VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 2014 DATA BREACH INVESTIGATIONS REPORT

INSIDER MISUSE

MISCELLANEOUS ERRORS DOS ATTACKS

PHYSICAL THEFT AND LOSS

CYBER-ESPIONAGE CRIMEWARE PAYMENT CARD SKIMMERS

WEB APP ATTACKS

92% THE UNIVERSE OF THREATS MAY SEEM LIMITLESS, BUT 92% OF THE 100,000 INCIDENTS WE’VE ANALYZED FROM THE LAST 10 YEARS CAN BE DESCRIBED BY JUST NINE BASIC PATTERNS. POINT-OF-SALE INTRUSIONS VERIZON

Conducted by Verizon with contributions from 50 organizations from around the world. 2014 DBIR Contributors (see Appendix C for a detailed list)

CUR SE ITY S E E S R N V E I F C

E

E D

U N A I C T I E R D E M S T A AT E S O F

Malware Analysis & Threat Intelligence

V C D B

ii VERIZON ENTERPRISE SOLUTIONS CONTENTS

INTRODUCTION...... 2

2013 YEAR IN REVIEW...... 3

VICTIM DEMOGRAPHICS...... 5

A DECADE OF DBIR DATA...... 7

RESULTS AND ANALYSIS...... 13

POINT-OF-SALE INTRUSIONS...... 16

WEB APP ATTACKS...... 20

INSIDER AND PRIVILEGE MISUSE...... 23

PHYSICAL THEFT AND LOSS...... 27

MISCELLANEOUS ERRORS...... 29

CRIMEWARE...... 32

PAYMENT CARD SKIMMERS...... 35

DENIAL OF SERVICE...... 38

CYBER-ESPIONAGE...... 43

EVERYTHING ELSE...... 46

CONCLUSION AND SUMMARY RECOMMENDATIONS...... 48 Questions? APPENDIX A: METHODOLOGY...... 51 Comments? APPENDIX B: DATA BREACHES AND IDENTITY THEFT: A CONVOLUTED ISSUE...... 53 Brilliant ideas? APPENDIX C: LIST OF CONTRIBUTORS...... 55 We want to hear ENDNOTES...... 56 them. Drop us a line at [email protected], find us on LinkedIn, or tweet @VZdbir with the hashtag #dbir.

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 1 INTRODUCTION

Welcome to the 2014 Data Breach Investigations Report (DBIR).1 Whether you’re a veteran reader who’s been with us since our initial publication back in 2008 or a newbie to our annual data party, we’re sincerely 50 glad you’re here. We hope that this year’s submission will improve awareness and practice in the field of CONTRIBUTING security and support critical decisions and operations from the trenches to the boardroom.

GLOBAL For DBIR veterans, a cursory look at the table of contents will reveal some significant changes to the ORGANIZATIONS report structure you’ve gotten used to in years past. Rather than our signature approach organized around actors, actions, assets, timelines, etc., we’ve created sections around common incident patterns derived directly from the data itself (more on that later). Within each of those patterns, we cover the actors who cause them, the actions they use, assets they target, timelines in which all this took place, and give specific 1,367 recommendations to thwart them. The drive for change is three-fold: first, we realized that the vast CONFIRMED DATA majority of incidents could be placed into one of nine patterns; second, we can (and did) draw a correlation between these incident patterns and industries; and third, we wanted to challenge ourselves to look at the BREACHES data with a fresh perspective. The ultimate goal is to provide actionable information presented in a way that enables you to hash out the findings and recommendations most relevant to your organization.

We all know that data doesn’t grow on trees, and we must express our gratitude to the 50 organizations that contributed to this report, representing public and private entities from around the globe. We’re 63,437 proud to work with these organizations and feel that what you’re now reading is proof of the benefits of SECURITY INCIDENTS coordinated incident data sharing. For the full list of 2014 DBIR contributors, check out Appendix C.

The dataset that underpins the DBIR is comprised of over 63,000 confirmed security incidents — yep, over Sixty-Three Thousand. That rather intimidating number is a by-product of another shift in philosophy with this year’s report; we are no longer restricting our analysis only to confirmed data breaches. This evolution 95 of the DBIR reflects the experience of many security practitioners and executives who know that an COUNTRIES incident needn’t result in data exfiltration for it to have a significant impact on the targeted business. REPRESENTED So prepare to digest what we hope will be some very delicious data prepared for you this year. The Methodology section, normally found near the beginning of the report, is now in Appendix A. We’ll begin instead with a review of 2013 from the headlines, then provide a few sample demographics to get you oriented with the dataset. The following section — a summary of our 10 years’ of incident data — might just be our favorite. (but please don’t tell the other sections that). We’ll then provide analysis of the aforementioned incident classification patterns and end with some conclusions and a pattern-based security control mapping exercise. So let’s get started!

2 VERIZON ENTERPRISE SOLUTIONS 2013 YEAR IN REVIEW

The year 2013 may be tagged as the “year of the retailer breach,” but a more comprehensive assessment of the InfoSec risk environment shows it was a year of transition from geopolitical attacks to large-scale This section is a compilation attacks on payment card systems. of the weekly INTSUM lead paragraphs posted to our blog and is 100% based on 2013 may be remembered as the “year of the retailer breach,” but a open source intelligence comprehensive assessment suggests it was a year of transition from (OSINT). We maintain a geopolitical attacks to large-scale attacks on payment card systems. very strong policy against identifying Investigative Response clients, and JANUARY mentions of organizations January saw a series of reports of targeted attacks by what were probably state-sponsored actors. The in this section in no way Red October cyber-espionage campaign was exposed and responsible for targeting government agencies imply that we conducted an and research institutions globally, but in Russian-speaking countries in particular. Intelligence on a investigation involving them different series of attacks beginning with a “watering hole” attack on the Council on Foreign Relations or that they are among the web site (cfr.org) that began on Boxing Day 2012 was linked to actors using the Elderwood Framework. victims in our dataset. Meanwhile, the Izz ad-Din al-Qassam Cyber Fighters (QCF) were almost a month into Phase II of Operation Ababil Distributed Denial of Service (DDoS) attacks on U.S. financial services companies.

FEBRUARY The segue into February was provided by and the Wall Street Journal, with new reports of targeted cyber-espionage. And Sophos reported a new Citadel-based Trojan crafted to attack Point-of-Sale (POS) systems using a Canadian payment card processor. We would soon learn that www. iphonedevsdk.com became a watering hole, using a surprise attack on Java late in the month. Most InfoSec professionals well remember February as the month Mandiant (now FireEye) released its superb APT1 report. February was also the start of reports of data breaches from large enterprises, courtesy of the aforementioned iPhoneDevSDK: Facebook, , Apple, and were all victims. Noteworthy retailer POS data breaches were reported by Bashas’ and Sprouts, two discrete grocery chains in the U.S. Southwest. Bit9 reported a data breach that began in July 2012, attacking its code-signing infrastructure.

MARCH Fifty million Evernote users remember that March was the month they were forced to change their passwords. On March 20, the Republic of Korea suffered a large-scale cyber-attack that included disk corruption. We remain skeptical that the Cyberbunker--Spamhaus DoS attack almost broke the Internet at the end of March. Group-IB reported “Dump Memory Grabber” (a.k.a. BlackPOS), a new POS Trojan that would go on to make headlines when news broke of Target Stores’ breach in December.

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 3 APRIL In April, another U.S. grocery retailer, Schnucks, reported a POS data breach. The (SEA) did some damage when it hijacked the Associated Press’ Twitter account, sending a tweet reporting an explosion at the White House and causing a spasm on Wall Street. Operation Ababil continued, but OSINT cannot support attributing DoS attacks on several European banks to the QCF.

M AY Cyber-espionage continued in May, with reports from QinetiQ and the U.S. Army Corps of Engineers. The SEA hijacked the Twitter accounts of both and The . A watering hole attack targeted nuclear weapons researchers in the U.S. for cyber-espionage, probably from China. More cyber- espionage campaigns reported in May included Operation Hangover, targeting Pakistan; Safe, targeting Mongolia; and operations by the Sunshop actors against Tibetan activists. The U.S. Department of Justice shut down Liberty Reserve, the go-to bank for cyber-criminals.

JUNE Early in June, Raley’s, yet another U.S. grocer with stores in and Nevada, reported its payment card systems were breached. NetTraveller, a global cyber-espionage campaign targeting diplomats in countries with interests not aligned with China occurred. A day later, The Guardian published the first intelligence leaked by Edward Snowden… and then InfoSec intelligence became the “All-Snowden-All-the- Time” channel.

JULY July’s largest retailer data breach was reported by Harbor Freight, a U.S. tool vendor with 445 stores – nearly 200 million customers and we still don’t know how many records were compromised. The QCF initiated Phase IV of Operation Ababil. The SEA breached Viber, Tango, and the Daily Dot. The U.S. Department of Justice indicted four Russians and one Ukrainian for high-profile data breaches, including Heartland and Global Payments.

AUGUST In August, the SEA hijacked the Twitter accounts of CNN, The Washington Post, Time Magazine, SocialFlow, and both The New York Times and . Attendees of the G8 Summit in St. Petersburg, , were targeted for cyber-espionage by the Calc Team actors.

SEPTEMBER In September, Vodafone notified two million customers their personal and financial information had been breached. Espionage reported in September involved the EvilGrab Trojan and separately, the Hidden Lynx actors who seem to engage in both espionage and cybercrime. New intelligence linked the Bit9 attack from February with Operation Deputy Dog, Hidden Lynx, and watering hole attacks on Japanese financial institutions. At the end of the month Brian Krebs began his reports on intelligence extracted from ssndob[dot]ms. The site was home to data stolen from some of America’s largest data brokers: Lexis-Nexis, Kroll, and Dun & Bradstreet. Cryptolocker made its first appearance in September, extorting money from victims that were willing to pay to decrypt their essential files.

OCTOBER On October 3, Adobe announced its systems had been breached; eventually 38 million accounts were identified as affected. Intelligence connected this to the ssndob[dot]ms actors. Nordstrom, the luxury U.S. department store, discovered skimmers on some of its cash registers. Two of 2013’s big wins also occurred in October: Dmitry “Paunch” Fedotov, the actor responsible for the Blackhole exploit kit, was arrested in Russia, and Silk Road, an online fraud bazaar, was taken down. Questions? Comments? NOVEMBER Brilliant ideas? The proverbial calm before the storm, November was fairly quiet. Banking malware evolved with reports of Neverquest and another version of IceIX. BIPS, a major European bitcoin payment processor, was the We want to hear victim of one of the largest bitcoin heists recorded up to that point in time. them. Drop us a line at DECEMBER The last significant entry under cyber-espionage for 2013 was the targeting of foreign ministries in [email protected], European countries by Operation Ke3chang. The Washington Post reported its second breach of the year. find us on LinkedIn, And then InfoSec intelligence became the “All-Target-All-the-Time” channel. Although the breach of this or tweet @VZdbir major U.S. retailer was a little more than half the size of Heartland and three-fourths the size of TJX, it’s with the hashtag vying to become the event for which 2013 will always be remembered. #dbir.

4 VERIZON ENTERPRISE SOLUTIONS VICTIM DEMOGRAPHICS

Readers of the DBIR frequently approach us with two important (CSIRTs) than ever before. Our ability to compare global trends has questions. How generally representative are the findings of this never been higher. report? Are these findings relevant to my organization? To help get But it’s not quite that simple. The charter, focus, methods, and you oriented with this year’s report, let’s see what the data has to data differ so much between CSIRTs that it’s difficult to attribute show us. 2 differences to true variations in the threat environment. However, The 2013 DBIR featured breaches affecting organizations in 27 regional blind spots are getting smaller thanks to our growing list of countries. This year’s report ups that tally by 350%, to 95 distinct contributors (see Appendix C), and we’re very happy with that. countries (Figure 1). All major world regions are represented, and we have more national Computer Security Incident Response Teams

Figure 1. Countries represented in combined caseload

Countries represented in combined caseload (in alphabetical order): Afghanistan, Albania, Algeria, Argentina, Armenia, Australia, Austria, Azerbaijan, Bahrain, Belarus, Belgium, Bosnia and Herzegovina, Botswana, Brazil, Brunei Darussalam, Bulgaria, Cambodia, Canada, Chile, China, Colombia, Congo, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Ethiopia, Finland, France, Georgia, , Greece, Hong Kong, Hungary, India, Indonesia, Iran, Islamic Republic of, Iraq, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kenya, Korea, Republic of, Kuwait, Kyrgyzstan, Latvia, Lebanon, Lithuania, Luxembourg, Macedonia, the former Yugoslav Republic of, Malaysia, Mali, Mauritania, Mexico, Moldova, Republic of, Montenegro, Morocco, Mozambique, Nepal, , New Zealand, Oman, Pakistan, Palestinian Territory, Occupied, Peru, Philippines, Poland, Portugal, Qatar, Romania, Russian Federation, Saudi Arabia, Singapore, Slovakia, Slovenia, South Africa, Spain, Switzerland, Taiwan, Province of China, Tanzania, United Republic of, Thailand, Turkey, Turkmenistan, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, Vietnam, Virgin Islands.

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 5 Figure 2. Figure 3. Number of security incidents by victim industry and organization Number of security incidents with confirmed data loss by victim size, 2013 dataset industry and organization size, 2013 dataset

Industry Total Small Large Unknown Industry Total Small Large Unknown

Accommodation [72] 212 115 34 63 Accommodation [72] 137 113 21 3 Administrative [56] 16 8 7 1 Administrative [56] 7 3 3 1 Agriculture [11] 4 0 3 1 Construction [23] 2 1 0 1 Construction [23] 4 2 0 2 Education [61] 15 1 9 5 Education [61] 33 2 10 21 Entertainment [71] 4 3 1 0 Entertainment [71] 20 8 1 11 Finance [52] 465 24 36 405 Finance [52] 856 43 189 624 Healthcare [62] 7 4 0 3 Healthcare [62] 26 6 1 19 Information [51] 31 7 6 18 Information [51] 1,132 16 27 1,089 Management [55] 1 1 0 0 Management [55] 10 1 3 6 Manufacturing [31,32,33] 59 6 12 41 Manufacturing [31,32,33] 251 7 33 211 Mining [21] 10 0 7 3 Mining [21] 11 0 8 3 Professional [54] 75 13 5 57 Professional [54] 360 26 10 324 Public [92] 175 16 26 133 Public [92] 47,479 26 47,074 379 Real Estate [53] 4 2 0 2 Real Estate [53] 8 4 0 4 Retail [44,45] 148 35 11 102 Retail [44,45] 467 36 11 420 Trade [42] 3 2 0 1 Trade [42] 4 3 0 1 Transportation [48,49] 10 2 4 4 Transportation [48,49] 27 3 7 17 Utilities [22] 80 2 0 78 Utilities [22] 166 2 3 161 Other [81] 8 6 0 2 Other [81] 27 13 0 14 Unknown 126 2 3 121 Unknown 12,324 5,498 4 6,822 Total 1,367 243 144 980 Total 63,437 5,819 47,425 10,193 Small = organizations with less than 1,000 employees, Large = organization with 1,000+ employees For more information on the NAICS codes [shown above] visit: https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012 We saw some increases where we added new industry-specific Next, let’s review the different industries and sizes of victim contributors, so pieces of the puzzle are filling in. Certain sectors organizations in this year’s dataset (Figure 2). The Public sector’s will always skew higher in the victim count given their attractiveness astronomical count is primarily a result of U.S. agency reporting to financially motivated actors — i.e., those that store payment requirements, which supply a few of our contributors with a vast card or other financial data. But even discounting that, we don’t see amount of minor incidents (more on that later), rather than a sign of any industries flying completely under the radar. And that’s the real higher targeting or weak defenses. Figure 3 filters out the minutiae takeaway here — everyone is vulnerable to some type of event. Even by narrowing the dataset to only those incidents involving confirmed if you think your organization is at low risk for external attacks, data compromise. Moving beyond the Public sector outlier, both there remains the possibility of insider misuse and errors that harm Figure 2 and Figure 3 show demographics relatively similar to prior systems and expose data. years. So, we can’t claim to have unbiased coverage of every type and size of organization on the planet (fingers crossed for next year, though!). But we dare say that the majority of readers will be able to see themselves or something that looks enough like them in this sample.

6 VERIZON ENTERPRISE SOLUTIONS A DECADE OF DBIR DATA

Long-time readers of this report will know that we’re not very good That said, measuring deltas has value and we know readers appreciate at maintaining the status quo. The sources of data grow and diversify some level of continuity between reports. Thus, this section attempts every year. The focus of our analysis shifts. The way we visualize data to create an “as-comparable-as-possible” set of findings to previous and organize results evolves over time. And with the 2014 DBIR, we’re DBIRs. It “only” includes breaches from 2004-2012, plus the 1,367 really gonna shake things up. incidents for which data compromise was confirmed in 2013. It’s worth noting that this represents the high mark in ten years of data This section attempts to create an breaches, and is the first time we’ve crossed 1,000. (Give a round of applause to all those contributors who keep adding fuel to the “as-comparable-as-possible” set of findings to bonfire.) previous DBIRs. It “only” includes breaches from 2004-2012, plus the 1,367 incidents for which We began writing a lot of commentary for this data compromise was confirmed in 2013. section, but then changed our minds. Instead, we’ll churn out some eye candy for you to chew While this does make it hard to meaningfully compare trends across on as long as you like with only a few general time, it has the positive effect of shining light into new and shadowy areas each year. The truth of the matter is that we’re more interested observations from us. in exploring and learning than churning out the same ‘ol stuff each time just to measure deltas. We began writing a lot of commentary for this section, but changed our minds. Instead, we’ll churn out some eye candy for you to chew on as long as you like, with only a few general observations from us.

A BRIEF PRIMER ON VERIS AND VCDB The Vocabulary for Event Recording and Incident Sharing (VERIS) Launched in 2013, the VERIS Community Database (VCDB) project is designed to provide a common language for describing security enlists the cooperation of volunteers in the security community in incidents in a structured and repeatable manner. It takes the an attempt to record all publicly disclosed security incidents in a narrative of “who did what to what (or whom) with what result,” and free and open dataset. translates it into the kind of data you see in this report. Because we We leverage VCDB for a few sections in this report, which are hope to facilitate the tracking and sharing of security incidents, we clearly marked. Learn more about VCDB by visiting the website released VERIS for free public use. Get additional information on below. the VERIS community site ; the full schema is available on GitHub. vcdb.org Both are good companion references to this report for understanding terminology and context. www.veriscommunity.com | github.com/vz-risk/veris

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 7 Figure 4. Number of breaches per threat actor category over time

1000 External

750

500

250

Internal Partner

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Figure 5. Percent of breaches per threat actor category over time

100%

75%

50% External

Internal 25% Collusion

Partner

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Figure 4 depicts the raw count of breaches attributed to external, Since we’re letting the visualizations do most of the talking here, we’ll internal, and partner actors over the 10-year history of our breach only make a few observations and leave the rest for homework. data. Figure 5 shows this as a proportion of all breaches and • Ten years offers some nice min/max/most likely estimates for you rearranges the categories to highlight exclusivity and overlap among modelers out there. Barring 2006-2008, the overall ratio is them. It uses a third-degree polynomial trend line to make it nice relatively stable, especially when you consider the dramatic and smooth, so we can see the basic behavior over time. Together changes in total breaches and sources in scope each year. they help answer our primary questions of interest — which actors • 2007 is the only year showing an insider majority in Figure 4. This is perpetrate the most breaches and what’s the relative change over primarily the result of an unusually small Verizon caseload for time? confirmed breaches and an influx of U.S. Secret Service data from 2006-2008. We essentially crashed two equally sized – but very BREACHES VS INCIDENTS? different – samples together. This report uses the following definitions: • That giant dip for external actors in 2012 seen in Figure 4 coincides Incident: A security event that compromises the integrity, with an overall drop in breach count that year, mainly due to fewer confidentiality, or availability of an information asset. large, multi-victim POS intrusion sprees targeting SMBs in the Breach: An incident that results in the disclosure or dataset. potential exposure of data. • Thanks to several new partners who focus on insider crimes, the Data disclosure: A breach for which it was confirmed proportional trend line for internal swings up over the last couple that data was actually disclosed (not just exposed) to an years while external turns downward. If we removed the polynomial unauthorized party. curving, however, you’d see a positive regression for outsiders and a slightly negative one for insiders.

