2017 marks the 10th anniversary of Verizon’s Data Breach Investigations Report (DBIR), and as breaches have evolved throughout the years, so too has the DBIR study. 2017’s DBIR report now includes data on security incidents as well as actual breaches, with results showing that cybercrime refused to take a year off.
Despite the regular doom and gloom that comes along with data breach studies, Verizon’s outlook in reporting the findings is that there is hope for the future.
“While this report will not be able to definitively answer the macro-level question of “are we getting better?” the readers can leverage the combined efforts and use the results of this study as a platform to improve their organization’s awareness of tactics used by the adversary, to understand what threats are most relevant, and as a tool to evangelize and garner support for your information security initiatives.”
DBIR reports high-level data breach findings for 2016, delves into industry-specific findings that discuss the key differences between industry sectors, and covers the human element in information security as well as the trending malware attacks. True to the previous DBIR reports, the study reviews the nine incident classification patterns of data breaches and recaps the incident and breach events that defined 2016, which offers a peek at what to expect in the year to come.
The Big Picture
Hackers make a living off of stolen data, so there is no surprise that in 2016, 75% of breaches were initiated by individuals outside of the organization, with 51% of the breaches involving organized crime groups. Malware, a tactic often used in the well-reported big retailer hacks, was used for 51% of the breaches, while privilege misuse and errors were the cause of a breach 14% of the time. Hacking systems proved to be the most successful tactic at 62%, with stolen and/or weak passwords used for 81% of the hacking related breaches.
A tactic that seems to be on the rise in breaches is social attacks. There were 1,616 social attacks in 2016, approximately half (828) of which had confirmed data disclosure. Those events accounted for 43% of all breaches in the 2017 DBIR’s dataset. Nearly all the social incidents (99%) involved an external actor.
A common trend in social hacks is the use of phishing attacks to infiltrate a network.
In 95% of cases, attackers followed up a successful phish with software installation (malware). That’s to be expected given most social attackers’ motivations and targets. Two-thirds of these actors chase after financial gain, whereas another third is in it for conducting espionage. Both these motivations involve the theft of credentials, personal information, and trade secrets.
A potent mixture for cyber-attacks, the triple threat of hacking, malware, and social, has been on top and trending upward for the last few years, and it does not appear to be going away any time soon.
Financial organizations, retail, healthcare and the public sector suffer most from breaches; these industry findings will be discussed in part 2 of this blog.
A common payload of phishing attacks is ransomware, with growth in popularity due to new ransomware technology and extortion methods.
“Ransomware is the latest scourge of the internet, extorting millions of dollars from people and organizations after infecting and encrypting their systems. It has moved from the 22nd most common variety of malware in the 2014 DBIR to the fifth most common in this year’s data.”
Although ransomware has been around for 10 years, a rise in ransomware’s popularity left 2016 with 228 ransomware incidents reported, up from 159 in 2015.
The increase in ransomware incidents in 2016 is perhaps due to the shift from individual consumer systems towards targeting organizations, with ransomware hackers using a variety of methods to make it more difficult to recover systems without paying.
“Moving on from file encryption — the standard practice of ransomware authors — attackers introduced master boot record locking, and partial and full disk encryption in an effort to make it more difficult to recover systems without paying. They also experimented with a variety of methods to avoid detection by security sandboxes. These included execution time differences between real and virtual machines, unexpected command-line arguments and an abnormally short list of Microsoft Office recent files.”
The profitability of ransomware allowed for criminals to become more brazen, offering ransomware-as-a-service, which enables anyone to extort their favorite targets while taking a cut of the action. And ransomware demands have also become, well, more demanding.
“The ransomware-as-a-service approach was followed by a variety of experiments in ransom demands. Criminals introduced time limits after which files would be deleted, ransoms that increased over time, ransoms calculated based on the estimated sensitivity of filenames, and even options to decrypt files for free if the victims became attackers themselves and infected two or more other people.”
Ransomware relies on infected websites and traditional delivery for most attacks and targets vulnerable networks – most often, as the DBIR reports, hitting the Public Administration, healthcare and financial sectors the hardest in 2016.
As ransomware grows, anyone is fair game, as proven in last week’s massive world-wide attack appropriately named WannaCry.
WannaCry, a ransomware attack that began in Europe on Friday, May 12th, spread to an estimated 57,000 computers in more than 150 different countries around the world by the end of the day, demanding a $300 payment to restore the victims’ files. European countries were hit the hardest, and business ground to a halt at several large companies and organizations, including banks, hospitals, and government agencies.
Although researchers were able to slow the spread of the WannaCry virus, it has not actually been stopped, and the proven success of the cyberattack, which has now hit more than 300,000 computers, has already inspired imitators.
In WannaCry’s case, security experts recommend installing security updates for all operating systems, and specifically for Windows users. As for a confirmed fix for computers that are already infected, there is none until security experts are able to decrypt the files on them.
World map showing where computers were infected by WannaCry ransomware since May 14th, as recorded by MalwareTech.com.
The security industry has made strides on multiple fronts in their efforts to thwart ransomware attacks, with enhanced security software solutions that enable earlier detection.
Endpoint protection systems can now detect millions of ransomware samples, with more added as they are discovered. Because this signature-based process is obviously insufficient to stop all attacks, the security industry has also added detection techniques such as sandboxes that mimic a user environment to catch obfuscated ransomware, behavioral analysis to stop ransomware before it finishes executing, and file creation blocks to prevent ransomware from writing encrypted files.
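The behavioral analysis and file creation blocking mentioned above come down to one observable pattern: a single process rewriting many user documents with high-entropy (encrypted-looking) content and renaming them to an unfamiliar extension, all within a short burst. The following Python heuristic is an added illustration of that idea and is not code from Verizon, the DBIR or any endpoint product; the process names, paths, thresholds and the KNOWN_EXTENSIONS allow-list are assumptions chosen for the demo, and the file events it scores are constructed, not real telemetry.

```python
import hashlib
import math
from collections import defaultdict

# Assumed allow-list of extensions a rename may legitimately produce.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".tmp"}


def _pseudo_random_bytes(seed: int, length: int = 2048) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


# Constructed file-system events: (timestamp_seconds, process, op, path, payload).
# For "write" the payload is the bytes written; for "rename" it is the new path.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "write", r"C:\Users\a\report.docx", b"Quarterly report text " * 40),
    (1.0, "winword.exe", "write", r"C:\Users\a\~$report.docx", b"lock" * 8),
    (1.5, "winword.exe", "rename", r"C:\Users\a\~WRD0001.tmp", r"C:\Users\a\report.docx"),
]
for i in range(12):  # one process overwriting and renaming 12 documents in ~1.2 s
    t = 2.0 + i * 0.1
    SAMPLE_EVENTS.append((t, "suspicious.exe", "write", rf"C:\Users\a\doc{i}.pdf",
                          _pseudo_random_bytes(i)))
    SAMPLE_EVENTS.append((t + 0.05, "suspicious.exe", "rename", rf"C:\Users\a\doc{i}.pdf",
                          rf"C:\Users\a\doc{i}.pdf.locked"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def is_ransomware_like(event, entropy_threshold: float) -> bool:
    """Per-event indicator: a high-entropy write, or a rename to a non-allow-listed extension."""
    _, _, op, path, payload = event
    if op == "write":
        return shannon_entropy(payload) >= entropy_threshold
    if op == "rename":
        return _extension(payload) not in KNOWN_EXTENSIONS
    return False


def max_burst(timestamps, window_seconds: float) -> int:
    """Largest number of timestamps that fall inside any window_seconds interval."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def score_processes(events, window_seconds=5.0, entropy_threshold=7.0, burst_threshold=10):
    """Return ({process: largest indicator burst}, {processes at or above burst_threshold})."""
    indicators = defaultdict(list)
    for ev in events:
        if is_ransomware_like(ev, entropy_threshold):
            indicators[ev[1]].append(ev[0])
    bursts = {proc: max_burst(ts, window_seconds) for proc, ts in indicators.items()}
    flagged = {proc for proc, n in bursts.items() if n >= burst_threshold}
    return bursts, flagged


if __name__ == "__main__":
    bursts, flagged = score_processes(SAMPLE_EVENTS)
    for proc, n in bursts.items():
        print(f"{proc}: {n} ransomware-like events in a 5 s window")
    print("flagged:", sorted(flagged))
```

In a real agent the flag would feed the "file creation block" the paragraph describes (suspending the process and denying further writes) rather than just printing. The two knobs that matter in practice are the entropy threshold and the extension allow-list: backup software, archivers and legitimate encryption tools also produce high-entropy writes, so the burst rate and the rename pattern, not entropy alone, are what separate them from ransomware.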
The DBIR reports that these actions have increased detection and prevention rates, but as ransomware variants change and criminals develop new techniques, additional actions will always be needed.
Collaboration is key, as the DBIR reports, and threat intelligence sharing between security vendors, law enforcement agencies and organizations will help to detect ransomware before they reach systems, protect individuals and organizations from criminal campaigns, and help rescue ransomed systems without enriching attackers.
Perhaps the most significant action taken to combat ransomware in the past year is the creation and ongoing development of the No More Ransom! collaboration.
The group aims to share information, educate users and help victims recover their encrypted data without having to pay ransomware attackers, and it currently hosts 27 decryption tools, which can recover files from a wide range of ransomware families. No More Ransom! calculates that it has diverted more than US $3 million from criminals by offering free decryption tools to thousands of victims around the world.
Learn more about No More Ransom! and prevention advice on ransomware, and stay tuned for part 2 of the DBIR analysis, which will include industry-specific findings as well as the incident classification patterns of attacks.