Cyber Defense Magazine – August 2019


immediate chaos, and panic would ensue. It could result in people selling off their stocks in a frenzy—
the culmination of a deliberate and effective attack.


Data manipulation attacks don’t always have to result in a tangible financial gain. If an attacker managed
to carry out a similar attack against health record information for patients in hospitals and altered critical
data like drug dosages and prescriptions that need to be administered, it could result in sickness or even
death.


These types of attacks are commonly carried out by malicious insiders, individuals who already have privileged
access to critical data. If an insider got their hands on blueprints for a manufacturing facility that was being
built, they could make minor modifications to the drawings that set the organization up for systemic failure.
Understated and difficult to detect, an attack like this could ultimately put a company out of business and give
a competitor, perhaps in a nation state, the ability to take over market share. I’ve seen this play out firsthand.
When you have a ‘trusted’ insider as the culprit, it makes it all the more difficult to detect and track down.


Attackers like data manipulation attacks because they’re hard to detect and they undermine trust and
confidence; if there’s no way to verify that data such as blueprints, documents, or source code is legitimate,
it can erode trust from the inside out. Attacks that compromise integrity can jeopardize an entire supply
chain. It only takes one flaw, far down the chain, to disrupt or delay the production of goods and, with it,
an organization’s cash flow.


Carmaker Tesla sued a former employee last summer after CEO Elon Musk alleged the insider stole
confidential and trade secret information after he failed to get a promotion. While the employee
purportedly exported gigabytes of confidential data, he also made changes to the Tesla Manufacturing
Operating System, the set of basic commands for Tesla’s manufacturing lines—under false usernames—
apparently in an act of sabotage. Manipulating sensitive data, like source code, isn’t flashy but is
something that can cause the market to slowly unravel over time.


For organizations, it’s inevitable that attackers will take data; the greater challenge is determining when
an attacker makes a small change to data and then leaves the scene of the crime. For threat hunters, from
a digital forensic perspective, there is almost always a trace left behind. Anomalies in system logs, edits
to files at suspicious times, and alarms on threat signatures that detect suspicious techniques and malicious
behavior can all be telltale signs of data manipulation.
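The traces described above can be hunted for systematically. The following added example (not code from the magazine or its author) cross-checks a constructed audit trail of file writes against a known-good hash baseline: it flags off-hours edits, writers who are not authorized for a sensitive path, and the quietest case, a file whose content differs from the baseline with no audit event at all. All paths, users, hashes, business hours and events are constructed assumptions.

```python
import hashlib
from datetime import datetime


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good baseline: hash of each sensitive file at its last signed-off revision.
BASELINE = {
    "/eng/blueprints/plant-a.dxf": sha256(b"plant-a rev 7"),
    "/src/mos/line_control.c": sha256(b"int main(void) { return 0; }"),
}
# Constructed: content currently on disk as seen by the hunt (both files have changed).
CURRENT = {
    "/eng/blueprints/plant-a.dxf": sha256(b"plant-a rev 7 beam spec 220mm"),  # silently altered
    "/src/mos/line_control.c": sha256(b"int main(void) { return 1; }"),       # altered, logged below
}
# Constructed: accounts allowed to write each sensitive path.
AUTHORIZED = {
    "/eng/blueprints/plant-a.dxf": {"eng-lead"},
    "/src/mos/line_control.c": {"ci-bot", "dev-1"},
}
# Constructed audit events, one per file write. Note: no event exists for the blueprint.
EVENTS = [
    {"ts": "2019-06-03T10:12:00", "user": "dev-1", "path": "/src/mos/line_control.c"},
    {"ts": "2019-06-04T02:41:00", "user": "svc-backup", "path": "/src/mos/line_control.c"},
]
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time (assumed normal working hours)


def hunt(events, baseline, current, authorized):
    """Return {path: [reasons]} for files showing signs of data manipulation."""
    findings = {}
    logged_paths = set()
    for ev in events:
        logged_paths.add(ev["path"])
        reasons = []
        if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours edit by {ev['user']} at {ev['ts']}")
        if ev["user"] not in authorized.get(ev["path"], set()):
            reasons.append(f"unauthorized writer {ev['user']}")
        if reasons:
            findings.setdefault(ev["path"], []).extend(reasons)
    # Integrity cross-check: a change with no audit record means the log, the file, or both were tampered with.
    for path, good_hash in baseline.items():
        if current.get(path) != good_hash and path not in logged_paths:
            findings.setdefault(path, []).append("content differs from baseline with no audit event")
    return findings


if __name__ == "__main__":
    for path, reasons in hunt(EVENTS, BASELINE, CURRENT, AUTHORIZED).items():
        print(path, "->", "; ".join(reasons))
```

In practice the baseline would be signed and stored off-host, since an insider with write access to the data can usually reach a baseline kept beside it.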


To combat these types of attacks, organizations need to ensure they have endpoint visibility on their IT
systems. If an outsider successfully penetrates a network, they’ll need to move laterally through the
environment to find the data they’re after. It’s critical for incident responders or threat hunters to be able
to follow in their proverbial forensic footsteps, to proactively hunt and detect this type of activity before
something irreversible is done.