8 VERIZON ENTERPRISE SOLUTIONS Figure 6. Figure 7. Percent of breaches per threat actor motive over time Number of breaches per threat actor motive over time

100% 1000 Ideology/Fun Financial

75% 750 Espionage

50% 500

25% 250 Financial

Espionage

Ideology/Fun

2009 2010 2011 2012 2013 2009 2010 2011 2012 2013

Two different views indicating how the motives of threat actors have Figure 8 has the challenging job of exhibiting 10 years of threat changed over the last five years appear in Figure 6 and 7. The line actions leading to data breaches. We experimented with alternate chart (Figure 6) gives the relative percentage of the top three motives ways to visualize this, but thought the simplicity of this chart worked in our dataset, while Figure 7 uses an area plot of total incident best. Keep in mind that actions aren’t mutually exclusive; several can counts. contribute to an incident (the same goes for actors and assets). • We knew espionage had been rising over the last few years, but the • This chart does a superb job underscoring the value of data sharing. trend line chart surprised us by the degree of convergence with You can see the number of breaches and diversity of threats grow financial motives. Will that continue? as the DBIR transitions from single sample to a meta study. • Is this finding merely the result of adding contributors to the DBIR • But it’s not all because of changes in the sample set. Notice how the who specialize in espionage, or is money truly diminishing as the hacking and malware categories explode upward in 2009 and social prime driver of crime on the Internet? We have an easier time tactics begin to climb in 2010. These have parallel stories in the real believing the former than the latter, but it certainly makes us want world (e.g., automated attack tools and DIY malware kits), to continue widening our collection of breach data in the future. and it’s fascinating to see them reflected in the data. • The area plot reminds us that money-motivated breaches still outnumber others by a good margin. To borrow from Pink Floyd, most actors still want to “grab that cash with both hands and make a stash.”

Figure 8. Number of breaches per threat action category over time 800

Hacking

600

Malware

400

Social

200 Physical Misuse Error

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 9 Figure 9. Top 20 varieties of threat actions over time

2009 2010 2011 2012 2013

Brute force [hac] 107 Tampering [phy] 300 Brute force [hac] 581 Spyware/Keylogger [mal] 215 Use of stolen creds [hac] 422

Backdoor [mal] 104 Spyware/Keylogger [mal] 255 Spyware/Keylogger [mal] 480 Backdoor [mal] 209 Export data [mal] 327

Export data [mal] 103 Export data [mal] 233 Use of stolen creds [hac] 327 Use of stolen creds [hac] 203 Phishing [soc] 245

Use of backdoor or C2 [hac] 94 Brute force [hac] 221 Export data [mal] 309 Capture stored data [mal] 196 Ram scraper [mal] 223

Ram scraper [mal] 90 Backdoor [mal] 214 Backdoor [mal] 267 Use of backdoor or C2 [hac] 192 Backdoor [mal] 165

Adminware [mal] 90 Use of backdoor or C2 [hac] 202 Use of backdoor or C2 [hac] 237 Brute force [hac] 188 Use of backdoor or C2 [hac] 152

Use of stolen creds [hac] 28 Disable controls [mal] 188 Disable controls [mal] 169 Export data [mal] 183 Spyware/Keylogger [mal] 149

Spyware/Keylogger [mal] 28 Footprinting [hac] 185 Tampering [phy] 146 C2 [mal] 183 Downloader [mal] 144

Tampering [phy] 22 Use of stolen creds [hac] 84 Phishing [soc] 62 Phishing [soc] 181 Capture stored data [mal] 133

Privillege abuse [mis] 18 Privillege abuse [mis] 59 C2 [mal] 61 Downloader [mal] 181 C2 [mal] 119

SQLi [hac] 13 SQLi [hac] 53 Downloader [mal] 59 Scan network [mal] 101 SQLi [hac] 109

Downloader [mal] 13 Adminware [mal] 47 Capture stored data [mal] 58 Password dumper [mal] 70 Brute force [hac] 108

Capture stored data [mal] 11 Scan network [mal] 38 SQLi [hac] 53 Rootkit [mal] 106 Rootkit [mal] 106

Phishing [soc] 10 Ram scraper [mal] 17 Password dumper [mal] 51 Privillege abuse [mis] 59 Tampering [phy] 102

Footprinting [hac] 8 Downloader [mal] 15 Privillege abuse [mis] 33 Tampering [phy] 56 Disable controls [mal] 102

C2 [mal] 4 C2 [mal] 15 Rootkit [mal] 31 Adminware [mal] 33 Password dumper [mal] 75

Disable controls [mal] 2 Phishing [soc] 11 Adminware [mal] 28 Ram scraper [mal] 27 Privillege abuse [mis] 65

Scan network [mal] 1 Capture stored data [mal] 8 Ram scraper [mal] 21 SQLi [hac] 25 Scan network [mal] 62

Rootkit [mal] 0 Rootkit [mal] 0 Scan network [mal] 2 Disable controls [mal] 7 Adminware [mal] 39

Password dumper [mal] 0 Password dumper [mal] 0 Footprinting [hac] 2 Footprinting [hac] 4 Footprinting [hac] 8

Figure 9 dives deeper into the specific varieties of threat actions observed over the last five years. The overall top twenty across the five-year span is listed in successive columns, and the lines connecting columns highlight how each action changes over time.. To be honest, concise commentary on this visualization may be impossible. Yes, it’s incredibly busy, but it’s also incredibly information-dense. Let your eyes adjust and then explore whatever strikes your fancy. As an example, follow RAM scrapers through the years. They start at #5 in 2009, drop way down over the next few years and then shoot up the charts to the #4 spot in 2013. We talk about that resurgence in the POS intrusions section of this report. Literally every item in Figure 9 has a story if you care to look for it. Enjoy.

10 VERIZON ENTERPRISE SOLUTIONS Figure 10. Figure 12. Percent of breaches per asset category over time Breach count by data variety over time Bank Personal 600 600

50% 500 500

Server 400 400 40% 300 300

200 200 30%

User 100 100 Devices Kiosk 20%

Person 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 10% Network Media Payment Internal 600 600

2009 2010 2011 2012 2013 500 500

400 400

300 300 Figure 11. Number of breaches per asset category over time 200 200

100 100

Server 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

600 Credentials Secrets 600 600

User 500 500 400 Devices 400 400

300 300 Kiosk 200 Person 200 200

Network 100 100 Media 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2009 2010 2011 2012 2013

Figures 10 and 11 show how the mix of compromised assets has It would be hard to give proper treatment to a decade of data theft changed over time. It’s useful because it reveals the “footprint” of without covering the varieties of data stolen over that time period. attackers as they travel through the victim’s environment in search Thankfully, Figure 12’s got us covered in that department. of data. As defenders, it gives us a sense of what may need extra • If you compare these trends with those of actor motives from attention or protection. Figure 6 and 7, you’ll see some parallels. Financially-motivated • Servers have typically been on top, probably because attackers criminals will naturally seek out data that is easily converted to know that’s where the data is stored. cash, such as bank information and payment cards, while espionage • User devices have been growing over time, probably because they groups target internal corporate data and trade secrets. offer an easy foot in the door. • The trend for payment card theft is quite fascinating; it rises • Media is the only asset category trending down, probably because quickly to a peak in 2010, and then exhibits a negative slope. of an unusually high concentration of (partially-related) cases in There’s an uptick in 2013, but it was still the first year in the history 2009 that involved numerous thefts of documents and digital of this report where the majority of data breaches did not involve media. payment cards. • Many ask why the Network category is so low, given that most of • Authentication credentials are useful in both the criminal these breaches take place over the network. In view here are underground and the shadowy world of the clandestine, and that specific network devices like routers, switches, etc. Malicious demand is reflected here. traffic definitely passes through those, but they’re not typically compromised during a breach.

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 11 Figure 13. Figure 14. Percent of breaches where time to compromise (red)/time to Breach discovery methods over time discovery (blue) was days or less

100% 80% Time to compromise Fraud 60% 75% Detection

40% 50% Law Enforcement Internal Time to discovery 20% 25% Third Party 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Take a deep, calming breath before diving into this last one; it may Having dealt that last blow regarding timelines, readers familiar result in mental or even bodily harm. In Figure 13, we’re contrasting with the traditional flow of the DBIR may expectantly hear that how long it takes the attacker to compromise an asset with how long Mortal Kombat imperative of “Finish Him!” in their heads as we head it takes the defender to discover this. We chose to peg this on “days” into discussion of breach discovery methods. But there will be no to keep things simple and stark (one might also add “sad” to that triumphant “Fatality!” announcement here; we’re going to show mercy alliteration). instead and end on a positive note. • Ignore the behavior of the lines for a minute and focus on the wide • We’re thrilled to see that internal discoveries outnumber external gap between percentages for the two phases. It smacks us with the fraud detection for the first time in DBIR history! fact that the bad guys seldom need days to get their job done, while • It’s great that law enforcement is steadily getting better and better the good guys rarely manage to get theirs done in a month of at detecting breaches and notifying victims! Sundays. • Unrelated third parties, like CSIRTs and threat researchers, are • The trend lines follow that initial smack with a roundhouse kick to quickly rising as an important and prominent way that victims — the head. They plainly show that attackers are getting better/faster especially espionage victims — come to learn about breaches. Keep at what they do at a higher rate than defenders are improving their up the good work, folks; we’re making a dent! trade. This doesn’t scale well, people. We hope you enjoyed this little ten-year trip down memory lane • We thought about superimposing “total spending on network as much as we did. This small band of geeks is grateful to Verizon monitoring,” “number of security products on the market,” and for allowing us to spend so much time in our playground of breach “number of Certified Information Systems Security Professionals information. We’re also grateful to the many organizations that have (CISSPs) in the workplace,” but we were concerned it would result in participated in making it possible; without your contributions the much self-inflicted harm within the security community. And we’d data would have gotten stale years ago. And finally, thanks to all you much rather you guys and gals stick around and help us fix this. readers out there who download this document and consider these trends as you fight the good fight of protecting information and customers. May the next ten years find us all on the winning side of that battle.

Questions? Comments? Brilliant ideas? We want to hear them. Drop us a line at [email protected], find us on LinkedIn, or tweet @ VZdbir with the hashtag #dbir.

12 VERIZON ENTERPRISE SOLUTIONS RESULTS AND ANALYSIS

The seeds of our approach to the 2014 DBIR began to grow during of the actors that perform them, other actions used in combination the final phase of drafting the 2013 report. When trying to present with them, and the assets they tend to target. To reel in that prize, statistics around threat actions in a simple and meaningful way, we we’re going to need a bigger boat. Full throttle, Mr. Hooper! noticed certain combinations of actors, actions, and assets frequently And that brings us back to recurring combinations of actors, actions, occurring together within an incident scenario. We gave names assets, and attributes, or more formally, incident classification to three of these and included some “scratch paper” calculations patterns. In order to expose these latent patterns in the data, we showing they collectively described 68% of the entire dataset (Figure applied a statistical clustering technique (the bigger boat) by creating 15). Production deadlines prevented further exploration into that a matrix aggregating incidents within each of the common VERIS phenomenon, so we left readers with this thought: “We may be able enumerations and calculating the numeric “distance” between them. to reduce the majority of attacks by focusing on a handful of attack This enabled us to find clusters, or patterns, of strongly related VERIS patterns.” But as soon as the 2013 DBIR was put to bed, we returned enumerations within the incident dataset. “Strongly related” here to the notion of incident patterns and began studying our dataset essentially means they often occur together in the same incidents and from a very new perspective with a new set of techniques. are distinct in some way from other combinations. Figure 15. The first time through, we tossed everything in and looked at the Scratch paper calculations from the 2013 DBIR for commonly- clustering (of the hierarchical type if you’re into that) of VERIS observed incident patterns enumerations. Some clusters were obvious, like the social action of phishing with the social vector of email. However, we were looking for clusters that describe comprehensive incident classifications 111 POS smash-and-grab rather than just frequent pairings. For example, incidents involving physical tampering of ATMs by organized criminal groups to steal 190 Physical ATM payment cards stood out like a Wookie among Ewoks. So we labeled that pattern “skimmers,” removed the matching incidents, and reran + 120 Assured Penetration Technique the cluster analysis on the remaining incidents to look for the next 421 pattern. ÷ 621 Total Breaches In the end, we identified nine patterns that together describe 94% of the confirmed data breaches we collected in 2013. 68% Nine out of ten of all breaches can be described by Now, fast forward to the 2014 DBIR. We have more incidents, more nine basic patterns. sources, and more variation than ever before – and trying to approach tens of thousands of incidents using the same techniques simply won’t But (using our best infomercial voice) that’s not all! When we apply cut it. Not only would the dominant incident characteristics drown out the same method to the last three years of breaches, 95% can be the subtleties of the less frequent varieties, but we cannot continue described by those same nine patterns. to study those characteristics as though they occur in isolation. A list of the top 20 actions is helpful, but even more helpful is an accounting

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 13 But wait — there’s more! Act now, and we’ll throw in all security We dig into each incident pattern in the following sections, but you incidents — not just breaches — from all partners and the VERIS can see from Figure 16 that POS intrusions, web app attacks, cyber- Community Database (VCDB) over the last ten years — for free! Yes, espionage, and card skimmers are among the top concerns when we all for the same price of nine patterns, you can describe 92% of 100K+ focus on data disclosure. However, it’s not enough to just identify and security incidents! count the patterns as a whole.

Remember that promise from last year — “We may be able to reduce the majority of attacks by focusing on a handful of attack patterns?” Consider it fulfilled. To us, this approach shows extreme promise as a way to drastically simplify the seemingly endless array of threats we must deal with to protect information assets.

Figure 16. Frequency of incident classification patterns

2013 breaches, n=1,367 2013 incidents, n=63,437 2011-2013 breaches, n=2,861

POS Intrusions 14% <1% 31% Web App Attacks 35% 6% 21%

Insider Misuse 8% 18% 8% Physical Theft/Loss <1% 14% 1%

Miscellaneous Errors 2% 25% 1%

Crimeware 4% 20% 4%

Card Skimmers 9% <1% 14%

DoS Attacks <1% 3% <1%

Cyber-espionage 22% 1% 15%

Everything else 6% 12% 5%

Figure 17. Figure 18. Number of selected incident classification patterns over time Percent of selected incident classification patterns over time

1,000 100% Insider Misuse

750 75%

Web App POS POS Intrusions Attacks 50% 500 Intrusions Card Skimmers Web App Attacks

25% 250 Insider Misuse Card Cyber- Skimmers espionage Cyber-espionage

2009 2010 2011 2012 2013 2009 2010 2011 2012 2013

14 VERIZON ENTERPRISE SOLUTIONS Obviously not every organization needs to focus on point of sale Before continuing on to the detailed discussion of each pattern (which attacks. To make the analysis actionable, we pulled all incidents within appear in order according to Figure 18), you may want to study Figure each industry and then applied the patterns to create the work of 19. Look up the industry (or industries) that matter to you, identify art that is Figure 19. It shows the proportion of incidents within each which patterns are most relevant, and pay special attention to those industry represented by the nine patterns over the last three years. sections in the report (you’ll still want to read the whole thing, of course). For those curious about how these incident patterns trend In order to use Figure 19, identify your industry in the left hand over time, we’ve retrofitted them to pre-2013 data to produce Figures column. Refer to the NAICS website if you’re unsure where your 17 and 18. organization fits. The percentages are relative to each industry. For example, 10% of all Retail incidents fall within the “web app attack”. We’ve heard the (constructive) criticism from some of you noting that The coloring should help you quickly identify “hot spots” for your it’s difficult to pick out exactly which findings from the DBIR apply industry and/or discern differing threat profiles across multiple to your organization, and we spent a lot of time figuring out how to industries. address that. We hope you’ll agree this is a step in the right direction, not only for this report, but also for threat analysis and decision support in general.

Figure 19. Frequency of incident classification patterns per victim industry

POS WEB PAYMENT CYBER EVERY- INSIDER THEFT/ MISC. CRIME- DENIAL OF INDUSTRY INTRUS- APP CARD ESPION- THING MISUSE LOSS ERROR WARE SERVICE ION ATTACK SKIMMER AGE ELSE

Accommodation [72] 75% 1% 8% 1% 1% 1% <1% 10% 4%

Administrative [56] 8% 27% 12% 43% 1% 1% 1% 7%

Construction [23] 7% 13% 13% 7% 33% 13% 13%

Education [61] <1% 19% 8% 15% 20% 6% <1% 6% 2% 22%

Entertainment [71] 7% 22% 10% 7% 12% 2% 2% 32% 5%

Finance [52] <1% 27% 7% 3% 5% 4% 22% 26% <1% 6%

Healthcare [62] 9% 3% 15% 46% 12% 3% <1% 2% <1% 10%

Information [51] <1% 41% 1% 1% 1% 31% <1% 9% 1% 16%

Management [55] 11% 6% 6% 6% 11% 44% 11% 6%

Manufacturing [31,32,33] 14% 8% 4% 2% 9% 24% 30% 9%

Mining [21] 25% 10% 5% 5% 5% 5% 40% 5%

Professional [54] <1% 9% 6% 4% 3% 3% 37% 29% 8%

Public [92] <1% 24% 19% 34% 21% <1% <1% 2%

Real Estate [53] 10% 37% 13% 20% 7% 3% 10%

Retail [44,45] 31% 10% 4% 2% 2% 2% 6% 33% <1% 10%

Trade [42] 6% 30% 6% 6% 9% 9% 3% 3% 27%

Transportation [48,49] 15% 16% 7% 6% 15% 5% 3% 24% 8%

Utilities [22] 38% 3% 1% 2% 31% 14% 7% 3%

Other [81] 1% 29% 13% 13% 10% 3% 9% 6% 17%

For more information on the NAICS codes [shown above] visit: https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 15 EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 16 POINT-OF-SALE (POS)INTRUSIONS what makes goodheadlines andmarketing fodder. understanding of riskshouldalwayscomeback tothedata,not contributors inthelatteryears). Figure 20remindsusthatour recorded in2010and2011(despite havingtentimesmore attacks in2012and2013issubstantially lower thanthenumber For instance,somemaybesurprisedthat thenumberofPOS too muchonoutliersandheadlines canreflectcognitive bias. largely remainsasmall-and-mediumbusinessissue.Focusing makes quite asplash,butfromfrequencystandpoint,this quite abitabouttheminprevious DB they really have beengoingonforyears andwe reallyhave talked Jokes aside, whilePOShacksaregettingmorepressrecently, out andgonemainstream. quite frankly notallthatintothemanymorebecausethey’ve sold about RAMscrapers beforeanyone heardofthemandwe’re in manyofthe“over time”chartsinthisreport. We were writing years. all security-hipsteronyou —we’ve beentalkingaboutthisfor POS compromisestotheforefront.Butatriskofgetting highly publicizedbreachesofseveral largeretailershave brought brick-and-mortar retailersareallpotentialtargets.Recent of nosurprise:restaurants, hotels,grocerystores,andother The industriesmostcommonlyaffectedby POSintrusionsare AT AGLANCE you canavoid increasingthatnumberin2014. that occurredin2013,alongwithrecommendationsonhow accept ouroverall analysisoftwo hundredPOSintrusions elsewhere. Asaconsolationprize,however, we hopeyou’ll the-minute news onparticularbreaches,you’d bestlook handled by anyoftheDB we divulgeclient-specificinformationonanybreaches disappointed; we don’tnamevictimsinthisreportnordo involving amajorU.S.retailerinlate2013.Preparetobe find alltheparticularsanddirtylaundryofacertainbreach We know manyofyou willcometothissectionhoping Top industries I n fact, this isthemaincauseoflargedipin2012seen Key findings Description Frequency I R contributors. tactical development in2013. as theprimaryintrusionvector. AresurgenceofRAMscraping malwareisthemostprominent involving numeroussmallfranchises. BruteforcingremoteaccessconnectionstoPOSstillleads over thelastseveral years. That’s mainlybecausewe’ve seencomparatively fewer attacksprees Given recentheadlines,somemaybesurprisedtofindthatPOSintrusions aretrendingdown Accommodation andFood Services,Retail devices arecovered intheSkimmingpattern. where card-presentpurchasesaremade.Crimesinvolving tamperingwith orswappingout Remote attacksagainsttheenvironmentswhereretailtransactions are conducted,specifically 198 withconfirmeddatadisclosure 198 totalincidents I Rs. The mediafrenzy I f you wantup-to- 2011-2013 Comparison ofPOSIntrusionsand Web AppAttackspatterns, Figure 20. interesting variations. taken to compromisethepoint-of-saleenvironmentoffersome While themajorityofthesecaseslookvery muchalike, thesteps yours for breakfast, thenwash‘emdown withashotofvodka. Such groupsarevery efficientatwhatthey do;they eatPOSslike to organizedcriminalgroupsoperating outofEasternEurope. can beconclusively attributed(andtherestmostlikely aswell) in. Alloftheseattackssharefinancialgainasamotive, andmost collect magneticstripedatainprocess,retrieve data,andcash is asfollows: compromisethePOSdevice, installmalwareto From anattackpatternstandpoint,themostsimplisticnarrative 20% 40% 60% 2009 Web AppAttacks POS Intrusions 2010 2011 VERIZON ENTERPRISE SOLUTIONS 2012 2013 3

POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 17 55% 53% 38% 35% 9% 9% 9% 2% 1% 1% <1% <1% <1% VNP SQLi Unknown Brute force Command hell Web application Web Physical access Backdoor or C2 Backdoor Offline cracking Desktop sharing 3rd party desktop Use of stolen creds Use of backdoor or C2 Use of backdoor Figure 22. POS Intrusions (n=187) Hacking variety within Figure 23. within POS Intrusions (n=187) Hacking vector While not as common as the simpler POS intrusions, our datasetWhile not as common as the simpler POS intrusions, incidents from the first quarter of 2013 does include several location, leading to that feature a compromise at a corporate and maliciouswidespread compromise of individual locations Some cases have code installations across a multitude of stores. of the begun with a store compromise that led to penetration architecture allowed but the hub-and-spoke network, corporate and the impact of the of the network for efficient traversal 0” was compromise was magnified regardless of where “device located. was that the same password was used for all organizationswas used for password the same was that became it essentially it was stolen, Once the vendor. by managed of gained knowledge also and the attackers password a default familiar this information, the base. Armed with the customer and code that captured of installing malicious modus operandi desired data began. the transmitted 85% 79% 50% 37% nternet for open remote-access ports I 8% 2% 2% 1% <1% <1% n one case the credentials stolen belonged to a I nternet and, to make matters worse, protected with matters worse, to make nternet and, or C2 [hac] I Phishing [soc] Backdoor [mal] Backdoor Use of backdoor Brute force [hac] Export data [mal] RAM scraper [mal] RAM scraper n years past, we analyzed attack sprees that spanned multiple past, we n years t’s interesting, but not necessarily surprising, that RAM interesting, but not necessarily surprising, t’s Offline cracking [hac] Offline cracking Use of stolen creds [hac] Figure 21. Intrusions (n=196) 10 threat action varieties within POS Top Misconfiguration [err] Misconfiguration VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA point-of-sale vendor and were compromised via Zeus malware were and point-of-sale vendor The big problem among these systems. infecting the vendor’s I the use victims with no association with each other beyond This report features almost 200 of truly awful passwords. 200 victims for one saw over we incidents, but in prior years biggest sprees in our 2013 dataset, The two criminal group. of the same company, and the franchisees several one involving are a bit different, and other affecting multiple corporations, lead us to our second common scenario: the use of stolen vendor credentials. scraping has usurped keyloggers as the most common malware has usurped keyloggers scraping functionality associated with POS compromises. One could common varieties (most of which were theorize that keyloggers and Artemis) are more easily spotted such as Perfect Keylogger witnessed in this data set. Or code we than the memory-scraping which hook into specific processes of perhaps the RAM scrapers, the POS software, simply do the job better and more efficiently. I The top three threat actions tell the story rather well (Figure 21). well rather The top three threat actions tell the story scan the The perpetrators and if the script identifies a device as a point of sale, it issues and if the script identifies a device then They credentials (Brute force) to access the device. likely (Export to collect and exfiltrate install malware (RAM scraper) data) payment card information. of RAM scraping One finding that intrigued us is the renaissance data. RAM scrapers malware as the primary tool used to capture while processed in payment card data to be grabbed allow than when stored on memory (where it is unencrypted) rather (where it is (ostensibly) across the network disk or in transit encrypted). weak or default passwords (and sometimes no passwords). (and sometimes passwords or default weak Let’s start with the most frequent scenario, which affects small which scenario, most frequent with the start Let’s a lucrative just how not realize may or may that businesses of begins with the compromise chain This event are. target they to are open the devices with little to no legwork; the POS device the entire Spyware/Keylogger [mal] Spyware/Keylogger EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 18 ill-gotten gainsforfraud andotherillicitpurposes. payment cardbreachesonlyafterthecriminalsbeginusingtheir intrusions inourdataset.Longstoryshort,we’re stilldiscovering is thetopmethodofdiscovery andthetopcontributorofPOS will uncover other victims,whichexplains whylawenforcement discovery methods. by lawenforcementandfraud detectionasthemostcommon different thaninyears past,andwe continuetoseenotification else toldthevictimthey hadsufferedabreach. This isno is anothercommonalitysharedin99%ofthecases:someone methods were usedtostealpaymentcardinformation,there Regardless ofhow largethevictimorganizationwasorwhich Top 5discovery methodsforPOSIntrusions(n=197) Figure 24. Ext -fraud detection Int -reportedby user the respective relevant infected vital infrastructure were informedofbeinginfected,and criminal investigation. Sixteenorganizationswithinthe with a2012malwareoutbreakthathadprompted By then,thedropzonehadbeenexamined forcorrelations identified asvictims. some time)beeninfected;ofthatgroup,23,000self- 500,000 peoplechecked toseeiftheirmachineshad(at . Afteranonlinecheckingtoolwasmadeavailable, findings onpartofadropzonetheso-calledPobelka February of2013,publicbroadcasterNOSpresented Nevertheless, the NHTCU continuetofightbotnets. botnet don’tseemtooutweigh thebenefitsofitstakedown. part ofthesedamages. The initialcostsforfightingsucha might belarge,specificcountriesonlydealwithasmall on anationallevel. While thetotaldamageofsuchabotnet authorities aren’talwaysabletoamassresourcesfightit impact ofabotnetisoftenspreadaroundtheglobe,federal it comestomitigatingthesecrafty menaces.Sincethe Furthermore, they noteanapparentincentive problemwhen Army knifeofcybercriminals According totheNHTCU, theimpactofbotnets—Swiss BOTNET MITIGATION: ANINCENTIVEPROBLEM Ext -customer enforcement All External All Internal Int -NIDS Ext -law I SPs. I I n manycases,investigations intobreaches P addresses had been communicated to P addresseshadbeencommunicated to <1% <1% 1% 11% 14% ­— remainedhighin2013. 75% I n n

99% Timespan ofevents withinPOSIntrusions Figure 25. their bounty. based entirelyonwhenthecriminalswanttostartcashingin passwords. Mostoftenittakes weeks todiscover, andthat’s quick, asonewould expect whenexploiting stolenorweak vectors andthediscovery methods.Entryisoftenextremely The timelinesinFigure25reinforceboththecompromise Discovery n=178 Exfiltration n=169 Compromise n=169 51% %0 0% 0% 0% 1%

Seconds 88% 36% Minutes 1% 1%

Hours 21% 1% 1%

Days 85% 11% 11%

Weeks 5% 13% VERIZON ENTERPRISE SOLUTIONS

Months 1% 1% 0%0% Years 0% 0% 0%

Never POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 19 n I n terms I nternet access. I t built a new central forensic laboratory forensic laboratory central t built a new I R featured an appendix from Troels Oerting, Troels an appendix from R featured I t distributed alerts, intelligence notifications, andt distributed alerts, intelligence notifications, on the t also reports a boom in criminal infrastructure combating these trends, the EC3 has prioritized identifying and cases, with the potential operations criminal network for major and lasting impact. of operations, the EC3 prioritizes four areas: cyber the EC3 prioritizes four areas: of operations, abuse. sexual and child online fraud, intelligence, intrusion, focused much of the first year venture, As with any new and capabilities to fulfill these on building infrastructure connections to EU and non-EU priorities. Secure network forensic as centralized rolled out, as well partners were analysis environments and tools. more than 100 law enforcement experts The EC3 trained tools, and obtaining the EU in cyber investigation, all over forensic evidence. evidence. to assist member state colleagues in obtaining I Memorandums threat assessments to stakeholders. private signed with key of understanding (MoUs) were Advisory Group consisting of and a new stakeholders, outside the law enforcement community was experts to be among them). is happy established (Verizon member states in the EC3 across by observed Trends malware,2013 include substantial increases in intrusions, botnet activity.phishing, grooming, DDoS, espionage, and I in malware affecting mobile devices, darknet, growth and wider distribution of malware from cloud services. REFLECTIONS AFTER THE EC3’S FIRST YEAR IN FIRST THE EC3’S AFTER REFLECTIONS OPERATION DB Last year’s Cybercrime Centre of the European Assistant Director of the newly the plans and priorities (EC3), discussing Law enforcement agencies division of Europol. established get not often we report, and it’s play a critical role in this thought it Thus, we stages. to see them in their formative on EC3’s be interesting to include some reflections would of operations. first year 28 European a small one: it serves The job of the EC3 isn’t and dozens of countries, andUnion (EU) member states for 500 million citizens, almostcoordinates protection have three-quarters of whom f a third party I n). The security ofThe n). I t just happens that we that we t just happens I e it difficult for miscreants to log into a Use two-factor authentication Use two-factor Debunk the flat network theory Debunk the flat network activity Look for suspicious network Deploy AV Deploy “S” is for “Sale,” not “Social.” not “Social.” “S” is for “Sale,” Enforce password policies Enforce password Restrict remote access Restrict remote Stronger passwords would cut out a huge chunk of the problem, would Stronger passwords to but larger organizations should also consider multiple factors authenticate third-party and internal users. nstall and maintain anti-virus software on POS systems. nstall and maintain anti-virus software on VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA Monitor network traffic to and from the POS network. There to and from the POS network. traffic Monitor network pattern, and while easier said than should be a normalized traffic must be identified and investigated. done, anomalous traffic Review the interconnectivity between stores and central stores and central the interconnectivity between Review locations and treat them as semi-trusted connections. Segment network. the POS environment from the corporate Larger, multi-store companies and franchises should consider a should and franchises multi-store companies Larger, the impact of acouple of additional recommendations to limit a mass compromise. single-location breach and prevent FOR LARGE/MULTI-STORE COMPANIES FOR LARGE/MULTI-STORE I Bottom line: Mak that accepts the most targeted piece of information for device criminals. financially motived handles this, require (and verify) that this is done, and that they that this is done, and that they handles this, require (and verify) for other customers. do not use the same password email, use social media, play games, or do the web, Do not browse on POS systems. anything other than POS-related activities Make absolutely sure all passwords used for remote access absolutely sure all passwords Make the name of the POS defaults, factory to POS systems are not or otherwise weak. dictionary words, vendor, Limit any remote access into POS systems by your third-party your into POS systems by Limit any remote access serious business discussions and have management vendor, will perform their duties. and when they regarding how The shared vector for the major scenarios is third-party remote- is third-party for the major scenarios vector The shared LogMe (e.g., pcAnywhere, access software RECOMMENDED CONTROLS RECOMMENDED COMPANIES FOR ALL these products is not the issue here. is not the issue here. these products insecure manner. a very implemented in often find them EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 20 External actormotives within Web AppAttacks(n=1,126) Figure 26. section. relevant, discussionoftheseistaken upintheEspionage perpetrated by thosemotivatedby espionagearecertainly treatment foreachmaybeslightlydifferent. While attacks and ideologicalattacksdeserve uniquediscussionsincethe distinct sub-patternsdividedalongthesemotives. The financial to espionage.Aftersomeslicinganddicingwe foundsomevery of financiallymotivatedactors;withthesmallremainderlinked ideology andlulz;justunderoneoutofthreecameby thehand web appattackswere attributabletoactivistgroupsdriven by attacks inthe2013dataset.Justundertwo outofevery three Greed takes abackseattoideologywhenitcomesweb app aren’t there). conclusions dropsaswe digfurtherintothedetails(whichoften application databreachesatahighlevel, ourabilitytodraw categorizations. While we have enoughmaterialtodiscussweb utilized went largelyunreportedorwere recordedwithbroad small subsetoftheoverall dataset),thespecifictechniques incidents. Unlessaforensicsinvestigation wasperformed(a complexity ishamperedby thelevel ofdetailprovided onthese applications acomplex task.Regrettably,ourdiscussionofthis of techniquesavailabletoattackers make defendingweb There’s noquestionaboutit–thevarietyandcombination WEB APPATTACKS AT AGLANCE Top industries Ideology/Fun Key findings Description Espionage Frequency Financial 2% I level vulnerabilities intheapplicationaswell asthwartingauthenticationmechanisms. Any incidentinwhichaweb applicationwasthevector ofattack. This includesexploits ofcode- control ofservers foruseinDDoScampaigns. targeted off-the-shelfcontentmanagementsystems(e.g.,Joomla!, Wordpress, orDrupal)togain by usingstolencredentialstoimpersonateavaliduser. Manyoftheattacksinour2013dataset Web applicationsremaintheproverbial punchingbagofthe tw nformation, Utilities,Manufacturing, Retail 490 withconfirmeddatadisclosure o ways:by exploiting aweakness intheapplication(typicallyinadequateinputvalidation),or 33% 3,937 totalincidents 65%

web shells(remotefileinclusion,etc.)in five of the34. in theretailindustry,followed by techniquestoinstall anduse leveraged in27ofthe34(80%)attacksagainstweb applications in web applicationsworks plentywell enough.SQLinjection was existent, mostlikely becauseexploiting vulnerabilities inherent web application.Socialactions(suchas phishing)aremostlynon- the incidents),whichisoftenaccessiblesimplyby exploiting the primary aimispaymentcardinformation(targetedin95%of Within theretailindustry,we seeaslightlydifferentfocus. The Europe. somewhere alongtheattackchainhailfromEastern the majorityofexternal attackers utilizingstolencredentials the user-managementsystem. When attributionispossible, credentials, bypass theauthentication,orotherwisetarget injection orotherapplication-level attacksasameanstoretrieve and c)rarer casesoftargetingtheapplicationthroughSQL system, b)theoldstand-by ofbruteforcepassword guessing, into supplyingcredentialsorinstallingmalwareontotheclient usual suspects:a)phishingtechniquestoeithertricktheuser them toshow uphere. The tacticsusedby attackers areallthe but theuseofweb applicationsasavector ofattackcauses (and somedidslipthroughcracks inthealgorithmtolandthere), goal. These couldhave beenincludedinthesectiononcrimeware protected withasinglefactor (password) astheconduittotheir target usercredentialsandsimplyusetheweb applications application grants logicalaccesstothemoney. This meansthey more sothanexploiting theweb applicationitself,becausethe access totheuserinterface oftheweb (banking)application accessible). Within thefinancialindustry,they focusongaining that easilyconverts tomoney isabundantand,alltoooften, industries arethefinancialandretail(wheredata access tothemoney, soitfollows thattheirtwo primarytarget Financially motivatedattackers arehyper-focusedongaining FINANCIALLY MOTIVATED ATTACKS I nternet. They’re beateninoneof VERIZON ENTERPRISE SOLUTIONS POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 21 88% RTs) RTs) I 74% WhiteHat Website Security WhiteHat Website 12% 6% 4% 3% 2% 2% 2% 2% 1% 1% “What’s needed is more secure software, “What’s 5 Ext - audit Int - IT audit Int - IT Total Internal Total Total External Total Ext - customer fraud detection fraud law enforcement Int - fraud detection Int - fraud Ext - actor disclosure Ext - unrelated party NOT more security software.” NOT What we found is a non-finding and the only valid conclusion found is a non-finding What we is needed to understand more work from this is that to draw and application vulnerabilities web the relationship between can only speculate a non-finding, we With security incidents. results. Perhaps this is telling us are seeing these on why we three out of four know We that no industry is doing enough. occur in hours or less of first contact, compromises web-based 70 days in 10 days versus and maybe fixing vulnerabilities one only exploits doesn’t help all that much. Plus, the attacker could But a different explanation vulnerabilities. (maybe two) could learn be that our lens was focused too wide, and we WhiteHat data with specific matching the high-quality more by the causes, Whatever incident data within the same sample. enough application attacks occur often that web do know we to repeat what is said in the Statistics Report, contacting victims to let them know their hosts were involved in involved their hosts were contacting victims to let them know ideological attackers by This is heavily influenced other attacks. than, for rather quietly using the platform to attack others in the dataset). (which are rare instance, simple defacements though the timeline data is a little sparse, it paints the Even compromisespicture of quick entry with 60% of the initial reflects the highlyThis occurring within minutes or less. it works in this pattern; if it works, CMS exploits repetitive in days 85% of the incidents are discovered quickly. Just over longer to discover. or more, with about 50% taking months or good reaction time, with see fairly though, we Once discovered or less to respondabout half of the organizations taking days is better than the norm, which This is far and contain the incident. or longer. typically weeks Figure 27.Figure incidents motivated for financially methods discovery 10 Top (n=122) App Attacks Web within for activists. 99% method looks a little bleaker Discovery parties (primarily CS external of the notifications were Ext - Ext - monitor service Int - reported by user Int - reported by Ext - we were expecting. were we 4 COMPARING ATTACKS TO PATCH TIMEFRAMES TO PATCH ATTACKS COMPARING that (quickly) patching web it be great to know Wouldn’t partnered we This year helps? application vulnerabilities in order to combine and compareWhiteHat Security with collected against the vulnerability the incident data we’ve from tens of thousands collect assessment data they of the most well-known across hundreds of websites decided first to organizations. After some back and forth, we emerge industries (because patterns break out the data by data decided to compare two across industries), then we to the incident data: the average vulnerabilities points on web site and median days to patch. per (mean) vulnerabilities and vulnerabilities assumed that industries with fewer We be less represented in the breach patch time would quicker applied some good incidents) and so we fewer data (i.e., have when admittedly let down and were statistics old-fashioned didn’t see the relationship we deological actors (whether their motivation is social, political, ordeological actors (whether deology represents the largest identified portion of motives motives identified portion of the largest deology represents VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA DISCOVERY METHODS AND TIMELINE METHODS AND DISCOVERY the discovery When the actor is financially motivated and we that method notification leading a see we recorded, is method customers noticedon’t see anywhere else: customers. Perhaps else, but something is activity before anyone the fraudulent With mechanism. definitely tipping them off before any internal methods combined, only 9% of victims all internal discovery accord. data breaches of their own discovered I less concerned about getting at the crown just for plain fun) are all senses of the are about getting a platform (in than they jewels not surprising that we in mind, it’s With that to stand on. word) going after types of results from ideological attackers see two send a message or hijacking the to defacements server: a web DDoS) other victims. to attack (including by server server just the web This focus on opportunistically owning compromised in thebecomes plain when looking at the assets was the only asset recorded in nearly all server The web attack. The actors didn’t incidents attributable to ideological motives. and wider into theappear to be interested in pushing deeper This result may be the product of simply not reporting network. this — so don’t take those secondary components of the incident — but it is logical and a server as advice to only focus on the web to other types of attacks in our dataset. point of contrast for web application attacks, and the actors also tend to be actors also tend to attacks, and the application for web true focus on tried and 74% diverse. the most geographically inputs in executed all else, unvalidated above targeting, exploits larger scale than Content on a is this exploited code. Nowhere and as Joomla!, Drupal, Systems (CMS) such Management in the added plugins than the then, more and even WordPress, core CMS code itself. IDEOLOGICALLY MOTIVATED ATTACKS: MOTIVATED IDEOLOGICALLY I EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 22 Ext - within Web AppAttacks(n=775) Top 5discovery methodsforideologicallymotivatedincidents Figure 28. Ext - Timespan ofevents within Web AppAttacks Figure 29. Ext - Ext -unrelatedparty Int -fraud detection Containment n=41 Discovery n=70 Exfilteration n=33 Compromise n=43 Int -reportedby user law enforcement actor disclosure 19% fraud detection 0% 3% 0% Ext -customer Total External Total Internal Int -unknown Seconds Int -antivirus

42% 27% 2% 3%

Minutes Other 11% 12% 21% 5% Hours 1% <1% <1% <1% <1% <1% <1% <1% 2% 4% 17% 21% 42% 23% Days 16% 18% 22% 0% Weeks 41% 29% 5% 9% Months 11% 0% 0% 0% Years 0% 0% 0% 0%

