Malicious Misuse:  Learning from the DocuSign Breach  

How to prevent suffering from malicious misuse of your data – a risk revealed by the recent breach at DocuSign, where hackers impersonated the electronic document company to distribute malware.

The DocuSign episode is an example of a multi-stage threat.  In the DocuSign case, the multi-stage threat involves malicious misuse of data assets by hackers.  Stage one was the initial data breach.  This was problematic, but on the surface, its potential impact on DocuSign’s business was relatively low.  It was embarrassing, but not deadly.  Stage two was the malicious misuse of DocuSign customer information.  Used for the sophisticated spear phishing that took place, later on, this was a much more serious threat.

If you’ve ever bought or sold a home, you’ve probably used DocuSign, the leading electronic document management company.  The service has over 100,000,000 users.  DocuSign facilitates the execution of legally binding contracts online using electronic signatures.

Now, imagine you got a signature request over DocuSign from someone you know.  It’s routine, or so it seems.  When you download the document, however, your device gets compromised by malware.  What went wrong?

Did a hacker infiltrate DocuSign and embed malware in their code?  That would be quite a feat. But, something like it did happen recently.  As reported in Krebsonsecurity, hackers breached DocuSign’s defenses and stole customer names and email addresses.  A cybersecurity professional might deem this as “low value” data, but the nature of the attack shows this assumption to be mistaken.

The attackers proceeded to impersonate DocuSign with realistic-looking web pages and forms. They sent out signature requests to DocuSign customers by posing as DocuSign.  Unsuspecting users, already familiar with the service, unknowingly clicked on malware links and were infected.

How Multi-Stage Threats Challenge the “Heat Map” Approach to Cybersecurity

The DocuSign episode is an example of a multi-stage threat.  In the DocuSign case, the multi-stage threat involves malicious misuse of data assets by hackers.  Stage one was the initial data breach.  This was problematic, but on the surface, its potential impact on DocuSign’s business was relatively low.  It was embarrassing, but not deadly.  Stage two was the malicious misuse of DocuSign customer information.  Used for the sophisticated spear phishing that took place, later on, this was a much more serious threat.

DocuSign’s exposure is significant, going beyond a mere security incident to encompass damage to brand image and possible legal liability.  Their whole business and brand are built on the perception of integrity.  The breach tarnishes that image in addition to causing direct, financial damage to the firm.  This is the risk that virtually every business faces from multi-stage threats.

A multi-stage threat creates multiple risks.  As a result, they challenge the conventional cybersecurity “heat mapping” process of matching countermeasures to threats.  In a heat map, a security manager identifies your most valuable data assets and systems.  Then, factoring in the probability and potential business impact of an attack, they focus security resources on the areas with the great potential for attack and highest business impact.

Using this approach, the database holding customer names and email addresses would probably receive a lower “heat” level and a commensurately smaller investment in cyberdefense. A more critical system, like the repository of signed electronic documents, would likely be rated “hotter” and get more robust and costly countermeasures.

While the heatmap approach is useful in many situations, it is not well suited to a malicious misuse case like the one suffered by DocuSign:

• It is difficult to predict how “low value” data will be used in a more serious attack.
• Security managers for small to mid-sized businesses have to keep up with evolving threats.

In the DocuSign example, two common and lower-level attacks combine to form a much greater threat.  A simple data breach gave hackers the ability to conduct spear phishing.  The two threats merged.  In spear phishing, the attacker impersonates an individual known to an email recipient.  The intent of spear phishing is to trick the recipient into clicking on a malware link or sharing login credentials to a system.

Spear phishing can be difficult to prevent because its emails are personalized, informal and lacking in identifiable markers of fraud, e.g. “I’m a Prince with a million dollars.  Can you help me?”  Those can easily be flagged by spam and malware filters.  Spear Phishing emails often slip through such filters.

It is highly probable that the DocuSign attack also involved social engineering.  The attackers might have cross-referenced public records of real estate transactions and posed as a realtor or other named individuals that recorded the deeds.  The phishing victim would be getting an email from a person known to be associated with a recent real estate deal.  The email asks the recipient to click on a DocuSign link.  It looks legitimate.  It would take extreme vigilance to detect any sort of wrongdoing in this case.

Are You at Risk for Malicious Misuse of Your Data?

Your business may be exposed to risks of multi-stage attacks like malicious misuse of your data assets.  The exact nature of the attack will, of course, depend on your business, but one can imagine a variety of scenarios:

• A law firm sends emails that lead to the theft valuable personal information from clients.
• A medical practice inadvertently violates patient privacy by hackers who use patient email addresses to steal personal information or exact bogus payments for services not rendered.
• A small business gets impersonated by a hacker who diverts electronic payments to his bank account, not those of the company.

Defending Against Malicious Misuse

As providers of IT security and IT services for small to mid-sized businesses, we can tell you that effective prevention of malicious misuse is quite challenging.  However, there are a number of things you can do to improve your defenses against this kind of threat without spending a lot of money.  These include:

• Enhancing technical countermeasures – One of the best moves you can make is to defend yourself better against the basic data breach that would lead to theft of your information. This might involve beefing up firewalls and intrusion detection systems.  It could mean encrypting data at rest, so even if you get breached, the bad guys can’t get much they can use.  Multi-Factor Authentication (MFA) could help in certain processes – to reduce the risk that a malicious actor can penetrate key systems. Phishing defenses are also useful, given that phishing is one of the most serious attack vectors for data breaches.  There are now some very powerful anti-phishing solutions on the market.
• Addressing the threat through security policy – The structure of your security controls may help or hinder your defense against malicious misuse. You may have vulnerabilities that you haven’t considered in the context of malicious misuse.
• Investigating and remediating legal and insurance aspects of risk management – Understanding the potential impact of malicious misuse, it’s worth reviewing your insurance policies and legal agreements to make sure you are protected as much as possible from the threat.
• Planning for malicious misuse incidents in advance – there’s no excuse for getting caught flat-footed with this kind of attack now. Have your response plans written, your remediation workflows thought through, your customer emails prepared, and so forth.

Conclusion

We work with small to mid-sized businesses to help them improve their cybersecurity postures. In our experience, it is possible to build robust defenses with reasonable, incremental investments in highly targeted solutions.  There is no 100% guaranteed defense against a threat like malicious misuse, but we can help you bolster your protections and preparedness.