Digesting the Diversity of Data Breaches

Over the years the cyber-threat landscape has evolved into one of, if not the, most widely discussed topics in the business world. Data breach scenarios have become highly complex, intricate and hard to predict, with a range of challenges involved in response, investigation, containment, eradication, notification and recovery when the worst happens and an attack hits. Whilst they often share certain common factors, such as an entry vector and a goal of making money, their diverse nature can make one quite unlike another, affecting every department within an organization and no longer confined to the IT department - leaving a lot to digest.

This was the message shared at a Verizon press briefing in London this week in which the firm presented its Data Breach Digest, revealing that not only are there a finite set of scenarios that can occur with data breaches but that many permutations ensue within each.

“Data breaches are growing in complexity and sophistication,” said Bryan Sartin, executive director, the RISK Team, Verizon Enterprise Solutions. “In working with victim organizations, we find that breaches touch every part of an organization up to and including its board of directors.”

So, just how diverse are things getting in reality? How can, say, one type of insider breach differ from another, and how is that separate from a denial-of-service attack, or a crimeware issue?

Well, Verizon has set about the task of compiling a 16-strong list highlighting the most common or most damaging breach scenarios, based on anonymized, real-world data breach responses.

Divided into four distinct types, each of the 16 scenarios has been given its own personality and description, with tips on how to prevent it.

The Human Element
The four scenarios that Verizon identified as making up the human threat are:

1.    Financial Pretexting – the Golden Fleece: Specific; financially motivated; targeted at financial, information and retail industries; uses stolen credentials, phishing and pretexting.
2.    Hacktivist Attack – the Epluribus Enum: Specific; motivated by grudge/ideology; targeted at financial, public and information industries; uses DDoS, unknown hacking and backdoors.
3.    Partner Misuse – the Indignant Mole: Specific; motivated by financial gains and grudge/espionage; targeted at accommodation, financial, retail and healthcare industries; uses data mishandling, net misuse and privilege abuse.
4.    Disgruntled Employee – the Absolute Zero: Specific; motivated by grudge/espionage; targeted at public, financial and healthcare industries; uses export data, privilege abuse, capture stored data and disables controls.

Tips for tackling the human threat:

•    Know the threat actors; recognize their methods
•    Know your employees; sensitize them to threat actor tactics and techniques
•    Train your IR stakeholders to respond as a team

Conduit Devices
The four scenarios that Verizon identified as making up the device threat are:

1.    C2 Takeover – the Broken Arrow: Specific (espionage), Opportunistic (financial); motivated by financial gain, espionage/grudge; uses backdoors, C2, rootkits and scanning.
2.    Mobile Assault – the Secret Squirrel: Indirect; motivated by espionage; targeted at professional, administrative, information, manufacturing and financial industries; uses export data, capture stored data and exploit vulnerability.
3.    IoT Calamity – the Panda Monium: Opportunistic (IoT devices), Indirect (DoS attack victim); motivated by grudge, ideology and financial gain; uses brute force, privilege abuse, scanning and exploit vulnerability.
4.    USB Infection – the Hot Tamale: Specific; motivated by financial gain and espionage; targeted at accommodation, financial and manufacturing industries; uses unapproved hardware, spyware/keylogger, backdoors and exploit vulnerability.

Tips for tackling device threats:

•    Know your devices, monitor and log activities
•    Reduce their exposure through patching

Configuration Exploitation
The four scenarios that Verizon identified as making up the configuration exploitation threat are:

1.    Website Defacement – the Hedley Kow: Specific (hacktivist attack), Indirect (Vulnerability); motivated by ideology, grudge and financial gain; targeted at financial, retail, information and administrative industries; uses backdoors or C2, brute force, privilege abuse and exploit vulnerability.
2.    DDoS Attack – the 12000 Monkeyz: Specific; motivated by grudge, ideology and financial gain; targeted at entertainment, professional, educational, administrative, information, manufacturing and retail industries; uses brute force, privilege abuse, scanning and exploit vulnerability.
3.    ICS Onslaught – the Fiddling Nero: Specific; motivated by grudge, ideology and espionage; targeted at utilities, public, manufacturing and transportation industries.
4.    Cloud Storming – the Acumulus Datum: Specific (espionage), Indirect (vulnerability); motivated by financial gains and espionage; targeted at utilities, public, manufacturing and transportation industries; uses export data, privilege abuse, capture stored data and exploit vulnerability.

Tips for tackling the configuration exploitation threat:

•    Know your systems; configure them properly
•    Patch and patch often; review code and configurations
•    Conduct security and application scans regularly
•    Know your network environment; segment and configure it properly

Malicious Software
The four scenarios that Verizon identified as making up the malicious software threat are:

1.    Crypto Malware – the Fetid Cheez: Opportunistic; motivated by financial gain and grudge; targeted at various industries (opportunistic); uses phishing, ransomware, C2 and exploit vulnerability.
2.    Sophisticated Malware – the Pit Viper: Specific; motivated by espionage and financial gain; targeted at public, manufacturing, transportation and information industries; uses backdoors or C2, spyware/keylogger, backdoor downloader, capture stored data, scanning, password dumper, exploit vulnerability and rootkit.
3.    RAM Scraping – the Bare Claw: Indirect (vulnerability); motivated by financial gain; targeted at retail, accommodation, healthcare and administrative industries; uses export data, RAM scraper, spyware/keylogger, capture secured data and exploit vulnerability.
4.    Unknown Unknowns – the Polar Vortex: Specific, Indirect, Opportunistic; motivated by espionage and financial gain; targeted at manufacturing, transportation, public and healthcare industries; uses stolen credentials, backdoors or C2, backdoor downloader, scanning, password dumper, exploit vulnerability and toolkit.

Tips for tackling the malicious software threat:

•    Know the threat actor tools and capabilities; adjust your defense accordingly
•    Employ File Integrity Monitoring; keep anti-virus updated

“The Data Breach Digest is designed to help businesses and government organizations understand how to identify the signs of a data breach, important sources of evidence and ways to quickly investigate, contain and recover from a breach,” Laurance Dine, managing principal, investigative response, Verizon, told Infosecurity. “Knowing which incident patterns affect a given industry more often than others provides a solid building block for identifying where attackers are coming from and understanding their motives. This helps businesses to allocate their cybersecurity resources most effectively.”