Never 93% 98% an automatedpatchprocess. need toexecute codeontheserver forevery request. static CMSwillpre-generate thosesamepages,removing the executing code forevery requestandgenerating thecontent, rethink CMSistoconsiderastaticframework. is especiallytrueforthethird-partyplugins.Anotherwayto isn’t viable,thendevelop amanualprocessandsticktoit. This And we mean“rethink”inevery way. your customers. consider mandatingalternative authenticationmechanismfor verification. web applicationseekoutalternatives tothismethodofidentity draw you outofaknown comfortzone,ifyou’re defendinga authentication onanything The writing’s onthewallforsingle-factor, password-based RECOMMENDED CONTROLS down your web server’s abilitytodoso. Europe orDoS’ingothersispart ofthebusinessplan,trytolock your server hasalegitimatereasontosendyour data toEastern compromised data,orattackingothersoncommand.Sounless pulling additionalmalwaretocontinuetheattack,exfiltrating web server intoaclient.Criticalpointsintheattackchainare firewall bypass protocol(HTTP),manyotherschangethevictim’s While manyweb-based attacksrelyheavilyontheexisting that peskybotpokingatyour accountsevery now andthen). dissipate anddisappear(althoughyou maystillbedealingwith the rate ofsuccessfulbruteforceattemptswillmorethanlikely or temporarily lockingaccountswithmultiplefailed attempts, measures, suchasaslowing down therate ofrepeatedattempts but they’re stillworthy ofmention.Byinstitutingcounter- Brute forceattacksaren’ttheleadingmethodinthissection, when they’re found. to have somethinginplace(e.g.,acontract) tofixtheproblems have accesstothesourcecodeand/ordevelopers, besure vulnerabilities beforetheattackers do(andthey will). application won’t beexploited istoseekoutandfixthe the advicestillholdstrue. The bestwaytobesureyour web Even thoughwe’ve beentiltingatthiswindmillforyears, activ e platform(Joomla!,Drupal, WordPress, etc.),thensetup Rethink CMS Rethink CMS Single-password fail Monitor outboundconnections Enforce lockout policies Validate inputs I f you’re avendor intheweb applicationspace,also I nternet-facing. Even thoughitmay I f an automated patch process f anautomatedpatchprocess I f you’re committedtoan VERIZON ENTERPRISE SOLUTIONS I nstead of nstead of I f you don’t POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 23 S are not mutually I total incidents exclusive, and it’s common to see more than one in a single common to see more than and it’s exclusive, hardware and email misuse/data incident. Unapproved actions in themishandling (tied) round out the top three the data is more a function of how misuse category, but they’re hardware acquired. Unapproved it’s than how rather exfiltrated that are USB drives like using devices refers to employees but subject to various either forbidden altogether or allowed sending intellectual property out to his restrictions. An employee also We of email misuse. or her personal address is an example abused the email cases where system administrators reviewed system, posing as another user and sending messages under that identity, with the goal of getting them fired. Data mishandling uses data in a manner counter to place when someone takes a call center employee example, policies. For the organization’s or an on paper, who writes customer credit card numbers down taking restricted documents home engineer who skirts policy by computer. on a personal to examine Figure 30 lists the top threat actions observed across incidents Figure 30 lists the top threat actions observed are within thefitting the misuse pattern. Note that not all Not on that later. misuse category [mis]; stay tuned for more privilege abuse — taking advantage of the unexpectedly, using and an employer by system access privileges granted realize that We acts — tops the list. them to commit nefarious of activities, but the overall broad range encompasses a very misuse occurs withintheme and lesson differ little: most insider normal duties.the boundaries of trust necessary to perform it so difficult to prevent. what makes That’s VER Remember that action varieties in 88% 11,698 112 with confirmed data disclosure 112 with confirmed data All incidents tagged with the action category of Misuse — any unapproved or malicious use of the action category of Misuse — any unapproved All incidents tagged with mainly insider misuse, but outsidersThis is within this pattern. — fall organizational resources up as well. show privileges) are granted partners (because they (due to collusion) and Mining Manufacturing, Transportation, Public, Real Estate, Administrative, mostThe gain. for financial or personal trusted parties are perpetrated Most crimes by targeting an increase in insider espionage were 2013 dataset, however, noticeable shifts in the we say “2013 dataset” because We of tactics. secrets, and a broader range internal data and trade seeing the benefit of of such crimes increased significantly; we’re the actual rate do not believe increased visibility from insider-focused partners. 18% 16% 11% 11% 7% 5% 4% 4% 4% Frequency Theft [phy] Description Unapproved Unapproved Unapproved Unapproved Unapproved Unapproved n many cases, organizations also have custody of vast n many cases, organizations also have Bribery [soc] I Key findings Key

software [mis] hardware [mis] Top industries Top

workaround [mis] workaround Email misuse [mis] AT A GLANCE AT Embezzlement [mis] Privilege abuse [mis] Data mishanding [mis] Use of stolen creds [hac] VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA amounts of data about the customers they serve, the employees the employees serve, amounts of data about the customers they rely upon to do them, and the relationships they who serve organization, but also toThis data has value to the business. personal benefit or myriad seek it for their own those who would focus on those who the misuse pattern, we other reasons. For a trusted place inside the organization. Arguably, already have in the headlines thisthe most prominent case of internal misuse Edward contractor has been that of U.S. government past year that of the damage example While this is an extreme Snowden. the risk that exists determined insiders can inflict, it illustrates when an organization must place trust in individuals. An organization’s intellectual property is among its most intellectual property An organization’s to compete in thevaluable assets, frequently driving its ability market. INSIDER AND PRIVILEGE MISUSE PRIVILEGE AND INSIDER Figure 30. within Insider Misuse (n=153) 10 threat action varieties Top EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 24 Top 10varietiesofinternalactorswithinInsiderMisuse(n=99) Figure 32. our blessing. down cubefarms infavor ofmoreopenfloorplans—you have these statisticstoloosenupwork-at-home policiesandtear from therelative safetyoftheirhouse. the nosesofcoworkers, rather thanhoppingthroughproxies employees perpetrated theiractswhileintheofficerightunder access withinthecorporate facility. This meansthemajorityof 71% oftheseincidents,and28%tookadvantagephysical I by takingtheonlycopy. property, oftendenyingavailabilitytotheoriginalorganization taking documentssuchasblueprintsandotherintellectual backdoors. These cadshave even resortedtophysicaltheft, social engineering,andtheuseofmalwarelike keyloggers and others’ credentials)andcircumvent controls,variousformsof hacking techniquestoelevate privileges(oftenby stealing to abusingentrustedprivilegesandresources,we observed the datawhentheirown accessisinsufficient. parties, we couldmoreeasilyseehow they goaboutacquiring With moreincidentsthanever beforeinvolving trusted Vector forthreatactionswithin InsiderMisuse(n=123) Figure 31. t’s alsoworth notingthatthecorporate LANwasthevector in Physical access Remote access Non-corporate System admin LAN access Developer Call center End-user Manager Executive Finance Auditor Cashier Other Other 1% 2% 1% 21% 6% 6% 7% 7% 28% 9% I f someone wants to use f someonewantstouse 13% 13% I n addition n addition 17% 71% 23% status inthecompany. from following securitypoliciesbecauseoftheirprivileged competition and,tragically, arealsomorelikely tobeexempted access totrade secretsandotherdataofinteresttothe with uppermanagementwrittenallover him. They oftenhave prior years. You know thetype;oneofthosestraight shooters managers (includingthoseintheC-suite)camehigherthan payment chainpersonnelandend-userswere stillprominent, Let’s take alookatthepeoplecommittingthesecrimes. While Variety ofexternal actorswithinInsiderMisuse(n=25) Figure 33. Actor motives withinInsiderMisuse(n=125) Figure 34. contributors, MishcondeRe competitor, insidercrimeisstill“allabout theBenjamins,baby.” on thequicktocriminals orinternalsecretseventually soldtoa activity thanever before.So,whetherit’s fraud-ready datasold addition ofmorecontributorswho have aview into thistypeof This kindofthingiscertainlynot new — it’s largelyduetothe • • involve perpetrators taking thedatato: According toTheRecover Report trade secretsthanever before. insider espionagetargetinginternalorganizationaldataand information to use for fraud. AsFigure34shows, we sawmore Nearly allmisuseincidentspriorto2013centeredonobtaining must take intoaccountthatsuchplayers areonthefield. business advantages. To mountaproperdefense, organizations only tothem.Competitorssolicitintellectualpropertygain employees exploit stillactive accountsorotherholesknown criminals bribeinsiderstostealdataforfraud schemes.Former or indirectlyparticipatedinincidentsofmisuse.Organized 33 gives anaccountofexternal andpartneractorswhodirectly only oneswhomisuseentrustedprivilegesandresources.Figure As mentionedinthebeginningofthissection,insidersaren’t prisons” won’t dofortheirilk.

Help secureemplo Start theiro Former employee Organized crime Acquaintance Convenience Unaffiliated Competitor Espionage Financial Grudge wn competingcompany(30%). N/A Fun yment witharival(65%). 6 2% One of those “white-collar resort Oneofthose“white-collarresort 3% 4% 10% ya, thetwo mostcommonscenarios 18% 8% , 7 publishedby oneofourDB 16% VERIZON ENTERPRISE SOLUTIONS 24% 24% 72% 36% I R R POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 25

8 55% 45% 16% 13% 11% 10% 9% 8% 6% 6% 6% P theft cases, insiders stole theP theft cases, insiders I 3% Ext - law nsider Threat Center (another partner of ours)Threat Center (another partner nsider Ext - audit I Int - IT audit Int - IT enforcement Int - unknown Total Internal Total Ext - unknown Total External Total Ext - customer T audits were also very common. Reviewing the books on Reviewing common. also very were audits T I Int - financial audit Int - fraud detection Int - fraud Ext - fraud detection Ext - fraud Figure 37. methods within Insider Misuse (n=122) 10 discovery Top Monday morning is an example of the former, and a promising of the former, example Monday morning is an access for review of the latter is a regular process to example employees. exiting The CERT days of announcing their resignation. information within 30 focuses research on insider breaches, and it determined thatfocuses research on insider in more than 70% of the Discovery methods for the majority of breaches have have of breaches the majority methods for Discovery insider For signals. external by dominated been traditionally for (55%) are responsible internal methods misuse, however, The most methods (45%). incidents than external detecting more when insider crimes was organizations detected common way financial by triggered them. Discoveries reported employees and On quite a few occasions, a review of the activity of outgoing of the activity occasions, a review On quite a few information allowed sensitive with access to employees to detect the incident and act quickly toimpacted organizations damage the information (hopefully before irreparable retrieve had been done). Int - reported by user Int - reported by 26% 34% 25% 29% 22% 27% 18% 12% 14% 10% 9% 8% 8% 9% 6% 5% 3% 3% 2% 1% File (media) (server) (server) (server) Bank (people) (people) (people) Other Other (user dev) (user dev) Other Laptop Cashier Secrets Medical Internal Desktop Personal Payment Unknown Unknown Database Classified Credentials Payment card Web application Web Figure 36. within Insider Misuse (n=142) 10 assets affected Top VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA Desktops are the most frequently compromised asset in thisDesktops are the most frequently compromised computers are sense because desktop pattern, which makes to the rest of the network primary interface an employee’s stored, uploaded, this is where the data is Typically, (Figure 36). onto removable or emailed out of the organization, or copied both repositories of so much media. Databases and file servers, Paymentvaluable information, are also targeted regularly. actual rather cards doesn’t refer to the variety of data, but (or run through handheld skimming devices cards that were waiter” scenario. As far otherwise copied) in the classic “evil see insiders abusing corporate-owned we as asset ownership, for assets allowed (“BYOD”) than employee-owned rather often leverage they do see evidence we use. However, corporate to help them get the data out of the personal devices unapproved hardware). up as use of unapproved organization (which shows Figure 35. Figure Misuse (n=108) Insider data within of at-risk Variety EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 26 (which ain’tsogreat). number ofincidents(70tobeexact) thattookyears todiscover within days(whichisgreat),butthere’s alsoanotinsignificant of incidents. The majorityofthemisuseincidentswere detected very differentfromtheoverall timelinewe seeforothertypes Note thediscovery timelineformisuseinFigure38—itlooks Discovery timelinewithinInsiderMisuse(n=1,017) Figure 38. Seconds Minutes Months Weeks Hours Years Days <1% 4% 7% 8% 22% 28% 32% retrieving itquicklytocontaintheincident. preventing the datafromleavingtheorganization,orin warranted, beforethat). This hasproven successfulineither accounts assoonanemployee leaves thecompany(and,if employees give noticeorhave beenreleased.Disableuser implement aprocesstoreview accountactivitywhenthose Having identifiedthepositionswithaccesstosensitive data, that warrant doingit. they have accesstoitalready),buttherearemanyotherbenefits and detectmisuse. and whohasaccesstoit.Fromthis,buildcontrolsprotectit The firststepinprotectingyour dataisinknowing whereitis, occurring, oratleastincreaseyour chancesofcatchingitquickly. are somestepsthatcanreducethelikelihood ofanincident apropos). While it’s impossibletostopallrogueemployees, there and execute aforcedtakeover ofthebusiness,soitisrather (though Walter did***SPO in a Walter White sense;more like awhitecollarcrimesense parties is,rather obviously, anemployee breakingbad.No,not The rootcauseofdatatheftandotherillicitactsby trusted RECOMMENDED CONTROLS act asapowerful deterrenttobadbehavior. consequences andthatthepoliciesarebeingenforced. This can results ofauditsaccess.Letemployees know thatthereare From anawarenessperspective, regularlypublishanonymized worth exploring. taken tostealsensitive information,andthesearecertainly data lossprevention productscover themostcommonactions places tosetupcontrolsdetectthistypeofactivity.Many data tr I n thetopmisusevarieties,we seeactionsthatfacilitate the Review useraccounts Know your dataandwhohasaccesstoit Publish auditresults Watch fordataexfiltration ansfer outoftheorganization—theseareexcellent I t won’t prevent determinedinsiders(because I LER ALERT*** murderhisboss VERIZON ENTERPRISE SOLUTIONS POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 27 43% 23% laptops. 10% ncident reports — especially to I 5% 4% 4% 3% 2% 2% 2% 9 Public facility Public vehicle Victim grounds Partner facility Partner vehicle Personal vehicle RTs — often don’t specify the asset lost or stolen. Thus, — often don’t specify the asset lost or stolen. RTs Victim work area Victim work I n a surprising finding, we discovered that assets are discovered we n a surprising finding, Victim public area I Victim secure area Personal residence Figure 40. Theft/Loss (n=332) 10 locations for theft within Top Speaking of laptops, they’re the most common variety of asset Speaking of laptops, they’re reported with this pattern. CS why can infer and explains is all we “some kind of user device” what you’d that, it’s is so frequent. Beyond “Other (user dev)” computers, documents, and drives. expect: of loss to theft; losing thing to note is the ratio The next a 15-to-one theft, by information assets happens way more than it suggests the vast important because difference. And that’s due to maliciousmajority of incidents in this pattern are not challenge is to a) keep Thus, the primary or intentional actions. from losing things (not gonna happen) or b) minimize employees is on option b, though The smart money do. the impact when they do hold some future promise bio-implanted computing devices going to say about loss, but about all we’re That’s for option a. more lessons for us. theft still has a few noteworthy that this is the only incident pattern that applies noteworthy problems with people that have farmers across the board. Even come and try to snatch their crops total incidents 892 9,704 ate offices more often than personal vehicles or residences. And while than personal vehicles ate offices more often whatever was whatever 10 308 116 with confirmed data disclosure 116 with confirmed data stolen from corpor Pretty much what it sounds like — any incident where an information asset went missing, whether where an information asset went — any incident like Pretty much what it sounds or malice. through misplacement Healthcare, Public, Mining often than theft. Loss is reported more most losses/thefts are reported information is commonly exposed, personal and medical of fraud. than because rather because of mandatory disclosure regulations 140 108 102 37 36 27 12 11 (media) (media) (media) (media) (media) (server) (server) Other Other Other Tapes (user dev) (user dev) (user dev) Laptop Desktop Database Frequency Disk drive Flash drive Description Documents Key findings Key

Top industries Top

AT A GLANCE AT VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA Figure 39. Theft/Loss (n=9,678) 10 action varieties of Top

To be honest, we debated whether or not to include a section on debated whether or not to include be honest, we To that however, decided, We lost and stolen assets in this report. that such incidents simply couldn’t ignore the blatant fact we or “cyber-y” — are among the most common — while not sexy This organizations. reported by causes of data loss/exposure Healthcare, where the is especially apparent in industries like data sensitive expose disclosure of all incidents that potentially to be true about know anything we is mandatory. And if there’s seem to that losing things and stealing things human nature, it’s be inherent predispositions. interesting observations Studying the findings yielded a few focus our where we’ll and that’s that may help inform practice, in mind that we’re begin, keep attention in this section. As we specifically talking about information assets; PHYSICAL THEFT AND LOSS AND THEFT PHYSICAL lost or stolen had to store, process, or transmit information in lost or stolen had to store, process, or transmit order to get our attention. evidence have we Observation #1 relates to demographics; type and size of organization loses stuff and/or has that every at least That may not be much of a shock, but it’s stuff stolen. EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 28 Uncontrolled location Variety ofat-riskdatawithin Theft/Loss (n=3,824) Figure 42. assets were lostorstolen. was compromisedor, more often,potentiallyexposed when The finalsetofobservationscovers thevarietyofdatathat privileges orbecauseitwasapubliclyaccessiblelocation. remainder hadaccessalready,eitherbecausethey were granted do have thatinfoinvolved disablingorbypassing controls. The physical accesstotheselocations,over 80%oftheftswherewe While it’s usuallynotknown/reported exactly how actorsgained on thegoarepronetomissing. as thevenue fornearly40%oftheftsandremindusthatdevices Personal residencesandpersonal/partner/publicvehicles serve save face. potty breakatthecoffeeshopsimplyreportthemas“lost”to suspect thatpeoplewhoselaptopsarestolenwhenthey take a is counterintuitive tothepointofirrationality; we can’thelpbut common, butstillposthigherthanpublicfacilities. That lastbit Notice thattheftsininternalhighsecurityareasaremuchless identifying information andmedicalrecordsinFigure 42. explains thepredominanceofregulated datalike personalor unauthorized access,andtherefore hadtobereported. This contain regulatedinformationthat isnow exposed topotential requirement. The assetwent missing,wasdeterminedto they trippedsomekindofmandatoryreporting/disclosure primary reasonmostoftheseincidentsareincludedisbecause Vector ofphysicalaccesswithin Theft/Loss (n=158) Figure 41. enough; therearestillalotofpeopleinsidethoselocked doors. simply havingsensitive information“behindlocked doors”isn’t main officespaceorcubefarm (Figure40). That suggests occur inthevictim’s work area,whichbasicallyrefers tothe We finditquitesurprisingthatthehighestproportionofthefts Bypassed controls Disabled controls Privileged access Credentials Classified Unknown Payment Personal Internal Medical Secrets Other Bank 23 1 3 4 5 5 20 21 3% I t’s worth pointingoutthatthe 508 11% 26% 3,393 60% 11

there overnight. lock itinthetrunkbeforeyou leave theofficeanddon’tleave it in aroomfullofstrangers. be awkward,butit’s saferthanleavingitinthecarorunattended to applymobiledevices inacorporate settingeither. client dinnersandvisitstotherestroom. possession andinsightatalltimes. Yes, thisappliestofancy Encourage employees tokeep sensitive devices intheir it wasencrypted?” regulator asksthatdreadedquestion:“How doyou know forsure right uptheretoo. This willcomeinhandywhentheauditoror periodically checkingtoensureencryptionisstillactive is being abletosaytheinformationwithinitwasprotected.Also, a lotofworry, embarrassment, andpotentiallawsuitsby simply pattern. Sure,theassetisstillmissing,butatleastitwillsave as closetoano-brainer solutionasitgetsforthisincident Considering thehighfrequencyoflostassets,encryptionis But thereareafew thingsyou candotomitigatethatrisk. lose stuff.PeoplestealAndthat’s never goingtochange. carelessness ofonedegreeoranother. Accidentshappen.People The primaryrootcauseofincidentsinthispatternis RECOMMENDED CONTROLS where itcounts, kid. clunky laptopcovers. Shemay not looklike much,butshe’s gotit the galaxyisamust,perhapsthere’s alucrative aftermarket for thick mid-90’s lapbrick.Or, ifbeing thefastest hunkofjunkin only thosetrulydedicatedcrooks willriskincarceration fora4” passenger seatmaybetootempting foranyone toresist,but increase lossfrequency). That shinynew MacBookAironthe actually beaneffective theftdeterrent (thoughitwillprobably Yes, it’s unorthodox asfar asrecommendationsgo,butitmight a separate, secureareaandmake surethey staythere. strategy would betomove highlysensitive orvaluableassetsto cabinet andmobiledevices (includinglaptops).Amoreeffective the majorityofsuchtheftswere documentstaken fromthefiling should atleastbeconsidered. The bigcaveat, however, isthat cabling orotherwisesecuringequipmenttoimmo I device todetermineifdisclosureisnecessary. with minimaldown time,andhelpestablishwhatdatawasonthe irrecoverable work, getyou productive againonanew device purpose. They salvageweeks/months/years’ worth of Regular (andpreferably automatic)backupsserve athreefold n lightoftheevidence thatsomanytheftsoccurintheoffice, Keep itwithyou Encrypt devices Lock itdown Back itup BONUS -Useunappealingtech I f itabsolutelymustbeleftinthecar, VERIZON ENTERPRISE SOLUTIONS I t’s notabadprinciple vable fixtures vable fixtures I t may t may POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 29 49% t’s also noteworthy that also noteworthy t’s I 14% 12 9% 7% 5% 5% 4% 3% 1% 1% File total incidents Mail (media) (media) (media) (media) (server) (server) (server) (server) (server) Other Other (user dev) Desktop Database Disk drive Disk media Documents 16,554 Web application Web There are only two difficult problems in computer science: cache There are only two errors. Misdelivery invalidation, naming things, and off-by-one wrong recipient)(sending paper documents or emails to the in data disclosure.is the most frequently seen error resulting is a mass mailing where One of the more common examples are out of sync (off-by-one) the documents and envelopes documents are sent to the wrong recipient. A and sensitive data to often exposes but one that very yes, mundane blunder, unauthorized parties. Figure 44. 10 assets affected within Miscellaneous Errors (n=546) Top Misdelivery (sending paper documents or Misdelivery is the mostemails to the wrong recipient) in datafrequently seen error resulting disclosure. 44% This does not include lost devices, which is grouped with theft instead. which is grouped lost devices, This does not include 22% 20% 412 with confirmed data disclosure 412 with confirmed data ncidents where unintentional actions directly compromised a security attribute of an actions directly compromised a security ncidents where unintentional I Healthcare Public, Administrative, up sometimes. screw — people made a startling discovery incidents, we’ve After scrutinizing 16K and mundane seems to suggest that highly repetitive The data come!) (Nobel Prize, here we info are particularly error prone. sensitive business processes involving than any other. business partners by this pattern contains more incidents caused information asset. 6% 3% 3% 1% 1% 1% <1% Gaffe Other Omission Frequency Description Misdelivery Malfunction Key findings Key

Disposal error Top industries Top Publishing error

Misconfiguration AT A GLANCE AT Maintenance error Programming error Programming t’s also worth noting that this pattern doesn’t include every noting that this pattern doesn’t include every also worth t’s VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA Figure 43. 10 threat action varieties within Miscellaneous Errors Top (n=558) I incident in the Error category. Loss is a type of error, but we but we of error, incident in the Error category. Loss is a type patterngrouped it with theft (under Physical) in a different no longer possess share certain similarities (you because they vs. often difficult to determine loss and because it’s the device) the top actions and view this in mind as you theft. Please keep assets in this section.

