Earlier this summer we researched the cyber insurance industry and the darknet and reviewed basic policies, first- and third-party coverage and looked at a sample of the type of data insurers might want to monitor the darknet for. We discovered there is an increasingly complex interrelationship between data from the darknet and the organizations involved in issuing cyber liability insurance policies and managing claims.
Surprisingly, we also discovered that most cybersecurity liability insurance policies exclude incidents caused by human error or negligence and events easily preventable by a stable and secure IT defense posture – proving that security professionals cannot become lackadaisical about their security posture simply because they have procured a comprehensive cyber insurance policy.
Organizations should not be fooled into thinking that cyber insurance is a substitute for robust cybersecurity defense and response.
Some common exclusions in cyber liability insurance policies include:
Cyber insurance policies should augment organizational security processes, not replace them. Insurance carriers must carefully analyze all potential policy holders’ security posture and insist on robust security position prior to issuing the policy. Cyber insurance underwriters should carefully consider the security posture of policy applications through thorough pre-policy questionnaires and employee interviews, evidence of robust and regular employee security training, domain network scanning, darknet monitoring and exposure analysis.
Evidence of a policy holder’s prior breaches, exposed organizational credentials, and the risk of insider attacks can be evaluated using a robust darknet database, like DarkOwl Vision.
DarkOwl has observed numerous darknet threat actors actively recruiting disgruntled employees, a.k.a. ‘insiders’, to help carry out their attacks and shorten the attack timeline, notably in the ransomware/extortion-as-a-service model of the criminal underground. Banking and financial fraud specialists have advertised that they were seeking banking insiders, and cyber criminals have offered $500 – $1,000 USD to employees of AT&T and other mobile carriers who can assist with SIM swapping. Some recruitment posts offer payment per swap or a percentage commission on the value of the fraud conducted.
On Telegram, LAPSUS$ openly recruited insiders to help with their attacks, calling for employees at telecommunications, software and gaming corporations, call centers, and web/server hosting organizations. They specifically asked for employees with remote access via VPN, Citrix or AnyDesk.
Government, healthcare, and insurance carriers are also targeted for insider recruitment, as in a recent deep web post captured by DarkOwl (below).
In early July, in an unusual insider-threat example, a HackerOne employee used their internal access to bug reports to resubmit duplicates of those reports and collect bug bounty payments. In this scenario, the fraudulent payments could not be recovered through cyber liability insurance unless the policy specifically covered them.
In addition to monitoring for mentions of organizational credential data, like email addresses, hashed and cleartext passwords, and authentication data like session tokens and API keys, DarkOwl Vision can also provide indication of prior breaches and leaked data.
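As an added example (this is not DarkOwl's code and not the DarkOwl Vision product), the script below performs the kind of exposure analysis described above over a constructed, leak-style text dump: it pulls out accounts belonging to a monitored domain, distinguishes cleartext passwords from common password-hash formats, flags API-key and session-token lines, and turns the findings into a reset/rotate action list. The domain, addresses, hashes and tokens are all invented placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of leak-dump style text. Every address, password, hash
# and token below is invented for this example; the domain is a placeholder.
SAMPLE_DUMP = """\
alice@example-insurer.com:Summer2020!
bob@example-insurer.com:$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
carol@otherdomain.net:hunter2
dave@example-insurer.com:0123456789abcdef0123456789abcdef
erin@example-insurer.com:0123456789abcdef0123456789abcdef01234567
api_key=A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0EXAMPLE
session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.EXAMPLEsignatureEXAMPLE
"""

# "email<separator>secret" lines, capturing the email, its domain and the secret.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))[:;,\s]+(\S+)")
# "api_key=..." / "token: ..." style lines with a value of at least 20 characters.
TOKEN_RE = re.compile(r"(?i)\b(api[_-]?key|token|secret|session)\s*[=:]\s*(\S{20,})")
# Three dot-separated base64url segments starting with "eyJ" (base64 of '{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")

# Hex digests are classified by length only; this is a heuristic, not proof.
HEX_HASH_LENGTHS = {32: "md5-hex", 40: "sha1-hex", 64: "sha256-hex"}


def classify_secret(secret: str) -> str:
    """Rough classification of the secret half of an email:secret pair."""
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", secret):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]+", secret) and len(secret) in HEX_HASH_LENGTHS:
        return HEX_HASH_LENGTHS[len(secret)]
    return "cleartext"


def analyze_exposure(text: str, monitored_domain: str) -> Dict:
    """Extract monitored-domain accounts and token-like lines from a dump."""
    accounts: Dict[str, str] = {}
    tokens: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            email, domain, secret = m.group(1).lower(), m.group(2).lower(), m.group(3)
            if domain == monitored_domain.lower():
                accounts[email] = classify_secret(secret)
            continue  # a credential line is never also a token line
        t = TOKEN_RE.search(line)
        if t:
            key, value = t.group(1).lower(), t.group(2)
            kind = "jwt" if JWT_RE.fullmatch(value) else key
            # Keep only a short prefix so the report itself does not re-leak the value.
            tokens.append({"kind": kind, "value_prefix": value[:6] + "..."})
    summary = Counter(accounts.values())
    summary["tokens"] = len(tokens)
    return {"accounts": accounts, "tokens": tokens, "summary": dict(summary)}


def recommended_actions(report: Dict) -> List[Tuple[str, str]]:
    """Cleartext passwords and live tokens are directly usable, so they go first."""
    actions: List[Tuple[str, str]] = []
    for email, kind in sorted(report["accounts"].items()):
        urgency = "immediate" if kind == "cleartext" else "scheduled"
        actions.append((email, f"{urgency} password reset ({kind})"))
    for tok in report["tokens"]:
        actions.append((tok["kind"], "revoke and rotate"))
    return actions


if __name__ == "__main__":
    report = analyze_exposure(SAMPLE_DUMP, "example-insurer.com")
    print(report["summary"])
    for subject, action in recommended_actions(report):
        print(f"{subject}: {action}")
```

The hash classification is deliberately coarse: a 32-character hex string is treated as MD5 because that is the common case in dumps, but the point of the report is which accounts need a reset and which tokens need revoking, not exact hash identification. Only a prefix of each token is retained, so the exposure report can be shared with an underwriter or incident team without re-leaking the secret.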
Cyber criminals regularly offer to sell or share organizational information on the darknet. Such data can indicate that a prior breach occurred at the organization. In August 2020, a post on Telegram indicated a cybercriminal had obtained significant confidential data from the Intel Corporation. The leak allegedly included over 20GB of documents and product roadmaps for multiple Intel technology programs, offered for only $200 USD.
In the middle of an attack or immediately thereafter, threat actors often openly shame the victim and its IT security department for haphazard network security, ‘poor digital hygiene,’ and weak protection of private information. We recently captured a threat actor sharing proofs of exfiltrated victim data – in an apparent ransomware attack – while stating that this was not the first time the victim had been targeted and the personal data of its clients compromised.
The threat actor even alleged they had tried to reach out to the company and provide recommendations on how to secure their corporate network.
Ransomware gangs show no slowdown in targeting the insurance industry, with several new attacks on independent agents and family-owned insurance-affiliated businesses around the world in recent weeks. REvil has stated its intention to gather additional information about insurance policyholders and exploit it for future gain in negotiations and targeting. We continue to witness proofs and announcements of such attacks regularly posted by some of the most active and successful ransomware gangs in operation.
Any entity that interacts with insurance companies is also at risk of a cybersecurity incident or ransomware attack. We have seen ransomware gangs target business processing companies, insurance brokerage networks and underwriting service providers, as well as legal firms that support the insurance industry.
DarkOwl recently observed a legal firm that focuses on representing insurance carriers in disputes with their policy holders shamed on the LockBit ransomware blog. Earlier, the same group shamed the insurance company Risk Strategies, calling out its web domain in another victim’s announcement for not paying a more significant amount for the attack against that policyholder, another legal services company.
In this piece, we reviewed how cyber liability insurance is not a substitute for solid corporate network security protocols. We reviewed a number of cyber insurance policy exclusions such as war-time, insider threats, and prior breaches, and looked at some examples where the insurance industry itself continues to be targeted by darknet threat actors.