The reality of state-affiliated espionage dominates this year's Data Breach Investigations Report from Verizon.
Drawing on data from 47,000 instances and from 621 confirmed data breaches, the report now considers state-sponsored hacking to be a serious matter, with state-affiliated espionage campaigns accounting for 20 per cent of all breaches in comparison with cyber crime, which accounts for 75 per cent of breaches.
The 60-page report also found that the amount of data stolen has decreased, while 92 per cent of data breaches were attributable to outsiders, and 14 per cent committed by insiders.
Chris Porter, managing principal at Verizon, told SC Magazine that this was not really a surprise, as year-on-year it was much the same. He said: “One of the things I believe is that insider statistics are higher than what we have here; if you look at a data breach a lot of the time an organisation doesn't know what happened if it wasn't for third parties letting them know.
“With an insider there is no easy way to find them and no fraud algorithm to identify this and if you catch the person, you don't call the police and don't have forensics to know what happened, and that is why this has showed up in the data set.
“If insiders are involved, it is usually for a lost laptop or mis-delivery of an email. This is more down to error.”
Porter said that there was not one standout statistic in this year's report, as it had looked at large and small businesses; what was new was the espionage factor, and that was where the attacks showed up.
He said: “Espionage actors come from different locations and go after different assets, and we are seeing a clear difference between spyware and state-affiliated espionage. We wanted to shine a light on this and show the data on this.”
The report found that hacking was the number one attack method, a factor in 52 per cent of data breaches, with 76 per cent of network intrusions exploiting weak or stolen credentials. Porter said: “With organised crime we call it a ‘smash and grab’ where the attacker looks for open remote servers and brute force attacks on credentials.”
Also, the compromise-to-discovery timeline continues to be measured in months and even years, as opposed to hours and days. This year's report found that the number of breaches that remain undiscovered for months or more rose from 55 per cent in 2011 to 66 per cent in 2012, while discovery time was months for 62 per cent of respondents.
Porter said that people need to be able to identify that something has happened, and be able to react to it, and this requires having an incident response in place.
Asked why there was such a strong focus on state-affiliated espionage campaigns, Porter said that there was no real decision to focus on this; it was just that the data was so strong, as the data set changes year-on-year.
Despite high-profile reports by companies such as Mandiant on APT1 and Kaspersky Lab on Flame and Red October, Porter said that state-affiliated espionage is "not a new problem", just that there was greater visibility on the issues.
“We got data at the time of the Mandiant report and did not take an alarmist tone, as we did not want to spread fear, uncertainty and doubt as this is not a new problem, it is just that we had data on it,” he said.
Wade Baker, principal author of the Data Breach Investigations Report series, said: “The bottom line is that unfortunately, no organisation is immune to a data breach in this day and age. We have the tools today to combat cyber crime, but it's really all about selecting the right ones and using them in the right way.
“In other words, understand your adversary – know their motives and methods, and prepare your defences accordingly and always keep your guard up.”