Verizon's 2012 Data Breach Investigations Report sheds light on how hackers are attempting to steal intellectual property through cyber intrusions.
Photo credit: (Image courtesy stock.xchng/dimitri c)
This graphic from the DBIR shows the threat actions that caused or contributed to data breaches involving IP theft.
Photo credit: (Graphic courtesy Verizon)
This graphic shows the timespan of events by percent of breaches involving IP theft.
Photo credit: (Graphic courtesy Verizon)
Telecommunications giant Verizon on Wednesday released the findings of its 2012 Data Breach Investigations Report (DBIR), which in addition to typical cyber intrusions also looked at the characteristics of data breaches intended to steal companies’ intellectual property. The report, which was conducted with cooperation from the U.S. Secret Service and several other law enforcement agencies around the globe, found that a total of 174 million records were compromised in 2011, the second highest total since the company began keeping track in 2004.
While the majority of these data breaches were perpetrated by people looking for a quick way to cash in on their theft, there were also those whose goal was much larger in scope. In fact, the DBIR discovered 85 confirmed data breaches over the last two years that resulted in the theft of intellectual property (IP).
The report, which looked at a variety of vertical markets including the healthcare, financial, insurance, retail, hospitality and food services, found that no organization was immune to IP theft – whether it be a company with one to 10 employees or more than 100,000 employees. The financial services and public administration verticals accounted for two-thirds of IP data breaches, while information, technology services, and manufacturing made up the remaining third.
Although most of these intrusions were the work of outside agents (87 percent), the data also shows that there was a great deal of collusion with company insiders, which accounted for 46 percent of breaches involving IP theft. This collusion between external agents and insiders is why the percentage totals between the two top 100 percent.
"Typically, in our main report as we look at the threat actors, we’ve got a whole lot of external people causing these breaches, participating in the breaches and usually in the single digits when it comes to insiders, four to nine percent or something like that," said Jay Jacobs, managing principal, RISK Team at Verizon Enterprise Solutions. "As we get into intellectual property, it becomes very, very different looking. There are a whole lot of internal actors… so we see a lot of collusion there, we see a lot of external people soliciting or bribing internal people in order to help them."
Among the threat actions that caused or contributed to data breaches involving IP theft in the DBIR were; misuse (an insider abusing the privileges that they have, such as using their account to access data in a way that they shouldn’t); social (using social tactics to get someone else to do something on your behalf usually without their knowledge, such as pretending to be someone you’re not, employing phishing scams or soliciting/bribing people); physical (any physical theft or tampering); hacking; malware; and, error. Misuse and hacking lead the way in this category at 51 percent and 47 percent respectively, followed by social (41 percent), malware (29 percent), physical (7 percent), and error (7 percent).
Jacobs said that the use of social tactics was higher in the IP theft section of the DBIR than in any other part of the report.
"An interesting thing about the threat actions, the use of stolen login credentials, that is using valid credentials by an invalid or unauthorized person, is something that appears in our larger data set and across these vertical snapshots at some layer or another," he explained. "That seems to be a pretty universal trait of these (IP) breaches where an attacker tries to get into a valid account. They try to go in as a valid user. It’s much easier to go after a credential and come in as a valid user than exploit some vulnerability. Even when a vulnerability is exploited, they’re still going to go after credentials because it’s easier to maintain sort of a long-term presence with valid credentials."
In contrast with breaches of opportunity, Jacobs said the report also found that IP thieves will stick with their intended target for a much longer period of time.
"Typically, the initial attack to initial compromise – that is how long an attacker is trying to get into an organization before they succeed – in most of these (incidents) it’s relatively short. As we look at industries that are a little bit more opportunistic like the accommodation or healthcare (sectors), we see that as being very, very short. From seconds to minutes, most of them occurring very, very quickly because they’re scanning for a vulnerability and when they find it they exploit it," he added. "As we get into markets that are a little bit more targeted like the financial industry and intellectual property, we’ll see that top line span across the entire line, so they’ll pick a target and then start to try different ways to break-in and that can go well past minutes into hours, days, weeks, months, and in some cases even years."
Jacobs said that one of things that really stood out to him as poured through the results of the data his team collected was the difference between larger and smaller organizations that were attacked. "Every organization that is no the Internet is being attacked, it’s just that the larger organizations have more maturity around their security controls and they’re not going to fall prey to it as much," he said.
In addition, Jacobs said the fact that stolen credentials were used so frequently in cyber intrusions means that companies may want to look into more two-factor authentication solutions, which would make it more difficult to steal and misuse valid credentials.
Jacobs said that going forward, mobile devices will also likely become highly targeted by hackers.
"When we look at the assets that we do see (in the report) they share two qualities; they either hold the data directly or they’re an easy path to the data," he said. "So, the lack of mobile devices in the breaches that we’ve looked at may be an indication that they are not one of those two things yet. As these mobile devices get more integrated into the network, more built into the infrastructure and they start hosting the data, they are going to become a high-value target."