Hacking and automated attacks made simple by poor password management practices were at the root of most 2011 data breaches, and many firms failed to detect the intrusion, according to an analysis conducted by Verizon’s breach investigators.
“[Logs are] one of the most valuable ways that companies can improve their chances of catching breaches.” Wade Baker, director of RISK intelligence, Verizon
The Verizon Investigative Response Caseload Review is a first-ever preview of the company's Data Breach Investigation Report (DBIR), which is due out later this year.
The analysis is based on 90 breaches investigated by Verizon last year, which makes up about 10% of the more than 850 included in the 2012 DBIR. While the trends evident in the Caseload Review will likely be reflected in the larger Verizon data breach report, the numbers themselves will be different, said Wade Baker, director of RISK intelligence at Verizon Business.
The report detailed how hacking and malware often work together to cause a data breach, and also identified some of the common security weaknesses exploited by attackers. “A whopping 99% of all stolen data involved the use of some form of hacking and malware,” according to the report. Verizon also noted that social tactics, which target individual people, such as phishing, were tied to over half of all data loss in the 90 breaches.
“Phishing leads to malware and leads to hacking by using a backdoor or stolen credentials,” Baker said. “An attack might include all of those things.”
Weak, default passwords and stolen credentials were at the root of more than half of the breaches investigated by the Verizon team. Attackers used default or guessable credentials in about 29% of the data breaches. Stolen credentials were at the heart of 24% of the breaches.
Baker said that exploiting user credentials has been a growing trend.
“Attackers seem to be looking for ways to exploit the mechanisms we use to authenticate users,” he said. “If they gain access to an account and it looks like they’ve just logged in, they look like a real user; that gives them a real advantage.”
Once the attacker is inside the system as a credentialed user, Baker said, the potential for damage increases.
“Getting in makes you look legitimate,” Baker said. An attacker gains almost unfettered access without being flagged as a possible threat or looking unusual in security information and event management (SIEM) logs, he said.
Some 49% of breaches involved a backdoor. Backdoors are sometimes stumbled upon by an attacker after someone else has already installed them, but are more often planted by the attacker, either by exploiting a vulnerability or by phishing a user into running the malware.
Once in place, the backdoor gives the attacker unhindered access to everything the compromised user’s account is allowed to do. Like stolen credentials, it is also a way to avoid standing out in SIEM logs.
SIEM Logs going unmonitored
Leaving a trail in the logs, however, only worries an attacker if the target company has an IT staff that actually analyzes them. Most companies have a SIEM in place to meet compliance obligations, but many don’t monitor its logs regularly.
“I’m a fan of using logs much, much more than we do,” Baker said. “I think a lot of companies save logs … but they don’t have people actually using them.” This is a shame, he said, because “that’s one of the most valuable ways that companies can improve their chances of catching breaches.”
Because SIEM logs are so rarely reviewed, breach detection took months or years in nearly 60% of the breaches; only about 20% were detected within days.
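The point Baker makes above is that a stolen or guessed credential looks like an ordinary login, so the signal is not in any single log line but in how a login compares with the account's history and with the attempts that preceded it. The following is an added example, not code from the article or from Verizon: a small baseline-and-deviation pass over OpenSSH-style authentication lines that (1) flags a success preceded by a burst of failures from the same address (guessed or default passwords), (2) flags password logins to accounts that commonly ship with default passwords, and (3) flags a valid credential used from an address the account has never used before (the stolen-credential case). The log lines, hostnames, addresses, account names and the `DEFAULT_ACCOUNTS` list are all constructed for the demonstration; the thresholds are assumptions to tune per environment.

```python
"""Baseline-and-deviation checks over SSH authentication logs.

Constructed example: every log line, host, address and account name below is
made up for this demonstration and is not from the Verizon caseload.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: a few days of normal key-based logins, then one night
# of password guessing against "admin" and a valid password for "alice" used
# from an address she has never logged in from.
SAMPLE_LOG = """\
Jan 05 08:55:12 app01 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 50210 ssh2
Jan 05 09:02:40 app01 sshd[2002]: Accepted publickey for bob from 10.0.0.7 port 50311 ssh2
Jan 06 08:57:03 app01 sshd[2003]: Accepted publickey for alice from 10.0.0.5 port 50422 ssh2
Jan 10 02:13:40 app01 sshd[3101]: Failed password for admin from 203.0.113.9 port 51012 ssh2
Jan 10 02:13:42 app01 sshd[3102]: Failed password for admin from 203.0.113.9 port 51013 ssh2
Jan 10 02:13:44 app01 sshd[3103]: Failed password for admin from 203.0.113.9 port 51014 ssh2
Jan 10 02:13:46 app01 sshd[3104]: Failed password for admin from 203.0.113.9 port 51015 ssh2
Jan 10 02:13:49 app01 sshd[3105]: Accepted password for admin from 203.0.113.9 port 51016 ssh2
Jan 10 03:40:11 app01 sshd[3201]: Accepted password for alice from 198.51.100.23 port 40500 ssh2
Jan 10 09:01:15 app01 sshd[3301]: Accepted publickey for bob from 10.0.0.7 port 50611 ssh2
"""

# OpenSSH-style auth lines; "invalid user" is present when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed list of accounts that commonly ship with vendor or default passwords.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator", "guest", "service"}

FAILURE_WINDOW = timedelta(seconds=120)  # look-back for failures before a success (assumed)
FAILURE_THRESHOLD = 3                    # failures in that window that count as guessing (assumed)


def parse_log(text, year=2011):
    """Parse syslog-style sshd lines into dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, baseline_end):
    """Return (rule, user, ip, timestamp) alerts for successful logins at or after baseline_end.

    Accepted logins before baseline_end are treated as known-good history and are
    only used to learn which source addresses each account normally uses.
    """
    known_sources = defaultdict(set)      # user -> source IPs seen in baseline logins
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    alerts = []

    for e in events:
        q = recent_failures[e["ip"]]
        while q and e["ts"] - q[0] > FAILURE_WINDOW:
            q.popleft()  # drop failures older than the window
        if e["result"] == "Failed":
            q.append(e["ts"])
            continue

        # Accepted login from here on.
        if e["ts"] < baseline_end:
            known_sources[e["user"]].add(e["ip"])
            continue

        stamp = e["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if len(q) >= FAILURE_THRESHOLD:
            alerts.append(("brute_force_success", e["user"], e["ip"], stamp))
        if e["method"] == "password" and e["user"] in DEFAULT_ACCOUNTS:
            alerts.append(("default_account_password", e["user"], e["ip"], stamp))
        # A valid credential from an address this account never used before: the
        # "looks like a real user" case. Accounts with no baseline history cannot be
        # compared and are left to the two rules above.
        if known_sources.get(e["user"]) and e["ip"] not in known_sources[e["user"]]:
            alerts.append(("new_source", e["user"], e["ip"], stamp))
    return alerts


def run_sample():
    """Run the checks over the constructed log with the first days as the baseline."""
    return detect(parse_log(SAMPLE_LOG), baseline_end=datetime(2011, 1, 8))


if __name__ == "__main__":
    for rule, user, ip, when in run_sample():
        print(f"{when} {rule:<25} user={user} from={ip}")
```

On the constructed data this produces three alerts: the `admin` login at 02:13:49 trips both the failure-burst and default-account rules, and the `alice` login at 03:40:11 trips only the new-source rule, which is the one that matters for the stolen-credential case the report describes, since that login would pass any per-line check. The `bob` login from his usual address produces nothing. In a real deployment the baseline would come from weeks of history rather than three lines, and the new-source rule is the noisiest of the three, so it is normally scored rather than alerted on directly.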
Of the 90 breaches investigated by Verizon in 2011, only five were detected by IT teams that regularly monitor their SIEM logs. Two-thirds were detected by an external party, usually a customer who had been notified of identity fraud, or law enforcement that was already tracking a suspected cybercriminal or group, Baker said.
Baker sees the five instances as a slight glimmer of hope for the future of enterprise security. The Verizon RISK team also noted that the number of breaches detected through log analysis, “while still small, represents the highest such event we have ever seen in our caseload.”
Baker hopes that trend will continue as mobile devices enter the corporate world. Monitoring smartphones and tablets differs from monitoring PCs, he said, only in that they carry the additional risk of being lost or stolen.
Although the Caseload Review noted that nearly half of the breaches included the compromise of user devices, it is more common for devices to “provide a foothold into the organization” than for data to be stolen directly from the device. Attackers often use a keylogger to steal user credentials and then log in to the internal application server directly with them.
For the most part, Baker sees future threats to mobile devices as the same problems that currently plague workplace PCs and laptops.
“It’s just a matter of time until they become the norm,” he said.