Previously exposed data is likely to be at the root of an attack, and potentially of a data leak.
From social networks to the darkweb, sources of useful data for attackers have never been so abundant, especially when it comes to reaching an organization's managers and employees. Human vulnerabilities have always been exploited, either as a means to an end (e.g. destabilization) or as attack vectors (spear-phishing, identity theft, etc.).
The widespread use of social networks means that users and their personal data are increasingly exposed, either voluntarily or against their will (Yahoo: 3 billion records leaked in 2013; LinkedIn: 700 million accounts exposed in 2021).
Leaked data from attacks on companies and public administrations can be identified on data leak sites, forums and blogs of ransomware groups that publish the stolen data. Our daily monitoring and analysis of this data shows that 80% of leaked data linked to ransomware exposes the personal data of employees and customers. This multiplicity of vulnerability sources is difficult for security teams to monitor, but nevertheless inescapable, as each new leak exposes more and more individuals and, with them, their companies.
The reconnaissance phase is the starting point of every cyberattack, and leaked data is a gold mine of information for attackers: it lets them identify the victim and his or her immediate environment. A target's level of exposure and the amount of data available about it are also criteria for assessing its level of maturity and vigilance. Attackers will therefore favour "easy targets".
Attackers very often impersonate a relative or a superior, using social engineering to contact the victim by e-mail or telephone. After studying the company and its news, the malicious individual may, for example, take advantage of a trip abroad by the CEO to launch an attack while impersonating him or her. Fraud involving impersonation of the CEO, or fraudulent bank transfers, is on the increase: over the last three years it has accounted for 55% of all identity fraud.
Indicators of compromise (IoCs) are clues and evidence of data leaks. Not only can they reveal that an attack has taken place, but also which tools were used to carry it out. Today, "technical" IoCs as commonly understood are no longer sufficient to qualify and counter human-influenced threats.
We therefore call "human indicators of compromise" the compromised and exposed open-source data of an individual. They relate to the civil and digital identity of a natural person and result either from a breach of the security of an information system, whether accidental or illicit (e.g. extortion by ransomware), or from the publication of information, voluntarily or accidentally, by users and publishers of online services. This includes physical identity data (first name, last name, date of birth, etc.), digital data (e-mail addresses, telephone numbers, etc.), professional, financial or health data, and also the person's interests and circle of family and friends.
Analyzing these human indicators of compromise and correlating them with "technical" IoCs helps to control an organization's digital footprint and, ultimately, to prevent further attacks. They must be fully integrated into current defense strategies.
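As an added illustration of what correlating human indicators of compromise with technical IoCs can look like in practice (example code written for this page, not the author's or any vendor's tool), the script below aggregates constructed leak records per identity into an exposure profile, parses constructed authentication log lines, and raises an alert whenever an exposed identity authenticates from an IP already listed as a technical IoC. The log format, field names, the sensitive-field list and the scoring weights are all assumptions made for the example.

```python
"""Correlate exposed-identity records ("human IoCs") with authentication
events and technical IoCs. Example code added for illustration; all data
below is constructed and the field names and weights are assumptions."""
from collections import defaultdict

# Constructed leak records: what was exposed about each person, and where.
LEAK_RECORDS = [
    {"email": "alice@example.org", "source": "leak-site-A", "year": 2021,
     "fields": {"email", "phone", "job_title"}},
    {"email": "alice@example.org", "source": "forum-dump-B", "year": 2023,
     "fields": {"email", "password_hash"}},
    {"email": "bob@example.org", "source": "leak-site-A", "year": 2021,
     "fields": {"email"}},
]

# Constructed technical IoCs: IP addresses already known to be malicious.
IOC_IPS = {"203.0.113.7"}

# Constructed authentication log lines (assumed key=value format).
AUTH_LOG = """\
2024-03-01T08:02:11Z auth user=alice@example.org src=198.51.100.4 result=success
2024-03-01T08:15:40Z auth user=carol@example.org src=198.51.100.9 result=success
2024-03-01T09:01:02Z auth user=alice@example.org src=203.0.113.7 result=failure
2024-03-01T09:01:05Z auth user=alice@example.org src=203.0.113.7 result=success
2024-03-01T09:30:00Z auth user=bob@example.org src=203.0.113.7 result=failure
"""

# Data classes whose exposure weighs more in the score (assumed list).
SENSITIVE = {"password_hash", "phone", "home_address", "health", "financial"}


def build_exposure(records):
    """Aggregate leak records per identity into sources, exposed fields and a
    score: 1 point per distinct source plus 2 per sensitive field exposed."""
    exposure = defaultdict(lambda: {"sources": set(), "fields": set()})
    for r in records:
        e = exposure[r["email"].lower()]
        e["sources"].add(r["source"])
        e["fields"] |= r["fields"]
    for e in exposure.values():
        e["score"] = len(e["sources"]) + 2 * len(e["fields"] & SENSITIVE)
    return dict(exposure)


def parse_auth_log(text):
    """Parse the assumed 'timestamp tag key=value ...' log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _tag, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": ts, "user": fields["user"].lower(),
                       "src": fields["src"], "result": fields["result"]})
    return events


def correlate(exposure, events, ioc_ips):
    """Alert on events where an exposed identity meets a technical IoC.
    A successful login from an IoC address is rated higher than a failure."""
    alerts = []
    for ev in events:
        exp = exposure.get(ev["user"])
        if exp is None or ev["src"] not in ioc_ips:
            continue
        severity = "high" if ev["result"] == "success" else "medium"
        alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
                       "result": ev["result"], "severity": severity,
                       "exposure_score": exp["score"],
                       "leak_sources": sorted(exp["sources"])})
    return alerts


if __name__ == "__main__":
    profile = build_exposure(LEAK_RECORDS)
    for alert in correlate(profile, parse_auth_log(AUTH_LOG), IOC_IPS):
        print(alert)
```

Run as-is, the script flags the two attempts by alice (whose exposure score is highest because a password hash and a phone number were leaked) and the one by bob from the IoC address, while carol, who appears in no leak, produces no alert. The exposure score is what lets a security team prioritise monitoring and awareness efforts on the identities an attacker would consider "easy targets".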