Upload
leminh
View
225
Download
3
Embed Size (px)
Citation preview
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
PTEXXXXX XX/13
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 2
Incidents that 50 global contributors
investigated form the basis of the research
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 3
The DBIR uses the VERIS framework for
data collection and analysis
Actor – Who did it?
Action – How’d they do it?
Asset – What was affected?
Attribute – How was it affected?
Documentation, classification examples, enumerations: http://veriscommunity.net/
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 4
A decade of data breaches
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 5
Internal and partner threat actors are fairly
consistent; external ones are increasing
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 6
Espionage-motivated incidents increase;
possibly due to increased visibility
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 7
Increased threat diversity reflects both
better sharing and real trends
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 8
Attackers are faster than defenders, and
the gap is widening
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 9
Law enforcement and third parties detect
breaches more often; internal is still poor
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 10
2014: specific patterns for
specific recommendations
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 11
Last year, we noticed most breaches fit
into patterns
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 12
We can use the structured VERIS coding
of an incident for statistical clustering
malware.vector
asset.variety
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Cyber-espionage
POS intrusions
Insider misuse
Misc errors
Card skimmers
Crimeware
DoS attacks
Web app attacks
Theft/Loss
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 14
The frequency of patterns in an industry
supports specific recommendations
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 15
Point of Sale (POS) Intrusions
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 16
• Overall frequency is actually
declining
• Brute forcing remote access to POS
still primary intrusion vector
• Increased frequency of RAM
scraping malware (versus key
logging)
• Recommendations:
– Restrict remote access, mixed use
– Enforce password policies
– Deploy AV
– Network segmentation
– Network monitoring
– 2-factor authentication
Point of Sale Intrusion Key Findings
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 17
Web App Attacks
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 18
• Common motivations are
ideology/fun and financial
• Discovery is typically external and
slow
• Most attacks exploit weak input
validation or use stolen credentials
• Compromising content
management systems for DDoS
use was common
• Recommendations:
– 2-factor authentication
– Rethink CMS
– Validate inputs
– Enforce lockout policies
– Monitor outbound connections
Web App Attacks Key Findings
19 Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Insider and privilege misuse
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 20
Most insider misuse activity abuses trust
necessary to perform normal duties
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 21
Most incidents happen at the victim
organization
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 22
Internal actors include more managers
and executives than in prior years
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 23
External actors bribe, exploit known
access, and solicit information
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 24
Motivation is primarily financial, with some
espionage (to benefit a competitor)
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 25
The varieties of data at risk are diverse
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 26
Internal detection is unusually common
for insider and privilege misuse
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 27
Discovery time is also unusual: many were
discovered within days
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 28
• Know your data and who has access to it
• Review user accounts
• Watch for data exfiltration
• Publish audit results
Recommended controls for insider and
privilege misuse
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 29
Physical Theft and Loss
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 30
• Assets are stolen more often from
offices than vehicles or residences
• Loss is reported more frequently
than theft (15:1)
• More losses and thefts are reported
because of disclosure regulations
than fraud
• Data varieties at risk are mostly
personal and medical
• Recommendations:
– Encrypt devices
– Keep them with you
– Back them up
– Lock them down
– Use unappealing tech
Physical Theft and Loss Key Findings
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 31
Miscellaneous errors
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 32
Highly repetitive processes involving
sensitive data are particularly error prone
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 33
Discovery typically takes a long time, and
it’s external about two-thirds of the time
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 34
• Consider Data Loss Prevention (DLP) software
• Tighten processes around posting documents
• Spot-check large mailings
• IT disposes of all information assets (and test them)
Recommended controls for miscellaneous
errors
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 35
Crimeware
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 36
• Web downloads and drive-bys are
the most common infection vectors
• Primary goal is usually to gain
control of systems for illicit uses like
stealing credentials, DDoS attacks,
and spamming
• Recommendations:
– Keep browsers up to date
– Disable Java in the browser
– 2-factor authentication
– System configuration change
monitoring
– Leverage threat feeds
Crimeware Key Findings
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 37
Payment card skimmers
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 38
• Most actors are Eastern European
• Most assets are ATMs
• More highly skilled criminals now
collect data via Bluetooth or SiM
cards with remote caching and
tampering alerts
• Recommendations:
– Tamper-resistant terminals
– Tamper evident controls
– Watch for tampering
– Protect your PIN
– Avoid unusual-looking terminals
– Report unusual observations
Payment card skimmers key findings
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 39
Cyber espionage
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 40
Certain industries saw far more cyber
espionage than others
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 41
About half of our sample is U.S. victims,
but visibility on others is increasing
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 42
Most actors are state affiliated, but a
significant minority are not
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 43
More data about non-eastern-Asia actors
reflects more, better research
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 44
Cyber espionage involves a much wider
range of tools than other patterns
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 45
But there are relatively few ways attackers
gain access to victims
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 46
Attackers compromise sensitive data
they’re after and credentials along the way
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 47
Discovery methods and times leave a lot
of room for improvement
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 48
• Patching
• Anti-virus
• User training
• Network segmentation
• Good logging
• Break the delivery-exploitation-installation chain
• Spot C2 and data exfiltration
• Stop lateral movement inside the network
Recommended controls for cyber
espionage
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 49
Denial of Service Attacks
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 50
Denial of Service Attacks Key Findings
• Using compromised CMSs
continued
• DNS reflection attacks increased
• Izz ad-Din al-Qassam Cyber
Fighters (QCF) was responsible
for a significant number of
attacks
• There was little hard evidence of
DoS attacks to distract from fraud
• Recommendations:
– Basic practices of patching, turning
off unneeded services
– Isolate key assets on the network
– Make preparations for anti-DDos
service
– Ask ISPs about upstream capacity
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 51
So what?
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 52
• Download: www.verizonenterprise.com/dbir
• VERIS: www.veriscommunity.net
• Email: [email protected]
• Twitter: @vzdbir and hashtag #dbir
• Blog: http://www.verizonenterprise.com/security/blog/
Additional information is available