RSA: Verizon details data breaches from pirates to pwned water district

Anecdotal Data Breach Digest is a prep manual for cyber combat

In one case pirates – actual pirates – boarded cargo ships armed with a list of which shipping containers contained jewelry and went straight to them, stole the gems and left.

In another, attackers took control of the mainframe at a water district, mixed sewage with the drinking water, boosted the chlorine to dangerous levels and stole customer information.

These are two of 18 representative case studies in Verizon’s new Data Breach Digest, a compendium of anonymized customer investigations performed by the company’s Research, Investigations, Solutions and Knowledge (RISK) Team and released at RSA Conference 2016.

+ NOT AT THE SHOW? Follow all the news from RSA 2016 +

The Data Breach Digest, new this year, is a companion to Verizon’s well established annual Data Breach Investigations Report (DBIR), which is heavy on metrics, graphs and statistics about cyber-threat trends, how to predict them and how to prevent them.

The Data Breach Digest tells the stories behind the metrics that give readers a trench-level view of what it’s like to investigate these breaches and a sense of what it feels like to be the victim.

The goal of the report is to give a trench-level view of the predicaments breach victims find themselves in, and the stories serve as object lessons readers can use to defend their own networks, says Bryan Sartin, director of the RISK Team. “The DBD is a great big book of monsters,” he says.

Bryan Sartin, director of the RISK Team

For the digest, Verizon looked at three years of data breach investigations – about 1,200 customer cases. “What we found completely shocked us,” he says. “Almost 65% of the investigations can be explained in 12 breach categories.” These are the same bad stories that play out in somebody’s back office, one enterprise after another,” Sartin says.

To that dozen, Verizon added six more categories because they were the most lethal, not because they were common. That brings the total to 18, which Verizon then broke down into four types:

  • Human exploitation, social engineering;
  • Compromising devices that lead to attacks on valuable assets;
  • Exploiting configuration and patching errors;
  • And malicious software.

In its war against breaches, Verizon took a page from the U.S. Army’s combat-engagement model that has troops study the most lethal and common methods of engagement they are most likely to face in actual combat. “That’s exactly what we’ve done here,” he says.

The value is that it can help teach smart security by learning from others’ mistakes, he says. It’s organized so, for example, a security pro in retail can look up cases that were carried out against retailers. Just three or four attack scenarios might account for 50% or 60% of all breaches in their sector, helping to focus their defenses.

The digest refers to the case of the hacked water district as Dark Shadow. The district called Verizon in for an assessment and were adamant they didn’t have a breach, but it soon became apparent some kind of breach was underway.

The Verizon team discovered unauthorized access on a Web server where customers could check water-meter readings and pay their bills. A breach of that server led to compromise of personally identifiable information on the server, and that compromise led to exploiting some weak configurations on other devices. Specifically it compromised the mainframe that controlled the valves and ducts that routed the water.

“They started basically joyriding on that,” Sartin says. They connected fresh water and sewage lines, which was caught by monitoring devices. They also leaked large quantities of chlorine into the water supply up to dangerous levels.

In the case of the pirates, dubbed The Roman Holiday, Verizon was called in to investigate a suspected breach at a container shipping company.

Pirates in certain parts of the world were raiding the company’s ships, and the crews would lock themselves in a safe area as per protocol and let the pirates do what they wanted and leave. “The pirates would come in and very quickly and surgically identify a certain container based upon bar code and/or serial number, cut into that container, take certain valuables in it…and then they would leave,” he says. In particular they were looking for jewelry.

A breach on a content management server located 1,000 miles away that contained manifest information about shipping routes and schedules and the content of each container. The data was sold to a gang that sold it to another gang till it wound up in the hands of the pirates. “I can’t speak in that case whether or not the pirates were actually captured,” he says.

Join the CSO newsletter!

Error: Please check your email address.

Tags rsa

More about RSAVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By IDG News Service staff

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place