
The concept of the “enterprise attack surface” refers to the sum of all possible security risk exposures for a business. Traditionally, securing this attack surface was a task focused primarily on direct IT infrastructure vulnerabilities, such as network systems, software applications, and endpoints.
Aspects like exposed personally identifiable information (PII) on data broker sites, which can be exploited in social engineering and credential-based attacks, were often overlooked.
Now, however, after years of PII-based attacks being the top source of organizational breaches, there’s growing recognition that securing exposed PII is just as crucial as securing networks and endpoints.
Today’s enterprise attack surface goes far beyond firewalls and servers. It includes publicly exposed employee data, which attackers leverage to breach an organization.
External Attack Surface Management (EASM) has traditionally focused on identifying and securing publicly exposed technical assets: internet-facing systems, domains, and IP addresses. Yet employee data is what malicious actors most often exploit, so it belongs in any comprehensive attack surface management strategy alongside those technical assets.
Social Engineering and Credential Compromise Rely on Exposed PII
For years, social engineering and credential-based attacks have consistently remained the top two sources of organizational breaches. These attack vectors rely on exposed personal data, which can be easily accessed through data brokers with a simple Google search. This data provides attackers with what they need to infiltrate organizations by impersonating trusted individuals, manipulating employees into providing credentials, or finding and cracking passwords.
Removing exposed employee data from data brokers is therefore critical to minimizing risk and preventing attackers from gaining unauthorized access.
Employee PII: The Most Exploited Attack Surface
Employee PII, such as phone numbers, emails, addresses, and other identifying information, is a goldmine for attackers. Once accessed, this data can be used for smishing (SMS phishing), vishing (voice phishing), spear-phishing, and credential-based attacks, allowing attackers to bypass technical defenses and directly target individuals within the organization.
For example, email addresses can be used to launch spear-phishing attacks that impersonate high-level executives, leading to credential theft or unauthorized transfers of funds. The Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Coast Guard (USCG) recently released their FY23 Risk and Vulnerability Assessment (RVA) Report, which identified spear-phishing as the second most common successful attack technique. Spear-phishing remains a top threat because it exploits personal data to craft highly personalized messages, making it easier to manipulate a single target into unwittingly performing harmful actions.
Phone numbers can be exploited for smishing and vishing campaigns that trick employees into divulging sensitive information. Because email providers have tightened requirements for bulk senders, mass email phishing has become harder to deliver, and attackers are increasingly turning to alternative social engineering channels such as smishing.
Threat actors such as Scatter Swine harvest mobile phone numbers from data brokers that link phone numbers to employees at specific organizations (e.g., ZoomInfo, Clearbit, and Apollo.io). This data is then used for credential harvesting, as in the infamous 0ktapus campaign of 2022, which targeted around 130 organizations.
The personal data exposed on data broker sites can also be used to find and crack employee passwords and take over accounts. According to the FY23 RVA Report, Valid Accounts was the most common successful attack technique, responsible for 41% of successful attempts. A common way to obtain valid accounts is cracking password hashes, which succeeded in 89% of USCG assessments in gaining access to Domain Administrator accounts.
Before cracking password hashes, attackers must first obtain them. One of the easiest ways is to take the personal information found on data broker sites (names, email addresses, phone numbers) and query breach repository sites with it. These sites often return cleartext passwords and password hashes associated with the accounts linked to the target's personal data. Where only a hash is returned, attackers crack it with specialized tools and wordlists, and the same personal details (names, birth year, city, employer, phone digits) seed a targeted wordlist that is far more effective than a generic one.
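As an added example, not code from the original post, the following Python script shows the last step described above: a data-broker style profile is turned into a targeted candidate list, mangled with a few common rules, and tested against unsalted SHA-1 hashes of the kind found in breach dumps, next to a generic wordlist run against the same hashes. The profile, the hashes, and the wordlist are all constructed for the demo; no real person, organization, or breach data is used.

```python
"""
Added example, not code from the original post: why exposed PII makes hash
cracking cheap. A target-specific candidate list is built from the fields a
data-broker profile typically exposes, mangled with a few common rules, and
tested against unsalted SHA-1 hashes (a format common in breach dumps).
The profile, the hashes and the generic wordlist are all constructed here.
"""
import hashlib

# Constructed profile of a fictional employee; the keys mirror what a broker
# listing exposes. No real person or organization.
PROFILE = {
    "first": "Jordan",
    "last": "Rivera",
    "birth_year": "1988",
    "city": "Tampa",
    "employer": "Acme",
    "phone": "813-555-0142",
}

# A short generic list, standing in for the top of a public wordlist.
GENERIC_WORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]

# Common substitutions attackers apply (a small subset of typical cracking rules).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "#"]


def sha1_hex(text):
    """Unsalted SHA-1 of the UTF-8 text, as breach dumps often store it."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def base_tokens(profile):
    """Seed words derived from the profile fields."""
    first, last = profile["first"], profile["last"]
    digits = "".join(ch for ch in profile["phone"] if ch.isdigit())
    year = profile["birth_year"]
    return {
        first, last, first + last, first[0] + last,
        profile["city"], profile["employer"],
        last + digits[-4:],          # surname + last four phone digits
        first + year[-2:],           # first name + two-digit birth year
    }


def pii_candidates(profile):
    """Expand the seeds with case, leetspeak, birth-year and suffix variations."""
    year = profile["birth_year"]
    out = set()
    for tok in base_tokens(profile):
        for cased in {tok, tok.lower(), tok.capitalize(), tok.upper()}:
            for form in {cased, cased.translate(LEET)}:
                for suffix in SUFFIXES + [year, year[-2:]]:
                    out.add(form + suffix)
    return out


def crack(hashes, wordlist):
    """Return {hash: plaintext} for every hash in `hashes` matched by `wordlist`."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        digest = sha1_hex(word)
        if digest in targets:
            found[digest] = word
    return found


# Constructed "breach dump" for the fictional employee. In practice these
# hashes come from a breach repository; here they are derived from known
# plaintexts so the demo runs offline.
SAMPLE_HASHES = [
    sha1_hex("Rivera0142"),                   # surname + phone digits
    sha1_hex("j0rd@n1988"),                   # leetspeak first name + birth year
    sha1_hex("correct horse battery staple"),  # not derivable from the profile
]


def demo():
    """Generic wordlist vs. PII-derived wordlist against the same hashes."""
    candidates = pii_candidates(PROFILE)
    return {
        "generic": crack(SAMPLE_HASHES, GENERIC_WORDS),
        "targeted": crack(SAMPLE_HASHES, candidates),
        "candidates": len(candidates),
    }


if __name__ == "__main__":
    result = demo()
    print(f"generic wordlist cracked {len(result['generic'])} of {len(SAMPLE_HASHES)}")
    print(f"PII wordlist ({result['candidates']} candidates) cracked "
          f"{len(result['targeted'])}: {sorted(result['targeted'].values())}")
```

The generic list recovers nothing, while a few hundred candidates derived from the profile recover the two passwords built from personal details; the passphrase unrelated to the profile survives both. Real cracking tools apply far larger rule sets and wordlists, but the dependency on exposed PII is the same.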
As the boundaries of organizational perimeters continue to expand, so too must the approach to attack surface management. The human attack surface—including employee contact info and other personal details—must be protected. By proactively removing publicly exposed employee PII, organizations can reduce the amount of data available to attackers and make it more difficult for them to launch successful attacks.
Personal Data Removal And Attack Surface Management
Incorporating employee data removal into attack surface management practices is essential for minimizing potential entry points and attack vectors. Optery’s patented search technology finds more exposed employee profiles than anyone else, and proactively reduces your attack surface for PII-based threats in the most comprehensive way possible by removing these profiles from the web.
Ready to start minimizing your attack surface and significantly reducing the volume of attacks against your organization? Create a free Optery for Business account today!