For better or worse, a lot of cybercrime sleuthing and forecasting tends to focus on various underground sites and forums across the deep and dark web corners of the Internet. Whenever a report cites passwords, contraband or fraud kits trafficked in these underground dens, it makes elusive fraudsters and extortion players sound tangible.

People instinctively want to infiltrate these spaces to see if their own company and data are up for sale. For time-strapped security professionals, however, the underground’s rapidly multiplying corridors are difficult to navigate and correlate at scale. Achieving the capability to sift through these domains productively, without wasting time – or getting in legal entanglements – is no small feat.

But there are three additional, sometimes overlooked sources of early warning clues of ransomware and breaches I have seen yield more direct, actionable insights in my years as an incident response leader.

1. Public sources and Good Samaritans

Sometimes the biggest risks and clues are hiding in plain sight, making it crucial not to overlook less-notorious places and people bringing important things to light. Today the forces of social media and cloud sync-and-share everywhere mean confidential slide decks, C-level cell phone numbers and sensitive databases can hit the public Web far too easily.

A few configuration swipes on a smartphone can be all that stands between sharing something with a work colleague or with anyone with a search engine. In Verizon’s latest Data Breach Investigations Report (DBIR), “misconfiguration” and “misdelivery” errors jumped dramatically as breach factors, now second only to phishing and credential theft on the leader board.

Fortunately, the security community is full of Good Samaritans reaching out when they see personal or customer data in harm’s way. But are you making it easy for them to find you and are you prepared to act on these discoveries? Many companies do not have clear, publicly-available contact information and processes for handing security issues and vulnerabilities, which hobbles good faith actors trying to make secure, responsible contact – sometimes until it is too late. Get ahead of any gaps here by establishing dedicated, continuously monitored channels for you to collect and vet inbound tips and concerns.

2. Subtle notes in the 24×7 concert of deployed security tools

Paradoxically, the more security and compliance tools an organization deploys – ostensibly to gain metrics and situational awareness – the more operators can feel blinded and overwhelmed by data growing faster than they can process it, decide and act on. A strong “defense in depth” gut instinct assumes that for every new control introduced, the bull’s-eye visible to attackers must be shrinking. But the bigger assumption here is that we even know “what” and “where” the bull’s-eyes are, in the first place. Too often, security tools alone provide data of diminished net value because they are deployed a step behind sprawling cloud systems, IoT devices, increasingly remote employees and other business shifts eclipsing defenders’ current understanding of assets.

At the same time, layered product fatigue promotes reliance on security tools’ pre-configured alert categories and arbitrary contextualizing, subtly tipping time-strapped administrators to look for reassuring “green light” indicators, before darting to the next dashboard. “What”, exactly was detected? Even if it was labeled “low” severity or nuisance activity, does that label change based on what else is being seen on the network? Driving interoperability between tools often trades depth of analysis for speed, burying clues in the process.

Ransomware attacks are a great example: A company typically calls in incident response once an attacker has detonated their ransomware payload and taken infected machines hostage. Yet, the scrambling of data and locking of screens often happens only after a seasoned ransomware gang has gained a foothold in networks for a while and first spent time mapping the size and composition of devices to make sure they hijack every visible device and back-up mechanism.

This precursor activity can get lost in rush-hour noise on the network. Not every security product will classify anomalous indexing and casing of IT systems the same, but setting this activity as critical behavior to recognize helps avert worst-case scenarios by buying time to backup files or initiate other measures as a precaution.

Likewise, keeping an eye on privileged accounts is an invaluable early-warning investment. First, take stock of who has these accounts in your organization – whether IT administrators, C-suite leaders or their staff. Assume you have too many privileged users in the first place and that some might even be shared. Confirm whether any can be restricted or deleted based on employee turnover or consolidation. Then implement rigorous logging of those narrower accounts’ patterns of life.

Attackers rely on defenders having incomplete understanding of dormant and other vulnerable accounts too frequently weaponized before anyone knows a crime is in progress. Is the number of privileged accounts changing? Who uses the accounts? Do their logins and behavior match to their role, time zones and workday routines? All things being equal, anomalies with privileged users demand urgent attention.

3. Intersections of third-party risk

The rise and dynamism of third-party developers, resellers, smart building owners and other partners dramatically affects security and compliance inside and outside a company’s walls. According to recent Deloitte enterprise risk management research, “information security” and “cyber risk” topped respondents’ lists of issues driving budget for greater third-party oversight.

A company may integrate third-party code in its Web site or business applications – meaning when that code is compromised, intruders have an express lane into the network. Network and cloud access granted to remote contractors could be compromised, giving criminals the camouflage of previously approved devices and usernames for entry.

Pinpointing the specific roads business partners have into your environment yields invaluable awareness. Take stock of the partners your organization relies on, concentrating on those with the highest associated risk (e.g., close proximity to crown jewel data or everyday applications offering wide lateral movement if compromised). Confirm norms and roles for these third-party services and accounts, so logging and monitoring tools can flag deviations immediately, which are often crucial early signs that a third-party might be employed in an attack.

