Learn about six developing trends in cybersecurity from one of the industry’s most respected reports.
2020.04.23
Emerging trends in cybersecurity
The much-anticipated 2019 Data Breach Investigations Report released by Verizon provides a wealth of tremendously helpful information. Since reading through it in its entirety will require quite a bit of time, we’ve taken the liberty of isolating six particularly significant trends. We’ve divided them into those which are broadly acknowledged, and those on which a consensus has yet to be reached. We hope this is helpful to you as you work to fortify your organization’s cybersecurity posture in an era rife with threats.
This edition of the Data Breach Investigations Report which debuted in 2008, provides information on confirmed security breaches and other incidents that occurred in 2018 from a wide range of sources, including those involved in telemetry data for vendors. Verizon’s report is lent significant additional credibility by its use of the VERIS (Vocabulary for Event Recording and Incident Sharing) Community Database as a key source. VERIS collects reports on security breaches from various sources and unifies the language.
Again, the report itself is extensive, but is an invaluable resource as your chances of finding information pertaining to your enterprise’s conditions are relatively high. Here we’ve provided six that we feel are representative of the challenges faced by organizations of larger scale or with significant IT-related outlays.
The verdict is in on these three
Targeting of C-level executives is on the rise: The report states that attempts to compromise executives have grown 12 times. Cybercriminals are shifting away from general phishing as they are not having as much success as in the past, and are engaging in spear phishing, where they pose as an acquaintance and attempt to acquire sensitive information. The DBIR also provides rates by business type or industry representing the likelihood of executives being targeted.
According to the report, executives having approval power and higher levels of system access may make them more appealing marks for attacks using false pretenses. This is supported by the 2019 Global Threat Report issued by cybersecurity technology company Crowdstrike, which cites examples of state-sponsored malware attacks engineered by Korea, China, and Russia.
Dan Tuchler, CMO of Securityfirst, which supports cybersecurity with data-centric solutions, points out that “Increasing targeting of C-level execs is the new reality, and they must make sure that the critical data is secured where it is stored.”
This is also the case when it comes to breach attempts via social media, notes founder and CEO George Wrenn at Cybersaint Security, specialists in cybersecurity compliance and risk management. “The drastic increase in social attacks on C-level personnel points to the increased demand for cybersecurity awareness in the C-suite.”
Preventative measures:
- Conduct security awareness training periodically
- Ensure two-party signoffs and multi-factor authentication (MFA) protection on treasury and payment processing for vulnerable users’ accounts
- Invest in research into enhancing protection for C-level executives
Nation-state actors are becoming increasingly prevalent: Such operators are broadening their scope from specific targets like power plants and grids to business at large. With government support, they are looking to throw operations into disorder, obtain classified industry information, and remain in the good graces of their unethical superiors. According to the DBIR, cyber espionage is the driving force behind a quarter of all security breaches, but it also stipulates that this may be due to a higher success rate in identifying those behind the breaches rather than an increase in the number of incidents.
Preventative measures:
- Classify data such as confidential sales numbers and customer purchase information as “sensitive data”
- Conduct security training regularly to raise awareness of issues such as typical phishing lures
Cloud security policies are only effective if they are strictly observed: Simple carelessness with regard to passwords for cloud accounts and databases has resulted in a staggering number of cases involving data leakage. Examples include the recycling of previously used passwords, and successful access by attackers using credentials swiped in past endeavors. Adam Laub, product management senior vice president at cybersecurity software firm Stealthbits Technologies, acknowledges that “Certainly, credential theft seems to be more prevalent and consistent in many more breaches.” Tyler Owen, director of solution engineering at cloud security company Ciphercloud, concurs. “Why try to hack into an organization when you can just reuse easily guessed passwords?”
Cloud-based email is highly susceptible to breach, as the front ends of cloud-based email servers account for 60 percent of such incidents, according to the DBIR. This is an attractive entry point for attackers because it can lead to access to a host of other internal information assets. Pravin Kothari, Ciphercloud CEO, says that “Criminals are also finding it far easier to target the cloud to use stolen passwords, API vulnerabilities, or misconfiguration to take over accounts and access all information like an authorized user.”
Preventative measures:
- Protect cloud services by mandating MFA credentials for all cloud accounts
- Look into cloud access security broker tools
- Access Have I Been Pwned and similar resources to see if corporate credentials have already been compromised
The jury is still out on these three
Should security emphasis be on internal or external threats? TThere are data that support both sides of the argument. According to the DBIR, two-thirds of the cases of unauthorized access originated from outside the targeted organizations. And this chart published in The Breach Level Index shows that the vast majority of the largest-scale breaches were external in origin.
