DarkReading reported that the 2017 Verizon Data Breach Digest (99 pages) breaks out 16 different attack scenarios and specifies the target, sophistication level, attributes, and attack patterns, along with their times to discovery and containment. The Digest is full of intriguing stories of online misconduct.
In one example, an online gaming company finds its production network hacked – and worse, points of top players were being siphoned off and customers' personal information might have been compromised as well. Network and application logs were quickly parsed and Verizon's RISK team identified 15 systems that process game-point transactions, yet only 14 of them were known to be legitimate resources.
Sure enough, the anomalous system, while valid, had been abandoned for more than a year after an employee left the company. But it remained attached to the network, if dormant, and was an inviting target for hackers who brute-forced it, then loaded it with malware to.
Situations like these, in which the hidden endpoint could be a system, a user account, a piece of software, or a data store, are what Verizon labels "Unknown Unknowns," and they are the hardest for organizations to plan for and react to, Verizon says in its latest Data Breach Digest (DBD) report. "We're seeing lots of cases of Unknown Unknowns … detection systems are picking up old and new malware that may be sitting there," said John Grim, senior manager and lead for Verizon's investigative response team. "We then come in and see if it's done any damage or if it's just lying in wait. Sometimes they emerge when we do testing."
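The gaming-company case above comes down to one check: which hosts are actually processing transactions versus which hosts the organization believes are authorized to. The following script is an added illustration of that reconciliation, not code from Verizon or the DBD; the log format, host names and inventory are all constructed for the example. It goes one step beyond the story by also reporting inventory hosts with no activity, since a dormant but still-connected asset is the same kind of blind spot:

```python
import re
from collections import Counter

# Constructed sample application log from a game-point transaction service.
# Line format is assumed for this example: "<timestamp> host=<name> txn=<id> points=<n>"
SAMPLE_LOG = """\
2017-02-01T10:00:01Z host=gp-app-01 txn=1001 points=250
2017-02-01T10:00:05Z host=gp-app-02 txn=1002 points=120
2017-02-01T10:00:09Z host=gp-app-01 txn=1003 points=75
2017-02-01T10:01:12Z host=gp-legacy-07 txn=1004 points=9800
2017-02-01T10:01:40Z host=gp-app-03 txn=1005 points=40
2017-02-01T10:02:03Z host=gp-legacy-07 txn=1006 points=12000
malformed line that should be skipped
"""

# Constructed asset inventory: hosts approved to process game-point transactions.
KNOWN_HOSTS = {"gp-app-01", "gp-app-02", "gp-app-03", "gp-app-04"}

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+txn=(?P<txn>\d+)\s+points=(?P<points>\d+)")


def parse_log(text):
    """Yield (host, points) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("host"), int(m.group("points"))


def reconcile(log_text, known_hosts):
    """Compare hosts observed in the logs against the asset inventory.

    Returns a dict with:
      unknown  - hosts processing transactions that are not in the inventory
      dormant  - inventory hosts with no transaction activity in the log window
      activity - per-host transaction count and total points moved
    """
    txn_count = Counter()
    points_total = Counter()
    for host, points in parse_log(log_text):
        txn_count[host] += 1
        points_total[host] += points
    seen = set(txn_count)
    return {
        "unknown": sorted(seen - known_hosts),
        "dormant": sorted(known_hosts - seen),
        "activity": {
            h: {"txns": txn_count[h], "points": points_total[h]} for h in sorted(seen)
        },
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_LOG, KNOWN_HOSTS)
    for host in result["unknown"]:
        print(f"UNKNOWN host {host}: {result['activity'][host]}")
    for host in result["dormant"]:
        print(f"dormant inventory host {host}: no transactions seen")
```

The unknown host stands out twice here: it is absent from the inventory and it moves far more points per transaction than the approved hosts, which is the kind of signal worth alerting on rather than waiting for a periodic review.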
The DBD has two objectives: Sketch out the complexity of the most common kinds of attacks, and provide a guidebook for all the individuals affected in the chain of command.
In another DBD scenario dubbed "Mobile Assault – The Secret Squirrel," Verizon outlines the problems faced by a business traveler who may be forced to use sketchy Wi-Fi networks, hand over their laptop or smartphone at security checkpoints or immigration areas, or be required to decrypt their devices completely. There's also the potential for loss, theft, or device tampering in a hotel room; in some instances, specific companies and individual personnel are targeted for the high-value data they carry or are able to access.
The fix for Mobile Assault is very simple. Employees no longer travel with their assigned corporate devices, but instead are given "travel" smartphones and laptops, and after every trip, these devices are wiped clean and rebuilt. "From a forensic examination standpoint, having this known baseline image to compare against drastically reduces analysis time and helps [the organization] focus on potential problems rather than background noise," Verizon says in the new DBD report.
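The forensic payoff Verizon describes, a known baseline to diff against, is easy to show concretely. The script below is an added example, not Verizon's tooling or any product's code: it hashes every file under a directory into a manifest, and compares a post-trip manifest against the baseline so that only added, removed, or modified files need attention. The `demo()` function builds two small constructed directory trees in temporary folders to exercise it:

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                # Read in chunks so large binaries do not have to fit in memory.
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return files added, removed, and modified relative to the baseline image."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper: create a file (and parent directories) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed baseline tree and a constructed post-trip tree, then diff them."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as post:
        # Known-good baseline image (constructed contents).
        baseline_files = {
            "bin/app": b"app-v1",
            "etc/config.ini": b"proxy=off",
            "lib/helper.so": b"helper",
        }
        for rel, data in baseline_files.items():
            _write(base, rel, data)
        # Post-trip state: one file changed, one new file, one file missing (constructed).
        post_trip_files = {
            "bin/app": b"app-v1",
            "etc/config.ini": b"proxy=on",
            "tmp/update.exe": b"unknown",
        }
        for rel, data in post_trip_files.items():
            _write(post, rel, data)
        return diff_manifests(build_manifest(base), build_manifest(post))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest is generated once from the gold image and stored off the device, so a tampered machine cannot also rewrite the reference it will be compared against.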
The report also deconstructs the complexity of breaches from a human standpoint and a stakeholder perspective, Grim told Dark Reading. It's no longer enough to tell companies and end-user organizations, "This is the malware, and this is how you fix it," Grim added. "HR and legal need to be involved too if it's an inside threat or involves employee records." Grim was quick to emphasize that the DBD report isn't just for IT staff or InfoSec professionals. Human resources professionals can query the report for HR issues, or for HR issues within a specific industry sector. Incident responders can also query by industry, Grim said.
The DBD uses data derived from Verizon's more comprehensive Data Breach Investigation Report. This is the second year Verizon has released the digest.
Verizon also offers a five-point incident response plan for organizations that have discovered any kind of data breach:
- Preserve evidence; consider consequences of every action taken once the breach has been discovered.
- Be flexible; adapt to evolving situations.
- Establish consistent methods for communication.
- Know the limits of your own expertise; collaborate with other key stakeholders.
- Document actions and findings; be prepared to explain them.
Hat tip to Dave Ries.