Breaches typically involve multiple actions by the intruders in order to get to the data they're looking for. How can organizations detect and respond to such intrusions?
Verizon's recently released 2011 Investigative Response [IR] Caseload Review offers a snapshot of findings about the incidents Verizon studied in 2011. In the review, Verizon provides some indicators of a breach and steps organizations can take to mitigate the damage.
"We do try to get a little more prescriptive in hopes that it will help [organizations]," says Verizon's Wade Baker in an interview with Information Security Media Group's Tom Field [transcript below].
The tips and suggestions Verizon provides in its review help "to break this chain of events that mostly comprises a data breach, and whatever is your more efficient and effective route to get there, take it," he says.
Take, for example, a phishing attack. In such an attack, a user needs to click a fraudulent link which then installs malware on a desktop. The malware then opens a back-door and the intruder comes in to scan the internal network and find a file. "There are all these little places in there and if you break that down into those discrete events, you see [that] maybe some training and awareness could help keep the insider from clicking," Baker says.
Of course, that doesn't always work, he acknowledges.
Sometimes, even with training or a spam filter in place, users will still click e-mails that have already been marked as spam, and a breach begins. Once it does, organizations could have file integrity monitoring in place to keep the malware from installing itself on the desktop. If the malware is installed anyway, a back-door monitoring solution can review outbound and inbound traffic for signs of it. "That's another thing that you could detect and possibly put something in place to stop," Baker says.
It's difficult to point out one reason why a breach occurred. "It's usually these series of things," Baker explains. "And sometimes it's a combination of poor security decisions. ... But you certainly get the sense that there are multiple ways that this thing could be stopped at some point."
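The chain Baker describes has several links a defender can watch for on the network itself: a back-door that beacons out to its controller at a regular interval, and an intruder sweeping the internal network for a file server. The script below is an added example, not code from Verizon's report or from this article. It runs both checks over flow-log lines in a made-up key=value format; every log line is constructed, and the thresholds (four or more connections with under 15 percent timing jitter for a beacon, five or more distinct internal destinations within two minutes for a sweep) are assumptions chosen for the sample rather than figures from the report.

```python
"""Flow-log checks for two links in the breach chain described above.

Added example, not code from Verizon's report or this article. The
key=value flow format, the thresholds and every log line are constructed
for illustration; point parse_flows() at your own flow or proxy export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flows (RFC 5737 documentation ranges on the Internet
# side). 10.1.2.15 beacons to one external host roughly every 5 minutes and
# then sweeps 10.1.5.0/24 on port 445 looking for a file server; 10.1.2.20
# is an ordinary user browsing and opening a single share.
SAMPLE_FLOWS = """
2011-05-03T10:00:00 src=10.1.2.15 dst=203.0.113.7 dport=443 bytes=512
2011-05-03T10:00:00 src=10.1.2.20 dst=198.51.100.9 dport=443 bytes=9132
2011-05-03T10:00:45 src=10.1.2.20 dst=198.51.100.9 dport=443 bytes=2048
2011-05-03T10:05:02 src=10.1.2.15 dst=203.0.113.7 dport=443 bytes=512
2011-05-03T10:07:10 src=10.1.2.20 dst=198.51.100.9 dport=443 bytes=40960
2011-05-03T10:07:12 src=10.1.2.20 dst=198.51.100.9 dport=443 bytes=1200
2011-05-03T10:09:58 src=10.1.2.15 dst=203.0.113.7 dport=443 bytes=512
2011-05-03T10:15:01 src=10.1.2.15 dst=203.0.113.7 dport=443 bytes=512
2011-05-03T10:20:00 src=10.1.2.15 dst=203.0.113.7 dport=443 bytes=512
2011-05-03T10:24:59 src=10.1.2.15 dst=203.0.113.7 dport=443 bytes=512
2011-05-03T10:26:00 src=10.1.2.15 dst=10.1.5.1 dport=445 bytes=60
2011-05-03T10:26:01 src=10.1.2.15 dst=10.1.5.2 dport=445 bytes=60
2011-05-03T10:26:02 src=10.1.2.15 dst=10.1.5.3 dport=445 bytes=60
2011-05-03T10:26:03 src=10.1.2.15 dst=10.1.5.4 dport=445 bytes=60
2011-05-03T10:26:04 src=10.1.2.15 dst=10.1.5.5 dport=445 bytes=60
2011-05-03T10:26:05 src=10.1.2.15 dst=10.1.5.6 dport=445 bytes=60
2011-05-03T10:27:30 src=10.1.2.20 dst=10.1.5.50 dport=445 bytes=18000
2011-05-03T10:31:00 src=10.1.2.20 dst=198.51.100.9 dport=443 bytes=700
""".strip().splitlines()


def parse_flows(lines):
    """Turn 'ISO-timestamp key=value ...' lines into dicts with typed fields."""
    flows = []
    for line in lines:
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        flows.append(rec)
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.15):
    """Return {(src, dst): mean_gap_seconds} for source/destination pairs whose
    connections are spaced almost evenly. A human browsing produces bursty,
    irregular gaps; an implant checking in on a timer does not. Jitter is
    measured as the coefficient of variation (stddev / mean) of the gaps."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def find_internal_scans(flows, internal_prefix="10.", min_targets=5, window_s=120):
    """Return {src: max_distinct_targets} for internal hosts that touched at
    least min_targets distinct (dst, dport) pairs inside any window_s-second
    window. On a flat network this is what a search for file servers looks
    like from the flow records alone."""
    by_src = defaultdict(list)
    for f in flows:
        if f["src"].startswith(internal_prefix) and f["dst"].startswith(internal_prefix):
            by_src[f["src"]].append((f["ts"], (f["dst"], f["dport"])))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):  # slide the window start over each event
            targets = {tgt for t, tgt in events[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst), gap in find_beacons(flows).items():
        print(f"beacon candidate: {src} -> {dst} every ~{gap:.0f}s")
    for src, n in find_internal_scans(flows).items():
        print(f"internal sweep: {src} reached {n} distinct hosts/ports in one window")
```

On the sample data the beacon check flags only the implanted host (about 300 seconds between check-ins) and the sweep check flags the same host for six destinations in five seconds, while the ordinary user trips neither. The second check also illustrates Baker's point about segmentation: on a flat network the sweep leaves nothing but flow records like these, whereas a segmented network turns it into denied connections at a choke point, which are far easier to alert on.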
In an exclusive interview about the Verizon caseload review, Baker discusses:
- The most common types of breaches;
- Breach trends to watch;
- Some effective security measures.
Baker is the director of risk intelligence for Verizon Business. In this role, he oversees the collection and analysis of data relevant to understanding and managing information risk. Intelligence from these activities is used to create and improve products, inform personnel and clients, and publish credible research to the security community.
A researcher at heart, Baker's work on various topics has been published in a number of highly rated academic journals, professional magazines and books. His research for the President's Information Technology Advisory Council was featured in the 2005 report, "Cyber Security: A Crisis of Prioritization." Baker is the creator, author and primary analyst for the Verizon Data Breach Investigations Report series.
2011 Investigative Response Caseload Review
TOM FIELD: We have a view of data breaches this week from Verizon. Explain what the view is as opposed to the annual Verizon data breach report?
WADE BAKER: If you've been following the data breach report over the last several years, you'll know that it's growing in size as we try to collaborate with more organizations. They bring in their caseloads and we merge all of these things together in a report that started out with just Verizon at about 100 cases per year. It's now 750-plus last year and it will be 850-plus this year. It's growing and it's getting bigger, and what we wanted to do was give people a little glimpse, a view, into the data of what they might be expecting from Verizon's perspective. If we did 90 confirmed data breaches in 2011, like I mentioned a minute ago - the whole report will cover 855 I believe is the answer - Verizon contributed about one tenth of the full picture, so we're publishing a view into that picture of just our caseload. And again, it's just because people have asked us this. The longer we get into 2012, the farther back 2011 is and so we think we can learn some things from just Verizon's 90 cases and that's what we put out there.
FIELD: So it's an appetizer, but the data might not be very appetizing.
BAKER: I like that a lot.
Top Breach Trends
FIELD: What are the trends that you're seeing in this view?
BAKER: We show some trend graphs in there from several years ago forward, and you can see these trends as they're developing, a continued growing proportion of external attacks. When we first published our data five years ago, that was probably one of the ones that got everybody riled up. We published about an 80/20 split between external attacks and internal and then it was 80 percent external, which there's sort of this mantra in security about 80 percent of all security incidents are insiders. We really never have found anything close to that, so that trend has continued but this year it's 92 percent external. It's even a growing margin over the past several years and it kind of just keeps doing that. That's one of the trends.
I think that syncs if you think about the threats that were top-of-mind for everyone in 2011 and even 2010 where things like your nation state advanced persistent threats - some people called them - the hacktivism and all those things, organized criminal groups depending on what kind of business you are; but all of those are external threats, right? That's not to say insiders don't do anything, but there's just more external people than insiders in your organization. That's a trend.
On the threat action side we talked about threat agents and we usually do a lot about actions as well and what methods they use. Again, we see a growing sort of dominance of hacking and malware used in combination. It really depends on what kind of business you are. In the main report we're going to do some splitting up of smaller organizations versus larger, and trends are very different depending on what you're looking at.
By and large, if you look at the entire data set, hacking in through some way and installing malware to grab credentials or back-doors are all of those kinds of things. Data breaches, very commonly those are both in the 80-90 percent range. Some of the other things, social engineering and misuse, adds to it, but they're almost support roles if you want to look at it that way.
FIELD: So it really is everything behind the headlines we read in 2011?
BAKER: You will see a lot of those things, and I think that's something interesting. It's not so much in this view, because we really wanted to wait until we could show the whole picture, but everybody knows about themes like hacktivism and that was a very prominent theme in 2011 and it was probably one of the larger changes just in terms of hacktivism. [Hacktivism] used to be about making people's websites and putting funny messages on them to show that, "Ha-ha, I've got you." But they got a little bit nastier in 2011 with a data breach being a way to embarrass a company and protest against them.
One of the interesting things you'll find, again, not in this particular view, we don't hit it as much but later on is that we put some numbers behind that. There were all kinds of discussions and stories and things, but really what proportion of the whole picture does that represent and what kind of damages are we talking about due to that kind of activity? That's something we study in detail in the main report.
FIELD: Have you started looking at an industry breakdown yet?
BAKER: Not in this report, and this is one of those things that just quite frankly is difficult to decide what to do. The breach report is already 70-80 pages as it stands now just to get through all the main stuff, and if we started breaking it up into all the industries nobody would want to read it anymore. What we have done is contrast small and large organizations. Occasionally, we do say, "Hey, this seems to affect retail and hospitality-type organizations. This is a little bit more financial and manufacturing." And we show data loss, for instance, according to industries, which industries seem to be losing the most data. We do contrast those things, not across every single data point, but where there are significant differences we draw those out.
FIELD: Are you looking at the toll of some of these breaches in terms of finances and reputational loss, or any of the other metrics that we look at?
BAKER: As best as we can. The best measurement that we have of the toll is just the amount of data stolen. I know that's not a perfect measure of consequences by a long shot, but we can tell how much data was stolen and I think that's at least an indicator of the overall losses.
But then, also, we did add an impact section and again in the full report - not in this glimpse - it's more anecdotal. We try to observe what kinds of consequences we see. Again, we do mostly investigative response so we're showing up and we contain the breach and then we're usually gone at some time after that, and some of those consequences haven't fallen out by the time we leave. But we have tried to view that because probably one of the more commonly asked questions that we get is, "What's the impact of these things?"
FIELD: What can you say from the view the impact is?
BAKER: We had several. By and large, I think people tend to overestimate the impact of a data breach. There's all of this fear about, "Well, if that happens to us then the business is gone and we might as well close the doors." I think that's a pretty rare scenario when you look back at the history of data breaches. I mean there are some companies that have had...
FIELD: Except for DigiNotar.
BAKER: Well okay, sure, yes. We actually had three or four businesses that are no longer operating that we looked at in 2011 that had a data breach. So it does happen where doors do close. ... For instance, there was a smaller e-commerce retail shop that just decided it's not worth trying to secure the website. "We'll just stay the physical. Clicks are too hard; we'll stick with bricks." Again, those are anecdotal observations but if we have 850 victims to analyze, we might as well try to figure out what's happening to them down the road from these breaches.
FIELD: Have we seen any types of breaches go away?
BAKER: That's a good question. Nothing is just absolutely disappearing. What we do see is some things falling down in proportion. I mentioned insiders at the beginning of this. If you look at the data, it will look like insider misuse is just disappearing, and it's not. It's just getting drowned out is probably a better term, because the rise in external incidents is increasing exponentially. Some of that has to do with the automation; we call them industrialized attacks. There are these groups that are scripting attacks that just scan the Internet looking for very low-hanging fruit and we publish in the main report this very interesting sidebar. Of course I'm biased; I think it's interesting. It's a sidebar that takes one two-man hacker team, and we got the dates of all their victims and all of their activities over a six-month period of time and we just take one week and they worked three days during this week. They hit nine or ten different countries and 22 different victims and it just shows the scope and speed at which some of these things can occur.
FIELD: They had a good three days.
BAKER: Yeah, absolutely, a nice three-day work week. But it shows how that kind of activity can sort of drown out some of your other types of attacks, and I don't want to give the impression that insiders are just not stealing data anymore. They do. They're harder to catch. That's probably one reason why they're not seen. But to make a long answer out of your question, there are some things that are de-emphasized in the statistics but we always try to draw those out a little bit and show what's really going on and why it might be getting buried.
Effective Security Techniques
FIELD: Are you taking a look in the view at least at some effective security techniques and technologies?
BAKER: Absolutely. I don't know if you might remember, I think it was in 2009 we did this supplemental report.
BAKER: In that supplemental report, we took the top 15 threat actions and for each one we gave a description and we gave some commonalities and all of these things. We gave some indicators and we gave some mitigators, ways to prevent those things from happening and we kind of revisit that again this time. We take the top attacks that we saw in 2011 and we try to give very specific ways that a company might detect that attack was taking place or had occurred on their networks or in their systems, and then ways that they can prevent it from happening. We do try to get a little more prescriptive in hopes that it will help because a lot of times we give a broader, more general recommendation and we're really trying to say, "There are ten different ways that you might be able to prevent this from happening. We're not saying you have to do all ten, take your pick." You're really trying to break this chain of events that mostly comprises a data breach, and whatever is your more efficient and effective route to get there, take it.
FIELD: Give me an example on a particular breach that you might offer some prescriptive advice on?
BAKER: We have a scenario in the methodology section just showing how our VERIS [Verizon Enterprise Risk and Incident Sharing] framework works. It's the way we classify breaches. On average, I think we see about three, what we call, threat actions involved in a breach which doesn't mean there are just three very same level steps, but three main phases. Let's just take a scenario where there's a phishing e-mail. This one is pretty common in the media. Phishing e-mails you need to get somebody to click on it and then that thing is going to install some malware on a desktop, and then the malware on the desktop is going to open up a back-door, and then the bad guy is going to come in the back-door and do something else and they're going to scan the internal network and they're going to find a file server that has some intellectual property and then they're going to take it. There are all these little places in there and if you break that down into those discrete events, you see [that] maybe some training and awareness could help keep that insider from clicking, or we could do something to filter it from ever getting there. That doesn't always work.
We had one case where a user went into a spam filter and clicked on something that had been marked "spam" and started a breach; so you can't always fix that kind of thing. Then, let's just pretend they click on it, you could also have something that could keep that malware from being installed on the desktop, some type of file integrity monitoring or something that says, "Nope, that's not allowed to run on this system; sorry." If it does get installed, then most back-doors beacon out to say, "Hey, I'm live and listening." If you could see that outbound traffic, that's another thing that you could detect and possibly put something in place to stop. You could stop the inbound traffic of the attacker coming back in through the back-door. The scan of the internal network - if we had better segmentation on our networks and didn't just have these big open flat networks internally, they would have a harder time finding those file servers that have the intellectual properties.
When you study these things, it's hard to point [out] the one reason why this breach occurred. It's usually these series of things and sometimes it's a combination of poor security decisions. Sometimes it's our intelligent adversaries. It's often a mixture of both, but you certainly get the sense that there are multiple ways that this thing could be stopped at some point during that.
FIELD: How can people get a hold of this view or learn more about it?
BAKER: I would check securityblog.verizonbusiness.com and there's a post right up there at the beginning and there's a link there [where] you can download the report.
FIELD: And when do you expect the full data breach report will come out?
BAKER: I don't think we have an exact date, but it's sooner rather than later. It will be in the spring time here and you'll be hearing about it before most people expect.
BAKER: We look at this topic every year and we're not seeing a lot of mobile devices that are involved in data breaches. We kind of expect it to start edging up, but we're just not seeing it yet. I think the main threats, the most common threats against mobile devices, are loss and physical theft, and you're not likely to call us to do forensics in a case like that. I think that has something to do with it. I also think that, as we begin to use them for more financial transactions and they have more of our data, and our mobile device becomes less of a thing we just talk on and get some e-mail to where it's really storing data and being a platform for all the other things that we do, I can't help but think that the attacks are going to start going there as well.