An analysis of the Verizon Data Breach Report for 2011, with a focus on the threats, their attack methodologies, and approach vectors. Delivered to InfraGard - Honolulu Chapter, May 3 2011
Know Your Enemy: Verizon Data Breach Report

Verizon Data Breach Report, “Know Your Enemy” Edition. Originally prepared for InfraGard Honolulu Chapter, May 3, 2011. Beau Monday, CISSP, GSEC, Information Security Officer @ HawaiianTel.
Focused on who the bad guys are and what they are exploiting.
Most of NHTCU’s (the Dutch National High Tech Crime Unit’s) time was spent taking down a huge child pornography ring and taking down botnets, so their cases are not actually included in the 2010 stats. They are laser-focused on high-value targets and don’t investigate a large volume of cases.
The top three verticals remain the same, just shuffled (financial services was 1st last year, then hospitality, then retail). Keep in mind that the 2009 dataset was only 141 breaches. So, while the Government sector is the same 4% of the total as it was in 2009, the number of breaches there actually quadrupled, from 6 to 27.
Again, the dataset size is deceiving here. While the percentage of breaches overwhelmingly seemed to target SMBs, the number of breaches at companies of 1000+ employees still doubled since last year. This graph actually trends closely with the size distribution of businesses in the United States overall.
Only 3 partner-related incidents this year. 1 was a deliberate act, 2 were unintentional. Our long-fought battle with malicious insiders is finally won, right? Not so fast.
While the percentage of insider breaches was down, the actual number of insider incidents doubled. The decline in partner-contributed breaches appears to be genuine, which is a good thing.
Eastern Europe was still top dog in last year’s report, but only by a margin of 21% to the USA’s 19%. This year shows a marked rise in criminal groups based in Eastern Europe.
Infection vectors and functionality: the trend continues to focus on exfiltration capabilities and remote access. The 79% exfiltration and 78% backdoor figures represent huge jumps from last year (32% and 36%, respectively).
18% of malware investigated by Verizon was completely custom, and two-thirds was customized to some degree, mostly to avoid AV detection.
Web application vulnerabilities fell to 3rd place from their traditional 1st place spot, but if you take out the hospitality and retail verticals, web applications are back on top and more prevalent than ever.
Wait – IN PERSON?? Email was the favorite MO last year, but criminals have gotten personal, it seems.
Skimming operations are becoming more organized and sophisticated. Sprees can target 50-100 businesses at a time.
Remote access channels are increasingly a favorite target. With the proliferation of cloud-type offerings like GoToMyPC, do you really know what remote access capabilities you have in your environment? Data exfiltration continues to be the primary goal of most intruders.
Log management: reducing time to discovery is critical in limiting the damage intruders can inflict on your organization.
Many companies don’t know what to do when they suspect a problem. Users clicking on hostile attachments is still a problem (see: the RSA breach). Don’t neglect educating employees on social engineering tactics that involve personal contact.