Know your adversary. It's a classic mantra of information assurance professionals, and the 2013 Verizon Data Breach Investigations Report reinforces it. But the report also offers a treasure trove of data underscoring the importance of organizational self-analysis: determining what attackers want from you and how they're likely to go after it.
The report, released late Monday, is Verizon's annual analysis of data breaches and breach investigations conducted in the previous year. In addition to Verizon's own data, this year's Data Breach Investigations Report (DBIR) includes breach incident data from 18 other organizations around the world (see sidebar below), including more than a dozen first-time contributors. Prior to analysis, Verizon once again standardized its breach dataset, this year encompassing 621 breach events and more than 44 million compromised records, using its VERIS incident-sharing framework.
Data points in the 2013 DBIR indicate clear patterns in the motives and methods adversaries used to successfully breach victim organizations. Of the 92% of breaches in this year's data set that were caused by external threat actors, Verizon tied more than half (55%) to purely profit-driven organized criminal groups.
According to Verizon, these profit-driven adversaries are most interested in companies in the finance, retail and food-services industries, and their attacks most often originate from countries in Eastern Europe or North America.
Not surprisingly, attackers seeking immediate profit favor payment data and personal information; for knowledgeable cybercriminals, it remains trivial to quickly convert those commodities into cash.
Increase in state-affiliated cyber-espionage tied to China
Verizon noted a rise in breaches linked to state-affiliated actors, comprising 21% of the breaches in this year's data set. Verizon, however, was reluctant to confirm an industry-wide increase in state-affiliated breaches, despite admitting its own breach investigations included more espionage-related cases than in any previous year.
Nonetheless, state-affiliated actors were active in 2012, focusing on cyber-espionage against victims in industries rich in valuable intellectual property, such as manufacturing, transportation and professional services; the targets favored by financially driven attackers, namely retail and food-service firms, were ignored almost entirely by threat actors engaged in espionage campaigns.
Malicious actors conducting cyber-espionage campaigns sought out trade secrets, sensitive internal data and system information above all else. Notably, more than 95% of state-affiliated espionage breaches involved phishing at some point in gaining entry to the target organization.
"I think that's big," said Rick Holland, senior analyst with Cambridge, Mass.-based Forrester Research Inc. "That clearly tells you if you're in an IP-rich vertical, you need to take your security controls for anti-phishing pretty solidly."
And it wasn't just Fortune 500 firms that lost intellectual property to attackers: cyber-espionage breaches hit companies with fewer than 10,000 employees far more often than larger firms, by an 81-to-19 ratio.
"Small attorney firms or professional services firms are getting compromised because they have sensitive data on clients," said Kyle Maxwell, senior analyst with Verizon. "So rather than try to breach a large, well-defended network, it's easier just to compromise the outside counsel or auditing firm, and get financial statements or plans for M&As [mergers and acquisitions] or other trade secrets from those firms."
Perhaps the most striking finding of all, Verizon said 96% of espionage cases in the 2013 DBIR were attributed to threat actors in China. While Verizon did not indicate how many of the incidents could be classified as state-sponsored cyber-espionage, the findings are no surprise on the heels of the recent Mandiant Corp. APT1 report, which offered compelling evidence indicating that Unit 61398 of China's People's Liberation Army has been perpetrating a massive, years-long cyber-espionage campaign against U.S. interests.
Hacktivists steal less data; no one-size-fits-all defense
The malicious activist or hacktivist archetype, which was featured prominently in the 2012 DBIR, stole far less data last year. Although hacktivists were tied to roughly the same share of externally driven breach incidents as before (about 2%), Verizon believes their decreased prominence is a result of a change in tactics.
"[Hacktivists] stole a lot less data, partly because their attacks have changed," Maxwell said. "They have been using DDoS [distributed denial-of-service] attacks now, which are out of scope for the DBIR because there's no breach involved in a DDoS attack." Maxwell suggested that the arrests of major players in the hacktivist community may have also contributed to the decline.
This year's report goes to great lengths to illustrate the differences among various groups of threat actors, and that's no coincidence. Maxwell said organizations must strive to better understand what data attackers want and prioritize their defensive efforts accordingly.
"Organizations can't take a one-size-fits-all approach to their defenses; different types of attackers use different methods," Maxwell said. "Organizations of all sizes and all sectors need to understand their threats and plan accordingly rather than assume they can set up static defenses that'll work for everything."
The insider threat: Significant or over-emphasized?
The 2013 DBIR offers some contradiction regarding data breaches caused by insiders: The 2013 data set features the highest percentage of insider-driven data breach incidents since 2009 (14%), yet within a larger sample of security incidents Verizon examined, nearly seven out of every 10 were caused by an insider acting carelessly, though not necessarily maliciously.
"When not dealing with breaches per se, certainly insiders rule the roost if you will in that larger data set," Maxwell said. "We do believe that overall more attacks occur by outsiders, but that doesn't mean what an insider does may be any less damaging."
In the report, Verizon noted that previous years' data sets may have over-emphasized what it calls "highly scalable remote attacks that essentially overwhelmed the external-internal ratio" and that a broader set of data from its new partners this year has likely restored a more accurate picture of the industry-wide internal-external balance.
Still, certain data points may be cause for renewed concern regarding insider threats. The majority of insider breaches, according to Verizon, continue to be intentional, profit-driven acts, though organizations are also plagued by a surprising number of low-tech events, like lost and misdirected documents.
In smaller organizations, Verizon found that employees directly involved in handling payments, namely cashiers, waiters and bank tellers, were most often responsible for insider breaches, often at the behest of external parties in support of a larger fraud ring.
Separately, Verizon noted the less frequent but ongoing risk of mistakes by administrators or programmers that lead to data exposure, particularly in large organizations. It offered up a specific example of an application debug setting that inadvertently caused sensitive financial data to be stored insecurely and, in turn, exposed to unauthorized parties.
Philip Alexander, founder of Chandler, Ariz.-based consultancy Data Privacy Network, said the risks of disgruntled or careless employees are ever-present and shouldn't be ignored. He said organizations should combat those risks with ongoing awareness and a policy that restricts data access. He also recommended the use of data auditing.
"People are much less likely, maliciously or just lazily, to mishandle data if they know it could be tracked back to them," Alexander said. "Auditing is not a preventative control, but it will track misuse and let you respond accordingly."
2013 DBIR expands beyond breaches, de-emphasizes record tally
A new twist in this year's DBIR is the inclusion of more than 47,000 reported security incidents, but Verizon carefully separated findings drawn from that larger incident set from those drawn from confirmed data breaches.
Rich Mogull, analyst and CEO with Phoenix-based research firm Securosis, lauded Verizon for making two key decisions that he said really enhanced the quality of the 2013 DBIR.
"The first was the choice to drop record counts almost completely from the report. These are fairly meaningless overall and merely distracted from the incident-oriented nature of the data," Mogull said. "The second was to focus only on confirmed breaches, even though they had a much larger data set of incidents. This allows readers to make informed decisions on what will actually cause damage vs. what they might merely see that doesn't actually hurt them."
"This is definitely the best year [yet]," Mogull added, "with an insane amount of useful data."
Despite Verizon's efforts to improve how it quantifies breach data, perhaps the most frightening data point in the entire report involves organizations' inability to quantify data loss.
According to Verizon, of the breach events comprising its data set, organizations had a complete and reliable count of compromised records only 15% of the time. In other words, in 85% of breach incidents, the organizations could not determine the full extent of the breach.
Alexander said Verizon's findings highlight how important it is for organizations to conduct a baseline inventory of sensitive data, so it's easier to discover what's missing or what has been tampered with in the wake of a security incident.
"I'm a big fan of not only knowing what data you have, but also putting it only on approved sites, because putting security controls on tired systems can be more expensive," Alexander said. "I may have 1,000 servers with sensitive data across all of them, but if I only have sensitive data on 20 servers, it's a lot cheaper to secure just those 20."
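The following Python is an added example, not code from the DBIR or from anyone quoted in this article. It sketches two things the preceding sections describe: the debug-setting failure Verizon cites (a hypothetical payment handler whose DEBUG flag dumps full card data into a log) beside a redacted version of the same handler, and the baseline inventory of sensitive data that Alexander recommends, implemented as a scan of a constructed set of files for card numbers, with each file hashed so a later scan shows what has gone missing or been altered. The file paths, record fields and sample content are constructed for illustration.

```python
import hashlib
import io
import logging
import re

# Constructed sample record, as a payment handler might hold it in memory.
SAMPLE_PAYMENT = {"order_id": "A-1001", "pan": "4111111111111111",
                  "cvv": "123", "amount": "42.50"}


def mask_pan(pan):
    """Keep only the last four digits, the form PCI DSS permits for display."""
    return "*" * (len(pan) - 4) + pan[-4:]


def handle_payment_debug_leak(record, log, debug):
    """Hypothetical handler: with debug on, the whole record goes to the log."""
    if debug:
        log.debug("processing %r", record)  # full PAN and CVV now sit on disk
    return record["order_id"]


def handle_payment_hardened(record, log, debug):
    """Same handler; diagnostic output is redacted however debug is set."""
    if debug:
        safe = {k: v for k, v in record.items() if k != "cvv"}  # never log CVV
        safe["pan"] = mask_pan(record["pan"])
        log.debug("processing %r", safe)
    return record["order_id"]


def run_with_log(handler, debug=True):
    """Run a handler against an in-memory log and return what got 'stored'."""
    buf = io.StringIO()
    log = logging.getLogger("payments." + handler.__name__)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.addHandler(logging.StreamHandler(buf))
    handler(SAMPLE_PAYMENT, log, debug)
    return buf.getvalue()


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text):
    """Return digit runs of card-number length that pass the Luhn check."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def inventory(files):
    """Baseline: for each file, how many PANs it holds and a hash of its content."""
    return {path: {"pans": len(find_pans(content)),
                   "sha256": hashlib.sha256(content.encode()).hexdigest()}
            for path, content in files.items()}


def compare(baseline, current):
    """Report files that vanished, changed, or newly hold card data since baseline."""
    missing = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in baseline if p in current
                     and baseline[p]["sha256"] != current[p]["sha256"])
    new_sensitive = sorted(p for p in current
                           if p not in baseline and current[p]["pans"])
    return {"missing": missing, "changed": changed, "new_sensitive": new_sensitive}


# Constructed file set standing in for one server's disk, debug log included.
FILES = {
    "/var/log/app/debug.log": run_with_log(handle_payment_debug_leak),
    "/srv/reports/daily.txt": "order A-1001 card " + mask_pan(SAMPLE_PAYMENT["pan"]) + "\n",
    "/etc/app/config.ini": "debug = true\n",
}

if __name__ == "__main__":
    base = inventory(FILES)
    for path, info in base.items():
        print(path, "PANs:", info["pans"])  # only the debug log holds a PAN
    later = dict(FILES)
    del later["/var/log/app/debug.log"]
    later["/srv/reports/daily.txt"] += "tampered\n"
    print(compare(base, inventory(later)))
```

Running the script shows the leaked card number appearing only in the debug log, while the hardened handler's output contains nothing the scanner flags; the second scan then reports the deleted log as missing and the edited report as changed, which is the "what's missing or tampered with" question Alexander wants an inventory to answer.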
Holland advocated for a greater enterprise focus on network visibility, using a variety of gateway, endpoint, Web and email security technologies.
"Customers always ask us, 'Where am I going to put my advanced threat budget?' and they want to direct it toward one technology, but they can't," Holland said. "But it starts with having increased visibility, because we all know prevention is going to fail."