Cyber-attacks not so advanced after all, finds Verizon

News by Doug Drinkwater

The information security industry constantly warns of the latest 'advanced' or 'in-the-wild' malware but new analysis from Verizon suggests that infosec pros face the same or similar threats year in, year out.

Releasing its 70-page 2015 Data Breach Investigations Report earlier today, Verizon revealed a number of headline findings, from the rise of phishing and exploitable software vulnerabilities to data breaches costing up to £162 per lost record.

Meanwhile, the firm indicated that cyber-crime activity remains – as it was in 2014 – split into the same old categories. Over the last ten years, 92 percent of all 100,000 security incidents fell into nine basic patterns, with that increasing to 96 percent this year.

These were: miscellaneous errors (29.4 percent), crimeware (25.1 percent), privilege misuse (20.6 percent), lost and stolen assets (15.3 percent), web applications (4.1 percent), denial of service (3.9 percent), cyber-espionage (0.8 percent), point-of-sale (0.7 percent) and payment card skimmers (0.1 percent).

“While the threats against us may ‘seem' innumerable, infinitely varied, and ever-changing, the reality is they aren't,” said the report's researchers. “This certainly doesn't diminish the significant challenges faced by defenders, but it does imply a threat space that is finite, understandable and at least measurable.”

The report further notes that people are ‘90 percent of the problem', and reveals that POS accounts for most data breach disclosures, followed by crimeware, cyber-espionage (featuring in the DBIR for the second year running), privilege misuse, web applications, miscellaneous errors, lost and stolen assets, payment card skimmers and denial of service.

Researchers noted that “there has been a definite evolution in POS attacks” and that malware is now “part of the event chain in virtually every security incident” – with malware launching DDoS attacks rising significantly, though not ahead of C2 (command and control) as the preferred method of crimeware attack.

Elsewhere, it seems old habits die hard: bank records and data are the most sought after by cyber-criminals, with stolen credentials most often used in web application attacks.

The research acknowledges, as other reports have done recently, that the number of DDoS attacks has increased significantly, but finds that most other failings are easier to pin down: over half of lost and stolen devices are taken from the work area, while the same proportion of insider misuse incidents are down to excessive privileges. Meanwhile, 60 percent of incidents under miscellaneous errors were attributed to mistakes made by sysadmins, most of them down to sending data to incorrect recipients, putting non-public material on public web servers, and not securely disposing of personal and medical data.

Interestingly, two of the most talked-about attacks in recent months, cyber-espionage and those against mobile devices, were not considered serious. The report indicated that mobile attacks are common but don't cause breaches, and also stated that two-thirds of those who cited a cyber-espionage attack had no proof of attacker attribution whatsoever.

Lorenz Kuhlee, principal consultant at the Verizon EMEA RISK team, told SC that despite the ‘newness' of mobile and espionage, most security failings are down to the same old story of patching, stolen credentials (24 percent of attacks) and no logging.

“It's about taking security seriously. That's the first step.” Using the analogy of burglars trying to break into a physical front door and leaving scratches, he added that the response is vital.

“Many companies see the scratches on the log file, but they're not doing enough about it. Next time [the attackers] might get in.”

He added that too few firms have adequate defences, digital forensics capabilities or vulnerability scanning in place. “It's about reacting fast, being forensically ready, knowing where your critical data is, and knowing if it's compromised.”

Chris Boyd, malware intelligence analyst at Malwarebytes, said in an email to SC: “Most of the attacks seen on a day-to-day basis are not hugely different to what's gone before - the primary areas of sophistication tend to be the ways in which attackers convince people to double click on an executable file, or agree to confusing terms and conditions.”

“Much of the damage done by ransomware / crimeware could be minimised by proper backup procedures, and many businesses would likely reap the rewards of a solid and easy-to-understand security basics training course. Having said that, exploit kits in tandem with malvertising are a lethal combination at the moment, with many high profile sites falling victim to malicious ads passed onto their visitors.

“There's never been a better time to invest in a layered approach to security. While a lot of these attacks may seem ‘old hat', far too many businesses and individuals continue to fall for them.”

Dr Gareth Owen, senior lecturer at the School of Computing, University of Portsmouth, added: “The report shows that the threats networks face are largely staying the same and that the majority of these attacks can be prevented by following good security practice.

“Preventing intrusion is not magic - educating users can prevent phishing attacks and employing external penetration testers can detect easy routes for access. Defending against determined Government actors will always be difficult and not always possible - thankfully, most organisations largely face attackers casting a wide net looking for low-hanging fruit.”

Amar Singh, an independent cyber-security expert and former CISO, told SC: “The problem is that most organisations, or the humans involved, are always looking for the next big thing to save them from the next big attack - the basics are almost always overlooked as they are not ‘sexy', and in many cases it's not easy justifying money for, say, ‘I need money to find out all the critical assets in our business'.

“The basics like:

  • Know about your assets - where are your crown jewels, who manages them?
  • Vulnerability management
  • Patch management
  • Identity management - who can access what, when?
  • Having trained, skilled people doing the job
  • Managing your outsourcers
  • Training, education and awareness for all end users - some of the most advanced attacks begin with the most basic methods, like phishing emails and social engineering.”
