For all the talk of cyber attacks growing more sophisticated, the bad guys still rely heavily on tried and true methods of cracking networks, such as phishing emails, mostly because they work, says the author of Verizon's most recent Data Breach Investigations Report, due out tomorrow.
Marc Pitler, principal author of the 2016 DBIR, Verizon's annual look at the global landscape of security threats, points to one stark statistic: More than 63% of all data breaches involved weak, lost or stolen credentials. That's one of the main reasons Verizon Communications Inc. (NYSE: VZ) continues to tout multi-factor authentication as a key to lowering security risks.
Pitler authored this year's report with considerable humor (you can check it out here) and refers to it as a "scouting report" for those attempting to thwart attacks. He calls things such as phishing emails "the number one play in the bad guy's playbook," because they lead to significant data breaches. The percentage of users clicking on the malicious links in phishing emails actually rose slightly, from 11% to 13%. While that is not a statistically significant increase, it illustrates why phishing remains a tried and true method of attacking networks.
So if you can picture your typical cyber-criminal "sitting in his version of a cubicle just doing his job -- albeit a criminal one," Pitler notes, the most common thing to do is a phishing email, because "there is an extremely high likelihood that one person is going to click on the email." As he writes in the DBIR about the figure below, "That lovely 'Person' line trending up is due to the human asset falling victim to phishing attacks. The 'User device' line upward trend is based on desktops being infected with malware, as well as PoS terminals getting popped."
How an attack goes from there is largely dependent on the attacker and his/her motivation, whether it be financial, sabotage or espionage, Pitler says.
"This is still being used by cyber espionage folks, and also by organized criminal groups looking for low-hanging fruit," he says, the latter hoping to enlist the compromised computer in a spam botnet or distributed denial of service (DDoS) attack, or to extort payment with ransomware.
Once an individual takes the bait, things happen quickly. Infiltration of a network happens in minutes more than 80% of the time, but often discovery of the breach is measured in days, and that detection deficit is getting worse. "If -- and some have called 'if' the biggest word in the language -- there’s any good news, it's that the number of breaches staying open months or more continues to decline slightly," Pitler writes in the report.
This year's numbers were skewed by one large campaign, Dridex, a very large botnet whose malware steals online banking credentials, he notes. Data gathered from it provided a treasure trove of information for the report.
There are some technical answers to the phishing problem -- better segmentation of networks, for example, so that one click doesn't take down an organization's entire operation. Education remains important, including greater efforts to get employees who don't click on phishing emails to report them, Pitler says. "But we aren't going to eliminate human error -- people aren't robots," he notes.
That's one of the reasons that Verizon continues to stress the notion of two-factor authentication so strongly. Capturing a user's name and password through nefarious means becomes a lot less attractive when that isn't all that is required to access a network.
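To make that point concrete, here is an added example (not code from the report, from Verizon or from Light Reading) of the verification side of a time-based one-time password, the second factor a phished password does not give an attacker. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the secret is the RFCs' published test-vector secret and the usage at the bottom is a constructed demo, not production material.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) verification with a drift window and replay refusal.

Added example for this article; it is not code from Verizon, the DBIR or Light Reading.
The secret used below is the RFC test-vector secret, not a production key.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC(secret, 8-byte big-endian counter), dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, last_counter=-1, step=30, digits=6, window=1):
    """Return the counter the submitted code matched, or None if it is rejected.

    - window: accept +/- `window` steps either side of "now" to tolerate clock drift.
    - last_counter: the highest counter already accepted for this user. The caller stores
      the returned value, so a code a phisher captured cannot be replayed once the
      legitimate user has spent it.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:          # already used (or older): refuse replay
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret (demo only)
    print(totp(secret, 59, digits=8))                                      # 94287082
    print(verify_totp(secret, "94287082", 65, digits=8))                   # 1
    print(verify_totp(secret, "94287082", 65, last_counter=1, digits=8))   # None (replay)
```

Two details the paragraph glosses over matter in practice: accept a one-step window for clock drift but nothing wider, and record the highest counter already accepted so a code captured by a phishing page cannot be reused after the real user has entered it. Neither defeats an attacker who relays the code in real time, but it removes the value of credentials that are captured now and used later.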
"With better network segmentation and stronger authentication through your internal network, we can limit damage," Pitler says. "Now we can click in a response plan -- who clicked, let's quarantine that device, find out exactly what has been done, what communications inbound and outbound have happened, and really try to break the chain before the real impact occurs where significant data is exfiltrated from the organization."
Slowing the attacker down buys time for detection and limits the damage. That is an area where automation can help, spotting the patterns intruders leave behind and enabling providers to shut them down or restrict their access.
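As an added example of the response plan Pitler describes (this is not the report's or Verizon's code, and the proxy and firewall logs are constructed sample data), the script below takes a reported phishing domain, finds which users and hosts fetched anything from it, and then lists what each of those hosts talked to afterwards: destinations nobody in the organization had contacted before the first click, connections that recur at a fixed interval (beaconing), and unusually large uploads. Hosts with any of those land on the quarantine list. The domain, the thresholds and the log formats are assumptions for the demo.

```python
"""Who clicked, and what did their machine do next?

Added example for this article, not code from the DBIR or from Verizon. Both logs
below are constructed sample data; the formats, domain and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: time, user, source IP, URL, HTTP status.
PROXY_LOG = """\
2016-04-25T09:01:12Z alice 10.0.1.15 https://mail.example.com/inbox 200
2016-04-25T09:03:40Z bob 10.0.1.22 http://invoice-update.example.net/login.php 200
2016-04-25T09:03:41Z bob 10.0.1.22 http://invoice-update.example.net/payload.exe 200
2016-04-25T09:10:05Z carol 10.0.1.31 http://invoice-update.example.net/login.php 200
2016-04-25T09:15:00Z alice 10.0.1.15 https://intranet.example.com/ 200
"""

# Constructed egress firewall log: time, source IP, destination IP, destination port, bytes out.
EGRESS_LOG = """\
2016-04-25T08:55:00Z 10.0.1.22 93.184.216.34 443 1200
2016-04-25T09:04:02Z 10.0.1.22 203.0.113.77 8080 540
2016-04-25T09:04:32Z 10.0.1.22 203.0.113.77 8080 560
2016-04-25T09:05:02Z 10.0.1.22 203.0.113.77 8080 550
2016-04-25T09:06:00Z 10.0.1.22 198.51.100.9 443 4200000
2016-04-25T09:11:00Z 10.0.1.31 93.184.216.34 443 900
2016-04-25T09:20:00Z 10.0.1.15 93.184.216.34 443 700
"""

PHISH_DOMAIN = "invoice-update.example.net"   # assumed: taken from the reported phishing email


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_clickers(proxy_log, phish_domain):
    """Map each source IP that fetched anything from the phishing domain to user, first click, URLs."""
    clickers = {}
    for line in proxy_log.splitlines():
        ts, user, src, url, _status = line.split()
        if urlparse(url).hostname != phish_domain:
            continue
        t = parse_ts(ts)
        entry = clickers.setdefault(src, {"user": user, "first_click": t, "urls": []})
        entry["first_click"] = min(entry["first_click"], t)
        entry["urls"].append(url)
    return clickers


def parse_egress(egress_log):
    rows = []
    for line in egress_log.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((parse_ts(ts), src, dst, int(port), int(nbytes)))
    return rows


def beacon_like(times, min_hits=3, jitter=timedelta(seconds=5)):
    """True if at least min_hits connections occur with near-constant spacing (C2 check-ins)."""
    if len(times) < min_hits:
        return False
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= jitter


def triage(proxy_log, egress_log, phish_domain, exfil_bytes=1_000_000):
    """Per clicking host: new destinations, beacons, bytes out, large uploads, quarantine flag."""
    clickers = find_clickers(proxy_log, phish_domain)
    if not clickers:
        return {}
    egress = parse_egress(egress_log)
    # Baseline is everything seen before the campaign's FIRST click, so one victim's
    # command-and-control traffic does not become "normal" for the next victim.
    campaign_start = min(c["first_click"] for c in clickers.values())
    baseline = {(d, p) for t, _s, d, p, _b in egress if t < campaign_start}
    report = {}
    for src, info in clickers.items():
        click = info["first_click"]
        after = [(t, d, p, b) for t, s, d, p, b in egress if s == src and t >= click]
        by_dest = defaultdict(list)
        for t, d, p, _b in after:
            by_dest[(d, p)].append(t)
        new_dests = sorted(set(by_dest) - baseline)
        beacons = sorted(k for k, ts in by_dest.items() if beacon_like(ts))
        large = sorted({(d, p) for _t, d, p, b in after if b >= exfil_bytes})
        report[src] = {
            "user": info["user"],
            "first_click": click,
            "urls": info["urls"],
            "new_destinations": new_dests,
            "beacons": beacons,
            "bytes_out_after_click": sum(b for _t, _d, _p, b in after),
            "large_uploads": large,
            "quarantine": bool(new_dests or beacons or large),
        }
    return report


if __name__ == "__main__":
    for host, r in triage(PROXY_LOG, EGRESS_LOG, PHISH_DOMAIN).items():
        print(host, r["user"], "QUARANTINE" if r["quarantine"] else "review",
              r["new_destinations"], r["beacons"], r["large_uploads"])
```

On the sample data, bob's machine starts a 30-second beacon to a never-before-seen host and pushes 4 MB out within three minutes of the click, so it is quarantined; carol clicked the same login page but her machine did nothing new afterwards. That is still a triage list rather than a verdict: she reached a credential-harvesting page, so her password is reset and the device checked by hand regardless of what the egress log shows.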
Pitler says mobile devices are not yet a major source of threats, but are still something being watched carefully. And as the Internet of Things brings many low-level devices onto the network, those are also being scrutinized.
"We have to be careful and understand the motivation of attackers in the IoT space," he comments. Sensors and other common IoT devices have little processing power, so per-device firewalls or anti-virus software may not be practical. But other protections can be built in, based on a clear understanding of what is at stake in a given IoT network.
— Carol Wilson, Editor-at-Large, Light Reading