"We may be able to reduce the majority of attacks by focusing on a handful of attack patterns."
That's the thought that Verizon used to tantalize readers of the 2013 iteration of its Data Breach Investigations Report, but as it turns out, the 2014 version found that more than nine out of ten data breaches can be described by just one of nine attack patterns, an enticing claim for enterprise information security teams.
The report, set to be released on Wednesday, is Verizon's annual analysis of the previous year's data breaches and breach investigations. Beyond Verizon's own data, the 2014 Data Breach Investigations Report (DBIR) includes breach incident information from 50 other organizations from around the world (see sidebar below), more than doubling the number of contributors in the 2013 version. Using its VERIS incident-sharing framework, Verizon standardized this year's breach data set, which encompassed a total of 1,367 confirmed data breaches and 63,437 "security incidents," described in the report as a "security event that compromises the confidentiality, integrity, or availability of an information asset" but doesn't necessarily lead to a compromise of data.
All of the breach data included in the Verizon report is funneled into one of nine basic attack patterns, with the most prevalent of the bunch -- Web app attacks, cyberespionage and point-of-sale intrusions -- combining to account for more than two-thirds of the confirmed data breaches. Interestingly, looking at the much broader category of security incidents reveals that miscellaneous errors, crimeware and insider misuse are the more likely threat vectors, if more than just the loss of data is important to an organization.
Of course, focusing just on how often those broad threat categories show up overall won't give a specific organization a clue as to what attacks it is most likely to face, a past criticism of the DBIR. To address this, Verizon took those nine classifications and mapped them out to threat actors, types of organizations targeted and the security controls that would be most helpful in fending off each attack type.
"Now when someone reads our report, they're not going to go through a section called 'hacking' and figure out what type of hacking actions are more common," said Marc Spitler, senior risk analyst at Verizon. "Now we're able to do a direct mapping to industry, to these incident-classification patterns, and we really think that's going to be a very actionable way to use this information."
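To make the mapping described above concrete, the following is an added example, not code from the article, from Verizon or from the DBIR itself. It takes a handful of constructed incident records (the field names are loosely modelled on VERIS but are assumptions, not the official schema), assigns each to one of the nine patterns with a simplified, ordered rule set written for this example, and then tallies the patterns two ways: across all security incidents and across confirmed breaches only, overall and per industry. The output shows the effect the article describes: the pattern that dominates the incident count is not the one that dominates the breach count, and a single industry's view looks nothing like the overall one.

```python
from collections import Counter

# Constructed sample incidents, loosely modelled on VERIS-style fields. The field
# names and values are assumptions for this example (not the official VERIS schema)
# and every record is invented; none of them come from the DBIR data set.
INCIDENTS = [
    {"industry": "Retail", "action": "malware", "malware_variety": "RAM scraper", "asset": "POS terminal", "disclosure": "Yes"},
    {"industry": "Accommodation", "action": "malware", "malware_variety": "RAM scraper", "asset": "POS controller", "disclosure": "Yes"},
    {"industry": "Finance", "action": "physical", "physical_variety": "Tampering", "asset": "ATM", "disclosure": "Yes"},
    {"industry": "Manufacturing", "action": "social", "social_variety": "Phishing", "actor_motive": "Espionage", "asset": "Workstation", "disclosure": "Yes"},
    {"industry": "Public", "action": "malware", "malware_variety": "Backdoor", "actor_motive": "Espionage", "asset": "Server", "disclosure": "Yes"},
    {"industry": "Healthcare", "action": "error", "error_variety": "Loss", "asset": "Laptop", "disclosure": "No"},
    {"industry": "Healthcare", "action": "error", "error_variety": "Loss", "asset": "USB drive", "disclosure": "Potentially"},
    {"industry": "Healthcare", "action": "physical", "physical_variety": "Theft", "asset": "Laptop", "disclosure": "No"},
    {"industry": "Healthcare", "action": "error", "error_variety": "Misdelivery", "asset": "Documents", "disclosure": "No"},
    {"industry": "Retail", "action": "hacking", "hacking_variety": "DoS", "asset": "Web server", "disclosure": "No"},
    {"industry": "Finance", "action": "misuse", "misuse_variety": "Privilege abuse", "asset": "Database", "disclosure": "Yes"},
    {"industry": "Information", "action": "hacking", "hacking_variety": "SQLi", "asset": "Web application", "disclosure": "Yes"},
    {"industry": "Public", "action": "malware", "malware_variety": "Spyware", "asset": "Desktop", "disclosure": "No"},
    {"industry": "Public", "action": "malware", "malware_variety": "Ransomware", "asset": "Desktop", "disclosure": "No"},
    {"industry": "Healthcare", "action": "physical", "physical_variety": "Theft", "asset": "Laptop", "disclosure": "No"},
]

# Ordered rules: the first predicate that matches decides the pattern. This is a
# simplified approximation written for this example; the real report applies a more
# detailed decision tree over the full VERIS record. Order matters: a RAM scraper on a
# POS asset is a PoS intrusion, not generic crimeware, and espionage-motivated malware
# is cyberespionage, so the more specific rules come first.
RULES = [
    ("Point-of-sale intrusion", lambda r: r.get("asset", "").startswith("POS")),
    ("Payment card skimmer", lambda r: r.get("physical_variety") == "Tampering" and r.get("asset") == "ATM"),
    ("Cyberespionage", lambda r: r.get("actor_motive") == "Espionage"),
    ("Web app attack", lambda r: r.get("action") == "hacking" and r.get("asset") == "Web application"),
    ("Insider misuse", lambda r: r.get("action") == "misuse"),
    ("Physical theft/loss", lambda r: r.get("physical_variety") == "Theft" or r.get("error_variety") == "Loss"),
    ("Denial of service", lambda r: r.get("hacking_variety") == "DoS"),
    ("Crimeware", lambda r: r.get("action") == "malware"),
    ("Miscellaneous error", lambda r: r.get("action") == "error"),
]


def classify(record: dict) -> str:
    """Return the first pattern whose rule matches, or the catch-all bucket."""
    for pattern, matches in RULES:
        if matches(record):
            return pattern
    return "Everything else"


def tally(records, industry=None):
    """Count patterns across all incidents and across confirmed breaches only.

    A record counts as a confirmed breach only when data disclosure is "Yes";
    "No", "Potentially" and "Unknown" stay incidents, as in the report's definition.
    """
    incidents, breaches = Counter(), Counter()
    for r in records:
        if industry is not None and r["industry"] != industry:
            continue
        pattern = classify(r)
        incidents[pattern] += 1
        if r.get("disclosure") == "Yes":
            breaches[pattern] += 1
    return incidents, breaches


def shares(counter: Counter) -> dict:
    """Express a pattern count as percentages, most common first."""
    total = sum(counter.values())
    return {p: round(100 * n / total, 1) for p, n in counter.most_common()} if total else {}


if __name__ == "__main__":
    inc, br = tally(INCIDENTS)
    print("All incidents:       ", shares(inc))
    print("Confirmed breaches:  ", shares(br))
    for vertical in ("Healthcare", "Retail"):
        v_inc, v_br = tally(INCIDENTS, industry=vertical)
        print(f"{vertical} incidents: ", shares(v_inc), "| breaches:", shares(v_br))
```

With these constructed records, theft and loss leads the incident count but contributes no confirmed breaches, while PoS intrusions and cyberespionage lead the breach count; filtering to Healthcare alone makes theft/loss 80% of that vertical's incidents. The same two-axis tally (incident versus confirmed breach, overall versus per industry) is what turns a headline statistic into something an individual organization can act on.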
Point-of-sale attacks prominent, but affect few
A prominent example of Verizon's industry-guided DBIR focus this year is attacks on point-of-sale systems, which accounted for 14% of confirmed breaches in the report, but less than 1% of the overall security incidents recorded. The separate category of payment card skimmer attacks shows a similar split, making up 9% of confirmed breaches but less than 1% of security incidents.
In past DBIR iterations, the combination of these two attack types making up nearly a quarter of all the breaches recorded by Verizon would have skewed the overall data set, leaving readers to believe that PoS security should be top of mind for every organization. In reality, only a few specific industries have any real reason to be directly concerned about these attack types.
PoS intrusions, for example, account for 31% of all attacks against retail organizations in the 2014 DBIR, second only to denial-of-service attacks, and 75% of the attack types experienced by accommodation and food services companies. Payment card skimmers make up 22% of threats against companies in the finance vertical and 11% against management organizations, but pose a minuscule risk to other verticals.
The sheer number of attacks on point-of-sale environments should be no surprise to anyone who pays attention to news headlines, as major retailers like Target, Neiman Marcus and Michaels have recently been pummeled by PoS-related data breaches.
Rick Holland, principal analyst for security and risk management at Cambridge, Mass.-based Forrester Research Inc., said that it may seem intuitive to link this attack type to certain verticals, including retail and accommodations, but in reality, organizations don't always understand which attacks are more or less likely to target them, making the DBIR's take on industry-specific threats a much needed dose of reality.
"There has been a lot of indication from my clients in completely different verticals [from retail] that, just when they saw the Target news, they had to explain to leadership that this did not impact them," said Holland. "I had a lot of CISOs that were having to do some education to their boards and their executives about what was happening at Target when, at least from a point-of-sale perspective, that situation did not impact them."
Further defining the PoS situation, Verizon emphasized in its report that point-of-sale security issues predominantly affect small and medium-sized retailers more so than the major players, despite what recent headlines would suggest. Of the 196 PoS intrusions recorded in the DBIR, RAM scrapers were involved in a whopping 85% of the attacks. Exporting data and brute-forcing credentials also played a part in more than half of all PoS intrusions.
In fact, RAM scraping malware was so prominent in this year's data set that it overtook the most common threat action from last year's report: keyloggers.
"Our theory was the more common keyloggers were easier to detect. They were less elegant, grabbing all kinds of information," said Spitler. "RAM scrapers are written for specific processes, are a little bit leaner and more efficient, and just maybe are a better mousetrap than keyloggers."
The Verizon report highlights a number of security controls that can be applied to PoS environments, including limiting remote access by third-party management vendors -- a threat highlighted in the Target breach -- deploying antivirus software and more closely monitoring network traffic for anomalous behavior.
Cyberespionage: A persistent scourge
Verizon noted that state-affiliated breaches rose again in this year's data set, up to 22% of all confirmed breaches in 2013 from 21% last year, though the report cautioned that such numbers may just reflect an increasing number of participants that see such attacks.
2014 Verizon DBIR Contributors
The following organizations contributed breach incident data to the 2014 Verizon Data Breach Investigations Report. First-time contributors are denoted with an asterisk.
Australian Federal Police (AFP)
*Center for Internet Security (MS-ISAC)
*Centripetal Networks, Inc.
CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute
*CERT-EU European Union
*Commonwealth of Massachusetts
*Computer Emergency Response Team of Ukraine (CERT-UA)
*Computer Incident Response Center Luxembourg (CIRCL), National CERT, Luxembourg
*Council on CyberSecurity
*CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI)
Danish National Police, NITES (National IT Investigation Section)
*Defense Security Service (DSS)
Deloitte and Touche LLP
Dutch Police: National High Tech Crime Unit (NHTCU)
Electricity Sector Information Sharing and Analysis Center (ES-ISAC)
European Cyber Crime Center (EC3)
*Financial Services ISAC (FS-ISAC)
G-C Partners, LLC
*Identity Theft Resource Center
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Irish Reporting and Information Security Service (IRISS-CERT)
*Mishcon de Reya
National Cybersecurity and Communications Integration Center (NCCIC)
*Netherlands National Cyber Security Centre (NCSC-NL)
*Policia Metropolitana (Argentina)
*Policia Nacional de Colombia
*Public Transit ISAC (PT-ISAC)
*Real Estate ISAC (RE-ISAC)
"Like a streetlight illuminating cars parked along the street, more contributors allow us to see more cars," said the Verizon report. "Unfortunately, we can also see that those cars have broken windows and stolen stereos."
Cyberespionage is again far more likely to affect industries that are rich in intellectual property, with the public, professional, mining and manufacturing verticals the most likely to be hit by state-backed hackers. Over half of the cyberespionage-related breaches in the data set targeted U.S.-based organizations, though again, that number may reflect the organizations that participated in the report as much as anything.
As for which countries are behind the majority of state-affiliated breaches, eastern Asia, particularly China and North Korea, still accounts for almost half of all such attacks, but has slipped quite a bit when compared to last year's data set. In comparison, the number of attacks attributed to Eastern European hackers rose this year, with more than 1 in 5 cyberespionage events linked to predominantly Russian-speaking malicious actors.
Speaking to the targeted nature of cyberespionage, state-affiliated attackers tend to rely on a much broader set of tools when compared to Verizon's other eight attack patterns. Attack techniques including phishing, backdoors, malware downloaders and command-and-control communications were each utilized in more than half of the recorded cyberespionage incidents.
The report advised organizations to focus on a few "blocking and tackling fundamentals" to defeat state-affiliated attackers, including applying software updates regularly, segmenting corporate networks and logging all relevant activity, a move to make incident response efforts more efficient.
"Isolating the root cause of an espionage-related breach is a bit of a snipe hunt. Sure, victims make mistakes (minor and otherwise) that are exploited in the process," said the Verizon report, "but the real root issue is a determined, skillful, patient, and well-resourced adversary who will keep poking until he finds (or makes) a hole."
Is device security a problem in healthcare?
Reversing the statistical trend seen with PoS intrusions and cyberespionage, the physical theft and loss of devices made up 14% of the total security incidents recorded in the 2014 Verizon DBIR, but less than 1% of the confirmed data breaches.
The Verizon report partially explains that number, indicating that, unlike in some of the other incident patterns, devices are 15 times as likely to be lost as stolen.
"That’s important because it suggests the vast majority of incidents in this pattern are not due to malicious or intentional actions," noted the Verizon report. "Thus, the primary challenge is to a) keep employees from losing things (not gonna happen) or b) minimize the impact when they do."
Intriguingly, this incident pattern also seems to overwhelmingly affect healthcare organizations, with such incidents accounting for 46% of all the attacks seen by that vertical. In comparison, device theft and loss didn't rise above 19% for any other industry.
A board member of the National Health ISAC (NH-ISAC), who asked to remain anonymous as he wasn't speaking for his own organization, said there were two driving factors behind the healthcare and device security trend. First, he said that healthcare organizations tend to be more mature than other verticals when it comes to reporting lost or stolen devices, which leads to a natural deviation in such statistics.
The other factor, according to the NH-ISAC board member, is that the delivery of healthcare in the U.S. is still largely performed by locally and regionally based healthcare entities, which he said often rely on physical devices like USB sticks to transfer protected health information between them. The Verizon report bears witness to that line of thought, with the loss or theft of such flash drives among the five most common threat types in this incident pattern.
"Given the small-scale and distributed delivery of healthcare, one of the best ways to fight back is to share information through an ISAC," said the NH-ISAC board member. "The healthcare industry got a later start [to information sharing] than other verticals like financials, but the DBIR shows that we need to take this stuff just as seriously as other industries."
A number of security controls are recommended by the Verizon researchers to minimize the impact of lost or stolen devices, including encrypting the devices, backing up data and even using "unappealing tech" so as not to pique the interest of attackers.
"You know, the very first recommendation they have on there is to encrypt. It's shocking to me when I hear about the loss of a device and then learn that it has not been encrypted," said Forrester's Holland. "I'm not surprised by the number of lost or stolen devices at all, but I am surprised to hear that organizations still struggle to deal with full-disk encryption that could help mitigate that loss."
Stolen credentials a problem across the board
While Verizon focused this year's DBIR on giving industry-specific security advice, one overarching theme crops up across a number of different verticals and incident patterns: attackers across the board are relying on stolen authentication credentials.
Stolen credentials have in fact become so popular with malicious actors that it was the most common threat action in the Verizon report by a wide margin, appearing in 422 incidents. The next closest threat action -- data exportation -- showed up 327 times.
Spitler said it should not be surprising to anyone that stolen credentials are used in such a variety of attacks, nor that attackers value legitimate user credentials so much. Finding and exploiting vulnerabilities in an enterprise environment is more time consuming for attackers, he noted, than simply utilizing credentials to navigate through a network ransacking data, all while "flying under the radar."
"Obviously, payment card data is very sought after by financially motivated attackers, while plans, emails and schematics are sought after by espionage-related attackers," said Spitler, "but the use of stolen credentials is a means to all of that, and a lot of the actions underneath ultimately lead to stealing those credentials and being able to use them."
Holland said that awareness around the need to protect user credentials should be on the rise, considering that stolen credentials have been a top five threat in the Verizon DBIR for three years running. Still, there are plenty of organizations that have yet to implement the controls necessary to shut down this avenue of attack, particularly two-factor authentication.
"There are several different areas in the DBIR where Verizon talks about implementing two-factor authentication [as a general security control]. With that, at least if someone steals your credentials, they need another piece of information," said Holland, who noted that two-factor authentication is an inexpensive option when compared to other technologies being implemented in enterprise environments. "Two-factor authentication is one of those fundamentals companies ignore when they put in an expensive malware analysis platform."
Overall, Holland compared the 2014 Verizon Data Breach Investigations Report positively to a choose-your-own-adventure book, noting that organizations could read the sections that pertain only to them and take away methods for improving the security of their environments.
"When you talk about decision support, this is tailored to that organization where, if I'm in entertainment, I can read the types of attacks that are relevant to me," said Holland. "This is the type of data that can make it to the board level. This can be used for the building of the budget, explaining what is happening to our industry and generally understanding which metrics I should focus on the most."