Stolen data: How to protect yourself after a cyberattack

Five attacks in one year

Your company suffers a classic ransomware attack. When the attack is discovered, you act exactly according to the book by not paying, deleting everything and restoring the environment from backup.

Soon after, you are attacked again. The same routine, delete and restore. But then it happens again, a total of five times in one year despite having followed the incident procedure to the letter.

The problem in this case is that the restoration of the systems did not fix the original vulnerability. With each attack, more data was also stolen, giving the attackers new keys and more knowledge about the company.

From intrusion to commodity: How your stolen data is sold on

What happened, and what actually happens to your data after an intrusion?

Data collection of more than just files

When attackers steal your data, it is more than the obviously sensitive information, such as customer information or financial details, that is lost. They also scour the systems for data about data, so-called metadata, such as configuration files, browser history, saved passwords, session cookies, system logs and internal network maps. Together, this information forms an extremely valuable digital blueprint of your company.

Refinement and sale on the Dark Web

While your team works on incident management, your stolen data takes on a new, risky life. Log Sellers, data brokers on the Dark Web, buy leaked data from hundreds of attacks, organise it and sell it on in searchable databases as a "starter kit" for new threat actors who want to attack a specific company.

This can involve an old, forgotten service account with a weak password that becomes a new way in, or internal project names that are used to create extremely convincing spear phishing emails.

Breaking the Cycle: Proactive Steps to Stop Recurring Attacks

Breaking this cycle requires a shift from reactive firefighting to a proactive strategy.

Detect Exposure with Dark Web Monitoring

Dark Web Monitoring is a service that continuously scans the Dark Web, criminal forums, and databases for the company's domains, employees' email addresses, leaked passwords, IP addresses, and other sensitive information.

This can provide an early warning. Instead of waiting for the next attack, you find out that sensitive information is for sale and can act proactively. For example, if it concerns an employee's login credentials, you can immediately ensure that the password is changed and increase monitoring on the account.

24/7 Monitoring and Response with MDR

Managed Detection and Response (MDR) is a security service with experts who monitor the company's network 24/7. This is a crucial complement to more traditional protections. An antivirus looks for known threats. An MDR service identifies abnormal activity in your environment, such as when someone tries to use an old login or move laterally within the network.

But perhaps even more important than identifying threats is being able to act quickly. The MDR team is on hand to rapidly isolate parts of your network or disable an account within minutes, around the clock, every day.

With the right tools in place, you can more quickly identify and act on the initial vulnerability and stop subsequent attempts at an early stage.
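
The two checks described above, acting on a credential found in leaked data and spotting the use of an old login, can be combined in one review of authentication events. This is an added example, not code from the original article or from any monitoring product; the account names, dates, addresses, the 90-day dormancy threshold and the event layout are all constructed assumptions.

```python
from datetime import datetime, timedelta

T = datetime.fromisoformat
DORMANT_AFTER = timedelta(days=90)  # assumed threshold for an "old login"

# Constructed sample data (accounts, dates and addresses are illustrative).
LAST_LOGIN = {"svc-backup": T("2023-11-02"), "anna": T("2024-05-30"), "erik": T("2024-05-29")}
PASSWORD_CHANGED = {"svc-backup": T("2022-03-14"), "anna": T("2024-05-21"), "erik": T("2024-01-08")}
# Accounts reported by an exposure-monitoring feed, with the date the listing was seen.
EXPOSED = {"svc-backup": T("2024-05-20"), "anna": T("2024-05-20")}
# (time, account, source address, login succeeded)
EVENTS = [
    (T("2024-06-01 08:02"), "anna", "10.0.4.17", True),
    (T("2024-06-01 02:14"), "svc-backup", "203.0.113.50", False),
    (T("2024-06-01 02:15"), "svc-backup", "203.0.113.50", True),
    (T("2024-06-01 09:30"), "erik", "10.0.4.22", True),
    (T("2024-06-01 02:40"), "svc-backup", "10.0.2.5", True),
]

def review_logins(events, last_login, exposed, pw_changed, dormant_after=DORMANT_AFTER):
    """Return login attempts that deserve a response, each with its reasons."""
    last_seen = dict(last_login)  # copy so the caller's baseline is not modified
    findings = []
    for ts, account, source, ok in sorted(events):
        reasons = []
        prev = last_seen.get(account)
        # An account that has been silent for a long time is suddenly in use.
        if prev is not None and ts - prev >= dormant_after:
            reasons.append("dormant")
        # The credential was seen in leaked data and has not been changed since.
        leak = exposed.get(account)
        if leak is not None and pw_changed.get(account, datetime.min) < leak:
            reasons.append("exposed-credential-not-rotated")
        if reasons:
            findings.append((ts, account, source, ok, reasons))
        if ok:  # only a successful login resets the dormancy clock
            last_seen[account] = ts
    return findings

if __name__ == "__main__":
    for ts, account, source, ok, reasons in review_logins(EVENTS, LAST_LOGIN, EXPOSED, PASSWORD_CHANGED):
        print(ts, account, source, "success" if ok else "failure", ", ".join(reasons))
```

In the sample, the user who changed their password the day after the leak was seen produces no finding, while the unrotated service account keeps being flagged on every login until its credential is changed.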

Make your company an uninteresting target

A cyberattack is often part of a process, not an isolated event. Stolen data lives on and is reused. Simply restoring systems without fixing the original vulnerability is like leaving the door unlocked after a break-in. It invites new attacks. The only way forward is proactivity and visibility.

Investing in proactive security solutions takes you from being an easy target to a resilient and uninteresting target. When you know what is being shared about your company through Dark Web Monitoring, and with experts monitoring your systems around the clock, you can break the vicious cycle.

5 common questions and answers about stolen data and how to protect yourself after an attack

  • What is Dark Web Monitoring?
    Dark Web Monitoring is a service that actively scans hard-to-reach parts of the internet, including criminal forums, for leaked information related to your company, such as employees' passwords or internal documents. It provides an early warning so you can act before the information is used in a new attack.
  • What is the difference between antivirus and MDR (Managed Detection and Response)?
    Antivirus reacts to known threats, such as a specific malicious file. MDR is a service where security experts monitor your network 24/7 to detect and respond to suspicious behaviour, such as an unauthorised login or unusual data traffic. MDR can thus stop completely new and unknown attacks.
  • Isn't it enough to restore from backup after an attack?
    No. Restoring from backup does not fix the original vulnerability that made the attack possible. Additionally, data stolen during the attack, such as passwords and network maps, can be used to immediately attack you again.
  • How is stolen data used to create new attacks?
    Stolen data, such as internal project names or information about your systems, is used to create very credible and targeted phishing emails (spear-phishing). Old, forgotten login credentials can also be reactivated to give attackers an easy way into your systems.
  • Why do companies continue to be attacked by the same group?
    Once an attacker has learned how your company’s IT environment works, you become a "comfortable" target. They know where the weaknesses lie and can reuse their knowledge. Furthermore, they can sell this knowledge on to other criminals, creating a vicious cycle of attacks.