Compiling 10 years of information and 100,000 incidents, Verizon [VZ] has found that the vast majority of data breaches follow nine basic patterns.

“The techniques to exploit computer vulnerabilities are actually dropping in complexity,” said Bryan Sartin, director of the Research, Investigations, Solutions, Knowledge (RISK) Team at Verizon Enterprise Solutions.

The company’s 2014 Data Breach Investigations Report (DBIR) charts attacks across industries and found that the most common incidents occurred via these patterns: denial of service (DOS); insider privilege misuse; physical theft or loss of devices; cyberespionage; attacks through Web applications; crimeware (malware that gains control of systems); point-of-sale intrusions; payment card skimmers; and miscellaneous errors, including sending an email to the wrong person.

A high percentage of hackers can compromise systems in several days, whereas a low percentage of organizations can discover the hack in several days. Photo: Verizon, DBIR 2014.

Along with these patterns, Verizon found that the time between the initial intrusion and the first data theft is “shrinking fast.” In other words, the bad guys are getting faster, which Sartin called the “single greatest weakness in security.”

For the public sector, insider threats, physical loss, crimeware, DOS attacks, miscellaneous errors and cyberespionage were the top patterns. The study charted a rise in insider misuse of credentials, which corresponded with an upward trend in cyberespionage.

“A lot of that privilege misuse is the result of insiders,” Sartin said.

Passwords or other forms of authentication falling into the wrong hands provide an “easy way in” for attackers, he said. Two out of three network breaches exploited weak or stolen credentials.

For crimeware and DOS attacks, the report also charts a major shift this year from individual criminals to organized groups of criminals acting in concert. Sartin said this should be a concern of government agencies that are prime targets for coordinated attacks between nation-states and criminals. Last year’s DOS attacks against the U.S. financial sector serve as an example of what may come in this realm.

“It’s never just a single attack happening in a vacuum,” Sartin said. “So much is organized groups in campaigns that are pooling resources.”

Verizon partnered with 50 organizations to gather data for the 2014 DBIR, 30 more than last year. The company also organized its findings and recommendations around the nine patterns to make the data more actionable for readers. Sartin said organizations should examine their breach information and create a quantifiable risk profile. He recommends that companies begin with the incidents they have experienced and plot them on a scatter chart. Next, they should analyze what others in their sector and globally have seen, as preparation for worsening attacks. Organizations can then apply the recommendations that Verizon makes for each pattern.

“You can take this universe of data now and really scientifically measure it,” he said.

Sartin said the most important lesson for security is being on the offensive, as opposed to monitoring sensors on the network warning of intrusions that have already occurred.

“If you’re trying to react to the noise that these things generate and act on it quickly enough…that is the definition of reactive,” he said. “That’s a recipe we’ve known for 10 years that doesn’t work.”

In general, Sartin said organizations need to improve their methods of discovery. This includes the importance of notifications from others under attack, grassroots intelligence exchanges and communication among law enforcement, telecommunications carriers and the private sector.