Security Experts:

Analyzing the Verizon Breach Report

Network attacks and breaches have dominated the technical and mainstream news for the past 18 months, as attacks have grown both in volume and significance. Hacktivists used data breaches to embarrass their enemies, nation-states used intrusions to steal secrets and even directly attack infrastructure, and organized crime used breaches for good old-fashioned theft.

Verizon Data Breach Investigations Report AnalysisHowever it is important to understand that between these groups there are stark differences in who they target, how they attack, and what we, as security professionals, will need to do in order to defend against them. The recently published Verizon Data Breach Investigations Report (available here) provides some of the best data available on attack trends and shows that today’s attack landscape is dominated by external attackers. Specifically, 98% of reported breaches were attributed to external attackers compared to only 70% of attacks in 2007. However, the report also showed that all attacks are not the same with attackers and their strategies are becoming increasingly stratified based on the types of organizations that they target.

Organized Crime Picks On the Little Guy

The Verizon report found that small and medium enterprises were overwhelmingly targeted by organized crime, which has big implications in terms of how these attacks are performed and how businesses need to protect themselves.

Criminal organizations will typically target information that can quickly and easily be converted to hard currency, such as credit card information, banking details or other personal information that could be used to steal an identity. Furthermore, since a dollar is a dollar regardless of who it comes from, criminal organizations typically don’t care whom they are stealing from. As a result, criminal orgs tend to go very broad in search of the easiest targets. Small and medium enterprises often make very enticing targets simply because they often lack the security infrastructure and skills found in a larger enterprises.

This strategy of hitting lots of smaller businesses lends itself to a very automated approach to hacking. In this schematic you see a vey automated, script-driven approach to hacking that can scour the globe looking for poorly secured assets.

In terms of mitigation, this means that smaller businesses need to focus on the basics of security – firewalling, patching systems, and implementing basic network and intrusion monitoring. Smaller businesses have often assumed that they might be under the radar of hackers, and the Verizon report shows that this simply isn’t the case. In a networked world, criminals can easily scan the web looking for vulnerable targets, so even smaller networks are on the front lines.

Targeted Attacks are Very Real for Large Enterprises

While the Verizon report showed that criminals prefer smaller enterprises, it was the larger enterprises that were the nearly exclusive focus of targeted attacks. This makes intuitive sense, given that if you are going to go to the trouble of planning out an organized attack, you are probably going to focus on a fairly high value target. However, the surprising stat was just how common targeted attacks were in large enterprises. 50% of the attacks against large enterprises were targeted as opposed to opportunistic, with 22% of breaches targeting sensitive corporate data and 12% targeting trade secrets.

This really highlights just how common the worst-case scenario has become in terms of IT security. The security industry has notoriously been somewhat seen as the boy who cried wolf, always warning companies about the dangers of hackers while often overselling the risk. The Verizon analysis shows that we have likely come full circle with sophisticated, targeted attacks becoming far more common than many seasoned veterans might expect. This puts significant pressure on larger enterprises to adopt next-generation security measures that have the ability to detect evasive attacks and customized malware and anomalies in the network that can expose attempted attacks. While such technologies may be on many CISO’s roadmaps, organizations will likely need to adopt sooner rather than later given how quickly the threat landscape has evolved.

The Verizon report is full of important information for anyone working in information security. But one of the very important concepts to keep in mind is that both automated and targeted approaches to hacking have become very common and successful. Modern security will require us to be able to detect and defend against both of these types of strategies, and to continually expand our definition of hackers and hacking.

Wade Williamson is a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.