Verizon Data Breach Report Finds Employees At Core Of Most Attacks


People are most often the first target of an attacker and not technology, as cybercriminals are increasingly using social engineering and phishing attacks to gain a foothold into corporate networks, according to new analysis of hundreds of data breaches to be issued this week.

Social engineering attacks designed to steal account credentials were the most often used technique carried out to gain access to endpoint machines and then pivot to systems containing more sensitive data, according to the 2013 Verizon Data Breach Investigations Report (DBIR). The study, an analysis of 621 confirmed data breaches and thousands of security incidents, found that stolen credentials were used in four out of five breaches, regardless of whether the attack was driven by financially motivated cybercriminals, nation-state-driven cyberespionage activity or hacktivists.

"Attackers are not creating new accounts; they're using the accounts that are already there, and they have broken the passwords and can hide out in regular traffic," said Chris Porter, managing principal at Verizon and co-author of the Verizon DBIR, in an interview with CRN. "The energy used to put out patches extremely quickly probably could be better put toward making configurations stronger."

[Related: 5 Essential Steps To Effective Data Breach Notification]

The analysis found that 78 percent of initial intrusions into corporate networks were relatively easy. Many attackers used a phishing attack, convincing employees to give up credentials, or brute force attack, taking advantage of weak or default passwords on remote services to gain initial access to the network. Investigators found stolen passwords at the core of 76 percent of the breaches they examined.

Verizon added more than a dozen data sources to its 2013 breach report, consisting of more than 44 million compromised records in 2012. The 2013 Verizon DBIR found that financially motivated cybercrime made up 75 percent of all data breaches, followed by nation-state-driven cyberespionage attacks at 20 percent of all breaches. Hacktivist attacks, which had a significant impact on the 2012 analysis, made up a smaller part of the breach statistics as individuals turned to distributed denial-of-service attacks (DDoS) to disrupt business rather than steal data.

Manufacturers, transportation and professional services were frequently the target of nation-state-driven attacks designed to conduct cyberespionage and steal intellectual property, such as design documents, business plans, trade secrets and classified information, the Verizon report found. Meanwhile, retailers, food services and the financial sectors saw the most financially motivated attacks, carried out to steal credit card data and account credentials and drain bank accounts. Public sector organizations and healthcare organizations were a common target of hacktivists, according to the report.

Nation-state-driven targeted attacks have been given a considerable amount of "alarmist news coverage," Verizon said. A common misconception among some organizations is that they are far too small to be targeted, Porter said.

"We're purposely not taking an alarmist tone; we don't think espionage attacks are new," Porter said. "What's interesting is that since the Aurora campaign and Google disclosing that they were hacked by Chinese threat groups that there is a great deal of visibility into this specific threat group."

The data breach report, which has become the industry standard for data breach statistics and attacker techniques, found that most organizations continue to have poor internal detection capabilities. Verizon said 70 percent of breaches were discovered by external parties, and 62 percent took months to discover. In some cases organizations lack network monitoring technologies such as IDS or IPS appliances or a security information event management (SIEM) system, Porter said. But when networking security appliances were in place, they were not properly deployed and maintained, he said.

"Organizations aren't configuring these network devices properly," Porter said. "They're useful tools when used together with other measures, but they have to be tuned properly, and they have to look for the types of things that are unique to your network."

It almost always takes months to detect a breach, even with security technologies in place. Organizations with a strong security culture can reduce the breach detection time from months to hours or days if employees are alert, Porter said.

The length of time it takes to detect a breach stands in stark contrast to how long it takes a cybercriminal to infiltrate an organization and get out with stolen data. Attackers can steal data very quickly, Verizon found. As many as 85 percent of initial compromises were within minutes or less, and 70 percent of breaches took seconds to hours for attackers to steal data, Verizon said.

Malware functionality used in breaches depends on the victim size and attacker motives. For example, in all financially motivated attacks, spyware was used by cybercriminals to capture point-of-sale system terminal transfers, according to the breach data. But in espionage attacks, spyware was used to steal user credentials or take screenshots. Nation-state-driven attacks also used more custom malware in the attacks, Porter said.

PUBLISHED APRIL 22, 2013