Verizon released its latest Data Breach Investigations Report (DBIR) highlighting the latest trends in malware and cyber crime, covering 53,000 incidents and 2,216 confirmed breaches. The report reveals that botnets are the most widespread, dangerous attacks to date. The number of botnet attacks reported was so large that all 43,000 botnet breaches (mainly of financial data) were excluded from the overall statistics and given a separate section of their own. With botnet breaches on the rise, Verizon's report confirms that monitoring network traffic is more important than ever.

The Big Picture: Attackers Mainly Aim for Financial Data

A decade ago, a hacker was viewed as just a malicious teenager causing mayhem with various computer skills; today, hackers are financially motivated and treat cyber crime as a business. Verizon's data shows that over 60% of breaches featuring hacking techniques came from outsiders and 76% were financially motivated. The second most common motive was espionage or state-funded attacks. Combining financial motivation and espionage gives you 90% of the reported motivation for an attack, and this overwhelming statistic shows that hacking is no longer teenage shenanigans, but a coordinated, strategic effort to steal your data. 

In recent years, security experts focused on insider threats as the main pain point in cyber security defenses, but 73% of breaches are still perpetrated by outsiders. 48% of breaches involved hacking, and 30% involved malware. 

The report shows that (aside from botnets) cyber criminals mainly use DoS (Denial of Service) attacks, with 21,409 incidents and 399 breaches. DoS attacks were usually amplified using third-party systems that had been compromised. Verizon also discovered that DoS attacks are primarily used as a distraction from what could be a bigger breach. By keeping IT occupied with DoS containment, an attacker can cover up a bigger breach in progress. 

Assets targeted in successful breaches were mainly database servers (398 in count), POS terminals (321) and POS controllers (320). These top three assets correlate with the financial breach numbers because they store credit card numbers and personally identifiable information (PII). In addition to database compromises, credentials were stolen en masse using RAM scrapers to capture financial data from point-of-sale (POS) systems. Most malware that infects POS devices also has secondary and tertiary functionality, such as keylogging and data export, giving the attacker not just credit card numbers but also the credentials of the employee operating the register.

Breach Timeline: It Takes Minutes to Steal Data, Months to Find the Compromise

Most important to note from Verizon's report is the amount of time it takes between compromise and exfiltration. Before a compromise, the attacker spends time strategizing and collecting information from social media and your corporate website. This initial step can take months as the attacker identifies a target and its vulnerabilities. Cyber criminals might spend months collecting enough information to launch a final attack, but this duration can't be quantified since it's outside of the discovery and forensics process. 

When an attacker finally deploys an attack, Verizon reports that it takes a matter of seconds to compromise a system, and then several minutes to hours for exfiltration (extraction or theft). In a matter of a few hours, your entire customer database could be stolen without any discovery by system administrators. 

Even more concerning is the average time it takes for detection and discovery of the compromise. Attackers leave backdoors and steal data as silently as possible, and the average time for an organization to discover that it has been compromised is months after the breach. By that time, terabytes of data could have been transferred to the attacker's server.

Discovery depends on the type of attack. On average, data theft is discovered when users report stolen credit cards and fraudulent transactions, which means that attackers have possibly already stolen millions from consumers before the organization identifies the vulnerability. 

On average, 68% of breaches took months (yes, more than a month) to detect. After discovery, some breaches took weeks to contain, but most take several days. 

Social Engineering: Few Users Ever Report It

Some attackers send phishing emails that contain malware, but malicious software rarely gets attackers to their end goal. Less than 10% of phishing was found to contain malware. Rather, attackers are interested in stealing credentials with elevated permissions. Phishing accounted for 1,192 incidents and 236 confirmed data breaches.

Social engineering includes pretexting, which is the act of contacting an organization employee pretending to be someone official. For instance, an attacker might pretend to be a vendor sending an invoice or a CEO requesting transfer of funds. More commonly, the attacker pretends to be a member of IT staff to get a user to provide credentials to the system. From there, the attacker can log in without notice. Verizon indicates that a spike in pretexting from 61 incidents to 170 was reported. 

The biggest data target for social engineering was HR. Data most often lost was W-2 information for employees. This data is loaded with PII, including social security numbers, date of birth information, full name and addresses, driver's license numbers, and even birth certificates. 83 of the 170 pretexting incidents targeted HR staff. 

Security and system administrators struggle to protect against social engineering since it usually involves legitimate transactions by employees. More concerning is that Verizon shows only 17% of phishing campaigns were reported, which means an attacker has an indefinite amount of time on your system until discovery, possibly months later.

Botnets: 43,000 Reported Breaches Involving Customer Credentials

The big reveal in Verizon's report is the massive number of botnet breaches. Of the collected data, 43,000 breaches were from botnets. Compare this number to the 2,216 breaches from other cyber attacks, and you can see why Verizon highlighted this section as a dire warning for system administrators. 

Most botnet attacks focus on bank employees, with 91% of breaches reported from banking organizations. It could start with a phishing email or with malware dropped on user computers when they browse a malicious site. Botnet installation is silent, and the malware then covertly steals user credentials without detection, making it one of the nastiest, yet most efficient, attacks in cyber crime. 

Botnets also infect nodes on the network and silently wait for the attackers' instructions. These nodes are usually cleaned by administrators within a month, but organizations struggle to wipe them from the entire network, and the infection reappears months later. For organizations that deal with stolen credentials, two-factor authentication can remedy the issue. However, dealing with infected servers and critical nodes is much more of a struggle when botnets move laterally across the network. Verizon's report shows that months after initial containment, organizations are re-infected with the same malware. 

Monitoring is key to detection and elimination of botnet infiltration. Programmable Packet Engines (PPEs), in collaboration with IDS/IPS, continuously monitor traffic and separate legitimate from malicious accesses, learn internal and external traffic patterns, and detect malicious payloads (malware, or data being exfiltrated) in real time. 

The Solution: Real-Time Monitoring Significantly Reduces Discovery Time

IDS/IPS and threat monitoring systems rely exclusively on static data-at-rest and after-the-fact processing to make a decision. A PPE uses in-memory processing and machine-to-machine communications to continuously monitor networks in real time. Both IDS/IPS and PPEs are integral to botnet detection, containment and elimination from your network. 

For all attack methods, monitoring is the foundation for discovery. Faster discovery means faster containment and elimination from the system. Whether it's botnets, RAM scrapers, DoS events or hidden malware, traffic across the network must be monitored to stop an incident from becoming a catastrophic data breach. Taking months to discover a breach is unacceptable for both your organization's integrity and customer data protection. 

Attackers know that your organization has defenses, but most security is fragmented and poorly executed. It only takes one misconfiguration to create a vulnerability. Scalable sensor-based monitoring can stop a compromise and eliminate exfiltration when standard defenses fail. Real-time monitoring tools look at traffic patterns, payloads, protocols, and behaviors and provide metadata to network analysts to review for suspicious activity.
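As an added illustration (not MantisNet's product or code), the following Python sketch shows two of the traffic-pattern checks such monitoring performs over flow records: a node checking in with a controller on a near-constant timer, and unusually large outbound byte totals from one internal host. The flow records, addresses and thresholds are constructed for the example.

```python
"""Added example: two traffic-pattern checks over flow records (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# Addresses use documentation ranges; none of this is captured traffic.
FLOWS = (
    # Infected host polling a controller every ~300 s with tiny payloads.
    [(t, "10.0.0.5", "203.0.113.9", 443, 512) for t in (0, 301, 598, 902, 1199, 1503)]
    # Ordinary browsing: irregular timing, moderate volume.
    + [(t, "10.0.0.7", "198.51.100.20", 443, 40_000) for t in (10, 15, 210, 230, 900, 2400)]
    # Bulk outbound transfer: three 30 MB uploads to one external host.
    + [(t, "10.0.0.12", "203.0.113.77", 22, 30_000_000) for t in (100, 400, 700)]
)


def find_beacons(flows, min_connections=5, max_cv=0.15):
    """Flag (src, dst, port) pairs whose connection intervals are nearly constant.

    A low coefficient of variation (stdev / mean) in inter-arrival times is the
    signature of a node sleeping and waking on a timer to poll its controller.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_connections:  # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((key, round(avg, 1)))
    return beacons


def find_bulk_egress(flows, internal_prefix="10.", threshold_bytes=50_000_000):
    """Sum bytes leaving the internal range per (src, dst) and flag large totals."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            totals[(src, dst)] += nbytes
    return sorted((k, v) for k, v in totals.items() if v >= threshold_bytes)


if __name__ == "__main__":
    for key, period in find_beacons(FLOWS):
        print(f"beacon: {key} every ~{period}s")
    for key, total in find_bulk_egress(FLOWS):
        print(f"bulk egress: {key} sent {total:,} bytes")
```

The browsing host is flagged by neither check, while the bulk uploader is caught by volume even though its three connections are too few to be called periodic.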

The result is a safer and more secure network with fewer incidents and intercepted breaches. 


Written by MantisNet