Nation state actors, affiliates behind increasing amount of data breaches
Cyberattacks by nation states and parties affiliated with them represented 23% of data breaches, up from 12% in 2018 and 19% in 2017, according to Verizon's Data Breach Investigations Report (DBIR).
The 12th annual data breach report were based on 41,000 cybersecurity incidents and more than 2,000 data breaches. At a high level, the DBIR report outlined the following:
- A quarter of all breaches were associated with espionage;
- C-level executives were 12x more likely to be the target of social incidents and 9x more likely to be a target of social breaches;
- Ransomware is the No. 2 ranked malware type and accounts for 24% of cases;
- Cybercriminals were targeting cloud-based email accounts and leveraging stolen credentials.
Must read
- Naming and shaming nations that launch cyberattacks does work, say intel chiefs
- Ransomware: The key lesson Maersk learned from battling the NotPetya attack
- Cybercrime and cyberwar: A spotter's guide to the groups that are out to get you
The nation-state actors and espionage takeaways highlight how the security threat game is changing in many respects. Espionage was an issue across most of the industries in the DBIR. Gabe Bassett, co-author of the Verizon DBIR, said companies need to plan for what happens after a data breach.
Bassett said companies are being targeted for intellectual property and secret theft by cybercriminals looking to leverage credentials instead of mapping a network and gaining access over time. "The theft of personal information and credentials is a primary vehicle is a different approach. The target is the same," said Bassett. Log-in information, social attacks and pretexting are primary techniques used to gain access to IP.
Educational institutions are also good targets, but the motives are more spread out. Yes, nation-state actors are interested in research, but databases full of student information also have profit potential. Cybercriminals are also targeting web applications and email to steal credentials.
Among other key trends:
There's a decrease in card present breaches as e-commerce rises. Card not present hacks are surging. Verizon noted that point-of-sale attacks are declining, but that's just because web application attacks are easier.
Essentially, Web application attacks have punched the time clock and relieved POS Intrusion of their duties. This is not just a retail specific phenomenon – Figure 64 comes courtesy of our friends at the National Cyber-Forensics and Training Alliance (NCFTA) and their tracking of card-present versus card not present fraud independent of victim industry.
Companies should report breaches to the FBI and the Internet Crime Complaint Center. Bassett said that IC3 has a good chance of recouping financial losses. At the very least, reporting an incident allows for more data sharing so law enforcement can stop the cybercrimes.
When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered.
Law enforcement can often find criminals on the dark web and through financial accounts. "The point is that if you've been breached keep fighting and stay in the game," said Bassett.
System admin issues are also leading to more breaches. Simply put, companies are careless with their cloud storage and leaving data open for cybercrime.
Our data indicates that misconfiguration (45%) and publishing errors (24%) are common miscues that allowed data disclosure to occur. When looking at the relationship between actions and assets, 36% of error-related breaches involved misconfigurations on databases, often cloud storage – not good. Obviously, those buckets of data are meant to store lots of information and if your bucket has a (figurative) hole in it, then it may run completely dry before you make it back home from the well and notice. Often these servers are brought online in haste and configured to be open to the public, while storing non-public data. Publishing errors on web applications offer a similar exposure of data to a much wider than intended audience. Just for cmd shift and giggles, we will mention that programming errors were committed on web servers and a couple of databases.
Related stories:
- Cyberwar and the future of cybersecurity (free ebook)
- Cyberwar predictions for 2019: The stakes have been raised
- Can Russian hackers be stopped? Here's why it might take 20 years
- Survey shows IT professionals concerned about cyberwarfare, end users, and conducting international business
- What is cyberwar? Everything you need to know about the frightening future of digital conflict
- Governments and nation states are now officially training for cyberwarfare: An inside look