Highlights of Verizon's 2012 Data Breach Investigations Report

May 2012

Verizon has published the 5th of the Annual Data Breach Investigations Report on March 2012. The report analyzes forensic evidence of 2011 to find out how sensitive data was stolen from organizations, who did it, why they did it and what might be done to prevent it. I made a short summary of the 76 pages long report to help impatient readers looking if it is relevant and possibly helpful in planning of any type of controls for data protection. The full report is available to download at http://www.verizonenterprise.com/Products/security/dbir/

The report focuses on data breaches consolidated from hundreds of incidents in diverse geographies with various contributors, including United States Secret Service (USSS) and the Dutch National HighTech Crime Unit (NHTCU), Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police Central eCrimes Unit (PCeU) of the London Metropolitan Police. Data collection and analysis was done using a set of metrics defined in the Verizon Enterprise Risk and Incident Sharing (VERIS) framework. This methodology is open and free for public use. The threat model here views a security incident as a series of events that adversely affects the information assets of an organization. Four A’s (AGENT, ACTION, ASSET, ATTRIBUTE) comprise the elements of an event describing threat and incident scenarios.

It is also worth to note that the event data for large organizations is grouped, analyzed and reported separately to reveal the patterns that is more specific to those organizations.

Following the Four A structure (Agents, Actions, Asset, Attribute), the characteristics of the incidents covered in the report can be summarized as below;

Entities that cause or contribute to an incident are known as threat agents. They are categorized as External, Internal or Partners. External agents acted in a very high percentage of incidents. Organized criminal groups with financial or personal gain motives constitute the majority of this group. These agents mostly targeted payment card information from Internet-facing POS systems or physically-exposed ATMs. Activists with ideological dissent also contributed to the volume of external party attacks. While activist attacks were fairly low compared to financially-motivated attacks, they stole over 100 million records from large organizations. That is almost twice the amount stolen by all those financially-motivated professionals.

Threat actions describe what the threat agent did to cause or to contribute to the breach. Hacking and malware built the body of threat action categories as they were used in 86% of the attacks where two or more events were involved in the incident. Keyloggers and varieties led the malware group as they appeared in almost half of the breaches and took role in compromising 35% of the records. Installation and exploitation of backdoors were also consistent threat actions seen in one out of every five attacks. Remote access services (e.g., VNC, RDP) accounted for 88% of all breaches leveraging several hacking varieties such as exploitation of default or guessable credentials, brute force and dictionary attacks and/or exploitation of backdoor or command and control channel.

Threat actions showed different patterns for large organizations where exploitation of default credentials declined and use of social tactics soared. Presumably larger organizations are more likely have the basic controls in place to prevent several attacks. This is obviously in line with the resources and capabilities of those organizations in question.

Servers and user devices comprised the majority of compromised assets. As expected, majority of the impacted data breaches took place on servers. It was found that most of the breached assets were hosted by the organization itself. There is no distinctive pattern for management of these assets though (Internal vs External). Although payment card information and authentication credentials were involved in majority of the breaches, the number of records compromised in these incidents was relatively small (4%). In contrast, 95% of the compromised records were personal information while the number of associated incidents was relatively small (4%). 

The report reveals that small/medium organizations were mostly targets of opportunistic attacks as they were identified with weaknesses that can be exploited. In contrast, large organizations were more likely chosen for targeted attacks. Finance/Insurance and the Information sectors were targets of choice more often than other industries. More than half of the attacks were made using basic methods without the need of skilled techniques and/or resources. It was found that the initial compromise tended to be easier while subsequent actions such as gaining access is moderately difficult and required skilled techniques and/or significant resources. Almost all of the data in scope was compromised via moderate to difficult post-infiltration methods.

In over half of the incidents investigated, it took months for the victim learns of the incident. The incidents contained and/or compromised systems restored usually within days after learning the incident. Interestingly, third parties discovered data breaches much more frequently than do the victim organizations themselves. This figure is slightly better for large organizations where 49% of incidents were notified by third parties. This is in line with the knowledge, resources and capabilities they have to discover security breaches more effectively. Law enforcement made the majority of notifications (59%) for smaller organizations. Large organizations were informed by various means including by their perpetrators in 21% of the cases. 

Conclusion & Recommendations
Technical controls such as IDS/IPS/HIPS, log monitoring, anti-virus and other like technologies found to be playing an important role to help discovery of attacks. Apparently log review and analysis has been an important step that topped the internal active discovery list. Security awareness campaigns found to be a contributor for internal passive discoveries as employees discover and act on unusual behaviours more promptly.

The Report also checks the PCI-DSS compliance status of the victims and found that 96% of the affected organizations were not PCI compliant, either failed to perform their (self) assessments or failed to meet one or more of the requirements. This group mainly consist of small organizations though. It was concluded that a significant deviation from PCI DSS (as well as many industry standards) was a major factor for breaches. There were also examples where the organization was PCI compliant but still suffered a breach. This was correlated to the possibility that an organization deemed compliant at its last audit may not still be compliant at the time of the breach. It was believed that there might be some degree of variability across individual assessors.

The report's conclusion and recommendations section consolidates indicators and mitigators for the top threat actions observed throughout the year. According to the report, the top threat actions are;

• Keyloggers and the use of stolen credentials
• Backdoors and command control
• Tampering
• Pretexting
• Phishing
• Brute force
• SQL injection

The report finally defines these threat actions and lists indicators (warning signs and controls for detection) and mitigators (threat prevention, recovery and response) that can be used against these actions.