DBIR: POS Attacks Wane, Cyber-espionage is Up


While enterprises struggle to get their arms around the escalating volume and complexity of cyber-attacks, Verizon's 2014 Data Breach Investigations Report (DBIR) suggests that analytics may become a key tool in crafting effective preparedness and countermeasure plans.

The DBIR identifies the nine threat patterns as: miscellaneous errors such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial of service attacks; cyber-espionage; point-of-sale intrusions; and payment card skimmers.

Three Patterns

Further, the report found that on average, just three threat patterns cover 72% of the security incidents in any industry.

For example, in the financial services sector, 75% of the incidents come from web application attacks, distributed denial of service (DDoS) and card skimming, while 54% of all manufacturing attacks are attributed to cyber-espionage and DDoS. In the retail sector, the majority of attacks are tied to DDoS (33%) followed by point-of-sale intrusions (31%).

“After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning,” said Wade Baker, principal author of the DBIR series, in a statement. “But by applying big data analytics to security risk management, we can begin to bend the curve and combat cybercrime more effectively and strategically.”

He added, “Organizations need to realize no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organization, while penetrating an organization can take minutes or hours.”

Knowing the Vector is Key to Discovery

Having some idea of a likely threat vector is also key to discovery. The report found that 75% of attacks took the hackers just days or less (hours and minutes, even) to accomplish. Yet only 25% of compromises were discovered within days or less. Most often, it takes weeks or even months until a security event is uncovered.

“That’s a large gap but unfortunately it’s getting bigger,” said Jay Jacobs, senior analyst at Verizon and DBIR co-author, in an interview. “The attackers are innovators, and it’s clear that they’re getting better at escaping detection and achieving persistence.”

Jacobs also noted that cyber-threats are snowballing in size and ferocity. While Verizon clocked 620 security events for last year’s DBIR, that number has more than doubled to 1,300 this year.

Jacobs also quantified attacker motivation: those who are financially motivated continue to carry out the bulk of the attacks, but espionage and hacktivism are also significant factors in the threat landscape.

Businesses can arm themselves defensively according to who might be targeting them. “When you have people looking to break in and steal stuff to convert into cash, you typically see a smash and grab mentality,” Jacobs said. “They know they’ll be discovered fairly quickly but they hope to get the goods out while they can.”

Typically, this type of attack is after credentials and card data, and uses either a web application or malware designed for credential-stealing like Zeus via a botnet configuration, to hit the financial and retail sectors. The use of stolen and/or misused user names and passwords continues to be the No. 1 way to gain access to further, lucrative information. The DBIR found that two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication, Jacobs noted.

POS Attacks Trend Downward

And interestingly, despite the high-profile headlines made by data breaches at Target, Michael’s and others of late, retail point-of-sale (POS) attacks where intruders attempt to capture payment card data continue to trend downward, and have been since 2011.

“In 2005-2006 we saw a lot of retailers hit, with large organizations breached for a lot of data,” Jacobs said. “Then in 2008-2009 we saw a shift to attacking smaller retailers – attackers got less data per attack, but went after more victims—that trend peaked in 2011. Now, the number of victims is actually dropping down and we’re seeing fewer scores, but aimed at larger organizations again. The pendulum is swinging on that.”

Meanwhile, those in the business of espionage carry out what Jacobs called a “low and slow” kind of attack. “These actors are taking their time and identifying trust relationships, trying to maintain persistence—and they want intellectual property,” he said. “APTs are typically aimed at manufacturing, but all of the IP industries—utility companies, professional services, developers, engineers—have been targeted. You don’t see much APT activity in the financial or retail sectors. It’s a very different picture.”

Espionage on the Up

Cyber-espionage is up again in the 2014 report, representing a more than three-fold increase compared with the 2013 report. In addition, these attacks were found to be the most complex and diverse, with a long list of threat patterns, led by the use of backdoors and phishing. As it did last year, China still leads as the site of the most cyber-espionage activity; but the other regions of the world are represented, including Eastern Europe with more than 20%.

The third type of external actor is the ideologically motivated hacker, or hacktivist. “These guys do everything they can to garner attention, DDoS and web attacks mostly, and they’re very technical. And it’s a blurry line—are they state-affiliated or just activists? Either way, they can be a business continuity problem.”

The report also points out that DDoS attacks have grown stronger year-over-year for the past three years. They are common to the financial services, retail, professional, information and public sector industries.

One trend Jacobs saw in the data this year was that of external actors carrying out web application attacks, where they attack a web server opportunistically. “They’ll poke around content management systems, looking for weaknesses, exploiting them, then using compromised machines in a botnet to either host stolen data, carry out further attacks or initiate DDoS attacks.”
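The opportunistic "poking around" Jacobs describes leaves a recognisable footprint in web server access logs: one source requesting several different CMS and admin paths in quick succession, typically on a host that runs none of them. The script below, an added illustration and not code from the report or from Verizon, parses combined-format access log lines and flags sources that hit a threshold of distinct probe paths inside a time window. The log lines are constructed, and the probe-path list and thresholds are assumptions chosen for illustration; on a site that actually runs one of these CMSs you would remove its own login paths from the list.

```python
"""Flag opportunistic CMS/admin-panel probing in web access logs.

Added example for illustration; not code from the DBIR, Verizon or
Infosecurity Magazine. Sample log lines are constructed, and the probe
path list and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Paths that scanners request when hunting for CMS/admin panels
# (assumed list; extend with whatever your own logs show).
CMS_PROBE_PATHS = {
    "/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/wp-config.php.bak",
    "/administrator/", "/user/login", "/phpmyadmin/", "/joomla/", "/drupal/",
}

# Apache/nginx combined log format: only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one fast scanner and one slow, spread-out source.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Apr/2014:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Apr/2014:10:00:03 +0000] "GET /administrator/ HTTP/1.1" 404 209
203.0.113.7 - - [10/Apr/2014:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.4 - - [10/Apr/2014:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [10/Apr/2014:10:05:07 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.4 - - [10/Apr/2014:11:30:00 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209
198.51.100.4 - - [10/Apr/2014:12:45:00 +0000] "GET /administrator/ HTTP/1.1" 404 209
""".splitlines()


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string so /wp-login.php?redirect=... still matches.
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path").split("?")[0],
            "status": int(m.group("status"))}


def find_probers(lines, min_probe_paths=3, window_seconds=300):
    """Return {ip: sorted distinct probe paths} for every source that requested
    at least min_probe_paths distinct CMS probe paths within window_seconds.

    A sliding window over each source's timestamps keeps a slow, spread-out
    set of hits (or a single legitimate login request) from being flagged.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in CMS_PROBE_PATHS:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it fits inside window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window_paths = {r["path"] for r in recs[start:end + 1]}
            if len(window_paths) >= min_probe_paths:
                flagged[ip] = sorted({r["path"] for r in recs})
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_probers(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} CMS paths: {', '.join(paths)}")
```

Run against the constructed sample, only 203.0.113.7 is flagged: it requested four distinct probe paths within four seconds, while 198.51.100.4 touched three probe paths spread over almost three hours and so stays below the window threshold. Widening `window_seconds` trades that false-positive protection for catching slower scanners.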

And while external attacks still outweigh insider attacks, insider attacks are up too, especially with regard to stolen intellectual property. The report points out that 85% of insider and privilege-abuse attacks used the corporate LAN, and 22% took advantage of physical access.

“It’s fascinating to study what goes wrong,” Verizon said in the report. “But the real purpose of this research is to help you reduce the risk that these bad things will happen to you. At the end of the day, we do this work to support evidence-based risk management. We think the perspective of studying clustered incident patterns enables more tailored strategies to reduce risk.”
