High-profile companies will always be singled out by cybercriminals but the majority of businesses find themselves in the spear-phisher's sights due to simple economics – and one security expert argues that they can save themselves by becoming too expensive to bother with.
“Criminals are seeking easier ways to make money, and they need to have a very high return their investment,” Ashish Thapar, managing principal for investigative response with Verizon Enterprise Services, told CSO Australia as the company dropped its latest annual Data Breach Investigations Report (DBIR).
“If defenders can increase the cost to the attackers, they can defend themselves very well,” Thapar explained, recommending that businesses create layered security controls as an evolution of conventional perimeter-based defences.
“From an enterprise perspective, if you can really take hold of your controls and protect your most important golden nuggets, you can at last – if not win the game – can defend the game to some extent.”
Thapar's conclusion comes on the back of a significant expansion in the coverage of the latest DBIR, which is based on analysis of more than 100,000 incidents from 82 countries – up substantially from the previous year's report. Privilege misuse was the most commonly used exploit observed in the company's analysis of 64,199 incidents, with 10,490 of those attributed to privilege misuse – more even than the 9701 attributed to physical theft or loss.
Denial of service (9630 incidents), crimeware (7951), and Web app attacks (5334) were the other major vectors for attack while POS intrusions (534) and cyber-espionage (247) were relatively uncommon. The figures showed small retailers, large public-sector organisations, large financial-services providers, and small hospitality companies as suffering notable volumes of data-loss incidents throughout 2015 – which was “unsurprising” to the report's authors “as they process information which is highly desirable to financially motivated criminals.”
Indeed, analysis of attacker motivations suggested that financial gain had increased throughout 2015 while espionage was on the decline – fuelling a headline statistic that 89 percent of breaches during the year had a financial or espionage motive.
Worryingly, analysis of the time to compromise versus the time to discover showed that 81.9 percent of compromises happened within minutes of infection and 67.8 percent of data exfiltrations happened within days of the compromise. This suggested an extremely small window of opportunity for businesses to defend themselves – and, particularly, to deflect attacks in a way that will encourage often automated attack bots to simply move on to another, softer target.
“Unfortunately we see the detection gap between the bad guys and the good guys widening,” Thapar said. “It's not that organisations aren't trying to do their best, but the bad guys are automating their attacks. The time for them to really penetrate and attack the entry point is becoming shorter and shorter, and they are definitely trying to be more targeted and more efficient.”
This expediency meant that many organisations should consider focusing their security resources on plugging the main entry points to the organisation rather than spending inordinate amounts of time trying to be comprehensive; a strong front door and an obvious security system, Verizon Enterprise Solutions Security Services Advisors team lead Aaron Sharp said, is often enough to deter would-be attackers. “We have learned that trying to mitigate beyond those main attack paths is inefficient,” he explained.
“There are so many side branches that an organisation can end up chasing its tail. Cybersecurity should be incorporated more completely into risk management functions. And, beyond those key mitigation points, you are much better investing your security dollar in well-trained operational staff who are trained to detect and respond effectively to these threats.”
If that quick response can stymie cybercriminals' initial – and often automated – efforts to breach your network, they will have to try different approaches and their ROI goes down. And this, Thapar said, can make all the difference. “The evidence suggests that they are compromising systems within seconds or minutes,” he explained, “but they are so opportunistic that sometimes all you need to do is to raise the bar a little bit to make it uneconomical for the bad guys to target you. And if they can't make any money from targeting you, maybe they will target somebody else.
That's good if you are a corporate entity but it's not good from an industry perspective – but eventually the invisible hand of the market forces the bar to be raised across the board.”