Nearly every incident involves some element of human error. error. some element of human incident involves Nearly every patch certainly leaves WordPress a to apply failing example, For to attack, but it doesn’t directly the application vulnerable actor/action iscompromise the system. Some other threat that distinction, this Without drawing required to do that. be be so bloated with “incidents” that it would category would useful information. difficult to extract MISCELLANEOUS ERRORS MISCELLANEOUS EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 30 properly clearedofsensitive data. away withoutbeingshreddedor, inthecaseofdigitalmedia, category isdisposalerror, wheretheaffectedassetisthrown assets chart(Figure44).Roundingoutthetopthreeinthis why web applicationtakes thenumbertwo spotontheaffected to apublicresource,suchasthecompanyweb server. That’s which ofteninvolve accidentallypostingnon-publicinformation right, thesecondmostfrequenterrorvarietyispublishingerrors, later regrettingitwasamemeinthecorporate world too? That’s than anyotherpattern. large numberofincidents(70)causedby partnererrors—more all ofusareguilty.Buttheinterestingthingisthatthere’s quitea the packwhenitcomestomuckingthingsup,thoughprettymuch insiders, ofcourse.End-users,sysadmins,anddevelopers lead Who’s makingallthesemistakes? Well, it’s almostentirely much allofusareguilty. it comestomuckingthingsup,thoughpretty sysadmins, anddevelopers leadthepackwhen almost entirelyinsiders,ofcourse.End-users, Who’s makingallthesemistakes? Well, it’s the year, Oxford Dictionariesdeclaredthat“selfie”was2013’s word of resulting inexposed data. the results,misdelivery stilldominatesthelistoferrors in point:even withgovernment misdelivery removed from have haddisclosurelawsonthebookslongest.Case see highernumbersofoverall breachesinU.S.statesthat which maynotbethecase. This isnotunlike theway we mistakes happenmorefrequentlythaneveryone else’s, mistakes, itcreatestheimpressionthatgovernment agencies. Sincewe have morevisibilityintogovernment reporting ofsecurityincidentsalsocover government misdelivery incidents.Publicdatalawsandmandatory and constituents,soonecanexpect ahighnumberof maintains amassive volume ofdataonbothitsemployees government isthelargestemployer inthatcountry,and Why isthatnumbersolarge? The UnitedStatesfederal Figure 43sothatyou couldseetheothererrorvarieties. recipient; somuchso,infact, thatwe hadtoremove itfrom frequently deliver non-publicinformationtothewrong According tooursample,government organizations GOVERNMENT MISDELIVERY 13 butdidyou know thatpostingcontenttotheweb and Ext-law enforcement Errors Discovery andcontainmenttimelinewithinMiscellaneous Figure 45. out itdoesn’tmeanwhatyou thinkitmeans. on your website —butifyou keep usingthatword, they’ll figure customer callstosaythey foundtheirunprotectedpersonaldata customers. You couldtrythe“ of theincident,andmostfrequentlyit’s theorganization’s own of thetime.Otherwise,anexternal entitymakes themaware Organizations onlydiscover theirown mistakes aboutone-third (n=148) Top 10discovery methodsforMiscellaneousErrorincidents Figure 46. Ext-actor disclosure Int-reported by user Ext-unrelated party Seconds Minutes Months Weeks Hours Never Years Days Total External Int-log review Ext-customer Total Internal Int-unknown Int-IT audit Ext-audit 0% 3% icvr =2 Containmentn=55 Discovery n=127 6% Other 8% 9% 10% 17% 1% 1% 2% 2% 3% 5% 47% 12% I nconceivable!” tactic when a nconceivable!” tacticwhena 18% 25% 30% 32% VERIZON ENTERPRISE SOLUTIONS 2% 4% 6% 6% 6% 13% 27% 68% 38% POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 31 t looked like a blizzard of white paper had struck a blizzard of white like t looked I the area,” according to one witness. These were old medical These were according to one witness. the area,” When of protected information. records with all manner called law enforcement, an inmatepeople found them and in the area was sent to pickup doing regular trash crew the sound of documents. And that’s these sensitive retrieve on the “cha-ching” gang. the men working IMPRISONED RESPONSE: THE FUTURE OF IR? FUTURE THE RESPONSE: IMPRISONED things can get bad how shows VCDB the from An example A medical center disposal goes wrong. when document and shred pick up documents a vendor to have arranged truck an actual “pickup” to disposal. Apparently, them prior the roadside up all over the files ended was used, because instead. “ t’s t’s I T for proper handling.” Test the Test for proper handling.” T I T department. Educate users to think of T I f a third-party handles this, ensure that I y the Nail the snail mail fail whale Nail the snail mail fail Check out the pub Keep it on the DLP IT don’t make trash don’t make IT T burns it. Any disposal or sale of information assets should T VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA disposing of a computer the same way they think of disposing think disposing of a computer the same way they that in the trash can’t just throw of hazardous materials. “You (or sell it on eBay)! Send it to been they’ve to verify devices sampling disposal process by sanitized properly. store, and dispose of data, to transfer, stipulate how contracts and penalties for along with roles, responsibilities, verification, non-compliance. I be coordinated b Say that three times really fast. When sending large postal Say that three times really fast. and repetition),mailings (also prone to error at higher speed in thespot-check a sample to ensure that the information out for Watch document matches the name on the envelope. might be too too – sometimes that window envelopes window content might not be centered properly, allowing big or your through. A lot of these incidents show information to sensitive if someone had popped a few been prevented could have in went and inspected them before they off the stack envelopes the mail. Decrease the frequency of publishing errors by tightening up by Decrease the frequency of publishing errors and external processes around posting documents to internal anything approve reviewer a second have example, sites. For processes to develop getting posted to company servers, pages for non-public data, and regularly scan public web prohibition against storing un-redacted implement a blanket running. server that also has a web documents on a file server Consider implementing Data Loss Prevention (DLP) software Data Loss Prevention Consider implementing email. DLP by documents sent sensitive to reduce instances of format, such as a common that follows can identify information social security numbers, or medical billingcredit card numbers, codes. to the over easy it is for a spreadsheet to migrate amazing how to test the security a process sure there’s Make htmldocs folder. to put often seen a failure controls after a change — we’ve breach.controls back in place result in a publishing RECOMMENDED CONTROLS RECOMMENDED once of fluffy little clouds, painter favorite Bob Ross, everyone’s accidents.” happy just have we mistakes, don’t make said, “We to decrease the steps can take still, organizations Even reducing their exposure by of all manner of accidents frequency result in data disclosure. error patterns that to the common EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 32 shows up inthedata. be usedforotherfunctions.Zitmo(“ZeusintheMobile”)also stealing money viabankaccounttakeovers, thoughthey canalso detail). Zeusanditsoffspring,Citadel,primarilyfocuson to make abuckwithcrimeware in2013(seesidebarformore I are openedupfortheattacker. and controlofadevice, themyriadpossibilitiestomake abuck “crimeware”). Oncemaliciouscodehasacquiredalevel ofaccess kind ofdirectorindirectfinancialmotive (hencethetitle opportunistic infectionstiedtoorganizedcriminalswithsome As expected, thisincidentpatternconsistsmainlyof firepower ofthat magnitude. and intrusionprevention system( day-to-day malwareinfectionswherethevictim’s anti-virus(AV) But thehighnumberofincidentsstillofferssomeinsightinto provided totheCS investigation orsimilarin-depthanalysis(orthereportwasn’t level ofdetailtends tobelower becausetherewasnoforensic Many incidentsinthissectioncomefromourCS CRIMEWARE reflecting aroll-upacrossmanyvictimorganizations. n not-so-shockingnews, Zeuscontinuestobeafavorite way AT AGLANCE elude thegoodguys thataretryingtoshutitdown. browsers. Despitetheefforts ofmany,ithascontinued to but oftengrabs loginandbankingcredentials fromwithin substantially. Zeuscanbeused to installothermalware Citadel startedoffasavariantof Zeusbuthasevolved own purposes,includingevading antivirussoftware. other programmers couldmodifyandextend Zeus fortheir it down, andoncethesourcecodebehinditwaspublished, supposed retirementoftheoriginalauthorhave notslowed many attemptstoeradicate it. malware. Zeus (sometimescalled“Zbot”)issortofthecockroach ZEUS Top industries Key findings Description Frequency I t hasmanagedtosurvive andeven thrive despite I RT), leaving VER 14 14 infection vectors. credentials, DDoSattacks,,etc. Web downloads anddrive-bys arethemostcommon The primarygoalistogaincontrolofsystemsasaplatformforillicituseslike stealing Public, of variedtypesandpurposes. among suchincidents. labeled thispattern“crimeware” becausethemoniker accurately describesacommontheme Any malwareincidentthatdidnotfitotherpatternslike espionageorpoint-of-sale attacks. We 50 withconfirmeddatadisclosure I I nternational arrests and the nternational arrestsandthe PS) shields could not repel PS) shieldscouldnotrepel I S metrics a bit sparse. S metricsabitsparse. I nformation, Utilities,Manufacturing I RT partners, I n reality,thepatterncovers abroadswathofincidentsinvolving malware The The I n fact, 12,535 Top 10threatactionvarietieswithinCrimeware (n=2,274) Figure 47. these two stoodouttousasworthy ofabriefmention. a hostofothermalwarefamilies madeappearances lastyear, but anyone whowantstoattackacompanyorinstitution.Naturally, websites” have madethistypeofattackavailabletoliterally and specificinstitutionssinceMarch,2013.So-called“booter in theNetherlandswaswave ofDDoSattacksonbanks as-a-service, becameagrowing trendin2013.Agoodexample Expanding onlinemarkets, wherespecialistsoffercybercrime- systems toparticipateinDDoSattacks. Nitol allows backdoor accessandfrequentlycausesinfected but we have noinstancesofitinfectingsystemsoutsideAsia. among incidentsreportedtoMyCERT ofCybersecurityMalaysia, a morelocalizedpresence.Nitol,forinstance,wasquitecommon of crimeware families reportedallaroundtheworld, othershad devices forsimilarpurposes. While Zeusserves asanexample This oneprimarilytargetsAndroidandBlackberrymobile Spyware/keylogger Client-side attack total incidents Downloader Export data Backdoor Unknown Adware Spam DoS C2 1% 2% 4% 4% 6% 9% 10% 13% 24% VERIZON ENTERPRISE SOLUTIONS 86% POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 33 43% 84% RTs only saw RTs I RTs as the primary RTs I 19% 32% 14% 28% 13% DS. The discovery timeline in The discovery DS. 22% I 10% 16% 7% 8% 7% 3% 4% <1% <1% <1% <0.1% Mail (server) (server) (server) (people) (people) Days Years Other Other (user dev) (user dev) (user dev) Other (user dev) Hours Weeks Laptop Months Minutes Desktop Seconds End-user Unknown Mobile phone Web application Web Internal discovery External discovery DS and AV?” This reflects the role of CS This DS and AV?” Figure 51. methods within Crimeware External vs. internal discovery (n=183) Figure 52. (n=1,017) timeline within Crimeware Discovery Figure 50. Figure (n=1,557) Crimeware within assets affected 10 Top Figure 52 hints that this might, in fact, be the case. Notice the Figure 52 hints that this might, in fact, many Figure 51 and Figure 52 and how difference in N between within seconds — only automated infections are discovered be so quick. detection methods would Like us, your first reaction might be “why not technologies like first reaction might be “why not technologies like us, your Like I The discovery incidents in this dataset. of crimeware provider within not usually for 99% of incidents; it’s method wasn’t known CS know, all we their visibility or responsibility. For or AV by the 1% not discovered 43% 82% RTs RTs I 38% 71% RTs) were by by were RTs) I Adware still shows Adware still shows 15 ere reported more servers than ere reported more servers 14% 6% 5% 4% 2% 2% 4% 4% 3% nfected assets usually weren’t identified, nfected assets usually weren’t 1% 1% 1% I 1%

16 Bank Other Secrets Internal Unknown Payment Personal Unknown Email link Credentials Web drive-by Web Web download Web Remote injection Email attachment Removable media Removable Network propagation Network VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA Figure 49. (n=73) of at-risk data within Crimeware Variety The majority of crimeware incidents start via web activity — incidents start via web The majority of crimeware kits and the like infections from exploit or drive-by downloads than links or attachments in email. — rather Victims don’t always report malware functionality, but when they they but when functionality, malware report don’t always Victims CS interesting to the most (according prefer C2 do, they in the world, at least). This makes perfect sense, as the goal is perfect sense, as makes This at least). in the world, to command it to device control of a and maintain to achieve are minions Whether the little compromised bidding. do your or banking credentials, in a spam botnet, stealing participating there are ad revenue, to artificially boost browser hijacking a that compromised workstations numerous ways to leverage into a network. don’t entail deeper penetration but interestingly, those that w far the most common way victims learned of the incident. the most common way far Crimeware incidents are light on timeline and discovery details light on timeline and discovery incidents are Crimeware because the response is often to just wipe the system and this pattern comprises a lot of (remember, get it back to work When known, one-off infections that don’t fit other patterns). third parties (namely CS unrelated notification by Figure 48. (n=337) actions within Crimeware for malware 10 vectors Top user devices. Wow. So vectors. Much families. Many incident. Many Much families. So vectors. Wow. user devices. up, though Bonzi Buddy thankfully remains extinct. For malware For extinct. up, though Bonzi Buddy thankfully remains scams and phishingwith a social engineering component, both play important roles. Download by malware by Download EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 34 of thosecredentials. but itwillgoalongwaytoward preventing thefraudulent re-use Two-factor authenticationwon’t prevent thetheftofcredentials, when theattackobjective istogainaccessuseraccounts. any othertypeofdata. This pointstothekey roleofcrimeware Our resultslinkcrimeware tostolencredentialsmoreoftenthan and thehistoryofvulnerabilities here. Java browser plugins,given thedifficultyinsandboxing content Legacy appsmaycomplicatethis,butifpossible,avoid using patches asquicklysoftwareproducersmake themavailable. reducing theimpactofthissortincident.Applybrowser Keeping browsers andpluginssecurewillgoalongwaytoward that involves usingbrowser vulnerabilities andadd-onfunctions. Zeus frequentlyusesatechniquecalled“maninthebrowser” detection ofthesortusedby manyAV products. reputation forevolving quicklytoevade signature-based sort ofAV. The ZeusandCitadelfamily hasawell-deserved and likely beforeusersoradministrators haddeployed any particular, infectedmanysystemsatthefactory beforeshipping — ororganizationsthatdon’tdoAV particularlywell. Nitol,in we lookprimarilyatthesortsofthingsAV doesnotdoaswell pattern reflectsareverse sortof“survivorship bias”inwhich malware andpreventing compromiseinthefirstplace.Sothis play animportantroleincatchingmanytypesofcommodity to askis“whathappenedantivirus?”AV technologies to helpkeep incidentsofcrimeware down. The natural question These resultsledustodevelop somespecificrecommendations RECOMMENDED CONTROLS malware quicklytoidentifyinfrastructure usedby thebadguys. a finejobofimplementingsinkholes andreverse-engineering due topossibleoperational issues.But malwareresearchersdo generally don’trecommendusingthese listsforoutrightblocking logs canhelpaccelerate detectionand thus containment. We control ,thenmatching this dataagainstfirewall orproxy threat datathatidentify Given the highincidenceofC2communications,usingfeeds focusing onprevention. theme ofimproving detectionandresponserather thansolely by watching key indicators onsystems. This goestothegeneral persistence methodsusedby crimeware canbeeasilydetected monitoring. Unlike iocanepowder, manyofthe vectors and Consider how besttodeploy systemconfiguration change Leverage threatfeeds Change isgood…except whenitisn’t Use two-factor authentication Disable Javainthebrowser Keep browsers uptodate I P addresses and domain names used to P addressesanddomainnamesusedto by bankstoauthenticatetransactions. mobile transaction authenticationnumbers(mTANs) used are madetoinstallone-timepassword stealerstointercept techniques toobtaincredentials.For example, attempts attack). Acommonthemeistheuseofsocialengineering banking sitedeemedofinterest(a“Man-in-the-Browser” injects codeintothebrowser whenever thatuservisitsa malware family), whichinfectsauser’s machine,andthen malware (withZeus/Citadelbeingthemostpopular The attacker’s toolofchoiceisavarietyweb-inject by CERT Polska. names). Over 20suchbotnetswere taken over ordisrupted properties forC2purposes(including.plccTLD domain numerous financialmalwarebotnetsusingPolish Polish usersareoftenamongthefirsthit.2013alsosaw Whenever new financialmalwareorattackmethodssurface, a user’s computer, andsubsequentlytotheirbankaccount. engineering andsoftwarevulnerabilities togainaccess banking credentials. These useacombinationofsocial banking Trojans —crimeware aimedatstealingusers’online The By theCERT Polska/NASK A YEAR IN THE LIFEOF THE POLISHCERT engineering methodssimilartothosedescribedabove. two-factor authenticationmechanismsby usingsocial attacks throughaseriesofproxies, subverting SSLand These were thenusedtoperformMan-in-the-Middle subsequently reconfiguredtopointatrogueDNSservers. against homerouters,whichhadtheirDNSserver settings about malwareeither:late2013sawlargescaleattacks copy/paste operation inMicrosoft Windows. bank accountnumberstothoseoftheattacker duringa tricks observed in2013includemalwarethatswitches However, it’s notjustweb-inject malwareatwork: other from themerger. bank numbers–undertheauspicesofchangesresulting permanent transfers –redirectingthemtoanattacker’s resulted inattacksforcinguserstoredefinelistsof mergerinvolving thelargestPolish onlinebank account. Realworld events areoftenexploited: arecent asking forthemoney tobereturned-anattacker’s notifying therecipientofanerroneousbanktransfer and are alsoemployed: fictitiousbankmessagesareinjected, Cruder methodstosubvert two-factor authentication to interceptandredirecttext messagestotheattacker. on hissmartphone–butwhat,inreality,ismalwareused to installanew securitycertificatedesignedby thebank user ispromptedtoprovide hismobilenumber, supposedly I nternet threatlandscapeinPoland islargelydefinedby VERIZON ENTERPRISE SOLUTIONS I n such cases, a n suchcases,a I t’s notalways I nternet nternet POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 35 87% 9% n most cases they can be snapped in can be n most cases they I 2% 2% 2% 1% 1% 1% 1% 1% S level: criminal groups install skimmers criminal groups install S level: I Mail ATM (server) (server) (server) (server) (server) (network) Proxy (user dev) (terminal) (terminal) (terminal) Backup PED pad Database Mainframe Gas terminal POS terminal Access reader n 2013, most skimming occurred on ATMs (87%) and gas pumps (87%) n 2013, most skimming occurred on ATMs Figure 54. Assets affected within Card Skimmers (n=537) I can be approached ease with which they (9%) due to the relative and tampered with. Gas pump skimmers are often installed by a small group of people acting in concert. One scenario involves a going into the station to make one or more conspirators attention, while a partner in cashier’s the purchase and distract key. inside the machine using a universal crime plants the device skimmers, on the other hand, are installed on the outside ATM are clunky skimming devices ATM While some of the machine. might afford an opportunity for that homemade affairs observant customers to spot them, the design of many skimmers criminal and those purchased “off the the (both those created by are virtually that they shelf”) can be so realistic in appearance invisible to the end user. place in a matter of seconds and can be produced in sufficient scalable and highly organized. the attacks quantities to make has been the norm for some time and warrants This, however, What has changed over only a cursory mention in this report. by which the data is retrieved are the methods by time, however, the criminals. 38% 17 R, we can’t justify R, we I 18% 18% TMs (most common) and other card swipe devices. On a more qualitative level, the skimmers level, On a more qualitative other card swipe devices. TMs (most common) and 130 total incidents disclosure 130 with confirmed data on A All incidents in which a skimming device was physically implanted (tampering) on an asset thatphysically implanted (tampering) on an asset was a skimming device All incidents in which gas pumps, POS terminals, etc.). data from a payment card (e.g., ATMs, reads magnetic stripe Finance, Retail VER pattern at the not a ton of variation in this There’s data through the use of more efficient at exporting and in appearance are getting more realistic etc. Bluetooth, cellular transmission, 8% 8% 2% 2% 2% 2% 2% Cuba Brazil Mexico Nigeria Bulgaria Armenia Romania Frequency Bosnia and Description Republic of Iran, Islamic Iran, Key findings Key Herzegovina

United States Top industries Top

AT A GLANCE AT VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA excluding a tried-and-true method used by criminals to steal criminals a tried-and-true method used by excluding payment card information.

For a wide array of criminals ranging from highly organized crime of criminals ranging a wide array For who are turning out no rings to garden variety ne’er-do-wells skimming would, their mama warned them they good just like easy way to “get rich quick.” continues to flourish as a relatively to Eastern European actors, While most incidents are linked in this report arenearly all victims of payment card skimmers and public disclosuresU.S. organizations (the U.S. Secret Service While some don’t think being the primary sources for this data). should include this type of attack in the DB we PAYMENT CARD SKIMMERS CARD PAYMENT Figure 53. actors within Card Skimmers (n=40) Origin of external EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 36 wonder ifthislatterscenariowillbecomeincreasinglyrare. more difficulttodetectvisually,however, we can’thelpbut report ittomanagement. Way togo,folks.Asskimmersbecome discovery methods areinternaluserswhospottamperingand and whiteplasticcards.Hangingclosetothatpackofexternal they’ve arrested agangwithtrunkfullofskimmingdevices Other timesit’s aphonecallfromlawenforcementagencyafter company oracustomerwhohasnoticedfraudulent activity. party. Mostofthetimethatthirdpartyisapaymentcard it’s notsurprisingthatit’s mostcommonlydetectedby athird With subterfugeandfraud beingtheobjectives behindskimming, criminal eachtimetheATM isused. tampering alerts.Somedevices actuallysendanSMSalerttothe collect dataviaBluetoothorS and thetarget. Therefore, themorehighlyskilledcriminalsnow the onewhocanmaintainasafedistancebetween themselves we findwithnetwork-based attacks,thesuccessfulcriminalis when retrieving theskimmedcarddata. some sweet moolahwithUncleRico.” They’re oftenapprehended of thelessorganizedandmoresmalltimecrooksoutto“make stolen data. While we continuetoseethis,it’s normallyindicative scene andphysicallyremo I Discovery methodswithinCardSkimmers(n=42) Figure 55. Ext -unrelatedparty Ext -lawenforcement Ext -fraud detection Int -reportedby user n the past it was necessary for the criminal to return to the n thepastitwasnecessaryforcriminaltoreturn Int -fraud detection Ext -customer Total External Total Internal ve thedevice inordertocollectthe 7% 12% I M cards with remote caching and M cardswithremotecachingand 17% 17% 21% 24% 26% I n keeping withwhat 76% greatly reducingrisk. triggered, willcachethedataandsenditoutimmediately, remote uploadingofdata,andtamperingalertsthat,if built-in S video camera 300yardsawayinaweatherproof case. captured track information)thecriminalssetupawireless skimmer wasplacedinsidethepump,and(sinceitonly skimmer wasfoundatagasstationinCalifornia. The Fast-forward totheyear 2000,whenthefirstgaspump well, you know therest. the victims. The individualwould thenbeinterviewed and… ease determinethatthesamewaiter/waitressserved all they couldobtainaccesstothereceipts,andwithrelative charges. When lawenforcementarrived attherestaurant to determinetherestaurant responsibleforthefraudulent Common Point ofPurchase(CPP)algorithmscouldbeused guys topinpointtheculpritafterfraud hadtranspired. On theflipside,itwasoftenrelatively easyforthegood the stock-in-trade formostcriminalsalongtime. customer. Becausethey were soeasytouse,they became mag stripedatawhilethey hadthecardawayfrom held skimmertypicallyusedby waitstafftoillicitlyobtain traditional skimmerastheclassicwedge –thesmallhand- devices arenodifferent.Manypeoplestillthinkofthe and slow toward streamlinedandefficient.Skimming Like anytechnology,thetendencyistodevelop frombulky EVOLUTION OFSKIMMING I the track andP Bluetooth equipped,whichallowed someonetodownload and sellingthemonline. This new wave ofdevices was great, somorecriminalsstartedmanufacturing skimmers Eventually theriskofdiscovery duringretrieval becametoo were promptlytaken intocustody. showed upatthe gasstationtoseewhatwent wrong,and unplugged by aninvestigator. Within minutes, thebadguys this particularinstance,thecamera wasdiscovered and t’s now possibletobuyonlineskimmingdevices with I M cardsthatallow forremoteconfiguration, I N data from the safety of the parking lot. N datafromthesafetyofparkinglot. VERIZON ENTERPRISE SOLUTIONS I n n POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 37 f a criminal is I f one of these things is not like f one of these things is not like I While criminals are increasingly You wouldn’t want a ne’er-do-well want a ne’er-do-well wouldn’t You N now, would you? you? would N now, I N, cover your hand to block tiny cameras cameras hand to block tiny your N, cover I eep it to yourself. Be sure to tell the merchant or bank Be sure eep it to yourself. See something, say something Trust your gut your Trust Protect the PIN Watch for tampering Watch Use tamper-evident controls Use tamper-evident Design (or buy) tamper-resistantDesign (or buy) terminals f something seems out of place to you at a payment terminal, f something seems out of place to you f something looks out of the ordinary at your ATM or gas pump, ATM f something looks out of the ordinary at your that may be recording it. VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA the others, don’t swipe your card! the others, don’t swipe your be helping Not only will you found a skimmer. may have that you consumers. fellow your also be helping them, you’ll I don’t k I something fishy may be afoot. still might be sly at designing difficult-to-detect skimmers, you able to notice something amiss, especially if the terminal looks different than others around it. When entering your P When entering your FOR CONSUMERS getting ahold of your P getting ahold of your Regularly check terminals for signs of unauthorized tampering.Regularly check terminals for signs of unauthorized skimmers and recognize suspicious to spot employees Also train behavior from individuals trying to install them. able to place a skimmer on one of your devices, these regular devices, able to place a skimmer on one of your inspections will help curb the damage. Do things that make it obvious (or send an alert) when tampering it obvious Do things that make the door of a over This may be as simple as a sticker occurs. visual anomaly gas pump or more sophisticated tactics like monitoring on ATMs. As the merchant, this probably isn’t something you can do probably isn’t something you As the merchant, this more susceptible but be aware that certain designs are yourself, are ATMs than others. Many modern to skimming devices mind; choose those if possible. designed with this in FOR BUSINESSES RECOMMENDED CONTROLS RECOMMENDED or mistake no obvious find might argue, we Though some to skimming that allows part of organizations on the oversight things But there are some it otherwise wouldn’t. succeed when shorten for the criminal and it harder done to make that can be exposure. of the window EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 38 windows andstolenstereos. Unfortunately, we canalsoseethatthosecarshave broken the street,morecontributorsallow ustoseemorecars. capabilities. Like astreetlightilluminatingcarsparked along more communityinformationsharingthatimproves discovery of contributorsconductingresearchinthisarea,alongwith we attributethisincreaseprimarilytoourever-expanding set have beenconsistentlytargetedforseveral years. espionage in2013,we’re quitesurecountlessorganizations Before someoneconcludeswe’re assertingavastincreasein number ofespionageincidentsinthisyear’s dataset,to511. from thesecircles,whoseinformationhasmorethantripledthe community. Thus, we’re excited tohave quiteafew contributors researchers whocompileandsharetheirknowledge withthe from incidentresponders,intelligenceanalysts,andmalware of whatwe know publiclyaboutthisgenreofthreatcomes such data,leavingmanycasesofespionageundiscovered. Most there’s nofraud algorithmtoalertvictimsaboutillicituseof secrets, asthey arewithregulatedconsumerdata.Additionally, publicly disclosebreachesofinternalinformationandtrade hard tocomeby. Organizationstypicallyaren’trequiredto Comprehensive informationabout“cyber” CYBER-ESPIONAGE AT AGLANCE Top industries Key findings Description Frequency broader geographic regionsrepresentedby bothvictimsandactors. evident changesfromourlastreportincludetheriseofstrategic web compromisesandthe number. Espionageexhibits awidervarietyofthreatactionsthananyotherpattern. The most it waspervasive, butit’s alittledisconcertingwhen ittripleslastyear’s alreadymuch-increased Most surprisingtousistheconsistent,significantgrowth ofincidents in thedataset. We knew Professional, Transportation, Manufacturing, Mining,Public actors and/ore I ncidents inthispatternincludeunauthorizednetwork orsystemaccess linked tostate-affiliated 306 withconfirmeddatadisclosure 511 totalincidents 19 espionage is really espionageisreally xhibiting themotive ofespionage. I nstead, nstead, Cyber-espionage Number ofincidentsby victimindustryandsizewithin Figure 56. For moreinformationontheNA https://www Other [81] Retail [44, Public [92] Construction [23] Administrative [56] Real Estate[53] Unknown Transportation [48, Education [61] Total Utilities [22] Finance [52] Healthcare [62] I Management [55] Manufacturing [31, Mining [21] Professional [54] nformation [51] nutyTtlSalLreUnknown Large Small Total Industry 45] .census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012 32, 49] 18 33] I CS codes[shown above] visit: 3 01 94 19 20 133 135 1 95 404 58 49 511 1 11 114 11 81 0 0 0 5 1 5 0 1 1 0 0 1 0 1 1 2 0 0 1 1 1 3 1 5 0 1 1 2 7 1 0 8 1 2 0 3 1 0 1 2 0 1 1 2 3 2 0 5 VERIZON ENTERPRISE SOLUTIONS 3 0 7 2 2 5

759 17 5

132 98 POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 39 49% 87% and was used 23 22 25% 21% None of these methods None of these 20 11% 4% <1% 1% 1% <1% <1% <1% s “Words of Estimative Probabilities” of Estimative s “Words Europe t’s important to carefully evaluate information important to carefully evaluate t’s I Unknown Competitor Eastern Asia t would be more helpful if probabilistic language like like be more helpful if probabilistic language t would Unattributed Western Asia Western I

Southern Asia 21 State-affiliated Organized crime Former employee Former Northern America former employees join in the game too. We also see that the We join in the game too. former employees it often sole motive; longer game of espionage is not always the a nearer-term, more direct financial element as well. exhibits be a mercenary-style theft of source code or would An example a rival organization or other by digital certificates contracted interested party. Figure 59. actors within Cyber-espionage (n=230) Region of external Figure 58. actors within Cyber-espionage (n=437) of external Variety Sherman Kent’ Attribution is also probabilistic in nature. Be wary of threat Be wary in nature. probabilistic is also Attribution attack is X sure an to be 100% claiming vendors intelligence “likely” are they with Z motives; country Y from actor group attribution methods for determining There are many incorrect. the actors. by the breadcrumbs left following it’s — sometimes something like using the alternatives ruling out it’s Other times competing hypothesis. analysis of are perfect. to make sure one isn’t suffering from some type of cognitive of cognitive sure one isn’t suffering from some type to make bias. when describing attribution to particular countries, regions, andwhen describing attribution between fall would With that in mind, the following threat actors. Certain.” “Probable” and “Almost most incidents in this category are attributed As expected, reminds us thatto state-affiliated actors. But the data also current organized criminal groups, competitors, and 54% 6% 4% 3% 2% 2% 1% 1% 1% 1% talian victims of espionage in our dataset. of espionage in our talian victims I Japan Belarus Ukraine Vietnam Colombia Philippines Kazakhstan South Korea United States nsofar as we can determine from the data before us, as we nsofar I Russian Federation ndustry, on the other hand, does: the Public, Professional, andndustry, on the other hand, does: the Public, n addition to geographic broadening, we see a wide distribution broadening, we n addition to geographic Figure 57. Cyber-espionage (n=470) Victim country within VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA however, size doesn’t seem to be a significant targeting factor. targeting factor. size doesn’t seem to be a significant however, I espionage than sectors are more targeted by Manufacturing There wide gamut). the rest of the field (which still runs a fairly which spans is little doubt that figures for the Public sector, military, and other support embassies, economic programs, contributors. our government organizations, are boosted by are a prime target for There is also little doubt that they the Professional, Scientific, andVictims within espionage. Services category typically deal with custom computer Technical engineering research and development, services, programming Many of these organizations and design, and legal practices. and relationships they are targeted because of the contracts as serve can some, they For with other organizations. have both a valuable aggregation point for victim data and a trusted target organizations. Lastly, and point across several exfiltration industries are also targeted for Manufacturing not unexpected, their intellectual property, technology, and business processes. I Unfortunately,of both sizes and types of victim organizations. so there are a lot of unknowns victim size is often not tracked, here. Our best hypothesis is that sophisticated actors remember theOur best hypothesis is in against a Sicilian when death is onclassic blunder of “go[ing] of blunder, targets (the most famous the line” when selecting in a land war in Asia). course, is getting involved To set the tone, we need to understand the victims representedthe victims need to understand the tone, we set To in activity all espionage cover claim to don’t We the data. within 57, the in Figure As is evident from it, actually. far 2013 — quite based, but not as exclusively half) U.S. largely (over sample is still as more global this to continue expect We years. as in previous why we but wonder can’t help We join the cause. organizations of no examples have EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 40 Use ofbackdoor orC2[hac] wide range ofcapabilities),whichisevident inFigure60. groups oftendeploy awiderange oftools(orthathave involved won’t beasurprisetomanyreaders.State-affiliated breaks thatmoldinabigway,thoughthespecificactions simpler storieswithrelatively few VER wide varietyofthreatactions.Manytheotherpatternshave One aspectofthispatternthatsetsitapartfromothersisthe were morecampaignsattributedtothem. target agreaterbreadthofindustries,butthat’s becausethere Asian andEasternEuropeangroups.Chineseactorsappearedto seem tobemuchdifferenceintheindustriestargetedby East show thefruitsofthoseefforts.Atahighlevel, theredoesn’t and attribution,we hopefutureversions ofthisreportwill into differentactorgroupsiscontinuallydrivingbetterdetection countries engagedinespionage.Morecomprehensive research As before,we don’tproposethesearetheonlyactive regions/ Eastern Europeanactors,Russian-speakingonesinparticular. The 2013datasetshows muchmoreactivityattributedto not theonlycountryconductingespionage. – that,despiteourChina-exclusive results,Chinadefinitelywas that region. This underscoresthe point we made in our last report China andtheDemocratic People’s RepublicofKorea, represent dataset. Two countriesinparticular, thePeople’s Republicof attributed toEastAsiaismuchlesspredominantinthisyear’s With respecttoactororigin,thepercentageofincidents Top threatactionvarietieswithinCyber-espionage(n=426) Figure 60. Spyware/keylogger [mal] Use ofstolencreds[hac] Capture storeddata[mal] Client-side attack[mal] Password dumper[mal] Disable controls[mal] Scan network [mal] Packet sniffer[mal] Ram scraper [mal] Downloader [mal] Exploit vuln[mal] Brute force[mal] Brute force[hac] Export data[mal] Backdoor [mal] Phishing [soc] Rootkit [mal] Other [mal] C2 [mal] 13% 14% 14% 16% 19% 24% 24% 24% 28% 30% I S actions. Espionage S actions.Espionage 37% 37% 38% 43% 57% 60% 65% 67% 68% 70% Network propagation I I (SWCs) asamethodofgaininginitialaccess. due toabigincreaseintheuseofstrategic web compromises but notbecauseofadropinactualfrequency. This isprimarily incorporating phishingislower thanourlastreport(itwas95%), toward theirobjective. The proportionofespionageincidents channel opens,andtheattacker beginsachainofactionsmoving point malwareinstallsonthesystem,abackdoor orcommand within themessage. user(s), promptingthemtoopenanattachmentorclickalink personally/professionally-relevant emailissenttoatargeted you whohave somehow missedit,heregoes:Awell-crafted and have covered thisadnauseaminpriorreports,butforbothof most prolificistheoldfaithful: spearphishing. We (andothers) methods ofgainingaccesstoavictim’s environmentarenot. The avoiding detection(seesidebaronnext pageformoreonSWCs). technique, whichassiststheactorsinfocusingtheirtargetsand the industryhasobserved somematuration oftheSWC SWCs canprovide avery highreward forattackers. Furthermore, the restissameasdescribedabove. Even ifdetectedquickly, they visitthepage,trap issprung,thesysteminfected,and websites likely tobevisitedby thetargetdemographic. When Vector formalwareactionswithin Cyber-espionage(n=329) Figure 61. t’s interestingthat,whilethearray oftoolsisdiverse, thebasic nstead ofemailbait,SWCs setatrap within(mostly)legitimate Email autoexecute • • • • • • • campaigns, someexamples arelistedbelow: have published in-depthresearchonspecificactorsand to espionagecampaigns.Several ofourcontributors The DB CAMPAIGN RESEARCHPUBLISHEDIN2013 Email attachment Remote injection

