Data loss (also called data exfiltration, data extrusion or data leakage) is the unauthorized transmission of sensitive information out of a privileged access point. Because it can closely resemble normal data traffic, it is difficult in practice to detect, and therefore to contain before the damage is done. Traditionally viewed in the context of the network, endpoint or email, data exfiltration can inflict huge financial and reputational losses on victimized organizations and individuals. But when it comes to social media data loss, security practitioners are increasingly finding themselves awash in a deluge of OSINT data.
Social media is a formidable and porous attack surface due to its sheer size. With ever-increasing volumes of data being poured across different networks on a daily basis, detecting data exfiltration posts can be like finding a needle at the bottom of the ocean. The tides have shifted even for the largest and most talented security teams, as it has become humanly impossible to sift through this information to identify harmful threats. Social media also poses risks that are not typically encountered on traditional points of access like email. From hashtags to mentions to lists, it provides a flood of different ways for users to instantly broadcast data to large global audiences. And unlike email, which has weathered wave after wave of high-profile attacks, social media lacks any established industry security precedent as a platform.
It comes as no surprise then that organizations both large and small are woefully unequipped to address data loss prevention when it comes to social media. The security industry readily admits these shortcomings too, with 43% of fraud prevention managers and IT directors recently reporting that employee access to social media websites and services is their biggest obstacle when it comes to data loss prevention.
Fig 1. Social media introduces new exit points for data exfiltration. Three examples illustrated above are denoted by dashed vertical arrows.
Organizations aren’t defenseless though, and there are concrete steps that can be taken to protect against and remediate data loss through social media. At ZeroFox, we’ve pioneered machine learning technology that automatically alerts our customers to incoming threats that could cause data loss over these channels. Alerts are also generated on outgoing data that has already been exfiltrated, in order to minimize the damage and cost of the post after the fact.
Fig 1 outlines three different ways that data loss can occur through social media. At a high level, from left to right, we identify 1) inadvertent data loss, involving sensitive information posted directly to the social network; 2) the insider threat, involving a disgruntled employee divulging company secrets through encoded data on social channels; and 3) intentional data exfiltration by bad actors looking to break into the corporate network and establish Command and Control (C&C) to maintain their data siphon.
Inadvertent data loss, or 1) above, is well demonstrated by the Twitter user @NeedADebitCard (Fig 2). This user actively retweets other users who tweet pictures of their own debit and credit cards, exposing them to their 18,000 followers at the click of a button. While seemingly taking a playful approach to educating the public about this risky behavior, this user has likely caused massive headaches for its nearly 200 past victims and their credit card issuers.
Such accidental social media data loss is an all-too-common occurrence for employees who take selfies at the workplace, which may display personally identifiable information (PII) or sensitive organizational information like product roadmaps, architecture diagrams, software stacks or customer information. The cost of social media data loss can multiply when culprits unknowingly violate industry-wide compliance mandates, potentially resulting in hefty financial penalties for the organization in question. Embarrassing moments have affected one of Instagram’s most followed users and the Twitter CFO. Indeed, if even one of social media’s own executives isn’t immune to this risk, we’re all doomed.
Fig 2. @NeedADebitCard trolls fellow users who tweet pictures of their debit and credit cards.
The insider threat, or 2) above, involves bad actors who tend to be more cautious about how they divulge sensitive data, in some cases going to great lengths to conceal what they exfiltrate. Tactics we’ve observed include encoding sensitive data as base64 or hexadecimal, or obfuscating it with XOR. Malicious actors can even embed data within images, either by superimposing text on the image or through a data-hiding technique called steganography. Many if not all of these methods can be uncovered programmatically, whether through pattern matching with regular expressions, optical character recognition, or other machine learning solutions based on natural language processing.
Beyond remediation, the insider threat can be defeated by footprinting applicants’ social media profiles during the hiring process. There may be worrying trends or interactions in their past posts that would raise red flags within your organization, indicating a higher risk of future insubordination and enabling the employer to nip the problem in the bud.
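To make the programmatic detection described above concrete, here is an added example (not ZeroFox code, and not from the original post) in Python: it scans constructed sample posts for card numbers and SSN-shaped values, both in plain text and after unwrapping base64 or hexadecimal layers. The regexes, the sample posts and the public test card number are all assumptions constructed for this example; XOR and image-based concealment are left out.

```python
import base64
import re

# Compliance-style classifiers (SSN shape; Luhn-checked card-shaped runs) and wrapping layers (base64, hex).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
B64_RE = re.compile(r"\b[A-Za-z0-9+/]{16,}={0,2}")
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")

# Constructed sample posts (not real accounts or data); 4111... is a public test card number.
SAMPLE_POSTS = [
    "Great day at the office! #worklife",
    "Card on file: 4111 1111 1111 1111, expires soon",
    "new drop: " + base64.b64encode(b"acct 4111-1111-1111-1111").decode(),
    "ref " + b"SSN 123-45-6789".hex(),
]

def luhn_ok(digits: str) -> bool:
    # Luhn checksum separates real card-shaped numbers from random digit runs.
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def decode_layers(text: str) -> list[tuple[str, str]]:
    """Return (encoding, decoded_text) for base64/hex blobs that decode to printable ASCII."""
    layers = []
    for name, pattern, decode in (("base64", B64_RE, lambda b: base64.b64decode(b, validate=True)),
                                  ("hex", HEX_RE, bytes.fromhex)):
        for blob in pattern.findall(text):
            try:
                decoded = decode(blob).decode("ascii")
            except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
                continue  # not really this encoding, or not text once decoded
            if decoded.isprintable():
                layers.append((name, decoded))
    return layers

def find_sensitive(text: str) -> list[tuple[str, str]]:
    hits = [("ssn", s) for s in SSN_RE.findall(text)]  # run both classifiers over one layer of text
    for run in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", run)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits))
    return hits

def scan_post(post: str) -> list[dict]:
    # Scan the raw post first, then every decoded layer, tagging where each finding surfaced.
    findings = [{"layer": "plain", "kind": k, "value": v} for k, v in find_sensitive(post)]
    for encoding, decoded in decode_layers(post):
        findings += [{"layer": encoding, "kind": k, "value": v} for k, v in find_sensitive(decoded)]
    return findings
```

Running `scan_post` over `SAMPLE_POSTS` flags the plain card number, the base64-wrapped card number and the hex-wrapped SSN, and leaves the benign post clean; the `layer` field tells an analyst whether the data was posted openly or deliberately wrapped.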
Intentional data exfiltration, or 3) above, was best demonstrated by HAMMERTOSS. This malware generated a daily Twitter handle using a basename prepended and appended with CRC32 values derived from the current date, which could then be looked up at https://www.twitter.com/DDDbasenameDDD (D = CRC32 value). It then visited this page and searched the fake user’s timeline for a tweet with a URL and hashtag that indicated the location of an image file, in some cases hosted on GitHub. Embedded within the image at that URL was steganographically hidden data which, when decrypted, contained C&C instructions to conduct reconnaissance, execute commands via PowerShell or upload victim data to a cloud storage service.
ZeroFox provides a multilayered approach to protecting organizations from social media data loss. First is a protective layer: default platform rules automatically alert customers to incoming phishing and malware links being delivered to their C-level executives and employees, stopping a potential data exfiltration attempt in its tracks. These indicators can then be fed into your perimeter, email and endpoint protections to defend the network and its users. Second is a remediation layer: custom FoxScript rules can be written to alert on freshly posted sensitive data. This data can match customer-supplied keywords verbatim, or more complex natural language processing and image recognition techniques can be applied to capture abstract and encoded data patterns in real time. This solution includes compliance classifiers that identify social security numbers, credit card numbers, passport numbers, medical records and much more. Our approaches enable security teams to get a leg up on monitoring their organizations’ social media assets, providing the level of visibility needed to react to social media’s ever-growing threat landscape and data loss risks.