New Dog, Old Tricks – 2017 Breach Analysis

As 2017 comes to an end, let’s look back on some of the year’s breach statistics and the threats that have plagued us and are forecast to return next year. Not surprisingly, financial organizations are again at the top of the list of the most attacked industries, accounting for 24% of breaches according to Verizon’s 2017 Data Breach Investigations Report.

This statistic has held true for the last several years and shows no indication of changing, which is not surprising since 73% of breaches are financially motivated. What may be surprising is the changing trend in the type of financial organizations being targeted. The majority of breach victims (61%) came from organizations that have fewer than 1,000 employees.

What hasn’t changed is the way those breaches are occurring. While attackers are using new tactics and tricks, their overall strategies remain relatively unchanged. Understanding those strategies is critical to knowing how to defend your organization from cyberattacks.

In 2014, Verizon’s RISK team researchers released the nine breach attack patterns that 92% of all reported breaches followed. Guess what: those attack patterns have not changed, and in Verizon’s 2017 report, 88% of breaches still follow them. Below is the list of attack patterns and what they mean for your organization.

  • Web app attacks
    • Web-application-related stolen credentials or vulnerability exploits.
    • 2017 Key Finding: The breaches within this pattern are heavily influenced by information gathered by contributors involved in the Dridex botnet takedown. Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers dominate the actions.
  • Cyber-espionage
    • Targeted attacks from external actors hunting for sensitive internal data and trade secrets.
    • 2017 Key Finding: Targeted phishing campaigns continue to be the tip of the spear for espionage-related breaches. Educational organizations made a bigger appearance in the victim base this year.
  • Point-of-sale intrusions
    • Attacks on POS environments leading to payment card data disclosure.
    • 2017 Key Finding: Accommodation, specifically restaurants, was the most prevalent victim of POS intrusions. Use of stolen credentials to access POS environments continues to rise and is almost double that of brute force for hacking actions. RAM scraping continues to be very pervasive, but keylogging/spyware malware increased substantially as part of multi-function malware targeting POS systems. Continuing the trend of the last several years, the sprees (single threat actor, many victims) represented in this data are a byproduct of successful attacks against POS vendors and cannot be attributed to automated attacks targeting poorly configured, internet-facing POS devices.
  • Insider threats and privilege misuse
    • Trusted actors leveraging logical and/or physical access in an inappropriate or malicious manner.
    • 2017 Key Finding: When the threat actor is already inside your defenses, they can be quite a challenge to detect—and most of the incidents are still taking months and years to discover. Most of these perpetrators are financially motivated, but don’t rule out those who want to use your data for competitive advantage.
  • Payment card skimmers
    • Physical tampering of ATMs and fuel-pump terminals.
    • 2017 Key Finding: ATMs continue to account for the majority of incidents; however, the number of ATM attacks fell by 25%, while the number of gas pump terminal-related attacks more than tripled. Attackers are mostly from Eastern Europe and Cuba.
  • Denial of service attacks
    • Non-breach-related attacks affecting business operations.
    • 2017 Key Finding: When we knew the organization size, DDoS attacks were disproportionately (98%) targeted at large organizations. Most attacks are not sustained for more than a couple of days.
  • Physical theft or lost devices
    • Physical loss or theft of data or IT-related assets.
    • 2017 Key Finding: Consistent with prior reports, misplacement is more common than theft. Top industries are influenced by our data contributors and regulatory requirements rather than a higher likelihood of loss.
  • Crimeware
    • Malware incidents, typically opportunistic and financially motivated in nature (e.g. banking Trojans, ransomware).
    • 2017 Key Finding: Ransomware has continued to increase for the last few years and is now the number one malware variety within this pattern. When examining non-incident data, 99% of malware is sent via email or webserver.
  • Miscellaneous user errors
    • An error directly causing data loss.
    • 2017 Key Finding: Misdelivery of information in either electronic or paper format continues to be the primary form of error. Publishing and disposal errors also make a respectable showing.

Knowing the basic attack patterns and statistics is great, but translating that knowledge into real-world scenarios that can help your organization shape its defense strategy is where the real benefit lies. That is exactly what the 2017 Data Breach Digest aims to do. I would encourage you to read it and use the scenarios as a tabletop exercise to evaluate your controls.

For more information on breach statistics and research, see the 2017 Data Breach Investigations Report.

For more general information, see the 2017 Data Breach Digest.