With the release of this year’s Verizon Data Breach Investigations Report, it is clear that the cybersecurity landscape is once again experiencing a drastic change in the types of attacks that are threatening an organization’s intellectual property, financial information and customer data.
In response to this change, this year’s report adds a critical new tactic for addressing how this advanced threat landscape affects an organization: examining incident patterns. As attackers shift their strategies, so is the cyberdefense industry, moving away from a model built around identifying and remediating single attacks toward an environment where threat actors and their behaviors are identified and blocked globally.
As examples of this changing threat landscape and the new tactics required, FireEye contributed forensic data from three of the advanced attack campaigns we uncovered in 2013:
- Operation DeputyDog
A campaign targeting organizations in Japan that began in August of 2013 and that, upon detection and behavioral analysis by FireEye systems, was linked to a group that had executed a successful breach of a technology company earlier in the year.
- Operation Ephemeral Hydra
Using infrastructure shared with the DeputyDog campaign and code shared with the Remote Access Tool used in the Bit9 compromise, this campaign exploited an Internet Explorer zero-day to compromise visitors to a website focused on U.S. national and international security.
- The Sunshop Campaign
This campaign targeted a range of victims through the sites of Korean military and strategy think tanks and a science and technology journal; FireEye was able to link it to a group responsible for attacking the Nobel Peace Prize Committee’s website in 2010.
In all three of these advanced attacks, behavioral analysis conducted by our researchers using data from the FireEye Dynamic Threat Intelligence™ cloud allowed us to provide Verizon the context behind these attacks and the patterns that identify their perpetrators. Ultimately, we were able to tie two of the attacks together and attribute one to a similar attack from three years prior. This involved creating a new paradigm in the security community, whereby real-time sharing of information about malicious network behaviors between organizations becomes commonplace.
What we saw from these attacks and countless others is that, given the pace and stealth at which threat actors move today, organizations will need to rely less on traditional signatures and defenses and more on intelligence. Including this new intelligence information in this year’s DBIR is a great step toward recognizing this new paradigm and will certainly accelerate the fight against advanced attackers.
To read more about the changing attack behavior, download a full version of the Verizon DBIR: http://www.verizonenterprise.com/DBIR/2014.
You can stay up to date with the latest threat research from FireEye Labs at www.FireEye.com/blog and you may also want to visit Verizon’s Security Blog at http://www.verizonenterprise.com/security/blog/.
Editor’s note: Darien Kindlund is director of research science at FireEye.