The 2017 Verizon Breach Investigations Report (DBIR) published today will come as no surprise to seasoned industry watchers: three-quarters of breaches are down to outsiders and a quarter to insiders, and 73 percent are conducted for financial reasons with half involving organised crime.
But the nuances within the data are certainly worth looking at: with 62 percent of breaches featuring hacking, it still disappoints to see that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords. Half of breaches included malware, but physical loss of devices is now down to just eight percent, and errors were a factor in 14 percent of breaches.
For all that, criminals are still our main enemy, with inadvertent and deliberate insiders a significant runner-up. State actors also remain an important threat, representing almost one in five successful attacks (18 percent).
As would be expected, financial services are the most targeted sector at 24 percent, while healthcare accounts for 15 percent, the public sector close behind on 12 percent and the combined total of retail and accommodation accounting for 15 percent of breaches.
SC Media UK spoke to Verizon's senior information security data scientist, Gabe Bassett, to get some insight behind the data.
Noting that ransomware rose 50 percent compared to last year and accounted for 72 percent of all malware incidents in the healthcare sector, SC asked why the healthcare sector was attacked so often by ransomware compared to the financial sector.
Bassett told SC, “Ransomware within healthcare is high up, and it's usually a financial motive. Any data that attackers know about, they'll attack. Data that an organisation needs to keep running, and it's been in the news that healthcare has data it needs to be able to run.
“Breaches are almost always financially motivated – even a lot of espionage is economic espionage. Attackers are looking for the greatest return on their investment, not just highest income but least expensive to achieve... which makes good economic sense.”
And how might GDPR affect the situation? For example, might attackers threaten to disclose a breach if not given a ransom?
Bassett responded, “If there are a large number of records and if it is more beneficial to sell the data for fraud, the criminals will do so. If it is more financially viable to sell for blackmail, they will do that – but that's not something that would be reported so it's not covered by our report, but we have heard anecdotally that it happens.
“The big impact from GDPR will be regarding breaches due to human error. In the US human error is responsible for 31 percent of all breaches in those industries that have to report – so we will see a lot of those breaches such as the auto-mailer being off by one, so emails to A go to B, B to C etc, or social security numbers published on a website.
“There will be huge numbers of industries to report and industries that currently don't have to track don't know it – until mandatory reporting, those breaches only then become part of the discussion. How they will cope with the volume of breaches will depend on what they do when they report. And the rate of reporting will drive what they (the authorities) can do. The two main drivers of breach costs are legal consultation cost and forensics – not some of the things down the line. It's the upfront costs.”
There were 289 confirmed breaches related to espionage in the report, with 90 percent attributed to state-affiliated groups, so SC also asked if the report was able to provide any attribution in relation to nation-state breaches.
Attribution for nation-state attacks is only available where it is reported, says Bassett, telling SC: “We capture it (attribution) if reported, but it's not commonly reported. Good nation states [as in, effective hackers] don't attack from their homeland and we know what nation states are likely to be accepted as a source and capable attackers would use those. [However] our data tells us that breaches from state-affiliated actors, where reported, are statistically significant – though it is recognised that where it's coming from could be faked.”
It was pointed out that in addition to Verizon forensics, Verizon relies on its partners, including the US Secret Service and other organisations well versed in this area, thus they tend to know if an attack is by organised crime or nation state or if it is simply not known.
Attack motivation beyond financial was characterised by Bassett as being either “Fun, ideology or grudge”. The report saw a commonality between espionage attacks and financial attacks – though nation states have a little more persistence. But he added that there is a massive difference between attacks with a financial/state motivation and those attributed to ideology/grudge. Bassett described phishing as being the tool of espionage and of the financial attack, asking, “Why take the hard road? Take the easy route. It's the path of least resistance.”
So how do we stem this growing flow of data breaches? Bassett acknowledged that it's easy for those in an IT department to say, “Why do they click?” but IT doesn't get emails with unknown attachments whereas others may have that as a key part of their job and are required to open them.
He explained, “We have examined data from phishing testing that records who clicks. If someone clicks four times, they're more likely to click five times, and if they click five times they are more likely to click six times and so on. The more they click, the more likely they are to click and IT needs to help them do their job better – whether that's sandboxed equipment or office based email – but start from the assumption they will click. So don't let them.”
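Bassett's observation that past clicks predict future clicks is the kind of thing an organisation can check against its own phishing-simulation results. The script below is an added example, not code from the article or from Verizon, and it runs over a small constructed set of simulation records (the user names, campaign ids and click flags are invented). It computes, for each click count n, the share of users who clicked n times and went on to click an (n+1)th time, and it lists the repeat clickers who would be the first candidates for the sandboxed equipment or browser-based email handling Bassett describes.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of phishing-simulation results: one row per (user, campaign),
# clicked = 1 if the user clicked the simulated lure. Not real data.
SAMPLE_RESULTS = """user,campaign,clicked
alice,c1,1
alice,c2,1
alice,c3,1
alice,c4,1
alice,c5,1
bob,c1,1
bob,c2,1
bob,c3,0
bob,c4,0
bob,c5,1
carol,c1,0
carol,c2,0
carol,c3,0
carol,c4,0
carol,c5,0
dave,c1,1
dave,c2,1
dave,c3,1
dave,c4,0
dave,c5,0
erin,c1,0
erin,c2,1
erin,c3,0
erin,c4,0
erin,c5,0
"""


def parse_results(text):
    """Parse CSV rows of user,campaign,clicked into {user: [0/1 per campaign]}."""
    histories = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        histories[row["user"]].append(int(row["clicked"]))
    return dict(histories)


def click_counts(histories):
    """Total number of simulated lures each user clicked."""
    return {user: sum(hist) for user, hist in histories.items()}


def conditional_click_rate(counts, n):
    """Share of users with at least n clicks who went on to click at least n+1 times.

    Returns None when no user reached n clicks, so the caller can tell
    'no data' apart from 'nobody escalated'.
    """
    at_least_n = [u for u, c in counts.items() if c >= n]
    if not at_least_n:
        return None
    at_least_next = [u for u in at_least_n if counts[u] >= n + 1]
    return len(at_least_next) / len(at_least_n)


def click_escalation(counts):
    """Conditional rates for n = 0 .. max clicks - 1, to see whether clicking begets clicking."""
    top = max(counts.values(), default=0)
    return [conditional_click_rate(counts, n) for n in range(top)]


def repeat_clickers(counts, threshold):
    """Users at or above the click threshold: candidates for sandboxed attachment handling."""
    return sorted(u for u, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    counts = click_counts(parse_results(SAMPLE_RESULTS))
    for n, rate in enumerate(click_escalation(counts)):
        print(f"clicked >= {n}: {rate:.0%} went on to click again")
    print("repeat clickers (3+ clicks):", repeat_clickers(counts, 3))
```

The threshold passed to repeat_clickers is a policy choice; the point of the conditional-rate table is that it shows, from the organisation's own data, whether the rate climbs with n the way Bassett describes, which is the justification for treating habitual clickers as users to protect rather than users to retrain once more.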
What can industry do? Is the UK NCSC right in saying that industry could do more? Bassett says, “There's not much ransomware on iPads because it's sandboxed – mobile devices generally are sandboxed. Some laptops are – and people using those devices won't get phished as much. Phishing is mostly attachments or macro-enabled objects. Details obtained from malicious websites are rare.”
He says that the solution is thus not just to train staff not to click but also to teach them that they must report phishing emails to IT, so IT can isolate systems, remove malware, conduct reporting and identify vulnerabilities as priorities. Staff won't know if they are simply given a particular device because it is more secure. Other options include a browser-based office service, so emails are opened in a browser set up in a cloud, so people are set up to succeed.
Given the need for people to be more security aware, SC asked Bassett's view on who he thought should take responsibility – individuals themselves, schools, government or employers. He responded, “Education will decrease the threat but not eliminate it, but it will help solve the general users' concerns. There is a need to focus on making the workflow for the general user more secure. When we moved to web and mobile devices, we did so because it's easier, but we also got security gains. Any place where organisations are teaching users how to do something needs to teach how to do it securely, so we should teach the secure way – in schools, in businesses. It's not about teaching security but the secure way to do business.”
In addition Bassett comments, “We perpetuate stereotypes that every attacker is some cyber security special forces attacking 24 hours and it's the opposite, it's a guy in a cube trying to make a buck, spending the minimum amount of time, looking for a quick and easy win. If you are prepared you can prevent it. Mostly by doing the simple easy things – 2FA, etc.
“We need to say that we know the attacker will come after credentials – they are not invincible, they are just another person and you have every ability to beat them. The single most important thing is for security professionals to do something. Whether it's championing 2FA or helping an organisation look at its strategy and take a strategic approach – how do my risks fit together and how can I stop them? Do I have a risk register? Most companies will look at phishing as widespread but often a low risk, while file server breaches have a high impact but a low likelihood – but they look at them individually. If you look at them together – attackers use ransomware to get in, then get to the file server and there is interplay between the two. We need a strategy for addressing this and just a couple of key interventions can help.”
Among other observations were that many DDoS attacks – such as the Mirai botnet – can be mitigated before getting to their intended target. “Hundreds of millions of attacks are mitigated by ISPs or the network infrastructure itself, when it's seen that the limit is lowered if traffic should not be this fast, so it's mitigated by network itself. Only a subset makes it to the target – lasting two days, mostly not a terabyte but a gigabit per second. Better knowledge of the DDoS ecosystem will help you protect yourself – you need different approaches to protect your web site from protecting your organisation.”
Bassett also believes that based on anecdotal evidence, telephony attacks are on the increase but may be underreported as we tend to think of it as a traditional medium which is reported as fraud and not seen as part of an IT network, but there are analogous attacks such as PDoS rather than DDoS, telephone number spoofing like url spoofing, and SMS phishing (like email phishing).
A trend noted among new attacks is a shift to macro-enabled malware from plain executables. “And in addition to growth in ransomware, we will continue to see it evolve as attackers will see where companies have their data. Where data is held one hop from the attacker, on a website, database, or exposed by phishing – they will attack directly by ransomware – which will become an accepted threat if you make your data available,” says Bassett.
He also suggested that while we may see more alteration of data it will be an extreme niche – not from those with a financial motive, as it is not straightforward. So it's likely to be an espionage activity, rather than a criminal activity, until it can be scaled and automated to give good return on investment. Meanwhile, criminals will stick to what they know works.
In a closing message, Bassett commented, “To people who do security – ensure you do something. The attacker is a normal person and you can stop them. Use the data to build a strategy to oppose attackers with a holistic approach.”