Attacks targeting the intellectual property of an enterprise are often highly targeted, frequently aided by an insider, and can go undetected for years, long after the damage is done, according to new data breach statistics released by Verizon this week.
The Verizon Data Breach Investigations Report (DBIR) Snapshot on Intellectual Property Theft (.pdf), a follow-up on the DBIR issued in March, provides analysis of 85 data breaches investigated by law enforcement and forensics teams over the last two years. Companies in the financial services and public administration industries made up two-thirds of the breaches in the study. It found that outside attackers often solicited insiders to get at the intellectual property of a targeted organization. Stolen account credentials and malware were also frequently used in the attacks.
More than half of the intrusions took place at companies in North America. Most of the breaches were the work of external attackers: professional criminal rings, activist groups, competitors, and state-sponsored actors, according to the data. About 87% of the intellectual property breaches analyzed by Verizon involved external attackers. In 46% of the cases, insiders were involved.
"About 30% to 35% of cases involved some type of collusion," said Jay Jacobs, a principal on Verizon's RISK Intelligence team and co-author of the Verizon DBIR. "An external agent specifically solicited an internal agent either by bribing them or convincing them for some reason to work with them for profit."
Detection took months, years
Database servers and file servers made up 80% of the compromised assets in the breaches analyzed in the study.
It often took attackers only hours to compromise systems and gain account or privileged access. Meanwhile, it took organizations months and sometimes years to detect that the systems had been accessed and intellectual property had been stolen. In nearly half (48%) of the cases analyzed in the report, the time from initial compromise to discovery was measured in months or longer.
"In the payment card industry we've got things like common point of purchase and fraud detection that are being used, and a lot of those breaches are being notified by the payment card vendors themselves," Jacobs said. "We don't have that on intellectual property, so we see a longer timespan which is unlike anything that we've seen."
Internal monitoring systems often failed to detect anomalous activity or weren't being proactively monitored. In many cases enterprises learned of a leak of intellectual property from law enforcement, Jacobs said.
Determining the scope of the breach and containing it was also a lengthy process. In 53% of the breaches it took months before forensics teams could contain the breach and restore the systems to normal condition.
Social engineering, stolen passwords
In many cases, attackers used stolen login credentials and often targeted low- and mid-level employees to gain a foothold in the organization. Investigators found evidence of keylogger malware on the systems of some breached organizations. The malware is designed to record the keystrokes of victims to capture account credentials and other sensitive information. Once inside, the cybercriminals sought out privileged users in an attempt to get closer to the database servers and file servers containing intellectual property.
"The use of stolen credentials is completely consistent across all of the attacks we've seen," Jacobs said. "It's clear that attackers are going after valid login credentials when they're trying to get access."
Social engineering was at the core of many of the initial attacks, duping employees out of their passwords. Brute force and dictionary attacks were also regularly used by cybercriminals to gain access to applications, databases and file servers.
"Authentication and use of passwords is definitely an Achilles heel across all the sectors that we looked at," Jacobs said.
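The report describes two things monitoring should have caught: password guessing against application, database and file servers, and valid credentials being used from places the legitimate user never logs in from. The script below is an added example, not code from the Verizon report or from any product it mentions. It assumes OpenSSH-style syslog password-authentication lines (the sample lines are constructed, not a real capture), a log year of 2012 for timestamp parsing, and illustrative thresholds of five failures in five minutes and 07:00 to 19:00 business hours.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog format (not a real capture).
# One brute-force run that ends in a successful guess, then the guessed
# account (and a second account) appearing from never-before-seen sources.
SAMPLE_LOG = """\
Mar 15 09:02:11 fileserver sshd[2101]: Accepted password for jsmith from 10.0.4.21 port 50211 ssh2
Mar 15 09:40:37 fileserver sshd[2188]: Accepted password for jsmith from 10.0.4.21 port 50340 ssh2
Mar 16 02:13:04 fileserver sshd[2210]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2
Mar 16 02:13:06 fileserver sshd[2210]: Failed password for jsmith from 203.0.113.7 port 51023 ssh2
Mar 16 02:13:09 fileserver sshd[2211]: Failed password for jsmith from 203.0.113.7 port 51024 ssh2
Mar 16 02:13:11 fileserver sshd[2211]: Failed password for jsmith from 203.0.113.7 port 51025 ssh2
Mar 16 02:13:14 fileserver sshd[2212]: Failed password for jsmith from 203.0.113.7 port 51026 ssh2
Mar 16 02:13:18 fileserver sshd[2212]: Accepted password for jsmith from 203.0.113.7 port 51027 ssh2
Mar 16 14:10:02 fileserver sshd[2390]: Accepted password for kwong from 10.0.4.33 port 50990 ssh2
Mar 17 03:42:51 dbserver01 sshd[811]: Accepted password for kwong from 198.51.100.9 port 44120 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_log(text, year=2012):
    """Parse password-auth lines into event dicts; lines that don't match are skipped.
    Syslog lines carry no year, so the caller supplies one (assumed 2012 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source address that accumulates `threshold` failed logins inside a
    sliding `window`, and escalate if that same source then gets an Accepted
    login while still inside the window (the password was guessed)."""
    recent = {}      # src -> deque of failure timestamps still inside the window
    flagged = set()  # sources already reported as brute forcing
    alerts = []
    for e in events:
        q = recent.setdefault(e["src"], deque())
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append({"type": "bruteforce", "src": e["src"], "host": e["host"],
                               "user": e["user"], "failures": len(q), "ts": e["ts"]})
        elif e["src"] in flagged and q:
            alerts.append({"type": "bruteforce_success", "src": e["src"], "host": e["host"],
                           "user": e["user"], "failures": len(q), "ts": e["ts"]})
    return alerts


def detect_new_source(events, business_hours=(7, 19)):
    """Flag a successful login for an account from a source it has never
    succeeded from before (the stolen-credential pattern). The very first
    login for an account is not flagged; there is nothing to compare against.
    Off-hours logins are marked so an analyst can prioritise them."""
    seen = {}  # user -> set of sources with an earlier successful login
    alerts = []
    start, end = business_hours
    for e in events:
        if e["result"] != "Accepted":
            continue
        known = seen.setdefault(e["user"], set())
        if known and e["src"] not in known:
            alerts.append({"type": "new_source_login", "user": e["user"], "src": e["src"],
                           "host": e["host"], "ts": e["ts"],
                           "off_hours": not (start <= e["ts"].hour < end)})
        known.add(e["src"])
    return alerts


def analyze(text):
    """Run both detectors over raw log text and return every alert."""
    events = parse_log(text)
    return detect_bruteforce(events) + detect_new_source(events)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"], a["type"], a["user"], a["src"], a["host"])
```

On the constructed sample this yields four alerts: the five failures from 203.0.113.7, the Accepted login from that same address seconds later, and two logins (jsmith from 203.0.113.7, kwong on dbserver01 from 198.51.100.9) from sources those accounts had never used, both in the small hours. The new-source baseline is built from the log itself; in production you would seed it from a longer history so that a first-day login from an attacker's address is not mistaken for a legitimate baseline.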
End users made up most insider breaches, not system admins
Regular employees accounted for about two-thirds of the breaches involving insiders, followed by financial staff and executives. System and network administrators were involved in less than 10% of the breaches.
Employee misuse of account credentials and privileges made up more than half of the breaches involving intellectual property theft. Embezzlement or skimming accounted for 28% of breaches of intellectual property.
"Insider involvement was typically someone who works with the data and the process," Jacobs said. "That was kind of astonishing because typically we think of the DBA admin or someone with administrative type privileges, but it's really the typical end users –someone that is not aware of the security space who is approached by an external agent with incentives to participate."
The study highlights the difficulty of identifying and keeping track of sensitive organizational data and trade secrets, experts say. Jeff VanSickel, a senior consultant at network security consultancy SystemExperts Corp., said organizations with very mature security programs conduct a risk assessment to better understand where sensitive intellectual property resides. Knowing what data needs to be protected and where it is located is a good first step, he said.
A data assessment is a lengthy and often costly project that involves both the business side and IT teams. Many firms choose the more expedient way to protect data by instead identifying highly sensitive applications, systems and workstations and placing monitoring and tougher access controls around them.
"Above all else, find out where your sensitive data is and then segregate that data off so you can add that appropriate level of controls around that data," VanSickel said.
Logging and monitoring, antivirus, intrusion detection, encryption and access control must also be a part of a comprehensive security program. A system assessment to address configuration errors and eliminate default settings and passwords will also improve the company's security posture.
"With enough time and enough money anyone can break into your company," VanSickel said. "If you can make it extremely difficult to break in then you are doing a good thing."
Verizon has been expanding its data set by including information from the U.S. Secret Service and European law enforcement agencies. The firm has acknowledged that the majority of its forensic team's caseload involves theft of credit card data driven by financially motivated cybercriminals.
Only 20% of the breaches analyzed in the study released this week involved the theft of both intellectual property and financial data, such as credit card and bank account information. However, the 89 breaches were mostly made up of cases investigated by the U.S. Secret Service, which handles a high number of ATM, point-of-sale terminal and corporate white-collar crimes.