Verizon-Secret Service Breach Report Focuses On External Attacks

Insiders were at least partly responsible for nearly half the data breaches investigated by Verizon Business and the U.S. Secret Service in 2009, but external attacks continue to account an overwhelming majority of records stolen, according to the 2010 Verizon Data Breach Investigation Report. The third annual report is the first to include data from the Secret Service, which accounts for a substantial increase (26 percent) in reported insider attacks over the previous year. However, more than 138 million of the 143 million records stolen were attributed to external attacks, with the balance rest split about equally between insider compromises and multiple agents, generally a combination of outside attackers working with employees or partners.

This massive impact of external attacks has held true for the more than 900 million stolen records stolen in the six years covered by the reports. The successful attacks continue to rely, more often than not by exploiting things like misconfigurations or default admin passwords. "It's painful watching the companies fall victim to the same stupid problems," said Bryan Sartin, director of investigative response for Verizon Business. "The purpose of the data breach report is to give readers insight into the underpinnings of cybercrime and the ability to dissect, look at how what causes the breaches and what can they do to keep from being the next victim."

More than half of the insiders involved in data breaches were what Verizon characterizes as "regular employees/end users." Another quarter were split evenly between financial/accounting staff and network/system administrators. Executives accounted for 7 percent of the insider breaches. Social tactics were involved in more than a quarter of the total breaches, a large increase over the previous year that the report attributes to the influx of insider incidents in the Secret Service data. These tactics include solicitation or bribery, phishing (or spear-phishing, etc.), deception, spoofing, extortion or some sort of scam. However, these tactics only account for about 3 percent of the stolen records.

In the most successful breach cases, hacking and malware were each involved in the theft of about 95 percent of the records stolen. The report shows that external attackers typically gain access to the victim network through a hack -- almost always through a Web application, very often using SQL injection - then plant malware to exploit their foothold and collect and remove data. Anti-malware software is generally ineffective, because malware is not used to gain initial entry, and attackers are customizing their malware to evade detection. "Malcode is almost never the point of entry," said Sartin. "We still see a lot of customization, and anti-virus doesn't pick it up."

In the cases where most of the data (more than 80 percent) is stolen, attackers install malware with backdoor functionality to gain remote access and control, capture the data and send it out. System/network utilities such as PsTools and Netcat plays a role in these attacks. Keyloggers are also very popular, but only in low-yield attacks, responsible for just 1 percent of the stolen records.Verizon, who often works with law enforcement as a result of many of its investigations, has had an ongoing relationship with the Secret Service, who uses Verizon's VerIS (Verizon Incident Sharing) breach metrics framework for collecting and organizing data so organizations can assess and reduce risk when they analyze the collected results and see where they are most vulnerable. Verizon released the VerIS framework for free public use in March.

The report goes out of its way to note that it has no data on the hot topic of advance persistent threats (APT), choosing to "classify threat actions and their agents in a descriptive manner," rather than identify something as an ATP attack. "The actual threat behind APT is the media hype," said Sartin. Verizon investigated 25 or 30 cases, he said, usually involving oil and gas companies or critical infrastructure (water district, power companies) for what turned out to be minor incidents but no data breach.

"It's almost like they had made up their minds that it was already happening and was worst case situation," he said. "I have never seen anything credible that could be related to something called APT that has any earmark of anything we haven't been seeing for 10 years now. It's the same stuff, but someone came up with a new concept and scared the hell out of us."