Cybercriminals care most about ROI, so make yourself expensive to hack: Verizon

High-profile companies will always be singled out by cybercriminals but the majority of businesses find themselves in the spear-phisher's sights due to simple economics – and one security expert argues that they can save themselves by becoming too expensive to bother with.

“Criminals are seeking easier ways to make money, and they need to have a very high return their investment,” Ashish Thapar, managing principal for investigative response with Verizon Enterprise Services, told CSO Australia as the company dropped its latest annual Data Breach Investigations Report (DBIR).

“If defenders can increase the cost to the attackers, they can defend themselves very well,” Thapar explained, recommending that businesses create layered security controls as an evolution of conventional perimeter-based defences.

“From an enterprise perspective, if you can really take hold of your controls and protect your most important golden nuggets, you can at last – if not win the game – can defend the game to some extent.”

Thapar's conclusion comes on the back of a significant expansion in the coverage of the latest DBIR, which is based on analysis of more than 100,000 incidents from 82 countries – up substantially from the previous year's report. Privilege misuse was the most commonly used exploit observed in the company's analysis of 64,199 incidents, with 10,490 of those attributed to privilege misuse – more even than the 9701 attributed to physical theft or loss.

Denial of service (9630 incidents), crimeware (7951), and Web app attacks (5334) were the other major vectors for attack while POS intrusions (534) and cyber-espionage (247) were relatively uncommon. The figures showed small retailers, large public-sector organisations, large financial-services providers, and small hospitality companies as suffering notable volumes of data-loss incidents throughout 2015 – which was “unsurprising” to the report's authors “as they process information which is highly desirable to financially motivated criminals.”

Indeed, analysis of attacker motivations suggested that financial gain had increased throughout 2015 while espionage was on the decline – fuelling a headline statistic that 89 percent of breaches during the year had a financial or espionage motive.

Worryingly, analysis of the time to compromise versus the time to discover showed that 81.9 percent of compromises happened within minutes of infection and 67.8 percent of data exfiltrations happened within days of the compromise. This suggested an extremely small window of opportunity for businesses to defend themselves – and, particularly, to deflect attacks in a way that will encourage often automated attack bots to simply move on to another, softer target.

“Unfortunately we see the detection gap between the bad guys and the good guys widening,” Thapar said. “It's not that organisations aren't trying to do their best, but the bad guys are automating their attacks. The time for them to really penetrate and attack the entry point is becoming shorter and shorter, and they are definitely trying to be more targeted and more efficient.”

This expediency meant that many organisations should consider focusing their security resources on plugging the main entry points to the organisation rather than spending inordinate amounts of time trying to be comprehensive; a strong front door and an obvious security system, Verizon Enterprise Solutions Security Services Advisors team lead Aaron Sharp said, is often enough to deter would-be attackers. “We have learned that trying to mitigate beyond those main attack paths is inefficient,” he explained.

“There are so many side branches that an organisation can end up chasing its tail. Cybersecurity should be incorporated more completely into risk management functions. And, beyond those key mitigation points, you are much better investing your security dollar in well-trained operational staff who are trained to detect and respond effectively to these threats.”

If that quick response can stymie cybercriminals' initial – and often automated – efforts to breach your network, they will have to try different approaches and their ROI goes down. And this, Thapar said, can make all the difference. “The evidence suggests that they are compromising systems within seconds or minutes,” he explained, “but they are so opportunistic that sometimes all you need to do is to raise the bar a little bit to make it uneconomical for the bad guys to target you. And if they can't make any money from targeting you, maybe they will target somebody else.

That's good if you are a corporate entity but it's not good from an industry perspective – but eventually the invisible hand of the market forces the bar to be raised across the board.”

Join the CSO newsletter!

Error: Please check your email address.

Tags hackersexpensiveautomated attack botstargeted attacksroiDBIRverizoncybercriminalsVerizon Enterprise ServicesHigh profile

More about CSOSharpVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts