One in five data breaches are the result of cyberespionage, Verizon says

Verizon's data breach investigations report covering 2012 includes information on cyberespionage-related breaches for the first time

Even though the majority of data breaches continue to be the result of financially motivated cybercriminal attacks, cyberespionage activities are also responsible for a significant number of data theft incidents, according to a report that will be released Tuesday by Verizon.

Verizon's 2013 Data Breach Investigations Report (DBIR) covers data breaches investigated during 2012 by the company's RISK Team and 18 other organizations from around the globe, including national computer emergency response teams (CERTs) and law enforcement agencies. The report compiles information from over 47,000 security incidents and 621 confirmed data breaches that resulted in at least 44 million compromised records.

In addition to including the largest number of sources to date, the report is also Verizon's first to contain information on breaches resulting from state-affiliated cyberespionage attacks. This kind of attack targets intellectual property and accounted for 20 percent of the data breaches covered by the report.

In over 95 percent of cases, the cyberespionage attacks originated from China, said Jay Jacobs, a senior analyst with the Verizon RISK team. The team tried to be very thorough regarding attribution and used different known indicators that linked the techniques and malware used in those breaches back to known Chinese hacker groups, he said.

However, it would be naive to assume that cyberespionage attacks only come from China, Jacobs said. "It just so happens that the data we were able to collect for 2012 reflected more Chinese actors than from anywhere else."

The more interesting aspects of these attacks were the types of tactics used, as well as the size and industry of the targeted organizations, the analyst said.

"Typically what we see in our data set are financially motivated breaches, so the targets usually include retail organizations, restaurants, food-service-type firms, banks and financial institutions," Jacobs said. "When we looked at the espionage cases, those industries suddenly dropped down to the bottom of the list and we saw mostly targets with a large amount of intellectual property like organizations from the manufacturing and professional services industries, computer and engineering consultancies, and so on."

A surprising finding was the almost fifty-fifty split between the number of large organizations and small organizations that experienced breaches related to cyberespionage, the analyst said.

"When we thought of espionage, we thought of big companies and the large amount of intellectual property they have, but there were many small organizations targeted with the exact same tactics," Jacobs said.

There is a lot of intelligence-gathering involved in the selection of targets by these espionage groups, Jacobs said. "We think that they pick the small organizations because of their affiliation or work with larger organizations."

In comparison to cyberespionage, financially motivated cybercrime was responsible for 75 percent of data breach incidents covered in the report and hacktivists were behind the remaining 5 percent.

One noteworthy finding of this report is that all threat actors are targeting valid credentials, Jacobs said. In four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim's network, he said.

This will hopefully start to raise some questions about the widespread reliance on single-factor password-based authentication, Jacobs said. "I think if we switch to two-factor authentication and stop being so reliant on passwords, we might see a decrease in the number of these attacks or at least force the attackers to change" some of their techniques.

Fifty-two percent of data breach incidents involved hacking techniques, 40 percent involved the use of malware, 35 percent the use of physical attacks -- for example ATM skimming -- and 29 percent the use of social tactics like phishing.

The number of breaches that involved phishing was four times higher in 2012 compared to the previous year, which is probably the result of this technique being commonly used in targeted espionage campaigns.

Despite all the attention given to mobile threats during the past year, only a very small number of breaches covered by the Verizon report involved the use of mobile devices.

"For the most part, we are not seeing breaches leverage mobile devices as of yet," Jacobs said. "That's a pretty interesting finding that's kind of counter-intuitive in light of all the headlines saying how insecure mobile devices are. That's not to say they're not vulnerable, but the attackers currently have other easier methods to get the data."

The same holds true for cloud technologies, Jacobs said. While there have been some breaches involving systems that are hosted in the cloud, they were not the result of attacks exploiting cloud technologies, he said. "If your site is vulnerable to SQL injection, it doesn't matter where it's hosted -- in the cloud or locally. The kind of breaches we're seeing would occur regardless of whether the system would be in the cloud or not."

The Verizon report includes a list of 20 critical security controls that should be implemented by companies and which are mapped to the most prevalent threat actions identified in the analyzed dataset. However, the level to which every company should implement each control depends on the industry they're part of and the type of attacks they're likely to be more exposed to.

Stories by Lucian Constantin