Around half of cyber attacks are being perpetrated by organised criminal groups and ransomware is by far their favourite modus operandi, according to new Verizon research that paints a dark picture of the increasingly challenges facing cybersecurity executives.
Outside attackers weren’t the only group to fear, however: according to Verizon’s 2018 Data Breach Investigations Report (DBIR), while 73 percent of attacks were attributable to outsiders, fully 28 percent of the 53,000 analysed incidents – which included 2216 data breaches – involved company insiders.
Ransomware was identified in 39 percent of cases where malware was identified, with 4 percent of people said to click on any given phishing campaign. Perhaps even more worrying, the report noted, “the more phishing emails someone has clicked, the more likely they are to do so again”.
This last finding fuelled perceptions that businesses “are really losing the arms race”, Verizon principal consultant Chris Tappin told CSO Australia. “People haven’t really moved much in terms of whether they have heard of ransomware, whether they have backups, have done their DDoS recovery exercise.”
“Meanwhile, cybercriminals are taking commodity malware, redefining it, and customising it for a campaign against a specific target. You are up against very highly motivated attackers who are trying to blind the radar – and small businesses, in particular, are sitting ducks.”
Financial goals – attached to 76 percent of analysed incidents – continued to lead the list of motivations for cybercriminal activities, while espionage activity was down from 2016 and the number of attacks carried out for ‘fun’ increased moderately.
As in previous years, the DBIR recorded a wide spread of internal risk amongst industries: while 56 percent of attacks on healthcare targets were blamed on internal actors, for example, just 13 percent of attacks on manufacturing companies stemmed from internal actors.
In the retail industry, just 10 percent of attacks came from internal sources. This reflected the desirability of retail targets as honeypots of customers’ financial information – which comprised 73 percent of data taken in incidents.
By contrast, intellectual property secrets were targeted in 30 percent of attacks against manufacturing companies, and credentials were targeted in 41 percent of attacks against information-industry firms.
Methods for breaches were evolving all the time but the preponderance of ransomware showed it “really coming to the forefront loud and strong,” said Ashish Thapar, managing principal for Verizon’s Threat Research Advisory Centre (VTRAC). “It has really ratcheted up big time. You’re not up against script kiddies, and not up against novice attackers.”
The figures corroborate findings in the recently-released Telstra Security Report 2018, which noted respondents had reported more ransomware attacks in 2017 than in any previous year.
A quarter of Australian respondents to that survey said they had experienced a business interruption due to a security breach in the last 12 months – well ahead of the 17 percent global figure. And, with some 47 percent of Australian businesses saying they paid ransomware ransoms to get their data back, such incidents are unlikely to disappear any time soon.
Sophisticated phishing tactics, which are preying on users that inevitably prove susceptible to even the most blatant deceptions, are continuing to promulgate malware infections. The DBIR reported a window of just 16 minutes until somebody clicks on a new phishing campaign for the first time – and 28 minutes until IT-security staff get the first report of a new campaign from a “savvy user” whose suspicions are, correctly, raised.
That leaves a window of at least 12 minutes, on average, in which new malware can run rampant on the network – and in which CISOs will be operating blissfully unaware of the coming storm.
“There is a certain amount of information overload for the CISO,” said Thapar, noting that social-engineering attacks are successful three times as often as exploitation of technical vulnerabilities.
“The human factor continues to be a key weakness,” he said, noting that even human resources departments are becoming key targets due to their concentration of employee-related PII.
“That is what is mainly being attacked. Whatever you say is not enough, and whatever you do is not enough; it’s an ongoing journey, and there is no destination for this.”