But the targets for espionage aren't just the giant corporations and government entities of the world: The Verizon 2013 Data Breach Investigations Report found that many of the targets have fewer than 10 employees. In addition, the majority of the attacks were initiated via a simple method: spear-phishing emails.
“There are a number of reasons for our noting the state-affiliated increase in attacks, but the main reason is the mind share around this,” explained said Jay Jacobs, one of the DBIR authors and a principal at Verizon, in an interview with Infosecurity. “All of the research and intel around this particular type of adversary has meant that the C&C infrastructure has become more well-known, and people are able to identify this more.”
State-affiliated cyber-espionage campaigns were responsible for one-fifth of all data breaches recorded by Verizon last year, with targets ranging from the very large (think Saudi Aramco) to the very small. Interestingly, espionage campaigns appear to have left the retail sector alone, so the latter group consists of companies that mainly fall into the manufacturing and professional services camps, which are typically populated by engineering consultants.
When it comes to the very small targets, consultancies are typically working with larger organizations, and it’s the intellectual property housed for those business partners that the attackers are likely after. “This is a hunch,” Jacobs said, “but we think it’s likely that consultancies are a way to get at larger organizations’ data.”
Whether large or small, organizations are being targeted with a well-developed cyber-espionage attack pattern that doesn’t seem to have evolved very much in the past year. Most of the time, it begins with a phishing mail. The proportion of breaches incorporating social tactics such as phishing was four times higher in 2012, which, according to the breach report, is directly related to the tactic’s widespread use in targeted espionage campaigns.
“We’re seeing a rather well-oiled approach to this,” Jacobs said. “The first thing that happens is spear-phishing, because these attacking entities are able to understand the relationships within the sectors and can create a convincing email. That tactic just doesn’t vary.”
Spear phishing, unfortunately, can be relied upon to work. Verizon calls it “the inevitability of the click.”
“There is a very high probability of getting at least one click out of a phishing campaign,” Jacobs said. “You’re almost guaranteed to get at least person to click on something, and awareness training just moves the bar a bit. Phishing will succeed eventually.”
So where’s a company to go from there? The answer to that depends on the company in question, Jacobs said.
“There isn’t a single solution that we should apply across the board, but understanding the kill chain – the chain of events of the breach – will help organizations prioritize the controls,” he explained. The kill chain, post-phishing success, involves plenty of steps: a piece of malware is loaded onto the machine either via a download or a compromised webpage, which then sets up a backdoor and C&C channel. From there, hackers gain access and permeate across the network, sniffing for relevant data to exfiltrate. It’s a series of steps, and they have to happen in order. That provides plenty of opportunities for organizations to enter the process and shut it down.
“If you can’t filter mails at the gateway, your next bet is to do awareness training,” Jacobs said. “Once a phishing link is clicked, keeping up with patching can thwart efforts on the part of the malware to try to communicate back out, establish a back door or a command and control environment, let alone try and move horizontally.”
To that point, Jacobs also said that attackers are focusing on stealing valid user credentials, which makes it very difficult to thwart attacks. Thus, strong password security becomes critical. “This is something that we saw emphasized across types of attackers, because all of them are trying to get into an environment that allows them to move from system to system,” Jacobs noted. “So identity management is being targeted and exploited across the board.”
Looking for anomalous system behavior can catch espionage hacks in any of the stages, he explained. “Stepping in there will prevent the exfiltration of data, which is the last step in the chain,” Jacobs said. “ Any move to disrupt the chain reduces the probability that all of these will happen in a row, to get to the data extraction stage.”