But it’s not an open-and-shut case. Of the 400 respondents to a survey conducted as part of the Bitglass Insider Threat Report, six in 10 had been the target of an internal attack within the previous 12 months. And Veriato’s 2019 Insider Threat Maturity Report survey, sent to 150 professionals in the IT domain, found that “the majority of organizations have no formal team in place to establish inside-threat policies and processes, and a majority of those surveyed allocated no budget for a program despite being generally supportive of the idea.”
Preventative measures:
- Terminate access rights for all employees who leave the company, regardless of the circumstances
- Be objective and realistic about the possibility of internal sabotage, while remaining vigilant with regard to external threats
Are ransomware attacks becoming more common? Again, data exists to make either position viable. Articles in a blog published by Malwarebytes seem to indicate that ransomware attacks are increasing both in number and prominence. The city of Baltimore was hit by attacks in March 2018 – the target being the city’s 911 operations center – and in May 2019 when many municipal computers were rendered inoperable.
Instead of taking one side or the other, the DBIR notes that attackers have found value in using ransomware beyond simply stealing data. Almost 25 percent of the breaches in 2018 involved ransomware. In the healthcare field, the report states, businesses are obliged to report ransom incidents whether data was lost or not. That’s not true, however, for companies in most fields. The fact that not all cases are documented makes it difficult to accurately identify the frequency of such attacks. But they are prominent, as the DBIR estimates that seven in 10 malware infections involved ransom demands.
According to security specialist Brian Higgins at cybersecurity consulting firm Comparitech, ransomware “is easier than trading in stolen credit card details, less reliant on TOR (The Onion Router; open-source software that makes anonymous communication possible), and a far more reliable moneymaker because, unfortunately, it’s still easier to pay up than report it even with GDPR hanging over your head.”
Preventative measures:
- Ensure backup capability is commensurate with the computer environment
- Reconfirm workflow and plug any holes found
- Develop or shore up your disaster recovery plan and conduct regular tests to confirm viability
How long are hackers actually present within our networks? While many of the reports on what is referred to as “dwell time” appear somewhat unreliable in terms of its definition and of accuracy, the general sense is that it is on a downward trend. Threat detection specialists Trustwave, ffor instance, claim that the median duration from intrusion through to containment decreased from 83 days in 2017 to 55 the following year. What remains unclear, though, are the starting and ending points. It could be said that the event begins upon the compromise of the endpoint, or when someone discovers that it has happened. And the point at which the hacker has been successfully kicked out of the system is also not clear. The DBIR’s stance is that the nature of the attack really determines how long it might take to become aware that an attack took place, further complicating matters.
What can be said with confidence, though, is that hackers may remain in the system for months after the intrusion. Chief technology officer Fraser Kyne of virtualization technology startup Bromium cautions that “The longer the time a hacker has unauthorized access to systems, the more dangerous the attack can be. We have to turn the endpoint from a traditional weakness into an intelligence-gathering strength.”
Cyberattack perpetrators are evolving, and their malware is becoming increasingly sophisticated, which presents new challenges in detection and negation. There is a bright side to this, however, as the hacker’s margin for error is wafer thin. If they don’t execute every step in the process successfully, they may fail to acquire the data or financial assets they were after. The increasing complexity of malware conversely provides more opportunities for detection, so if you are able to discourage the invader at some point, they may very well cut their losses and select a different target.
Understanding the mechanics of a malware offensive is key in mounting a defensive strategy. The DBIR helps greatly in that regard as it breaks malware attacks down into the early, middle, and late stages. It starts with something characteristic of hacking, like an attempt to manipulate individuals into revealing classified or personal data. This is often followed by the deployment of malware to sneak around your network and get the lay of the land, and then further malware and hacking activity. If malware is detected within your network, then the attack attempt is already underway. Detecting an attempt at social engineering or phishing, though, could be an indication of an impending breach.
Satya Gupta, founder and CTO of enterprise security specialists Virsec, laments the inability to discover and respond more rapidly to intrusions. “There continues to be a temporal disconnect between the time frame for attacks versus response. The DBIR points out that attack chains act within minutes, while the time to discovery is more likely to be months. This gap must be tightened, and security tools need to focus on real-time attack detection if we are to have any chance to curtail these breaches.”
Preventative measures:
- Learn to understand the messages your defensive tools are sending you
- Be sure to perform a comprehensive examination along the entire path to identify the nature and origin of an attack
The Verizon DBIR is a much-anticipated publication, and while there have been many articles picking up and commenting on certain aspects of the report, it behooves you to download it and review it yourself. Needs and exposure risks differ from one enterprise to the next. And you never know – it may be just the tool you need to persuade the decision makers at your firm to invest in more sophisticated security measures.