False Prophets of IT Security: As Seen by Verizon’s RISK Team

James Grundvig
9/22/2013
Updated: 4/24/2016

For the past twenty years, the double-edged sword of technology has been something to behold and recoil from at the same time. Call it the Frankenstein effect on the advances of technology.

From clean nuclear energy to the Fukushima nuclear reactor meltdown, from nanotech advances in materials science to next-generation chemical warfare, science has a dark side, and we have trouble stepping out of the shadow of its dark twin.

The best example of this delicate balance between good and bad has been the major advances in online communication that came with the Internet boom, and today the sea change of social connectivity and enterprise analytics via the cloud, big data, and mobility. But with each advance, the threat of cyber attacks never leaves us.

That cyber shadow stays awake, poking and prodding us, while we sleep. It is a problem that is growing in scale and malice. So who would have thought that Verizon’s 2007 acquisition of Cybertrust, a little-known data security firm, would play so critical a role today?

Verizon’s annual Data Breach Investigation Report (DBIR) has become one of the main resources for professionals, corporations, and industries to see what the threats are and how the trends in cyber attacks are changing each year.

Bryan Sartin, Director of the RISK Team at Verizon Enterprise Solutions, told me in a telephone interview, “The DBIR is a cybersecurity industry report we started to capture a trench level perspective. We needed to figure out the why and how behind data breaches. We started compiling data at Cybertrust, where I came from, studying the perpetrators, tactics, data stolen and the vulnerabilities that set the stage for successful cyber attacks.”

When Verizon acquired Cybertrust, the DBIR came to be. At first, it contained only Verizon’s data, but over time the team began to incorporate investigation findings from third parties.

“Today, the report integrates data from 18 major players, including the U.S. Secret Service, the Dutch National High Tech Crime unit and the Australian Federal Police,” Mr. Sartin said. “The DBIR is the state of the union on cyber crimes analyzing and measuring a billion stolen records.”

DBIR and its Chilling Statistics

Besides the governments from Australia to Europe that provide security breach data, the energy and utilities sectors could all benefit from Verizon’s DBIR.

The 2013 Data Breach Investigation Report asks: Who are the victims?

37% of breaches affected financial organizations

24% occurred in retail environments and restaurants

20% of network intrusions involved manufacturing, transportation, and utilities

In the “Who’s perpetrating breaches?” section: “14% are committed by insiders” (page 5).

The DBIR has all kinds of graphs, charts, and data in it, from the methodology used and the industry demographics across 27 countries, to the size of the attacks and breach types by industry and employee count.

“There is a very clear and important difference across industries with respect to motives that will factor prominently throughout this report,” the DBIR states (page 14).

Bryan Sartin is “responsible for all computer incident response, digital forensics, electronic discovery, and IT investigations for commercial and government organizations,” Verizon wrote in an email. He has 20 years of experience in the cyber security field.

In speaking with the knowledgeable and on-point director of Verizon’s RISK Team, I was impressed by his deep understanding of security issues, the threat landscape, and how the attacks have evolved over time.

“From the report, there are five takeaways—variability, volatility, finance crimes, cyber-espionage, and hacktivism. There’s more variability and volatility in the threat landscape than ever before,” Sartin explained in clear, succinct terms.

He said cyber-espionage is a growing concern. In just one year, cyber-espionage went from less than 1% of the global threat landscape to 20%, “a massive change,” Sartin said.

Their research is an evidence-driven approach that is verifiable. And what the DBIR has uncovered from the “empirical data,” in terms of data breaches, is that “their recipe for success is that one size does not fit all,” he said.

The E-Fail of Email

“Two out of three attacks now start with phishing. They range from state-affiliated espionage attacks to financial crimes involving Zeus malware outbreaks,” Sartin said.  

As the DBIR states: “More than 95% of all attacks tied to state-affiliated espionage employed phishing as a means of establishing a foothold in their intended victims’ systems” (page 36).

“The anatomy of email attacks often are cases where end-user training has been in place, but the attacks still occur. There needs to be a better holistic landscape approach to developing a security program that works,” he said.

The most shocking graph (Figure 28, page 38) is shown in the boxed section “The Inevitability of ‘The Click’”: “Phishing emails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Getting the user to click (on a link or attachment) is the first obstacle for all phishing campaigns. So how many emails would it take to get one click?”

The answer is three.

Socially engineer the end users, the recipients of the poison darts (the emails), and three attempts are all the hacker needs to have “better than a 50% chance of getting at least one click.”

It takes one click, out of thousands of employees who each receive hundreds of emails a day, to penetrate a corporate network and plant a Trojan horse or other malware, and it is statistically impossible that anti-phishing training will work 100% of the time.

Awareness is good. But it’s no panacea with companies of all sizes turning over employees every week.
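As an added illustration (not from the article or the DBIR), here is the arithmetic behind the “three emails” figure and the “one click out of thousands” argument: each recipient is modelled as clicking independently with a fixed per-email probability, and the rates used below are assumed values, not figures the article gives.

```python
"""Added example: why a few phishing emails, or a large enough workforce,
make at least one click near certain.  Per-email click rates here are
constructed assumptions; the article quotes only the end result."""


def p_at_least_one_click(p: float, n: int) -> float:
    """Probability that n independent attempts, each succeeding with
    probability p, produce at least one click: 1 - (1 - p)^n.
    n may be the number of emails sent to one user, or the number of
    users who each receive one email (same formula)."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("p must be in [0, 1] and n must be >= 0")
    return 1.0 - (1.0 - p) ** n


def emails_needed(p: float, threshold: float = 0.5) -> int:
    """Smallest number of emails for which the chance of at least one
    click strictly exceeds `threshold`.  Returns 0 when p == 0, since
    no number of emails can ever produce a click."""
    if p <= 0.0:
        return 0
    n = 0
    while p_at_least_one_click(p, n) <= threshold:
        n += 1
    return n


def expected_clicks(p: float, recipients: int) -> float:
    """Expected number of clicking users in one campaign (p * recipients).
    Training lowers p; it cannot drive the expectation to zero."""
    return p * recipients


if __name__ == "__main__":
    # Assumed 25% per-email click rate: three emails beat 50%, as quoted.
    print("emails to exceed 50% at p=0.25:", emails_needed(0.25))
    # Assumed 1% rate after training, 2000 employees: still ~certain.
    print("P(at least one of 2000 clicks at p=0.01): "
          f"{p_at_least_one_click(0.01, 2000):.5f}")
    print("expected clicks:", expected_clicks(0.01, 2000))
```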

One of the primary purposes of the DBIR is to identify trends and show how the threats and technologies are evolving. The report uses the Verizon Incident Sharing (VERIS) framework, a not-for-profit, open-source research structure for describing security incidents, to classify and analyze breaches.

“Today, the DBIR aggregates more data, more variability to exchange data. We act as the hub, the production of this VERIS vocabulary, and then break the data down into a simple taxonomy, diagnose the incident, while bypassing confidential information of the countries, companies, and industries that participate.”

The Latin word veris means ‘spring,’ as in a well of knowledge. Perhaps this is where Verizon’s name originated.

“The DBIR is emblematic research. We trend hard metrics, statistics,” Sartin said. “We are now gaining great insights on mobile threats.” [Disclosure: I am a Verizon mobile and FiOS user.]

Sartin reminded me that the problem too many corporations have in detecting cyber attacks is that the techniques are “more insidious. Cyber-criminals are better able to evade prosecution, as they are more difficult to detect. The incident detection time frames are six to seven months.”

That is far too long a time horizon when companies need to guard their IP and their employee and client data. “We need to bring detection of breaches down from months to hours and minutes,” Sartin emphasized.

As Bryan Sartin stated, a holistic approach is a more effective way to prevent data theft, intrusion, and breaches from taking place. The best place to start to develop a robust security strategy is to understand the nature of the beast and its motivation.

Know thy enemy.

James Grundvig is a former contributor to Epoch Times and the author of “Master Manipulator: The Explosive True Story of Fraud, Embezzlement and Government Betrayal at the CDC.” He lives and works in New York City.