In the past few years, enterprise data breaches have become a huge threat affecting businesses and consumers alike. As the spotlight on cybersecurity amplifies, so do questions related to network security strategies, preventative measures and the source of cybercriminal activity. I sat down with Marc Spitler, senior consultant, network and information security, Verizon, to get answers to key questions pertaining to recent data breaches analyzed in the Verizon 2015 Data Breach Investigations Report (DBIR). Here’s what he had to say.
Marc Spitler, Senior Consultant, Network and Information Security, Verizon
Do cybersecurity trends vary from region to region or by geographic location?
Marc Spitler: We haven’t seen any trends based on victims’ geographic locations. The variances in types of cybercriminals, the tactics that they use and the assets they target are much more tied to the hacker’s motive than the country or location of the organization suffering the incident. Even with the ATM skimming incident classification pattern, we have seen skimmers used and payment card information captured in countries that have adopted chip-and-PIN technology. The subsequent fraudulent transactions occurred in North America, but the data was captured abroad.
The general rule used to be that 80 percent of intrusions came from internal users, yet we keep hearing about third-party breaches leading to data disclosure of B2B customer information. What’s the truth?
Marc Spitler: We found that approximately 90 percent of intrusions came from external users, but this figure is limited to confirmed data breaches, and our corpus has continued to show that external cybercriminals (also known as threat actors) are most responsible. Many of the incident patterns (POS Intrusions, ATM Skimming) lend themselves to a many-to-one relationship between victims and threat actors. A single organized criminal group can compromise hundreds of companies’ POS systems, while an internal actor will have a 1:1 ratio.
When expanding this to security incidents without confirmed data loss, internal users may have a larger representation due to the prevalence of lost devices. Moreover, the nature of employee misuse — using their normal and sanctioned physical and logical access in an inappropriate way — is much harder to discover than external payment card breaches where the card fraud provides the evidence to determine a data breach.
As far as Partner actors, we only identify someone as a threat actor if they actively performed the action that resulted in a breach/incident. So if a third party that aggregates your customer data is hacked and the data is lost, we still apply the threat actor label on the external hacker.
Does this mean that enterprises should not focus on internal users?
Marc Spitler: Monitoring of internal user behavior should be conducted to help identify employee misuse that might be under the radar. When external actors gain a foothold on a corporate asset, they will seek out additional valid user credentials to advance their attack. Reviewing user activity can also lead to the discovery of compromised user accounts. Think of it more as user account monitoring, not just user monitoring.
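The account-centric monitoring described in this answer, as an added example that is not part of the interview or the DBIR: it parses a handful of constructed logon events and flags three things a stolen credential tends to produce once an attacker has a foothold on one device: one account used on several hosts in a short window (credential reuse), one host where many distinct accounts are tried in a short window (credential harvesting or spraying from the foothold), and successful logons outside an assumed business-hours baseline. The log format, host and account names, time windows and thresholds are all assumptions made for the example.

```python
"""Account-centric logon anomaly checks over constructed sample events.

Added example; not code from the interview or from Verizon. The log line
format, names, windows and thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format:
# "<ISO time> user=<account> host=<host logged on to> result=<ok|fail>".
# The story: bob's workstation (ws-bob) is compromised late in the evening;
# alice's credential is stolen from it and reused to reach two servers, while
# the attacker also tries other accounts on ws-bob.
SAMPLE_LOG = """\
2015-04-06T09:02:11 user=alice host=ws-alice result=ok
2015-04-06T09:05:40 user=bob host=ws-bob result=ok
2015-04-06T11:17:03 user=alice host=ws-alice result=ok
2015-04-06T17:58:20 user=bob host=ws-bob result=ok
2015-04-06T23:41:55 user=alice host=ws-bob result=ok
2015-04-06T23:42:10 user=alice host=fileserver-01 result=ok
2015-04-06T23:42:31 user=alice host=db-02 result=ok
2015-04-06T23:43:02 user=carol host=ws-bob result=fail
2015-04-06T23:43:05 user=admin host=ws-bob result=fail
2015-04-06T23:43:09 user=svc_backup host=ws-bob result=ok
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) result=(ok|fail)$")


@dataclass(frozen=True)
class Logon:
    time: datetime
    user: str
    host: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the assumed line format into Logon records sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, user, host, result = m.groups()
        events.append(Logon(datetime.fromisoformat(ts), user, host, result == "ok"))
    return sorted(events, key=lambda e: e.time)


def fan_out_alerts(events, window=timedelta(minutes=5), max_hosts=2) -> dict:
    """Accounts successfully used on more than max_hosts distinct hosts within
    one window: the signature of a stolen credential being reused to move."""
    by_user = defaultdict(list)
    for e in events:
        if e.ok:
            by_user[e.user].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):  # evs is time-ordered
            hosts = {e.host for e in evs[i:] if e.time - start.time <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


def fan_in_alerts(events, window=timedelta(minutes=5), max_accounts=2) -> dict:
    """Hosts on which more than max_accounts distinct accounts were attempted
    (success or failure) within one window: harvesting or spraying from a foothold."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    alerts = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            users = {e.user for e in evs[i:] if e.time - start.time <= window}
            if len(users) > max_accounts:
                alerts[host] = sorted(users)
                break
    return alerts


def off_hours_alerts(events, start_hour=7, end_hour=19) -> list:
    """Successful logons outside an assumed 07:00-19:00 baseline, as
    (user, host, ISO time) tuples."""
    return [
        (e.user, e.host, e.time.isoformat())
        for e in events
        if e.ok and not (start_hour <= e.time.hour < end_hour)
    ]


def review_accounts(text: str) -> dict:
    """Run all three checks over a log and return the combined findings."""
    events = parse_log(text)
    return {
        "credential_reuse": fan_out_alerts(events),
        "account_fan_in": fan_in_alerts(events),
        "off_hours": off_hours_alerts(events),
    }


if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

With the sample above, the reuse check names alice (seen on ws-bob, fileserver-01 and db-02 within a minute), the fan-in check names ws-bob (four accounts tried in two minutes), and the off-hours check lists the late-night logons; the first two findings point at the compromised account and the foothold device respectively, which is the distinction between account monitoring and user monitoring the answer draws.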
Are you seeing different criminal tactics used this year?
Marc Spitler: We didn’t see significant changes when we classified our data set into the nine classification patterns. The percentages were similar, and the methods (or threat actions) used were in line with what we have seen in prior years. Use of stolen user credentials continues to be a prevalent tactic, and phishing is trending upwards as well. The lack of any “aha moments,” as we call them in the DBIR, led us to the decision to devote less ink to the attack patterns and focus more on the other research topics that fall before and beyond the traditional data breach.
The defender-detection deficit visual is extremely concerning. Are we destined to always be fighting an uphill battle?
Marc Spitler: Yes and no. The predominant attack patterns all feature methods that if successful, are quick compromises. Using default or stolen credentials to compromise POS systems is by nature very quick. “Drive-by-downloads” of malware, which are common in the crimeware pattern, are instantaneous. Even the sophisticated state-sponsored attacks, more often than not, begin with a phishing campaign and it doesn’t typically take long for one user to take the bait.
Focus should be placed on disrupting attack chains after the initial foothold. A compromised user device should not lead to quick access to sensitive information stored deeper within the network. The initial compromise, in many cases, will still be quick but limiting what an adversary can do with a compromised user device is key.
The “Phishing” chapter in the DBIR states that 23 percent of users opened phishing messages, and 11 percent clicked on the malicious link, but 50 percent of users opened and clicked within one hour. How is this possible?
Marc Spitler: The 50 percent of users that click within one hour is from the subset of the 11 percent that do click. For users that end up interacting with the phishing mail, about half of them do it very quickly, which does not leave a large window of opportunity to identify a campaign and initiate reactive controls to prevent the attack from being successful.
Read the “Verizon 2015 Data Breach Investigations Report” and get the latest information to help protect your enterprise organization from a data breach and safeguard your customers’ personal information.
Visit Verizon’s Security Products and Services portfolio to learn more about cybersecurity and how to protect your network and data against cyberthreats.