In addition to serving as a practical early warning outpost, monitoring of third parties yields awareness and influence cybersecurity leaders can use to force wider, strategic conversations in business about risk tolerance and the criticality of these relationships. In addition to weighing the criticality versus risk aspects of these relationships, those watching the third-party touch points are well positioned to advocate for security terms in partner relationships, such as requiring partners to meet thresholds like multi-factor authentication for accounts touching their customers.

Cybersecurity is a constant struggle of measure-versus-countermeasure and the desire to peer into attackers’ next move is relentless. While exotic malware and infamous crime rings capture attention and deserve recognition, these threats must still discover and exploit the same vulnerabilities, business churn and network blind spots others have to.

Taking stock of a few underutilized, high-yield data sources already in your environment is a powerful way to keep perspective and view all risks on the same plane. This helps keep things in perspective and frame effective decisions about where and how to prioritize finite resources and test incident response readiness.

Medical records command a high value on the dark web due to the large amount of personal information they hold. Cybercriminals can sell stolen healthcare data for a massive profit, up to $1,000 for each record, a fact that encourages them to continue hacking as the payoff is worth it.

While there has been an uptick of attacks on healthcare organizations due to coronavirus, a 2019 Healthcare Data Breach Report found more healthcare records were breached in 2019 than in the six years from 2009 to 2014, indicating that the rise of threats to healthcare records has been an ongoing trend.

Healthcare organizations need to understand the interconnected relationship between cybersecurity and patient care. Investing in cybersecurity ensures organizations have the appropriate controls in place to protect the patient, their data, the brand, and business, all while complying with HIPAA requirements.

Healthcare organizations will remain a top target beyond COVID-19

Healthcare data is of interest to nation-state threat actors looking to steal clinical trials and research data to solve concerns in their country and create economic and political advantage by being first to market on innovation or a critical vaccine.

A patient’s record can also hold insight that could be used to inflict harm to persons of interest. On top of personally identifiable data, patient records contain very sensitive and personal information, such as blood type, allergies, medications, medical devices in use, and past procedures. All of it can be used to commit identity theft, insurance fraud, blackmail, or to cause bodily harm.

Unfortunately, most of this data cannot be changed if stolen. In addition, this information is often stored in legacy systems, not built with security in mind, in multiple disparate systems and different locations, and the organization cannot afford the cost to migrate data to a modern, secure, system.

Biomedical devices have historically been bad at implementing even the most basic security controls, such as encryption, authentication, and access controls. To complicate things further, these devices are often out of scope when it comes to implementing basic protections like anti-virus, endpoint detection and response, and other software that could be seen as intrusive to the system and impact or influence the operation of the device. Technically, the device is a sitting duck for any attacker that can get access to the same network. It has only been about five years since healthcare organizations started pressing and holding device manufacturers accountable to basic security standards.

The unfortunate thing is these biomedical devices and the inherent lack of security controls and protections have been moved directly to the consumer whether that is in their home or installed on their bodies. This has broadened the reach, capabilities, attack surface and potential damage that can be inflected by the malicious threat actor.

Pacemakers are a prime example as hackers have had success interfering with the device. Recently, patients, providers, and manufacturers were notified of a security vulnerability called SweynTooth. The vulnerability, associated with Bluetooth Low Energy, could be exploited to wirelessly target certain medical devices – crash, deadlock them, or bypass their security protections to gain unauthorized access. This makes medical devices a real life and death situation, beyond what we normally would consider.

Patient infrastructure is also not up to par. Telehealth is more integral to healthcare than ever before as it reduces expenses, lowers exposure to illnesses and is more convenient. In March, telehealth visits surged 50% and analysts estimate coronavirus-related virtual visits could top 1 billion globally in 2020.

This surge further complicates the security landscape if hospital groups don’t have the infrastructure in place to protect consumer data as they are often leveraging telehealth platforms that were not built for healthcare; and have expanded the risk by inheriting the existing weaknesses and vulnerabilities of those platforms.

How can organizations combat these attacks?

Organizations should ensure their infrastructure is secure by using platforms that are designed for healthcare use, while meeting legal privacy requirements. The infrastructure systems should be configured according to security standards, with ample visibility and a strategy should be in place for patient owned devices and endpoints. It’s important the healthcare provider has visibility into what is happening across the environment to monitor for signs of suspicious activity in real-time so immediate action can be taken.

Furthermore, as 48% of threat actors in healthcare are internal, organizations must monitor for behavioral changes in users and their data, providing visibility to uncover user-based threats that might otherwise go undetected. There must also be security tools in place that automate common investigation tasks and streamline remediation to halt a breach immediately and in real-time. Detection and response early in the cyberattack lifecycle is key to protecting health records and the company from a large-scale impact.

Organizations that do not have the above security capabilities in place and suffer from a data breach can expect to face financial penalties under HIPAA for not effectively protecting confidential customer information. As a fine could range from $100 to $50,000 per violation (or per record), it is critical companies go beyond the minimal security requirements to avoid such a fate.

Furthermore, a significant incident or breach erodes patient trust and damages the brand, including reduced revenues. Given the current evolving threat landscape and increased focus on healthcare by cybercriminals, companies must commit to improving their security operations to protect patients and the organization.