Verizon DBIR Shows Attack Patterns Vary Widely By Industry
It’s not always the newest or the most sophisticated threat you need to worry about, Verizon’s breach and security incident data for 2016 shows.
April 27, 2017
Among the many key takeaways in the 2017 edition Verizon’s annual Data Breach Investigations Report (DBIR), released Thursday, is that there are significant differences in why and how organizations across different industries are attacked.
Data that Verizon collected from security incidents and data breaches that it investigated in 2016 showed, for instance, that financial and insurance companies suffered about six times as many breaches (364) from web application attacks as organizations in the information services sector (61).
Similarly, Verizon’s dataset showed healthcare organizations suffered about 13 times as many breaches involving privilege misuse in 2016 compared to manufacturing companies—104 breaches to 8.
Point-of-sale breaches affected organizations in the accommodations and food service space disproportionately moreso than retail organizations. Manufacturing companies—and somewhat interestingly—educational institutions were the biggest targets of cyber espionage campaigns.
The data provides further evidence that organizations can benefit from having a better understanding of the threats that are specific to their industries and sectors, says Gabriel Bassett, a senior information data scientist with Verizon.
“It’s the kind of thing you would assume. But it is not thought about enough in industry,” he says. “If you are a financial firm are you putting botnets on top? Or are you putting PoS? If you are in education, do you realize just how starkly espionage has gone up,” in this sector, Bassett says.
What the breach data shows is that every organization should mitigate its own risks, he said. “It’s very easy to look at the newest attacks. But if it is not one of your risks, you need to prioritize the things that are,” and apply the appropriate controls and mitigations, Bassett says.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where a speaker from Verizon Business will discuss the real impacts of a data breach.]
The Verizon report highlights some other trends as well. Last year's data for instance showed that cyber espionage has emerged as a major threat for manufacturing companies, public sector entities, and to a lesser but still significant degree, for educational institutes as well.
In total, Verizon investigated 115 incidents involving cyber espionage at manufacturing companies, 108 of which resulted in a data breach. The total number of breaches at public sector organizations and educational institutions where cyber espionage was a motive was 98 and 19 respectively. Much of the interest in these sectors stems from the propriety research data, prototypes, and other intellectual property that such organizations typically possess, Verizon’s report noted.
Cyber espionage campaigns tend to be targeted, stealthy, and persistent since the effort is on stealing as much data as possible, says Brian Vecci, technical evangelist at Varonis Systems. “Attackers will follow the cyber kill chain once they compromise an account, which includes accessing the data they can get to, elevating their privileges to access more data, and then obfuscating their tracks,” he says.
Businesses often make it easier for such attackers, Vecci says. He pointed to a recent data risk report that Varonis released, which showed 47% of organizations had 1,000 or more files containing sensitive information open to every employee at any given time. “That’s making it pretty easy for the attacker to steal information.”
While organizations in the targeted sectors need to pay attention to the cyber espionage trend itself, the mitigations against the threat are not very different, Bassett notes.
“Espionage is one of those things where it feels like we need to do something different because it sounds like it is some super-duper elite cyber hacker somewhere that’s attacking,” he says.
In reality, the actual methods that attackers used to get at the data they were after were similar to the tactics used in attacks driven by financial and other motivations.
For example, the three most common actions used by attackers to target organizations in the manufacturing, public, and education sectors were hacking, social engineering, and malware. These were the same tactics that were most commonly used in attacks against organizations in almost every other sector in the Verizon study.
“The thing is espionage is the motive. It is the ‘why’ and it drives the ‘what’ gets stolen,” Bassett says. “But it not the ‘how.’ The ‘how’ stays very consistent,” across industries.
The Verizon report also showed that for yet another year, phishing, malware via email, and credential misuse, were among the most commonly used methods by attackers to try and gain access to target networks and systems. Distributed denial-of-service attacks were another major issue especially for organizations dependent on the Web, such as those in the entertainment, professional services, financial, and information sectors.
Verizon responded to a total of 11,246 denial-of-service incidents in all last year. However, only five of them across all sectors resulted in actual data disclosure.
Web application incidents increased last year as well compared to 2015, but the actual number of breaches resulting from these incidents was lower. A vast majority of web application attacks involved the use of botnets, most notably Dridex. Stolen credentials, SQL injection attacks and brute-force attacks were some of the other most commonly used tactics in web application attacks.
“Compared to network services, web applications tend to be much more vulnerable,” says Ilia Kolochenko, CEO of High-Tech Bridge. “Web applications are often developed in-house and accumulate dozens of vulnerabilities and weaknesses because of flawed, or simply missing, SDLC [secure development lifecycle] and insufficient security testing,” he says.
Many organizations continue to significantly underestimate the importance of web application security and perceive web apps as simply a web front-end to their organization. “However, as DBIR clearly states, the main attack vector is insecure applications.”
Related stories:
About the Author
You May Also Like