Multi-campaign Tr Sunshop Red October MiniDuk Ephemer Deputy Dog “TargetingU.S. Technologies” 2013 likely ongoing) Downloaded by oy Web drive-by Direct install (McAfee,partof I R focusesonoverall trendsandstatsrelated Email link Unknown malware e (Kaspersky),February2013 (FireEye), September2011-October2013 (But al Hydra (FireEye), November 2013 (FireEye), August-September2013 (Kaspersky),May2007-January2013 I (U.S. Defense Security Service), (U.S.DefenseSecurityService), nevitably, they take thebait,atwhich <1% <1% <1% <1% 2% 3% 4% I ntel Security), January–March ntel Security),January–March 20% VERIZON ENTERPRISE SOLUTIONS 78% POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 41 62% n 2012, SWCs made n 2012, SWCs I and continued in 2013 24 16% 9% 8% 5% 0% 0% Days Years Hours n 2014, we’d like to predict SWCs will fade, but that will fade, to predict SWCs like n 2014, we’d Weeks TOOLS OF THE TRADE: STRATEGIC WEBSITE COMPROMISE STRATEGIC TRADE: THE OF TOOLS to be proven have compromises (SWCs) website Strategic tactic of state-affiliated threats to infiltrate an effective of target organizations. the networks ” Affair their debut with the “VOHO seems unlikely. While there are downsides to SWCs for the to SWCs While there are downsides seems unlikely. and and high cost to weaponize (high visibility attackers way to support burn a zero day), the benefits of a low-cost the risks. outweigh generally long-term operations with attacks focused against the Public, Manufacturing, with attacks focused against the Public, Manufacturing, sectors. Technical Professional, and that are of critical or websites leverage SWCs line of business to complementary value to an industry’s contained in spear phishing distribute malware traditionally granting download, Visitors are hit with a drive-by emails. of the system. State-affiliated access/ownership attackers zero-day browser-based three new in 2013 exhibited SWCs 75% of publicly disclosed (constituting over vulnerabilities of compromise per event. which upped the rate SWCs), in espionage campaigns So, why has the use of SWCs have no doubt that attackers there’s Well, increased? reasonable and provides realized this tactic scales well By opting out of direct attacks of ambiguity. assurances themselves remove effectively phishing, attackers like scanners, and astute from the tribulations of poor grammar, achieve they zero-day exploits, leveraging users. And by no longer rely on carefully coerced that higher success rate actions. I Months Minutes Seconds Figure 64.Figure (n=101) Cyber-espionage timeline within Discovery The most common method of discovery is ad hoc notification of discovery The most common method and research organizations thatfrom threat intelligence with C2 for instance, the victim communicating observe, While this isn’t good news threat group. of a known infrastructure are an important per se, it does suggest intelligence operations tool for combating espionage. 85% 85% 83% 80% 67% t typically takes t typically takes I 39% 31% 19% 16% 15% 8% 2% 2% 2% 1% 1% 1% 1% 1% <1% <1% <1% Other Other System Secrets Internal Int - NIDS Personal Payment Unknown Ext - audit Classified Credentials Copyrighted Int - antivirus Int - unknown Total Internal Total Total External Total Int - log review Ext - customer law enforcement Int - reported by user Int - reported by Ext - unrelated party victims months or more to learn they’ve been breached and it’s been breached and it’s victims months or more to learn they’ve usually an outside party notifying them. REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA Examining discovery timelines and methods for espionage Examining discovery While this ample room for improvement. incidents reveals (for various reasons, or provided information is often not known including the visibility and focus of our contributors), there’s state of affairs. enough to discern the general Figure 63. methods within Cyber-espionage (n=302) 10 discovery Top Figure 62. Figure (n=355) Cyber-espionage data within of at-risk Variety Once the phishing email or SWC has done its work, and an has done its work, Once the phishing email or SWC game is moving internal system is infected, the name of the This may to obtain the prize. determinedly through the network Common methods happen quickly, but it also may last for years. on systems to maintain access, loading backdoors involving to steal dumpers and password dropping spyware/keyloggers to elevate user credentials, and then using those credentials control. privileges and expand Ext - EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 42 applications andfindpeskyshellsothermalware. and ontheendpoint)cangoalongwaytodetectanomaliesin still fall toone-zero-zerodays(orhigher).AnupdateAV (in-line dreaded zeroday,butlet’s behonest—manyespionagevictims without animmunesystem. While manyproclaimAV isdead,nothavingit isakintoliving will make thatstepalothardertotake. common initialstepforattackers. Keepingeverything uptodate Flash andJava)vulnerabilities toinfectend-usersystemsisa Exploiting browser, OS,andother third-partysoftware(e.g., be moot. super-advanced cybertasticAPT kryptonitesolutionsmaywell you’re worried aboutespionage. that you reallyoughttobedoingregardlessofwhetherornot First, we’ll startwithafew blockingandtacklingfundamentals these adversaries oftentake advantageof. mind, let’s take acloserlookattheholesandotherthinspots will keep pokinguntilhefinds(ormakes) ahole. With thatin determined, skillful,patient,andwell-resourced adversary who that areexploited intheprocess,butrealrootissueisa a snipehunt.Sure,victimsmak I RECOMMENDED CONTROLS proactive countermeasureswillbenefitfromitaswell. lay anecessaryfoundationforincidentresponse,butmany Log system,network, andapplicationactivity. This willnotonly access toonedesktopasastepping-stonetheentirenetwork. containing anincident,especiallywhereactorsintendtoleverage Good network androlesegmentationwilldowonders for incidents quickly. knowledge andskillsthey needtorecognizeandreportpotential or technology. have discovered morebreachesthananyotherinternalprocess reminder that,over theyears we’ve donethisresearch,users Some willconsiderthisalostcause,butwe counterwitha solating the root cause of an espionage-related breach is a bit of solating therootcauseofanespionage-relatedbreachisabit Keep goodlogs Segment your network Train users Use andupdateanti-virus(AV) ALL THETHINGS! Patch I t’s notallaboutprevention; armthemwiththe I t mightnotprotectyou fromthe e mistakes (minorandotherwise) I f you don’tdothese,allthose chance torecognizeandrespond. critical pointsinthepathofattack,wherevictimshave thebest determined adversaries shouldconsider. These roughlyfollow organizations concernedwithstate-affiliatedandother Beyond thebasics,therearesomespecificpractices that contributors. contributors. options inthisspaceby startingyour searchwithsomeofour specific productsinthisreport,butyou’ll findsomegood Detection andResponse(ETDR)solutions. We don’tpromote of DataExecution Prevention (DEP)andEndpoint Threat For morematureorganizations,checkoutthegrowing collection analysis ofattachmentsorlinksincluded. pattern matchingbasedonpastdetectedsamples,andsandbox on spamdetectionandblocklists,butalsodoingheaderanalysis, completely defendsagainstphishing,suchasnotrelyingsolely the datatoprove it.Focus onimplementingasolutionthatmore Users willbephished,andthey willeventually click;we’ve got accounts. Watch foruserbehavioranomaliesstemmingfromcompromised it astraight shotfrompatientzerotoafull-fledgedplague. doing itwell ischallenging,we’ll mentionithereagain.Don’tmake We mentionednetwork segmentationinthebasics,butsince unchallenged re-useofuseraccounts. Two-factor authenticationwillhelpcontainthewidespreadand across your network. ETDR,mentionedabove, canhelpheretoo. After gainingaccess,attackers willbegincompromisingsystems intelligence, andminethisdataoften. of datawithinyour organization.Comparethesetoyour threat Monitor your DNSconnection,amongthesinglebestsources will comeinhandyhere. what “normal”lookslike. Those indicatorsyou collected/bought recognize “abnormal,” you’ll needtoestablishagoodbaselineof and potentialexfiltration ofdatatoremotehosts. Monitor andfilteroutboundtraffic forsuspiciousconnections intelligence andmonitoringoperations. Collect and/orbuythreatindicatorfeeds. the y aren’tintelligence,butthey’re certainlyusefulwithin the network Stop lateral movement inside Spot C2anddataexfiltration installation Break thedelivery-exploitation- 25

chain VERIZON ENTERPRISE SOLUTIONS I n andofthemselves,

I n order to n orderto POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 43 8 10 mean = 7.8Mpps n this situation, I mean = 2.6Mpps ncludes both 6 I mean = 0.4Mpps 10 nternet users, have relatively relatively nternet users, have I 4 10 nternet pipes of home broadband users. I 2011 packets per second 2012 packets per second 2013 packets per second when you visit during the holidays. Obviously, such systems, visit during the holidays. Obviously, when you largely for normal home reserved then, The attackers small bandwidth from DSL or cable modems. send commands toharnessing their botnet of DoS drones, could to Septemberdirect attacks at a specific target. Flash forward with a along see a different scenario altogether, 2012 and you different method for building a better botnet. and websites vulnerable scanned for and exploited attackers placed specific DOS attacks scripts onto these Then they CMSs. is a customized these attackers The primary script used by sites. as Brobot or itsoknoproblembro. of a Russian kit known version botnet drones aren’t for starters these Well, different? So what’s sitting on the 10 nformation, Public 10 I n the R), but I I 8 10 title. R to include them. I mean = 7.0Gbps 26 mean = 10.0Gbps mean = 4.7Gbps R” I 1,187 total incidents ncident Report (VS ork and application layer attacks. ork and application layer I 6 n a data breach report? I 10 netw 0 with confirmed data disclosure 0 with confirmed data Any attack intended to compromise the availability of networks and systems. compromise the availability of networks Any attack intended to Finance, Retail, Professional, against the financial industry, in our 2013 dataset was the QCF campaign The headliner for DDoS high-bandwidth attacks from hosting centers. CMSs to create which compromised vulnerable equivalent of Bigfoot (DDoS also became “big” but sightings of the DoS DNS reflection attacks rare. activities) remain nefarious up other covering distractors 4 10 Frequency Description 2013 bits per second 2012 bits per second 2011 bits per second Key findings Key

Top industries Top

wing that these attacks are top of mind for manywing that these attacks are top of mind for

Density Density Density .1 .1 .2 .1 .2 .3 .2 .3 .3 AT A GLANCE AT Kno VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA Microsoft has already laid claim to the “S Figure 65. 2011-2013 count levels Denial of Service attack bandwidth and packet We collected quite a bit of data on the topic from multiple collected We that spent a lot Verizon sources, including teams at Akamai and could We in 2013. of time in the trenches fighting DDoS attacks Security Verizon’s renamed it have Hold on a second? DoS attacks? 2012/2013 events organizations — especially in light of late the scope of the DB decided to expand — we DENIAL OF SERVICE ATTACKS SERVICE OF DENIAL A new trend started developing in September of 2012. trend started developing A new from compromised primarily generated past, DOS attacks were parents’ Think “your willing participants. home computers or by always cleaning up the one you’re know, desktop” system – you EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 44 junk traffic fromlegitimatetraffic. encrypted, whichmakes itdifficultfor defenders todetermine particularly problematicformitigation becausethepackets are against, andthey canbeincrediblyeffective. The useofHTTPSis require significantresources,they canbedifficulttodefend These typesofattacksareespeciallyfrustrating: they don’t multiple HTTPSGET requestsforPDFfiles onthetargetsite. DoS attacks. and tieupserver resources,italsocarriedoutapplication-layer as UDPandSYN floodstoclogupatarget website’s bandwidth known. Not onlydidthegroupusemoretraditional attackssuch certain, thetacticsusedtocarryoutgroup’s attacksarewell While it’s truethatexactly whatmotivatedtheQCFisn’tentirely actors andchalkituptohacktivism. ultimately decidedtogowiththepubliclystatedpurposeof VER “ forms ofahighlycontroversial anddisparaging videonamed QCF repeatedlystatedthey would attackU.S.banksuntilall motivated themissimple:ideology.Like abroken record,the during theirattacks,thentheanswer tothequestionofwhat believe thepropaganda thegroupregularlypostedtoPastebin to wageacampaignagainstprominentU.S.financials? All ofthisbegsthequestion: Why wastheQCFsodetermined powerful Brobotioncannons(thinkHoth). wave afterwave ofDoSattacksagainstU.S.banksusingtheir of 2012andwell intothefirsthalfof2013,QCFlaunched Ababil. Andthey didjustthat;forseveral weeks neartheend financial institutions–partofacampaignthey dubbedOperation with thestatedgoalofusingDoSattackstowreakhavoc onU.S. QCF forshort). The groupfirstpoppedupinSeptember2012 simple answer isthe So whoexactly wasbehindthisnew wave ofDoSattacks? The likely anyone else)have ever seen. Mpps attacks. These were someofthelargestattacks we (and Brobot attacksinthelastyear we sawupwards of97Gbps/100 go to11.” Highpacket, highbandwidthattacks. gamers mightcallaDoSBFG.Or, ifmusicisyour game—“these traffic. Putthesetwo togetherandyou have themakingsofwhat high bandwidthpipes. The servers arealsooptimized forheavy They’re inhosted/cloud/privatecloud/etc.datacenterswith that it incrediblydifficulttosaywithcertaintyfromopensources and controlinfrastructure utilizedinbotnetcreationmakes the weaknesses intheU.S.financialinfrastructure atthebiddingof down orarethey state-affiliatedthreatactorsprobingfor Are they trulyhacktivistslookingtoget YouTube videostaken affiliated attackers basedin Operation Ababilwasnothingmorethanafrontforstate- there were theoriescirculatinginthesecuritycommunitythat While thiswastheshow theQCFputonforpublicconsumption, the videohadtohow longthecampaignwould continue. created amathematicalformulatoconvert thenumberof“likes” I nnocence ofMuslims”wasremoved from YouTube. They even I I ranian government? Unfortunately,themultilayer command I S dilemmaabouthow toclassifytheQCF’s actorvariety. ran isindeedthewizardbehindgreencurtain,sowe I n theselow andslow attackstheQCFwould send I zz ad-Din al-Qassam Cyber Fighters (or zz ad-Dinal-QassamCyberFighters(or I ran. Those theoriescreateda I n some of the n someofthe I f you on thepartofattacker toproducedevastating results. DNS reflectiondoesn’trequiresignificantcomputingresources “reflection.” Muchlike thelow andslow attacksdescribedabove, is quicklyswampedwithseeminglylegitimatetraffic. Hence, their typicallylargerresponsestothetargetedaddress,which originated fromhisdesiredtarget. The openresolvers thensend source addressonhisrequeststomake itlookasthoughthey DNS queriestoopenresolvers. The attacker forgesthe So how doesitwork? Typically, anattacker sendsabunchof generating anattackthislargeisDNSreflection. still representsasizablebombardment. The methodbehind during theattackranged anywherefrom85-120Gbps,which that enough);theaverage amountoftraffic hittingSpamhaus of traffic. The key word hereisspiked (andwe can’temphasize that somesecurityvendors claimspiked atnearly300Gbps Spamhaus wasthetargetofamassive andsustainedDoStarget refresh y Remember thebiggestDoSattackinhistory? a botnet;theseareanelegantweapon foramorecivilizedage. recently: DNSreflectionattacks.Notasclumsyorrandom as devastating, we’ve observed another trendstealingthelimelight Speaking ofDoSattacksthatdon’trequireavastbotnettobe past threeyears —asshown infigure65. shows an increaseintheaverage sizeofattacksover the That beingsaid,datacompiledby ourDoSdefenseteam service is. We canstop alltheattacks!” up andrunning.” Orifit’s avendor, “Lookhow powerful our it wassolargetherenowaywe couldkeep thatsite attention totheirattacksanddefenderswillsay,“Look, have motives for inflatingthem.Attackers wanttocall and defenderstendtosensationalizeattackslike this.Both never anything closetothatinbandwidth.Bothattackers will route. We’ve seenattackswithahigherpacket rate, but primary culprits. of reflectionattacksandthepower they generate arethe for thisyear-over-year increase,theincreasingpopularity and itspowerful arsenallikely shouldersomeoftheblame clocked inat10.1Gbpscloseto8.1Mpps. While theQCF surprise you tolearnthatin2013theaverage DoSattack averages jumpedto6.7Gbpsat2.5Mpps. 411 Kppspacket rate. Move forwardto2012andthose average attackinvolved 4.7Gbpsofbandwidthwitha are pushingtowards themaximumpacket sizemost per packet onaverage. This indicatesmanyofthepackets and thatisabout8,500bitsperpacket orjustover 1kbytes 200 Gbps=2.14x10 at anexample. Saytherewasa200Gbpsattackat25Mpps, understanding thenumbersbehindDoSattacks.Let’s look Spamhaus andotherslik I MATHDOS’ING THE f there’s onethingwe’ve learnedfromtheattackon our memory. I n March 2013, the anti-spam organization n March2013,theanti-spamorganization 11 orsobps,dividethatby 25,000,000 e it,it’s theimportanceof VERIZON ENTERPRISE SOLUTIONS I n 2011, the n 2011,the I t shouldn’t t shouldn’t 27

I f not,allow usto I SPs SPs POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 45 P I P space. Any I SP’s network and your call queues your and network SP’s I P space. That way if it’s attacked, the attacked, if it’s That way P space. I SPs will have to, at some point, protect their to, at some SPs will have I e use for key servers should be announced servers e use for key P/servers from non-essential from non-essential P/servers I Have a plan in place Have Do the math Ask about capacity Let’s start with the basics start Let’s assets Isolate key Get comfortable al network over your company’s specific traffic. Ask your Ask your specific traffic. company’s your over al network space not in activ gener will light up with unhappy customers. will light up with unhappy What are you going to do? Who will you call if your primary call if your Who will you going to do? What are you do if one of your what you’d know You anti-DDoS doesn’t work? any different? – why should this be down went circuits or servers the that most attacks are about the FUD numbers cited by Know capacity, or perhaps SSL server your above They’re media. news don’t But attackers ingress circuit line rate. times your a few infinite resources either – the biggest attack will be just have can manage. what you over Understand that all its upstream peering capacity – if about anti-DDoS provider much in no matter how and bad) traffic can’t get the (good they will be dropped good traffic your have, mitigation capacity they at the outside edge of their RECOMMENDED CONTROLS RECOMMENDED good a at length it’s about the problem talked that we’ve Now DoS prevent to lessen or even what can be done time to discuss organization. your attacks against when not in use, should always be turned off Servers/services and available only to the people who needpatched when in use, case of reflection attacks.them, especially in the Segregate key small backup purchase a circuit, perhaps even out of a separate circuit and announce primary facilities/servers. compromise your attack won’t You anti-DDoS service. provider’s Don’t be shy about using your sure that charge. Make should be able to test it quarterly without if there teams will react in a timely manner operations key your offers “auto-mitigation,” provider if your is an actual attack. Even of service.this shouldn’t be an install-and-forget kind R is I C), but he’ll need A I on Cannon (LO I VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA already underway, and we invite any with shaky night vision film already underway, and we clips of this thing to set the record straight. LOT of friends to do the same if the attack has a chance of being of friends to do LOT the got some cash to burn, hand, if he’s successful. On the other botnet and pummel can rent out a DirtJumper or Athena attacker The more for less than $10 an hour. the target of his choice individual might even enterprising (and development-minded) DoS script and herd a botnet as to write his or her own go so far day out every And trust us, these three scenarios play together. in the cybercriminal underground. concern colleagues express heard many clients and We’ve to using DoS attacks as a “smokescreen” about attackers transfers automated clearing house (ACH) hide fraudulent scattered reportsand other illicit activity. Although there are managed to collect we’ve of this happening, hard evidence of angst. or impact justifies the level doesn’t indicate the rate not jokingly refer to this as the “DoS Bigfoot,” sometimes We intrigued and real, but because we’re don’t think it’s because we for the 2015 DB want to capture it on film. Data collection Aside from the rise in DNS reflection attacks and converting converting attacks and reflection in DNS from the rise Aside has changed not much DoS bots, into high-powered webservers DoS toolkits new Sure, there are always years. the past few over attacks of waves and new way into the underground making their as do remain the same, principles but the general taking place, retail, at the financial, many attacks directed saw We the targets. toWhat better way sectors. services, and public professional – or retailer than to go after its website inflict pain on a bank customer service? And though carrying outsomething critical to as it seems, results may vary. For a DoS attack isn’t as difficult open possible to download it’s attacker the financially challenged Orbit source tools such as Low EVERYTHING DOS CYBER- PAYMENT CARD MISCELLANEOUS PHYSICAL THEFT INSIDER AND WEB APP POINT-OF-SALE CRIMEWARE ELSE ATTACKS ESPIONAGE SKIMMERS ERRORS AND LOSS PRIVILEGE MISUSE ATTACKS INTRUSIONS 46 rest were unknown. quarters ofallincidentsinvolved compromisedweb servers; the threat actions,witheverything elsebelow the1%line. Three- unknown), phishing,andbrowser-busting malwareleadknown incidents. Actorsare99.9%external. Generic“hacking”(variety First, let’s describewhatwe seehereamongthese 7,269 Great question;allow ustoexplain. “Why notmake two morepatterns,then?”you mightwell ask. EVERYTHING ELSE Hierarchical clusteringof VERIS enumerations forconfirmeddatadisclosuresfalling outsidethemainincidentpatterns Figure 66. AT AGLANCE Description related speciesofincidents. find looksnothinglike theriffraff ofaMosEisley cantina;it’s almostentirelydominatedby two wretched hive ofscumandvillainythanthisrandom assortmentofoutcasts.Butwhatwe actually This last“pattern”isn’treallyapatternatall.

the orderlyconfinesofotherpatterns.Giv

20 10

phishing/malware campaignsthemselves. else wasreportedaboutthemethodofcompromiseor servers hijacked tohostmalwarefordrive-by exploits. Nothing and usedtohostphishingsites. The otherinvolved hundredsof one, thousandsofservers inhostingfacilities were compromised incidents actuallyrepresentmassattacksreportedtoaCS A littlediggingintothedatauncovers thefact thatthese “Then whydoyou saythey’re relatedspecies?”you mightcounter. 0 attribute.confidentiality.data.variety.Credentials (22) action.hacking.variety.Use ofstolencreds(18) forceaction.hacking.variety.Brute (5) attribute.integrity.variety.Misappropriation (6) attribute.integrity.variety.Software installation(5) asset.assets.variety.S −File(7) asset.assets.variety.S −Web application(10) asset.assets.variety.S −Database(9) attribute.confidentiality.data.variety.Secrets (12) asset.assets.variety.P −Callcenter(9) action.social.vector.Phone (11) attribute.confidentiality.data.variety.Bank (9) attribute.integrity.variety.Alter behavior (18) action.social.variety.Pretexting (12) actor.external.variety.Organized (9) crime actor.external.motive.Financial (23) attribute.confidentiality.data.variety.Payment (11) attribute.integrity.variety.Fraudulent transaction (5) asset.assets.variety.P −Finance(5) attribute.confidentiality.data.variety.Personal (7) actor.external.variety.Unaffiliated (7) I nstead, itcovers allincidentsthatdon’tfitwithin en that,onemightassumeyou’d never findamore VERIZON ENTERPRISE SOLUTIONS I RT. I n n POINT-OF-SALE WEB APP INSIDER AND PHYSICAL THEFT MISCELLANEOUS PAYMENT CARD CYBER- DOS EVERYTHING CRIMEWARE INTRUSIONS ATTACKS PRIVILEGE MISUSE AND LOSS ERRORS SKIMMERS ESPIONAGE ATTACKS ELSE 47 40 18% 30 9% 9% 20 User Action (2014) Drive-by Infections (2014) 10 Drive-by (2013) Overall 0 90% 80% 50% 70% 60% 50% 40% 30% 20% 10% ncluding nearby clusters within that whole middle segment adds clusters within that whole middle ncluding nearby Click attachment Form/Data-entry Figure 68. Phishing success rates 100% Figure 67. of phishing exercises Success rates I organized around that: financially motivated, additional context from to steal payment information criminals using pretexting transactions. conducting fraudulent bank call centers, and digit the extra like secrets kind of sticks out The theft of trade and father your the one who killed (yes; on a six-fingered man what probably because the source knew must prepare to die); or who took it. it was taken but not how was taken, appear to be generic intrusions into web The leftmost clusters and databases to steal personal information. servers hole, but this at least gives go deeper into this rabbit could We other patterns. the cut for the some sense of what didn’t make anyway. now out by probably dendrogrammed You’re this pairing is sometimes seen in conjunction with brute-force with in conjunction seen is sometimes this pairing and installation, (malware) software unauthorized attacks, of file servers. (illegitimate use/hijacking) misappropriation the recognized by a pattern it’s but mind you, not exclusive, That’s algorithm. related cluster linking see a strongly that, we the left of To of call center employees. phone-based social engineering

