromise in a timely manner, claiming that they had suffered identity theft as a result.

PII is just the tip of the iceberg — the list of valuable data stored by insurance companies goes on from there. Documents ranging from email correspondence and scans of passports or drivers' licenses to invoices, loan forms, and reports from agents are at risk. PII serves as a key ingredient in identity theft operations, such as fraudulent credit applications, and along with all other types of sensitive data, it must be protected at all costs — both for the sake of your customers' livelihoods and your organization's.

How You Can Better Protect Your Sensitive Information

To cybercriminals, data is like ammunition. They want to gather as much as they can to fuel their exploits and open up as many avenues for attack as possible. Therefore, it's business critical to prevent data leakage.

PII can sit dormant for years, just waiting to be preyed upon, and it's one of the most valuable data sets criminals and threat actors seek in their attacks on insurance companies. As such, it's critical to implement layers of protection, such as encryption and network segmentation. Public-facing web applications and other infrastructure, such as automated quote tools, should also undergo testing to avoid bugs and misconfigurations that could inadvertently expose consumer data.

In addition, third parties are an unavoidable source of risk. Third-party risk management solutions can mitigate risk from external sources and protect against key enablers of insurance fraud.

You should also consider the context of the business onto which you're applying those additional layers of protection. For example, B2C security measures will have significant differences when compared to business-to-business (B2B) security practices, and the healthcare industry may require different types of security protocols than the automotive industry.

Finally, threat detection should be part of any truly holistic security strategy. With cyber threat intelligence, your organization can learn about specific threats facing the company and set up protections against them. For insurance companies, threat intelligence can also help IT and security leaders understand the types of data they store that will be the most valuable to bad actors. You can learn what methods they will attempt to leverage to obtain that data, giving you a chance to stay a step ahead.

By utilizing threat intelligence and following these security recommendations, you can better protect your sensitive data. Just remember: The longer a bad actor sits in your network undetected, the more data they can collect. It's up to your organization to make sure they can't gain access in the first place and, if they do, to find them and kick them out as soon as possible.

To learn more about the threats facing the insurance industry today — and some recommendations to protect against them — read the full research report here: “2022 Insurance Industry Cyber Threat Landscape Report.”
