For all the industry discussion about the evolution of so-called advanced cyberattacks, data from the Verizon 2013 Data Breach Investigations Report indicates a select few attack types are responsible for the majority of last year's reported breaches. Despite that consistency, the majority of organizations fail to identify breaches until months after the initial compromise.
The report, released late Monday, is Verizon's annual analysis of data breaches and breach investigations conducted in the previous year. In addition to Verizon's own data, this year's Data Breach Investigations Report (DBIR) includes breach incident data from 18 other organizations around the world.
The 2013 DBIR showed that just three attack types -- ATM skimming, what Verizon calls "POS smash-and-grab" involving a combination of brute force and malware, and a combination of phishing, malware and hacking -- were used in 68% of the breaches in this year's data set.
"While there is still some wiggle room for the baddies to be creative," Verizon wrote in the report, "this is an indication that treating our adversaries as random and unpredictable is counterproductive. We may be able to reduce the majority of attacks by focusing on a handful of attack patterns."
According to Verizon, hacking -- defined for the purposes of the report as all attempts to intentionally access or harm information assets by circumventing logical security mechanisms -- played a role in slightly more than half of the breaches Verizon analyzed; those incidents were dominated by the use of stolen account credentials, a backdoor or a brute-force attack. As Verizon noted, the use of something other than a single-factor username-password credential would have likely thwarted 80% of the hacking attacks reported last year.
[Figure: Countries represented in the combined caseload (Verizon and partners). Source: Verizon DBIR 2013, used with permission.]
Rick Holland, senior analyst with Cambridge, Mass.-based Forrester Research, said organizations must be aware of the significant number of attacks that don't involve malware and hence don't have any signature that can be used for detection.
"Organizations shouldn't get hyper-focused on malware. Get ready for incidents involving password theft and abuse of credentials," Holland said. "That's why network visibility is so critical; to look for anomalous behavior."
Malware -- malicious software, script or code -- was nonetheless involved in 40% of the breaches in the report's data set. The majority of malware installations were either direct or via email, though large organizations saw a small but notable uptick this year in Web "drive-by" malware downloads.
In cases where attackers had largely financial motivations, spyware -- including keyloggers and form-grabbers -- was the malware variety of choice. In cyber-espionage-related breaches, attackers used a variety of types of malware with no predominant type.
Compromise taking longer; so is breach detection
The 2013 DBIR detailed the typical timespan of a breach. In 60% of the breaches in this year's data set, the initial compromise took place over a period of multiple hours, a small window indeed, but slightly longer than in years past.
[Figure: Top 10 origin countries of external data breach actors. Source: Verizon DBIR 2013, used with permission.]
However, organizations struggled mightily with breach detection: a majority of breach events (62%) were not discovered until months after the initial compromise; discovery time in 4% of the breaches was measured in years. Additionally, seven out of every 10 breach events were initially discovered by someone outside the breached organization.
"Victims regularly do not discover breaches themselves," said Kyle Maxwell, a senior analyst with Verizon. "They are either notified by law enforcement or card brands, or other organizations that are doing breach notifications. Particularly in cases of espionage attacks, investigations from one organization lead to other organizations that have been attacked."
"I don't think a lot of organizations have the appropriate technology in the right spots," Holland said. In particular, he referenced the difficulty enterprises have in securing third-party software like Java; attackers seeking a way into an organization often take advantage of the many enterprises that struggle to quickly implement third-party patches.
"Even though we know when the Microsoft Patch Tuesday releases come out … by the time we can get a patch out, there's always going to be a lag," Holland said. "If I were an attacker, I'd go after third-party applications all day long."
The report, not without a touch of irony, noted that the most effective means of detecting a breach internally proved to be end users. Although they are often considered the weak link in the information security chain, the data showed that run-of-the-mill users were the first to discover suspicious activity and report it to IT or management.
"Enterprises have a difficult time managing the threat landscape and operational impact of security in terms of staffing and resources," Holland said. "People want the easy button and there is no easy button."