By Frank Crast and Andrew Pierce, 5/11/2016

Verizon issued the 2016 Data Breach Investigation Report (DBIR) that highlights breach trends and incident classification patterns from over 64 thousand incidents and 2,260 breaches affecting organizations in 82 countries. According to the report, 89% of breaches had a financial or espionage motive. We’ve highlighted several of the themes from the report along with best practices to help organizations prevent similar breaches in the future.

According to the DBIR report, the time to compromise is getting quicker:

“Attackers are getting even quicker at compromising their victims. When you review the leading threat actions again, this really won’t come as a surprise. The phishing scenario is going to work quickly, with the dropping of malware via malicious attachments occurring within seconds. Physical compromises of ATMs and gas pumps also happen in seconds. In the majority of confirmed data breaches, the modus operandi of nation-states as well as financially motivated attackers is to establish control via malware and, when successful, it is lightning fast.”

We have highlighted a few of the major “themes” from the report to include points of focus, breach trends, classification patterns and recommended controls.

Vulnerabilities: “Oldies are still goodies”

Older vulnerabilities are still being targeted. In fact, attackers automate their weaponized systems and spray them across the internet to find and exploit vulnerable hosts.

“Hackers use what works and what works doesn’t seem to change all that often,” according to the DBIR.

The top 10 vulnerabilities make up 85% of successful exploit traffic. Adobe vulnerabilities are typically exploited quickly, while Mozilla vulnerabilities take much longer to exploit after vulnerabilities are disclosed. Half of all exploits happen between 10 and 100 days after vulnerabilities are published.

Recommended controls: a “methodical patch approach that emphasizes consistency and coverage” is more important than expedient patching. Establish a patch process that first remediates vulnerabilities being exploited in the wild, followed by those with known exploits or proof-of-concept code.

For vulnerabilities that can’t be patched right away, configuration hardening, system isolation or replacing the affected assets can all be good compensating controls.

Phishing

According to DBIR 2015 stats, 30% of phishing messages were opened and 12% of recipients went on to click malicious attachments, up from 23% and 11% respectively in 2014. The main perpetrators of phishing attacks are organized crime syndicates and state-sponsored attackers.

Recommended controls include filtering messages before users can interact with them. Awareness training and a means of reporting suspicious messages (such as a button on the taskbar) should also be part of the security program. Protect the rest of the network by segmenting the network that hosts sensitive systems/data from the user network, and enforce strong authentication for access to sensitive systems from the user network.

See more advanced email security controls in a recent blog post.

Stolen Credentials

Static credentials continue to be targeted by several of the top hacking action varieties and malware attacks. 63% of confirmed data breaches involved leveraging weak/stolen/default passwords.

Two-factor or multi-factor authentication is recommended for access to sensitive systems or for privileged access, although it can be harder to implement.

Incident Classification Patterns

90% of breaches fell into 1 of 9 buckets of “classification patterns.” 

The top 3 patterns resulting in incidents: miscellaneous errors (18%), privilege misuse (16%), and physical theft (15%).

However, the top 3 resulting in breaches: web attacks (40%), POS intrusions (23%) and miscellaneous errors (9%). Web attacks rose from 31% in 2014, a significant bump especially for the financial services sector.

Crimeware dropped from third to sixth place. Mainly due to the Dridex takedown, there was more data involving stolen credentials, which caused a spike in the web attack pattern.

Web app attacks

Out of 5,334 incidents attributed to web app attacks, 908 were confirmed data disclosure. 95% were financially motivated.

According to the DBIR, the typical web attack looks like this: “These breaches, uncovered through the forensic analysis performed on several C2 servers tell the tale of phish customer > C2 > Drop Keylogger > Export captured data > Use stolen credentials.”

Attacks against ecommerce servers also take advantage of “web shell” exploits: “We have seen content management systems (CMS) as the vector for installation of web shells, which are also classified as a backdoor in our framework. Either exploiting a remote file inclusion (RFI) vulnerability, or abusing insecure upload functionality, the web shells are injected and used as the gateway to additional mayhem.”

The age-old SQL injection also continues to be a critical vulnerability that is actively exploited.

Recommended controls include two-factor authentication (2FA). Don’t rely on a single factor or passwords alone for access to critical applications. Make sure to validate inputs, such as making sure an upload is actually an image and not a web shell, or making sure users can’t pass commands to the database via a customer name field.

Don’t forget to establish a patch process for CMS platforms and third-party plug-ins (in addition to the OS and application code).
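The two input-validation controls above, as an added example that is not from the DBIR or this site: an image upload is accepted only when its allow-listed extension agrees with the file’s own leading bytes, and a customer-name lookup is shown both spliced into the SQL text (the vulnerable form) and as a bound parameter (the fix). The endpoint, table and sample customers are constructed for illustration.

```python
import sqlite3

# Leading bytes of the image types this hypothetical upload endpoint accepts.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Allow-listed extensions and the content type each one must carry.
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def detect_image_type(data: bytes):
    """Identify the image type from the content itself, never from the filename."""
    for signature, kind in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def is_safe_image_upload(filename: str, data: bytes) -> bool:
    """Accept only when the extension is allow-listed AND the bytes agree with it.
    Store accepted files under a server-generated name outside the web root, so a
    polyglot that passes this header check is still never executed as a script."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    return expected is not None and detect_image_type(data) == expected


def find_customer_vulnerable(conn, name: str):
    """The 'before': the customer name is spliced into the SQL text, so quotes in
    the input change the statement instead of being treated as data."""
    return conn.execute("SELECT id, name FROM customers WHERE name = '" + name + "'").fetchall()


def find_customer_safe(conn, name: str):
    """The fix: a bound parameter travels separately from the statement, so the
    database never parses user input as SQL."""
    return conn.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


def demo_db():
    """Constructed in-memory customers table (sample data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)", [("Alice",), ("Bob",)])
    return conn
```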

POS intrusions

525 of the 2,260 confirmed breaches were the result of Point of Sale (POS) intrusions. Headlines shifted from large retailers (2014) to hotel chains (2015).

Command and control (C2) was reported at a much higher rate. RAM scrapers continue to be a threat, but keylogging malware also played a significant role in POS attacks.

DBIR summarizes the typical POS attack on small business like this: “1) POS server is visible to the entire internet, 2) POS has default login, 3) Bad guy leverages 1) and 2) to install malware and 4) Malware grabs the payment card data as it is processed. This scenario was, and still is, a small business problem.”

Another important note: 97% of breaches that featured stolen credentials leveraged partner access.

Recommended controls again feature 2FA, as single-factor authentication is a significant weakness. Make sure partners and third parties use 2FA or strong authentication to access your POS environment. Track remote logins and verify any login that deviates from the norm.

Segment your POS environment from the corporate LAN and ensure POS systems are not visible from the internet.
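One way to “track remote logins and verify any login that deviates from the norm” for partner access to a POS environment, as an added example that is not from the DBIR or this site: each successful login at a remote-access gateway is compared against a per-account baseline of approved source networks and hours, and a success that follows repeated failures is flagged as well. The gateway log format, the account names, the networks and the baseline are all constructed for this example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline for a hypothetical POS remote-access gateway: which accounts
# may log in remotely, from which networks, and during which UTC hours.
BASELINE = {
    "vendor-pos-support": {"networks": ["203.0.113.0/24"], "hours": (8, 18)},
    "store-manager": {"networks": ["198.51.100.0/24"], "hours": (6, 22)},
}

# Constructed sample gateway log: "<timestamp> <account> <source ip> <result>".
SAMPLE_LOG = """\
2016-05-10T09:15:02Z vendor-pos-support 203.0.113.17 success
2016-05-10T23:41:55Z vendor-pos-support 203.0.113.17 success
2016-05-11T02:03:10Z vendor-pos-support 192.0.2.44 failure
2016-05-11T02:03:31Z vendor-pos-support 192.0.2.44 failure
2016-05-11T02:04:12Z vendor-pos-support 192.0.2.44 success
2016-05-11T07:30:00Z store-manager 198.51.100.9 success
2016-05-11T10:12:45Z admin 198.51.100.9 success
"""


def parse_line(line: str) -> dict:
    ts, user, src, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "src": ip_address(src), "ok": result == "success"}


def review_logins(log_text: str, baseline=BASELINE):
    """Return (timestamp, account, reasons) for each successful login worth verifying."""
    findings, failures = [], {}
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        if not ev["ok"]:
            failures[key] = failures.get(key, 0) + 1   # remember failed attempts per source
            continue
        reasons = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("account not in remote-access baseline")
        else:
            if not any(ev["src"] in ip_network(n) for n in profile["networks"]):
                reasons.append("unknown source network")
            start, end = profile["hours"]
            if not start <= ev["ts"].hour < end:
                reasons.append("outside approved hours")
        if failures.pop(key, 0) >= 2:                  # success right after repeated failures
            reasons.append("success after repeated failures")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], "; ".join(reasons)))
    return findings
```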

Insider and privilege misuse

Of 10,489 total incidents, 172 resulted in confidential data disclosure. One third of insiders were end users who had access to sensitive data as a requirement of their job. Privilege abuse (152), data mishandling (30) and unapproved hardware (24) rounded out the top 3 categories of the misuse pattern.

According to the report, organizations should keep “a healthy suspicion toward all employees.”

The misuse pattern is one of the few that includes collusion between internal and external actors.

Recommended controls include monitoring your employees’ authorized daily activity, especially access to financial data, personally identifiable information (PII), payment card data and medical records.

Be wary of USB drives as well. Some audits uncovered evidence of USB drives being used to transfer data prior to an employee’s departure. Finally, be aware of exactly where your data is.

Miscellaneous errors

Although many incidents (11,347) were attributed to miscellaneous errors, only 197 resulted in an actual data breach. The top 3 categories of miscellaneous errors are capacity shortage, misdelivery and publishing errors.

Other types of errors include misconfigurations, such as a mistyped firewall rule that allows access to sensitive file servers, and disposal errors, such as not properly wiping hard drives after decommissioning devices.

The report recommends that organizations learn from their mistakes and develop new training materials to help limit potential errors. Also, map the most common errors to effective controls. Finally, make sure that all assets go through a rigorous check by the IT group before they are disposed of.

Physical theft and loss

Of 9,701 incidents related to physical theft and loss, 56 were confirmed data breaches. Assets were lost 100 times more frequently than stolen. Laptops were the most common target.

Recommended controls include whole disk encryption on laptops. Also, include physical security and situational awareness as part of new employee orientation and ongoing awareness training.

Remember “dead trees” as described in the DBIR report: “Rein in the paper as much as feasible given your business. Establish data classification and make it a policy violation, with potential consequences, to print and transport sensitive data. Consider tokenizing to replace sensitive information with an alternate unique identifier when printed copies are required.”

Crimeware

Crimeware resulted in 7,951 incidents with 49 confirmed data disclosures. The top 5 malware varieties in this pattern are C2, ransomware, spyware/keylogger, backdoor and export data. This pattern frequently affects consumers and is where most malware infections land.

Effective controls include patching OS and application vulnerabilities, especially those with known exploits.

To defend against malicious software, do not allow programs (e.g., document-based programs) to run scripts/macros, and use your email server to filter or remove executables and other risky file extensions sent as attachments.
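The attachment-filtering control above, as an added example that is not from the DBIR or this site: a mail-gateway rule built on Python’s standard email library blocks executables by extension and by an MZ header regardless of the claimed name, and routes macro-enabled Office documents to quarantine rather than delivering them. The deny-lists and the sample message, with its four attachments, are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed deny-list of attachment extensions the gateway never delivers.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar"}
# Macro-enabled Office formats: held for review, since the control is to keep
# document-based programs from running macros rather than to drop all documents.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm"}


def classify_attachment(part) -> str:
    """Return 'block', 'quarantine' or 'allow' for one MIME attachment part."""
    name = (part.get_filename() or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    payload = part.get_payload(decode=True) or b""
    # A renamed Windows executable still starts with "MZ", so check content too.
    if ext in BLOCKED_EXTENSIONS or payload.startswith(b"MZ"):
        return "block"
    if ext in MACRO_EXTENSIONS:
        return "quarantine"
    return "allow"


def filter_message(raw: bytes):
    """Parse a raw RFC 822 message and decide the fate of each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), classify_attachment(part)) for part in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed inbound message: a real PDF, an executable renamed as a PDF,
    a macro-enabled document and a batch file (all payloads are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application", subtype="pdf", filename="invoice_copy.pdf")
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application", subtype="octet-stream", filename="report.docm")
    msg.add_attachment(b"@echo off", maintype="application", subtype="octet-stream", filename="update.bat")
    return bytes(msg)
```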

Other categories and conclusion

Other patterns that receive an honorable mention in the report include payment card skimmers, cyber-espionage, and denial-of-service attacks.

It is important to point out that the actions taken by attackers are not exclusive to a single pattern.

DBIR sums it up nicely:

“Having an understanding of how patterns can complement each other and share portions of event chains can help direct your efforts as to what to prioritize your limited resources against. That is, knowing the processes used by the Actors, the tools (Actions) to accomplish their goals and how many of these patterns begin with the same or similar bag of tricks.”


Topic: General Security Awareness, Security Awareness and Training