2012 Verizon DBIR: Hacktivists make impact on data breach statistics

Robert Westervelt, News Director

Hacktivists, typically young cybercriminal activists attempting to advance political and social objectives, made a huge impact on data breaches in 2011, according to the 2012 Verizon Data Breach Investigations Report (DBIR).

The 2012 Verizon DBIR examines 855 breaches and 174 million stolen records, making up the largest data set ever analyzed by Verizon. In addition to the U.S. Secret Service, Verizon includes data breach cases from the Dutch National High Tech Crime Unit and police forces from Australia, Ireland and London. The results of the report are based on first-hand accounts of Verizon’s forensics investigations from 2004 to 2011, with the 2012 report focusing solely on last year’s caseload of 90 confirmed data breaches and 765 breaches investigated by law enforcement.

Verizon cautions that its data and the data of the participating law enforcement agencies contain a certain level of sample bias. For example, internal threats make up only 4% of breaches, a fact in the report that Verizon acknowledges is likely underreported. Many breaches go unreported, Verizon said, and other organizations don’t yet realize they have been breached.

Although activist groups accounted for approximately 3% of the 2011 breaches analyzed in the report, their spoils made up more than 100 million records, accounting for 58% of all pilfered data, according to Verizon. “That’s almost twice the amount pinched by all those financially-motivated professionals,” according to the report.

The cyberactivists typically deploy relatively unsophisticated attack methods, akin to a convenience store smash-and-grab burglary, breaking into large enterprises and stealing as much data as they can access, said Christopher Porter, a principal with Verizon’s RISK team. The approach stands in contrast to the automated large-scale attacks targeting smaller businesses, including restaurants and retailers.

“Many times it seems [hacktivists] look for any weaknesses they can find and then they attack the organization, publish the information and come back with a reason of why they targeted the organization after the fact,” Porter said.

Hacktivists don’t bother to cover their tracks, and since they don’t have financial motivation to sell the information on the black market, the stolen data is made publicly available, resulting in an embarrassing high-profile breach and expensive clean-up costs, Porter said.

In 2011, 79% of attacks represented in the report were opportunistic, and many of them involved hacktivists. Of all attacks, 96% were not highly difficult. Verizon found that a renewed focus on fundamental and relatively inexpensive security measures could address the threat posed by hacktivists, as well as automated attacks from financially motivated cybercriminals.

“When organized crime groups break into an organization they are trying to stay as quiet as possible to maintain access and collect data over time,” Porter said. “Hacktivists rarely bothered to cover their tracks.”

Rather than using malware, hacktivists target Web application vulnerabilities, Porter said, garnering them access to Web servers behind the website itself. Web applications were the third most common attack vector overall in 2011 and were associated with over a third of total data loss. Web apps were the route used in 56% of large business breaches, according to the 2012 Verizon DBIR data breach statistics.

Meanwhile, remote access services were the favorite vector of automated attackers, making up 88% of all breaches in 2011, and backdoors were the second most common hacking-related pathway. To defend against the attacks, Verizon highly recommends that businesses deploy and monitor security information management (SIM) systems and check point-of-sale (POS) systems for default and weak passwords.

While some financial data was stolen by hacktivists in 2011, personally identifiable information, corporate email, password files and information about how the victim organization’s systems are architected made up the bulk of the data stolen by hacktivists.

Payment card information was involved in 48% of the breaches in the 2012 Verizon DBIR analysis, more than any other data type. Authentication credentials made up 42% of breaches in the DBIR data set. Personally identifiable information, which includes name, email and national IDs, comprised only 4% of breaches but made up 95% of the records lost, compared with only 1% in 2010.

Andrew Brandt, director of threat research for Solera Networks Research Labs, said organizations shouldn’t make major changes to their security strategy based on one potential threat source, such as hacktivism. A security-conscious business will conduct an audit to determine system weaknesses at least annually to estimate the points most at risk, Brandt said.

“Whether it’s hacktivists, cybercriminal gangs or a lone attacker with an automated toolkit, as far as the network perspective is concerned, a probe is going to look like a probe regardless of whoever is initiating it,” Brandt said. “We’ve entered this era where people are chipping away nonstop and eventually someone will make a mistake; either a human error or a technical one, and that becomes one of those small cases where an attack is successful.”

Hacktivist attacks take their toll on enterprises, and recent breach cases illustrate that fact. The arrest of six hacktivists believed to be members of the AntiSec Movement has yielded new details about the Stratfor data breach and the costs associated with the successful hack of the Austin, Texas-based geopolitical intelligence company. The six men face a variety of charges associated with a string of cyberattacks against Stratfor, Fox Broadcasting Company, Sony Pictures Entertainment and the Public Broadcasting Service. The attack against Stratfor reportedly cost the company at least $2 million and resulted in $700,000 in unauthorized credit card charges affecting Stratfor clients.

The attack illustrates how the threat posed by hacktivist groups can escalate beyond website defacements and Web server leaks. Enterprises need to be aware of cybercriminals with financial motivations, nation-states attempting to pilfer intellectual property, and hacktivist groups hell-bent on pilfering systems to make a political statement, said Paul Henry, security and forensics analyst at vulnerability management and endpoint security vendor Lumension Inc.

The AntiSec Movement could conceivably turn more financially motivated, Henry said. Hacktivist attacks could blend with state-sponsored cyberattacks, he said.

“Nation-states may realize that it’s more efficient to use hacktivists to gather information from their adversaries, so I would not put it past some of these governments to somehow sponsor these activists,” Henry said. “Hacktivists could get their voice heard and make a few dollars as well.”