
Matchlight finds breaches faster by scouring the dark web for stolen data

Matchlight detects data breaches faster, more accurately, and in a way you might not expect. TechRepublic spoke with Terbium Labs about how Matchlight works.

Figure A: Matchlight relies on these components
Image: Terbium Labs

Consider this: According to Verizon's 2015 Data Breach Investigations Report, attackers, on average, required less than two days to breach an organization's network. The report mentions, "In 60 percent of the cases, attackers were able to compromise an organization within minutes."


Defenders (75%), however, took much longer to find the data breach. Target staff required nearly three weeks to discover the compromise to the company's network.

What if it was faster to find information stolen from a data breach than it was to detect the breach?

Terbium Labs' CEO Danny Rogers and CTO Michael Moore, two gentlemen well-versed in large-scale computational analysis, cyber-intrusion analysis, and quantum cryptography, did just that.

"We have developed Matchlight, a data-intelligence system that scours the internet for clients' sensitive data, alerting them the instant elements of their information appear in the wild," says Rogers. "Matchlight is built on two technologies: a digital fingerprint technique that computes one-way fingerprints of data, and a dark web spider that crawls the internet with a focus on areas where stolen data is most often traded."

Rogers and Moore have experience with the dark web, the digital underground where criminal transactions, such as selling stolen credit-card information, take place. "With Matchlight, we can discover unexpected appearances of stolen data on the internet immediately and automatically," notes Moore. "Our technology compares fingerprints of your data against our database of other fingerprints collected from dark web marketplaces and elsewhere across the internet, alerting you when elements of that data appear."

The Terbium Labs website says that Matchlight is sensitive enough to recognize 14 bytes of a client's fingerprinted data on the internet and the dark web. Matchlight's features also include:

  • No modifications to existing data are required, and cryptographic hashing is used to make sure that no one, not even Terbium Labs, can decipher the originating data.
  • Fingerprint comparisons are sensitive down to text samples of only 14 characters.
  • Matchlight collects fingerprints from across all places on the internet where stolen information is traded, including all the popular dark web markets.
  • Matchlight can provide alerts to any of the popular SIEM systems already in place.

How Matchlight works

Matchlight relies on two components (Figure A). The Matchlight platform crawls the internet, including the dark web. It then uses a patent-pending digital-fingerprinting technique to break the data up into small pieces and store one-way "signatures," or hashes, of those pieces in a database.

Clients are then able to compute the same signatures of their own data and continuously search the database to see if any of their data appears. This not only allows clients to decide if any of their data has been leaked, but it enables them to monitor data they would normally consider too sensitive to enter into other search engines. Most companies read the underground forums individually, which is a large part of why breaches take so long to discover.
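The matching flow described above, sketched as an added example; this is not Terbium Labs' code or its patent-pending algorithm. The overlapping 14-character windows, SHA-256, the normalization step, and every name and sample string here are assumptions made for illustration.

```python
import hashlib

WINDOW = 14  # characters per piece; the page cites 14-character sensitivity


def normalize(text: str) -> str:
    # Assumption: lowercase and collapse whitespace so reformatting of a dump
    # does not change the fingerprints.
    return " ".join(text.lower().split())


def fingerprints(text: str, window: int = WINDOW) -> set[str]:
    """One-way fingerprints of every overlapping window of `text`."""
    norm = normalize(text)
    if len(norm) < window:
        return set()  # too short to fingerprint at this sensitivity
    return {
        hashlib.sha256(norm[i:i + window].encode("utf-8")).hexdigest()
        for i in range(len(norm) - window + 1)
    }


class FingerprintIndex:
    """Service side: stores only hashes of crawled pages, keyed to their source."""

    def __init__(self) -> None:
        self._seen: dict[str, set[str]] = {}

    def ingest(self, source: str, crawled_text: str) -> None:
        for fp in fingerprints(crawled_text):
            self._seen.setdefault(fp, set()).add(source)

    def search(self, client_fps: set[str]) -> dict[str, int]:
        """Return {source: number of matching fingerprints}."""
        hits: dict[str, int] = {}
        for fp in client_fps & self._seen.keys():
            for source in self._seen[fp]:
                hits[source] = hits.get(source, 0) + 1
        return hits


# Constructed sample data: a fake record and two fake crawled pages.
CLIENT_RECORD = "Jane Q. Example, acct 0000-1111-2222-3333"
index = FingerprintIndex()
index.ingest("paste-A (constructed)", "fresh dump!!  jane q. example, ACCT 0000-1111-2222-3333 more")
index.ingest("forum-B (constructed)", "unrelated chatter about something else entirely")
ALERTS = index.search(fingerprints(CLIENT_RECORD))  # client sends hashes only
```

Plain hashes of short, low-entropy pieces such as card numbers can be recovered by enumerating candidates, so this sketch illustrates the matching flow only, not the confidentiality property the page attributes to Matchlight.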

"When you can bring that breach detection time down from months to seconds or minutes, then you can really minimize the damage and reduce the risk of the data being out there in the first place," mentions Rogers.

One potential snag

Ted Bridis, in the Phys.Org article "US wonders: Why stolen data on federal workers not for sale?", affirms a concern I raised to Rogers. I asked, "What if a nation state is responsible for the breach? It might not place the information on the internet, and then there is no way to locate it, right?"

Rogers replied, "Data taken in espionage campaigns like this often end up for sale on the dark web, as the threat actors serve both intelligence-gathering and economic motivations, sometimes using the latter as cover for the former."

Rogers had a good point. Recent history proves that most data breaches have financial motives.

Note: TechRepublic and ZDNet are CBS Interactive properties.

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.
