Common vulnerabilities and exploits fuel cyber attacks and cyber warfare. We hear about them all the time. Identification and notification of these vulnerabilities used to be a hodgepodge. Information was decentralized. Affected vendors maintained their own, siloed assessments and acknowledgements. Antivirus and scanning engines each used their own catalog of identified vulnerabilities. No common language or data representation format existed.

MITRE identified this as a problem in early 1999 [1]. They proposed a centralized enumeration of identified vulnerabilities. Industry, governments, and researchers would work hand in hand to identify and codify vulnerabilities. Fast forward more than two decades. The MITRE Common Vulnerabilities and Exposures (CVE) list [2] has standardized vulnerability reporting: one identifier per vulnerability, referenced by vendors, scanners, and researchers alike. It has led to the development of numerous other cybersecurity resources. An example is the MITRE ATT&CK knowledge base [3]. It catalogs adversary tactics and techniques based on real-world observations. Note that ATT&CK is a behavioral model, not an index of CVEs; a technique such as exploiting a public-facing application may be carried out through many different CVEs, and the technique entry is what a breach report can be mapped to.

The time has come to centralize the reporting of data breaches in the same structured manner.

A Letter in the Mail – You’ve Been Compromised

It happened in March of this year. I received a letter in the mail about a data breach related to my credit card. For those interested, this link points to a letter about the breach. It is actually from the state of Maine [4] but details the same breach. New York State does a poor job of centralizing data breach notifications (the point of this blog post), and I did not feel like scanning in my letter. Some items of interest about the letter (both NY's and Maine's):

  1. Notification – I received notification of the breach via a letter. This is fine; at least I received notification. It would be nice if these notifications could be pushed to my phone, much like notifications of my credit card transactions.
  2. Information – There is no central repository that houses information related to breaches. I therefore needed to search across the Internet for any information related to the particular breach that affected me. There was not much out there. My best source was states with laws that required breach notifications.
  3. Duration – The breach existed for at least six months. That is a decent amount of time to go unnoticed.
  4. Pattern Identification – In December 2022 a clearly fraudulent purchase was made with my card. Immediately I cancelled the card. I am fairly certain the fraudulent card activity was in relation to a purchase made in November 2022 from a vendor affected by the breach. How, in the golden age of AI and deep learning, where every form of pattern matching under the sun is being used, did no one notice what was likely a trivially easy "connect-the-dots" moment? How many people did the exact same thing I did: report a fraudulent purchase and cancel an existing credit card number after a purchase from one of the breached sites? Over 100K people were affected by this breach. No one at the credit card companies noticed this pattern?

Each point above calls for a centralized approach to the notification and assessment of data breaches.

What Exists Today

All 50 states have laws that require notification of consumers when a data breach leads to the release of personally identifiable information (PII). The International Association of Privacy Professionals [5] maintains a list of the state sites on which reported breaches are published. Some states with breach notification laws publicly list the breaches; some do not. The granularity of event details varies widely by state. Some provide tabular data with only high-level details. Others, like Maine [4], provide a more granular level of detail. Here is an example of a Maine data breach submission from June 2, 2023:

This is a nice summary of a data breach exposure. Maine's data breach site gave me more information about the breach that impacted me than did New York State.

CISA's incident reporting under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) seems to be a step in the direction of centralized collection of data breach information [6]. It applies only to covered critical infrastructure entities, and the reports filed under it are protected from public disclosure, so it is a federal collection point rather than a public enumeration. However, it demonstrates the federal government is interested in the collection and maintenance of cyber incident data.

What a Centralized, Common Enumeration of Data Breaches Enables

Understanding – First and foremost, it would provide an understanding of the number and breadth of the breaches. How many are there? Who is breached? For how long did the intrusion go unnoticed, and how long from discovery to notification? What was breached? Clearly, not all details could be included in a centralized, publicly available database. Proprietary information would need to be safeguarded. From a research perspective, however, it would be invaluable.

ATT&CK Instance Population – People learn by example. The figure below is a snippet of the MITRE ATT&CK matrix. It documents the techniques adversaries, including advanced persistent threat (APT) groups, use to achieve each tactical goal, from initial access through exfiltration. Imagine if each data breach report carried the ATT&CK technique IDs observed in the incident. Further, imagine if this information were publicly accessible. Cyber security researchers could much more effectively understand how data breaches unfold and persist. The blocks of the matrix below could be directly correlated to known breaches to fully explain the technique and attack landscape.

Consumer Information – This task might be slightly harder. Somehow, U.S. citizens should be able to understand what breaches have affected them and in what way. I utilize a credible PII data monitoring system. It has detected when my consumer information was part of a data breach in the past. It completely missed the breach referenced above (and still continues to do so!).

It’s Time To Standardize

Here is an example of what New York State requires for data breach notification. The document is the form on which security breaches are recorded. It collects only the basics of the incident. Other states have similar forms pursuant to their breach notification laws.

Two problems with this approach are clear. First, the lack of a federal standard leads to a disparate set of collected fields across all 50 states. Second, what is collected is too high level: the form records that a breach happened and roughly whom it affected, not how the intrusion was carried out.

Certainly, detailed reports for breach incidents are assembled by the affected companies. Critical details about the event are collected and recorded. These details should be mapped to the MITRE ATT&CK framework. Further, they should be recorded in a central database maintained by a U.S. government organization and disseminated to the cyber security community. This is the next needed step in cyber awareness.
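To make the proposal in the two sections above concrete, here is an added Python sketch (not from the original post, and not an existing standard or any agency's schema) of what a machine-readable breach record carrying ATT&CK technique IDs might look like, together with the kinds of questions a central repository could answer mechanically: how long intrusions go unnoticed, how many people are affected, which techniques recur, and which breaches exposed a given data type. The field set is an assumption chosen for the example; the sample submissions are constructed, with fictional organizations and dates, though the technique IDs used are real ATT&CK identifiers.

```python
"""Added example: a structured breach record mapped to MITRE ATT&CK technique IDs.
The record fields are an assumption for this example, not an existing standard."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
import re

# ATT&CK technique IDs look like T1190 or, for sub-techniques, T1566.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass(frozen=True)
class BreachRecord:
    """One entry in a hypothetical central breach enumeration."""
    record_id: str
    organization: str
    breach_start: date        # earliest known unauthorized access
    discovered: date          # when the organization found out
    notified: date            # when the regulator/consumer notice was filed
    affected_count: int
    data_types: tuple[str, ...]
    techniques: tuple[str, ...]  # ATT&CK technique IDs observed in the incident

    def __post_init__(self) -> None:
        # Reject records whose timeline or technique mapping is malformed.
        if not (self.breach_start <= self.discovered <= self.notified):
            raise ValueError(f"{self.record_id}: dates out of order")
        if self.affected_count < 0:
            raise ValueError(f"{self.record_id}: negative affected_count")
        bad = [t for t in self.techniques if not TECHNIQUE_ID.match(t)]
        if bad:
            raise ValueError(f"{self.record_id}: not ATT&CK technique IDs: {bad}")

    def dwell_days(self) -> int:
        """Days the intrusion went unnoticed."""
        return (self.discovered - self.breach_start).days

    def notification_lag_days(self) -> int:
        """Days between discovery and notification."""
        return (self.notified - self.discovered).days


def parse_record(raw: dict) -> BreachRecord:
    """Build a record from a JSON-style dict with ISO-8601 date strings."""
    return BreachRecord(
        record_id=raw["record_id"],
        organization=raw["organization"],
        breach_start=date.fromisoformat(raw["breach_start"]),
        discovered=date.fromisoformat(raw["discovered"]),
        notified=date.fromisoformat(raw["notified"]),
        affected_count=int(raw["affected_count"]),
        data_types=tuple(raw["data_types"]),
        techniques=tuple(raw.get("techniques", [])),
    )


def rejects(raw: dict) -> bool:
    """True if a submission fails validation (used to show the checks firing)."""
    try:
        parse_record(raw)
    except ValueError:
        return True
    return False


# Constructed sample submissions: fictional organizations, dates and counts.
SAMPLE_SUBMISSIONS = [
    {"record_id": "BR-0001", "organization": "Example Retail Co",
     "breach_start": "2022-11-01", "discovered": "2023-02-15", "notified": "2023-03-20",
     "affected_count": 120000, "data_types": ["name", "payment_card"],
     "techniques": ["T1190", "T1505.003", "T1005", "T1041"]},
    {"record_id": "BR-0002", "organization": "Example Clinic LLC",
     "breach_start": "2023-01-10", "discovered": "2023-01-12", "notified": "2023-02-01",
     "affected_count": 4200, "data_types": ["name", "ssn", "medical"],
     "techniques": ["T1566.001", "T1078", "T1005"]},
    {"record_id": "BR-0003", "organization": "Example SaaS Inc",
     "breach_start": "2022-12-05", "discovered": "2023-03-01", "notified": "2023-03-10",
     "affected_count": 30000, "data_types": ["email", "password_hash"],
     "techniques": ["T1078", "T1530"]},
]


def load(submissions: list[dict]) -> list[BreachRecord]:
    return [parse_record(s) for s in submissions]


def technique_frequency(records: list[BreachRecord]) -> dict[str, int]:
    """How often each ATT&CK technique appears across breaches."""
    return dict(Counter(t for r in records for t in r.techniques))


def total_affected(records: list[BreachRecord]) -> int:
    return sum(r.affected_count for r in records)


def median_dwell_days(records: list[BreachRecord]) -> float:
    return median(r.dwell_days() for r in records)


def breaches_exposing(records: list[BreachRecord], data_type: str) -> list[str]:
    """Record IDs of breaches that exposed a given data type (the consumer question)."""
    return [r.record_id for r in records if data_type in r.data_types]
```

The validation in `__post_init__` is the part worth copying: a central repository is only as useful as its worst submission, so a record whose timeline runs backwards or whose "technique" is a CVE number or free text should be rejected at intake rather than averaged into statistics later.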

Footnotes:

[1] The history of how vulnerabilities became standardized: https://www.cve.org/Resources/General/Towards-a-Common-Enumeration-of-Vulnerabilities.pdf

[2] The CVE site, a wonderful resource: https://cve.mitre.org

[3] MITRE ATT&CK, understand how attacks unfold: https://attack.mitre.org

[4] Maine Breach Alerts: https://apps.web.maine.gov/online/aeviewer/ME/40/list.shtml

[5] IAPP, U.S. state data breach lists: https://iapp.org/resources/article/u-s-state-data-breach-lists/

[6] CISA, Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia