"We're seeing a retooling by the folks who are behind this," says Chris Novak, global forensics investigator for Verizon. "We're not seeing them target large-scale data breaches; they're hitting smaller scale organizations." Novak cites successful arrest and prosecution in the criminal underground as a factor. Criminals are shying away from high-risk "big jobs" and picking on smaller targets, where security is likely to be weaker.
Most of these attacks, 83%, are classified as opportunistic rather than targeted against particular organizations, indicating the use of automated weapons and snatch-and-run tactics rather than long-term intrusions in which criminals continue to exfiltrate records undetected over long periods of time. Malware was a factor in almost half the breaches, an increase from 38% in 2009, which may also indicate a trend to automation and a lower chance of getting caught.
"When we have an opportunity to interview perpetrators, the common thread is that they rarely know who they hacked into," Novak says. "They don't care what the sign on the outside of the building says; cash is cash. Why go after Fort Knox when I run a much better risk of getting caught, when I can knock over a bunch of liquor stores? The job is easier to pull off, and the risk is a lot less."
There may also be a glut of personally identifiable information (PII), credit card numbers and other mass-volume information, Novak says. The value may have decreased as the criminal market reaches a saturation point, so records that may have fetched $30, $50 or $100 at one time may be worth only cents on the dollar. However, payment card information is still a popular target, he says, because it is the easiest to monetize, and randomly stolen intellectual property has no value unless the thief is in a position to use it.