As you may have seen by now, Verizon’s Data Breach Investigation Report (DBIR) 2013 is out. First and foremost, we wish to congratulate Verizon’s RISK team on yet another excellent and informative report. Although this report was released a few weeks ago, there are several points I felt deserved further attention, including the sudden increase in file server compromises and how automated tools are making it increasingly easy for anyone to become a hacker.
This year Verizon’s database grew substantially, from 855 confirmed data breaches to more than 47,000 reported security incidents and 621 confirmed data breaches. While the basis for most of the statistics presented in the report is the 621 confirmed data breaches, statistics for all 47,000+ incidents are also provided. This year the RISK team decided to analyze the dataset of breaches by attack motive: state-affiliated espionage, financially motivated crime, or activism. Looking at data breaches through this prism sheds light on several points worth mentioning.
“AM I A TARGET FOR ESPIONAGE?”
As stated in the report, “Who wants my proprietary info?” is probably a better question than “Am I a target of espionage?”

Every organization has some form of proprietary or internal information it wants to keep private. This information, which is almost always tied to an organization’s competitive advantage, is inevitably of interest to someone, somewhere. As the DBIR report clearly demonstrates, everyone is a potential target for data theft regardless of the type and size of the organization, or the specific motivation of the attacker.
RAISING THE BAR

A data breach starts with an initial compromise that grants the attacker access to the network, and leads to credential theft and data exfiltration. In about 70% of the data breaches the actual theft (of credentials and data) requires few resources and little expertise: it is feasible with automated tools and scripts, using basic methods that need no customization. Placing security measures around the data center will easily raise the bar on the resources and the minimum level of expertise required by the attacker, thus reducing the impact of the initial compromise.
While automated tools have made it possible for just about anyone to become an attacker, a lack of data center security and monitoring has resulted in a huge blind spot where malicious activity is concerned. The DBIR 2013 still supports the common truth that organizations do not detect breaches on their own, but rather are informed of them by an external third party. Furthermore, in many cases this detection is accidental, stumbled upon while investigating something else, and the alert is merely a courtesy.
Lack of visibility into attacks and malicious activity allows attackers to operate undetected for months. While the window of time available to detect the initial compromise is very small (seconds to minutes) and such compromises leave little-to-no evidence, the window of time available to detect malicious data access and exfiltration is much larger (hours to months). This is due to the time it takes for an attacker to explore the network, locate relevant systems, exploit those systems, and then collect and exfiltrate the data.
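The longer window above is only useful if someone is watching data access. As an added illustration (not from the DBIR or the original post), the script below parses constructed file-server audit lines and flags a day on which an account touched far more distinct files than its own recent baseline, which is what the collection phase of a breach tends to look like. The line format, the account names, the paths and the thresholds are all assumptions made for this example.

```python
"""Flag bulk file-server reads against each account's own baseline.

Added example; the audit line format, accounts, paths and thresholds are
constructed for illustration and are not from the DBIR or the post.
Line format assumed: '<ISO timestamp> <user> <path> <bytes_read>'.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed audit lines: five quiet days, then one bulk-collection night."""
    lines = []
    for day in range(1, 6):
        for n in range(3):
            lines.append(f"2013-04-{day:02d}T09:{n:02d}:00 alice "
                         f"\\\\fs01\\finance\\report{n}.xlsx 40960")
        for n in range(2):
            lines.append(f"2013-04-{day:02d}T10:{n:02d}:00 bob "
                         f"\\\\fs01\\eng\\spec{n}.docx 20480")
    # 6 April, late evening: alice's account reads 40 distinct design files
    for n in range(40):
        lines.append(f"2013-04-06T22:{n:02d}:00 alice "
                     f"\\\\fs01\\eng\\design{n:02d}.pdf 1048576")
    for n in range(2):
        lines.append(f"2013-04-06T10:{n:02d}:00 bob "
                     f"\\\\fs01\\eng\\spec{n}.docx 20480")
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, user, path, bytes_read)."""
    ts, user, rest = line.split(maxsplit=2)
    path, nbytes = rest.rsplit(maxsplit=1)   # the path itself may contain spaces
    return ts, user, path, int(nbytes)


def find_bulk_access(lines, min_files=10, sigma=3.0, min_baseline_days=3):
    """Return (user, day, distinct_files, threshold) for user-days that stand out.

    The threshold is the larger of an absolute floor (min_files) and
    mean + sigma * stdev of that user's other days, so an account with a
    zero-variance baseline still has to cross the floor before it is flagged.
    """
    daily = defaultdict(set)
    for line in lines:
        ts, user, path, _ = parse_line(line)
        daily[(user, ts[:10])].add(path)      # distinct paths per user per calendar day
    per_user = defaultdict(dict)
    for (user, day), files in daily.items():
        per_user[user][day] = len(files)
    alerts = []
    for user, days in per_user.items():
        for day, count in sorted(days.items()):
            baseline = [c for d, c in days.items() if d != day]
            if len(baseline) < min_baseline_days:
                continue                      # not enough history to judge
            threshold = max(min_files, mean(baseline) + sigma * pstdev(baseline))
            if count > threshold:
                alerts.append((user, day, count, threshold))
    return alerts


if __name__ == "__main__":
    for user, day, count, threshold in find_bulk_access(build_sample_log()):
        print(f"{day} {user}: {count} distinct files (threshold {threshold:.1f})")
```

The per-account baseline matters more than the absolute number: a build server legitimately reads thousands of files a day, while a finance analyst's account reading forty engineering design documents at 22:00 is the kind of event that is invisible without file-server audit logging and obvious with it.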
READY, AIM… SHOOT!

There’s a clear correlation between threat actor motives and the variety of data compromised. Unsurprisingly, the financial criminal’s motives are payment and personal information - information that can be easily monetized. The state-affiliated espionage motives, however, tend to be trade secrets, internal organizational data, and system information, while hacktivists focus on personal information and internal organizational data. Despite the difference in end game, or motive, all three attackers must first acquire credentials in order to successfully breach the data they desire.
Another notable finding in the DBIR was a marked increase in incidents of file server compromise (22% in versus just 1% in 2012). A plausible explanation for this sudden, and significant, increase is the recent, extensive exposure of cyber espionage campaigns (19% of incidents) that are usually after the intellectual property of the target. Intellectual property is usually stored as unstructured data in files rather than as structured data in databases. The cyber campaigns exposed in 2012-13 (e.g. Flame, Rocra/Red October and China’s Unit 61398 and APT1) went undetected for several years, which means that file servers have probably been compromised for years. Despite the fact that these incidents occurred years ago, evidence of these compromises was discovered only recently, resulting in inaccurately low incident reports of file server compromise in previous years.
Directory servers are also a target for espionage-motivated attacks, since APT attacks use them to create new users, grant permissions, and prolong their access to the network.
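The create-a-user-then-elevate-it pattern described above leaves a trail in the directory server's own audit log. As an added example (not from the DBIR or the original post), the script below correlates constructed JSON-line audit events and raises an alert when an account is added to a privileged group either by a subject that is not an approved provisioning account or shortly after that account was created. The JSON field names, the accounts, the groups and the approved-provisioner list are assumptions for the example; the numeric event IDs are the Windows Security log IDs for user creation (4720) and member-added-to-security-group (4728 global, 4732 local, 4756 universal).

```python
"""Correlate directory-server audit events for suspicious privilege grants.

Added example, not from the DBIR or the original post. The JSON line format,
accounts, groups and timestamps are constructed for illustration. Event IDs
4720 (user created) and 4728/4732/4756 (member added to a security group)
are the Windows Security log IDs; a real feed carries many more fields.
"""
import json
from datetime import datetime, timedelta

USER_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Accounts allowed to change privileged group membership (assumed provisioning service)
APPROVED_PROVISIONERS = {"hr_provision@corp.example"}

# Constructed sample events: one routine onboarding, one create-then-elevate
# sequence by a backup service account, and one old account elevated by it.
SAMPLE_EVENTS = [
    '{"time": "2013-04-02T09:15:00", "id": 4720, "subject": "hr_provision@corp.example", "target": "jdoe@corp.example"}',
    '{"time": "2013-04-02T09:16:00", "id": 4728, "subject": "hr_provision@corp.example", "target": "jdoe@corp.example", "group": "Sales"}',
    '{"time": "2013-04-03T11:00:00", "id": 4728, "subject": "hr_provision@corp.example", "target": "jdoe@corp.example", "group": "Domain Admins"}',
    '{"time": "2013-04-06T22:41:10", "id": 4720, "subject": "svc_backup@corp.example", "target": "helpdesk2@corp.example"}',
    '{"time": "2013-04-06T22:42:05", "id": 4728, "subject": "svc_backup@corp.example", "target": "helpdesk2@corp.example", "group": "Domain Admins"}',
    '{"time": "2013-04-07T03:10:00", "id": 4732, "subject": "svc_backup@corp.example", "target": "olduser@corp.example", "group": "Administrators"}',
]


def detect_directory_abuse(lines, window=timedelta(hours=24)):
    """Return one alert per privileged-group addition that fails a check.

    Checks: the subject making the change is not an approved provisioner,
    and/or the target account was created less than `window` ago.
    """
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["time"])
    created = {}   # target account -> (creation time, creating subject)
    alerts = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == USER_CREATED:
            created[ev["target"]] = (when, ev["subject"])
            continue
        if ev["id"] not in GROUP_MEMBER_ADDED or ev.get("group") not in PRIVILEGED_GROUPS:
            continue                          # routine group change, ignore
        reasons = []
        if ev["subject"] not in APPROVED_PROVISIONERS:
            reasons.append("unapproved-subject")
        age = None                            # seconds between creation and elevation
        if ev["target"] in created:
            age = int((when - created[ev["target"]][0]).total_seconds())
            if age <= window.total_seconds():
                reasons.append("new-account")
        if reasons:
            alerts.append({
                "time": ev["time"], "subject": ev["subject"], "target": ev["target"],
                "group": ev["group"], "reasons": reasons, "seconds_since_creation": age,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_directory_abuse(SAMPLE_EVENTS):
        print(alert["time"], alert["subject"], "->", alert["target"],
              alert["group"], ", ".join(alert["reasons"]))
```

The "new-account" check only fires for accounts whose creation event is inside the log window, so an account created months earlier and elevated now is caught only by the provisioner check; that is why both are needed, and why directory-server audit retention should cover the "hours to months" detection window discussed earlier rather than a few days.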