Editor’s note: this is part one of a two-part series covering the Verizon DBIR 2017. You can read part two, regarding the need for better basic cybersecurity and multifactor authorization here.
The 2017 Verizon Data Breach Investigation Report highlighted both big threats of which the industry is already aware, such as ransomware, and under-the-radar threats like pretexting, which can be extremely dangerous in certain situations.
The data in the 2017 Verizon Data Breach Investigation Report (DBIR) was gathered from 65 organizations across the world, including analysis of 42,068 incidents and 1,935 breaches from 84 countries. And, unlike last year’s DBIR, this year Verizon focused more on each industry vertical and the specific threats each faced.
Dave Hylender, contributing author of all 10 Verizon DBIRs and senior risk analyst at Verizon Business, said the industry-specific focus was always part of the research but had previously been published separately.
“In the last two to three years, we have released industry verticals separately. This year we thought it might be helpful to put them in the main report and get it all done at once,” Hylender told SearchSecurity. “Part of it was we thought 10 years is kind of a good anniversary. Let’s try to talk more to each individual group of the main verticals that we deal with inside the actual report, so they can read that and then jump to whatever threat action category that they struggle with might be more helpful.”
Pretexting: A threat on the rise
One of the more common threads in the data was the prevalence of social engineering attacks using phishing, with 43% of data breaches involving phishing. Verizon said 95% of phishing attacks that resulted in a breach also installed software on a user’s device. And one of the more dangerous variants of phishing is pretexting.
Hylender described the social engineering tactic of pretexting as being a more advanced version of spearphishing where not only would the message content be specifically tailored to a recipient, but an attacker would take steps to impersonate a person of authority and create a dialogue with the target. Hylender said one example involved an attacker spoofing the email of a company’s CFO in order to trick someone with access to financial data into leaking it.
According to the Verizon DBIR, phishing and pretexting combined represented almost 98% of incidents and breaches that involved a social action, with 88% of pretexting attacks being carried out via email. Additionally, many pretexting attacks were found by internal financial audits rather than a cybersecurity product or fraud detection method.
Rick Holland, vice president of strategy at Digital Shadows, said the financial impact of pretexting makes it worth highlighting.
“Pretexting within the context of business email compromise [BEC] is a significant threat to organizations. Last year the FBI called BEC a $3.1 billion scam,” Holland said. “It is important to note that BEC can be more than just CFO/CEO pretexting. You also have bogus invoices from those impersonating suppliers. You can also have employee email accounts compromised that then solicit invoice requests to their networks. You can also have actors posing as attorneys pressuring victims to transfer funds to gain access to confidential and time sensitive data.”
Ajay Uggirala, director of product marketing at Imperva, said the advancement of phishing to pretexting may have been inevitable.
“It is also important to note that the technical skill needed and the cost associated with a phishing campaign has gone down over the past year — making it easier than ever to launch a phishing campaign due to the availability of inexpensive servers and DIY kits,” Uggirala said. “These advances leave the hacker with more time to focus on identifying the target and crafting his bait. With financial gain as the motivator, it’s not a stretch to think that the hackers will follow the money, up-leveling the phishing targets to CFOs and CIOs and then using this info in a pretexting scheme.”
Brian Vecci, technical evangelist at Varonis, noted that even the social engineering attack that tricked Clinton campaign chairman John Podesta into giving up the credentials to his Gmail account could be considered pretexting.
“This type of big-game hunting is simply another means for cyber-espionage by competitors, nation-states and the ideologues with a grudge; and they are almost always after an organization’s toxic data — any data that has value and will harm the reputation or bottom line if stolen or made public,” Vecci told SearchSecurity. He added that pretexting and phishing “are both tactics designed to lure in the victims with a false sense of security or reality. They are both forms of phishing, one just has a little more lipstick on it.”
According to the 2017 Verizon DBIR, more than half of data breaches analyzed involved malware, and ransomware was the fifth most common malware variety recorded, up from the 22nd most common in the 2014 DBIR.
Data provided by McAfee showed a steady increase in ransomware samples and a change in how ransomware was spread. In the 2016 DBIR, web drive-by downloads were the top malware vector; this year, email took over that crown.
Verizon noted in the report that, “Perhaps the most significant change to ransomware in 2016 was the swing away from infecting individual consumer systems toward targeting vulnerable organizations.”
Vecci said this swing was purely financial.
“In the case of ransomware targeting vulnerable organizations, there are a lot more Benjamins there than in some consumers’ bank accounts and there’s more at stake,” Vecci said. “The concept of a vulnerable organization means that the defensive measures, detection controls and recovery solutions are not in place or sufficient to stop and remediate an attack; therefore, it’s cheaper for these organizations to pay the ransom to get their data back rather than lose more productivity by fixing it themselves.”
Verizon echoed this statement in a press release, saying, “This year’s report sees a 50% increase in ransomware attacks compared to last year. Despite this increase and the related media coverage surrounding the use of ransomware, many organizations still rely on out-of-date security solutions and aren’t investing in security precautions. In essence, they’re opting to pay a ransom demand rather than to invest in security services that could mitigate against a cyberattack.”
Uggirala said having the Verizon DBIR data was useful.
“It’s helpful to have a clear breakdown on each industry that is being targeted by threat actors along with the breach success rate,” Uggirala told SearchSecurity. “As the Verizon DBIR points out, the total number of incidents is just an indicator of the participation level of each industry and not an indication that one industry is more secure than the other just because there are fewer incidents.”
However, Holland warned IT pros that it could be dangerous to focus too much on their own industry.
“The focus on specific industries will resonate with security executives who are getting more access to their leadership teams. Business leaders are always interested in industry trends and the DBIR can be used as a tool to educate boards and to justify security strategy,” Holland told SearchSecurity. “It is important for defenders to not hyper focus on their industry alone. Attackers do attack across industries so keeping track of macro attack trends is critical.”
Eddie Habibi, CEO of ICS cybersecurity and reliability firm PAS, said that although social engineering attacks like pretexting and ransomware are dangerous threats, the Verizon DBIR had one major blind spot.
“If you look at the cyber assets on which the report gathered security data, there is not a single industrial control system (ICS) category listed. ICS are the systems that have direct responsibility for running volatile chemical and oil refining processes, producing electricity and clean water, and delivering many other products and services upon which we rely in our daily lives,” Habibi told SearchSecurity via email. “They are also the systems that prevent industrial accidents, which can have severe environmental, safety, or financial consequences for a company. Unfortunately, reports that only focus on information technology systems and don’t include ICS perpetuate an environment of risk that outsider and insider threats will eventually exploit.”