28 t I n general, it appears n general, I S enumerations. S enumerations. I but their basic premise is pretty straightforward is pretty straightforward but their basic premise 29 n last year’s report we examined data from ThreatSim and data from examined report we n last year’s that about 8% of users will click an attachment and about 8% about while most users are skeptical form. And will fill in a web enough) they clicking an attachment (though not skeptical are less fearful of visiting a link in an email. 18% of users will with drive-by visit a link in a phishing email. Users unfamiliar result in a malware might think that simply visiting a link won’t compromise. I phishing is ancame to the earth-shattering conclusion that way to gain access to an organization. Okay, maybe effective that a phishing campaign of but the revelation that isn’t news, chance of getting aonly ten messages has a better-than 90% click was surprising to many of us. data again and ThreatSim’s took a look at we This year that even last year; immediately reconfirmed the findings from email messagesa campaign consisting of a small number of found we this year has a high probability of success. However, of a phishing message was success rate that the overall The reason could be more awareness of at 18%. slightly lower variation in the samples. phishing, or just natural of different tactics in at the success rate also looked We to visit a link than run an phishing. Are users more likely to click an attachment than likely more attachment? Are they form? in a web enter their passwords YOU AND ME GO PHISHING IN THE DARK AND ME GO PHISHING IN YOU quickly becomes apparent that these incidents aren’t something incidents that these apparent becomes quickly VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT INVESTIGATIONS BREACH VERIZON 2014 DATA All in all, not very informative — and therein lies the issue. lies the and therein — informative all, not very All in utterly different, but rather simply lack sufficient detail to lack sufficient detail simply but rather utterly different, them. better classify the in on narrowing found by is interesting view A slightly more data disclosure. confirmed incidents) that involved subset (81 We’ll use the Figure 66 dendrogram to go hunting for patterns. to use the Figure 66 dendrogram We’ll intuitive aren’t the most inherently realize that dendrograms We visualizations, and they serve this purpose well. serve and they VER are in the dendrogram The words Enumerations are organized into clusters. Clusters are are organized Enumerations of varying branches or indirectly — by connected — directly or low-level on the same cluster Multiple enumerations levels. (i.e., they signify a close and distinguishing relationship branch and within incidents). Enumerations commonly appear together or infrequent signify weak higher branches by clusters separated relationships. cluster to the far When applied to Figure 66, this results in a the use of thoseright encompassing stolen credentials and (weaker/ level credentials to gain unauthorized access. Higher hint that branch less frequent) clusters in that same rightmost CONCLUSION AND SUMMARY RECOMMENDATIONS

It’s fascinating to study what goes wrong. But the real purpose of So for example, in the column for the Public sector, you’ll see CSC this research is to help you reduce the risk that these bad things 17 stands out as a priority. Sure, someone could have said before, will happen to you. At the end of the day, we do this work to support “Intuitively, data loss prevention should probably be important for evidence-based risk management. We think the perspective of the Public sector.” But now this report puts some hard data behind studying clustered incident patterns enables more tailored strategies that. Misuse, theft/loss, and error constitute a strong majority of the to reduce risk, and toward that end, we did two specific things this attack patterns the public sector faces, and data loss prevention helps year. First, we mapped industries to attack patterns to help answer address all of them. The other 19 CSCs are great (and we certainly the question, “For my industry, which threats am I most likely to aren’t saying anyone should ignore them), but this perspective is a face?” Second, for each pattern we made specific recommendations, strong argument for making sure the industry gives CSC 17 the focus including priority controls from the Critical Security Controls (CSCs) and resources it deserves; specifically the sub-controls that cover full based on our collaboration with the Council on Cybersecurity. This disk encryption (17.3) and detecting mis-published information (17.6). included mapping patterns to controls. View this as evidence that can help answer the question “Based on where my industry is now (which reflects the controls already in place To wrap up, let’s connect the dots in one more way. Since we’ve and the threats they often face), what should we focus on next?” used the data to map industries to incident patterns and patterns to controls, we figured we also have a decent foundation to map Granted, one element of this is subjective in that we and the Council’s industries directly to recommendations for controls. Figure 69 on experts decided which controls would best address each threat the next page shows which controls we think are key to the threat pattern. But we based those decisions on event chains observed in our patterns each industry faces. And it weights each control by how data set. And the weighting we did is based firmly on the frequency often we see the patterns the control addresses in that industry. data we have for patterns and industries. So while small differences Essentially, we just did a whole bunch of multiplication to save you the in these numbers probably aren’t too meaningful, we do think there’s a trouble. strong argument for taking a hard look at the controls that come out on top.

As always, we hope you find this year’s report valuable, and we look forward to hearing your feedback. May the Force be with you, and THE COUNCIL ON CYBERSECURITY have fun storming the castle! The Council on CyberSecurity was established in 2013 as an independent, expert, not-for-profit organization with a global scope committed to the security of an open Internet. The Council is committed to the ongoing development, support, and adoption of the Critical Security Controls; to elevating the competencies Questions? Comments? Brilliant ideas? of the cybersecurity workforce; and to the development of We want to hear them. Drop us a line at policies that lead to measurable improvements in our ability to [email protected], find us on LinkedIn, or tweet @ operate safely, securely and reliably in cyberspace. For additional information, visit the Council’s website. VZdbir with the hashtag #dbir. www.counciloncybersecurity.org

48 VERIZON ENTERPRISE SOLUTIONS Figure 69. Critical security controls mapped to incident patterns. Based on recommendations given in this report.

Critical Security Controls DoS POS Misc (SANS Institute) Card nsider Errors Cyber- I Misuse Attacks Attacks Physical ntrusions Web App Web Skimmers I espionage Crimeware Theft/Loss

Software Inventory 2.4 ∑ ∑ 3.1 ∑ Standard Configs 3.2 ∑ ∑ ∑ 3.8 ∑ 5.1 ∑ ∑ ∑ Malware Defenses 5.2 ∑ ∑ ∑ 5.6 ∑ ∑ 6.4 ∑ Secure Development 6.7 ∑ 6.11 ∑ Backups 8.1 ∑ 9.3 ∑ Skilled Staff 9.4 ∑ 11.2 ∑ Restricted Access 11.5 ∑ 11.6 ∑ 12.1 ∑ ∑ 12.2 ∑ Limited Admin 12.3 ∑ 12.4 ∑ 12.5 ∑ 13.1 ∑ ∑ 13.7 ∑ ∑ ∑ ∑ Boundary defense 13.10 ∑ 13.14 ∑ Audit Logging 14.5 ∑ ∑ 16.1 ∑ Identity Management 16.12 ∑ 16.13 ∑ 17.1 ∑ Data Loss Prevention 17.6 ∑ ∑ 17.9 ∑ ∑ 18.1 ∑ Incident Response 18.2 ∑ 18.3 ∑ Network Segmentation 19.4 ∑ ∑

To find out more about the SANS Institute’s Critical Security Controls, visit: http://www.sans.org/critical-security-controls/

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 49 Figure 70. Prioritization of critical security controls by industry. Based on frequency of incident patterns within each industry and recommendations for each pattern given in this report. The shading is relative to each industry. 33 ] 49 ] 32 , 71 ] Critical Security Controls [ (SANS Institute) 45 ] nformation [ 51 ] Mining [ 21 ] Accommodation [ 72 ] [ 56 ] Administrative Construction [ 23 ] Education [ 61 ] Entertainment Finance [ 52 ] Healthcare [ 62 ] I Management [ 55 ] [ 31 , Manufacturing Other [ 81 ] Professional [ 54 ] Public [ 92 ] Real Estate [ 53 ] Retail [ 44 , [ 42 ] Trade [ 48 , Transportation Utilities [ 22 ] Software Inventory 2.4 3.1 Standard Configs 3.2 3.8

5.1 Malware Defenses 5.2 5.6

6.4 Secure Development 6.7 6.11 Backups 8.1 9.3 Skilled Staff 9.4

11.2 Restricted Access 11.5 11.6

12.1

12.2 Limited Admin 12.3 12.4

12.5

13.1

13.7 Boundary defense 13.10

13.14 Audit Logging 14.5 16.1 Identity Management 16.12 16.13

17.1 Data Loss Prevention 17.6 17.9

18.1 Incident Response 18.2 18.3 Network Segmentation 19.4

For more information on the NAICS codes [shown above] visit: https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012

To find out more about the SANS Institute’s Critical Security Controls, visit: http://www.sans.org/critical-security-controls/

50 VERIZON ENTERPRISE SOLUTIONS APPENDIX A: METHODOLOGY

Based on feedback, one of the things readers value most about this 1. VERIZON’S DATA COLLECTION METHODOLOGY report is the level of rigor and integrity we employ when collecting, The underlying methodology we used is unchanged from previous analyzing, and presenting data. Knowing our readership cares about years. All results are based on first-hand evidence collected during such things and consumes this information with a keen eye helps keep paid external forensic investigations and related intelligence us honest. Detailing our methods is an important part of that honesty. operations we conducted from 2004 through 2013. The 2013 caseload is the primary analytical focus of the report, but the entire Our overall methodology remains intact and largely unchanged from range of data is referenced throughout. Once an investigation is previous years. With 50 organizations contributing data this year, completed, our analysts use case evidence, reports, and interviews to there is no single means used to collect and record the data. Instead create a VERIS record of the incident(s). The record is then reviewed we employed different methods to gather and aggregate the data and validated by other members of the team to ensure reliable and produced by a range of approaches by our contributors. consistent data. Once collected, all incidents included in this report were individually 2. METHODOLOGY FOR CONTRIBUTORS USING VERIS reviewed and converted (if necessary) into the VERIS framework to Contributors using this method provided incident data to our team in create a common, anonymous aggregate dataset. But the collection VERIS format. For instance, agents of the U.S. Secret Service (USSS) method and conversion techniques differed between contributors. used an internal VERIS-based application to record pertinent case In general, three basic methods (expounded below) were used to details. Several other organizations recorded incidents directly into accomplish this: an application we created specifically for this purpose.30 For a few 1) direct recording by Verizon using VERIS contributors, we captured the necessary data points via interviews and requested follow-up information as necessary. Whatever the 2) direct recording by contributors using VERIS exact process of recording data, these contributors used investigative 3) re-coding using VERIS from a contributor’s existing schema notes, reports provided by the victim or other forensic firms, and their own experience gained in handling the incident. All contributors received instruction to omit any information that might identify organizations or individuals involved, since such details 3. METHODOLOGY FOR CONTRIBUTORS NOT USING VERIS are not necessary to create the DBIR. Some contributors already collect and store incident data using their own framework. A good example of this is the CERT Insider 31 Sharing and publishing incident information isn’t Threat Database compiled by the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute. For this easy, and we applaud the willingness and work and other similar data sources, we created a translation between the of all these contributors to make this report original schema and VERIS32 and then re-coded incidents into valid possible. We sincerely appreciate it. VERIS records for import into the aggregate dataset. We worked with contributors to resolve any ambiguities or other challenges to data quality during this translation and validation process.

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 51 SECURITY INCIDENTS VERSUS DATA DISCLOSURE Finally, in 1959, Jerome Cornfield and several other researchers took The DBIR has traditionally focused exclusively on security events a step back to conduct a meta-analysis,35 which is analysis done by resulting in confirmed data disclosure33 rather than the broader looking at the combination of several other studies (an approach Nate spectrum of all security incidents.34 In the 2013 DBIR, we deviated Silver would apply to the 2012 U.S. presidential elections with great from that tradition slightly by collecting and referencing a large success). They showed how the aggregate results of all the other number of confirmed security incidents. The 2014 DBIR breaks form studies provided overwhelming evidence that linked smoking with altogether to gain a broader view. We chose to include these incidents lung cancer. Even though each study was flawed in some way, they to capture events such as denial of service attacks, compromises of were flawed in different ways and the aggregate had a consistency systems without data loss, and a very large bucket of incidents where that was enough to dispel any uncertainty. It would take years for this data loss was just simply unknown. While we think this change is for to permeate into the culture, but Cornfield’s meta-analysis was the the better (and we hope you do too), it does mean our report on data tipping point in acknowledging the health hazards of smoking. breaches will include more than data breaches. While we believe many of the findings presented in this report to A WORD ABOUT SAMPLE BIAS be appropriate for generalization, bias and methodological flaws For years, science and statisticians debated the relationship between undoubtedly exist. However, with 50 contributing organizations this smoking and lung cancer. Through the 1940s and 1950s cases of year, we’re aggregating across the different collection methods, epidermoid carcinoma of the lung were on the rise and medical priorities and goals of our partners. We hope this aggregation will help experts sought to understand why. Individual studies starting in minimize the influence of any individual shortcomings in each of the the 1950s would establish a correlation between smoking and lung samples and the whole of this research will be greater than the sum of cancer, but each of them had statistical flaws in their methodologies. its parts. These flaws were not errors or mistakes in any way; the flaws were present because the real world presented imperfect data and the researchers did the best they could to compensate for the imperfect data. R. A. Fisher (a well-respected and famous statistician, who was often shown smoking his pipe) was an outspoken opponent of those studies and would put considerable effort into dissecting and refuting the techniques and conclusions found therein. His personal beliefs were being expressed through his expertise in statistics to such a point that he even accused researchers of manipulating their data.

52 VERIZON ENTERPRISE SOLUTIONS APPENDIX B: DATA BREACHES AND IDENTITY THEFT, A CONVOLUTED ISSUE

BY THE IDENTITY THEFT RESOURCE CENTER (ITRC)

We focus primarily on the corporate side of data breaches in this LESS-SENSITIVE PII – IMPORTANCE AND VALUE report, but there is clearly an overlap into the consumer world. Over time, consumers have been made increasingly aware of breaches Because that world is very much front-and-center for ITRC, we exposing passwords, usernames, and emails. These pieces of less- thought it would be appropriate to have them contribute a perspective sensitive PII might, on the surface, appear to have no importance on an important aspect of breaches: consumer identity theft. and/or value, and therefore represent relatively low risk of harm. Consumers use these pieces of information day-in and day-out, most So you received a data breach notification letter. Does this mean you likely without thinking about their value, or the measures in place to are now a victim of identity theft? Not necessarily (yet). keep them secure and private. For businesses, exposure of this data The relationship between data breaches and identity theft is trickier does not typically even trigger the need for breach notification. than you think. It’s more convoluted than just these two issues being Is there risk of identity of theft? This depends on the ingenuity and related or even correlated. There are studies touting the relationship level of motivation of the data thief. While it is true that thieves can between receiving a data breach notification and identity theft use this non-PII to “socially engineer” other information about you, it victimization, but the ITRC believes this oversimplifies the issue. does require some degree of effort. TYPES OF INFORMATION SENSITIVE PII – IMPORTANCE AND VALUE Data breaches are becoming more commonplace and understood Most consumers readily identify credit/debit cards, and financial by the general public, due in part to surrounding the many account information as important. When it comes to these pieces of high profile incidents that occurred over the past year. As a result, financial information, they understand the need to protect it — there consumers are faced with the fact that their personal identifying are associated risks with it being compromised. One major concern information (PII) is being left unsecured by those entrusted to is who is responsible for any financial loss or expenses incurred as protect it. Passwords, usernames, emails, credit/debit card and a result of this occurrence. Many consumers fear exposure of this financial account information, and Social Security Numbers are being information may result in identity theft; not realizing additional compromised at a staggering rate, endangering the identities of information (see Social Security number below) is necessary to take consumers nationwide. it to that level. Typically, the use of financial information is limited to The perceived significance of PII falls along a continuum of various forms of financial fraud or existing account fraud. importance and value – as well as risk. This issue of “perception” The value of financial account information may be high, but it is applies to all the players in a data breach scenario – the consumer, the usually short-lived if the consumer takes action and closes accounts business entity, and of course, the “data thief.” I hesitate to call the quickly. This is facilitated by businesses making prompt breach criminal an “identity thief” for we know not yet their underlying motive notifications and alerting the consumer that they need to take for stealing the PII. proactive measures.

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 53 Social Security numbers — the gold standard of all sensitive PII — UNDERSTANDING TYPES OF PII AND NEED FOR FOLLOW UP ACTION are that extra piece of information that unlocks so many doors. With Depending on the type of personal data compromised (sensitive this data in hand, thieves can now gain access to new credit and other or less-sensitive) in any given data breach incident, many of the benefits in the victim’s name — lines of credit, government benefits, associated risks to the consumer will be contingent upon on how tax refunds, employment, utilities, mortgages, and even medical quickly they respond to a breach notification. This is why the resources. The data thief is the one who truly appreciates the value of timeliness of the notification to the consumers is of significant this information. importance. Laws aside, forewarned is forearmed. An aware customer/client/employee/student is one who can take proactive U.S. businesses recognize the importance of protecting these pieces measures to minimize the risk of any potential harm. of sensitive information because they know exposure of this data will trigger breach notification laws around the country in 46 states. There is a definite value to the business to implement best practices and Many of the associated risks to the consumer will protocols to ensure the security of this information, otherwise they be contingent upon on how quickly they respond to will face the subsequent costs of mitigating a breach. a breach notification. VICTIM IMPACT — PERSONAL COST (NON-FINANCIAL COSTS) And while not all consumers who receive a data breach notification With that said, it is extremely important for consumers to understand will become victims of identity theft, many will face the need to the steps they can take to keep their information as private as contact credit reporting agencies, creditors, financial institutions, possible. health care providers, and possibly law enforcement agencies, to report that their PII has been compromised. Placing Fraud Alerts or RECOMMENDATIONS FOR CONSUMERS Credit Freezes, closing credit cards and financial accounts, changing • First and foremost, never carry your Social Security card with you. passwords and PINs, and closing or changing email accounts are just • Develop strong passwords – Don’t be like the millions of others who some of the possible steps one might need to take to minimize future use “12345678” or “password.” Even when hashed, these passwords 36 risk of identity theft. That said, pity those who do not receive a breach can easily be deciphered by data thieves. notification letter for they do not yet know their information has been • Don’t be too social on social media. Providing too much information compromised. on these very public venues provides data thieves plenty of information to go phishing at your expense. Even if you’re not the hottest celebrity in town, you might be more popular than the next Placing Fraud Alerts or Credit Freezes, closing guy on the thief’s list. credit cards and financial accounts, changing • Shred sensitive documents – what you don’t shred, lock up in a passwords and PINs, and closing or changing secure location. email accounts are just some of the possible steps • Monitor financial statements and be on the look for any fraudulent transactions. one might need to take to minimize future risk of • Make every possible effort to guard your Protected Health identity theft. Information (PHI). Minimize the number of times you provide it the doctor’s office. Ask questions such as who can access it, will it be Many of these steps take a personal toll on consumers who encrypted, and do they take measures to store it securely. Be your oftentimes have no idea what steps to take – even when they are own PHI watchdog. spelled out in a breach notification letter or on a company website. All they know is they are feeling angry, frustrated and confused. They are frequently in an emotional and anxious state of mind. They are trying to grasp the meaning of who is responsible for any financial losses. How much time is it going to take to make necessary calls? Who do they call? What’s the number? Why is the line always busy? Can you make the call for me? Will a request for a credit report effect my credit score? How could the business let something like this happen?

54 VERIZON ENTERPRISE SOLUTIONS APPENDIX C: LIST OF CONTRIBUTORS

CSIRTS INFOSEC PRODUCT AND SERVICE PROVIDERS • CERT Insider Threat Center • Akamai • CERT Polska/NASK • Centripetal Networks, Inc. • CERT-EU European Union • FireEye • CERT.PT • Kaspersky Lab • Computer Emergency Response team of Ukraine (CERT-UA) • Malicious Streams • Computer Incident Response Center Luxembourg (CIRCL), National • McAfee, part of Intel Security CERT, Luxembourg • ThreatGRID, Inc. • CyberSecurity Malaysia, an agency under the Ministry of Science, • ThreatSim Technology and Innovation (MOSTI) • Verizon DoS Defense • Industrial Control Systems Cyber Emergency Response Team • WhiteHat Security (ICS-CERT) ISACS • Irish Reporting and Information Security Service (IRISS-CERT) • Center for Internet Security (MS-ISAC) • OpenCERT Canada • Electricity Sector Information Sharing and Analysis Center • US Computer Emergency Readiness Team (US-CERT) (ES-ISAC) CYBER CENTERS • Financial Services ISAC (FS-ISAC) • Centre for Cyber Security, Denmark • Public Transit ISAC (PT-ISAC) • Council on CyberSecurity • Real Estate ISAC (RE-ISAC) • Defense Security Service (DSS) • Research & Education ISAC (REN-ISAC) • European Cyber Crime Center (EC3) LAW ENFORCEMENT AGENCIES • National Cybersecurity and Integration Center (NCCIC) • Australian Federal Police (AFP) • Netherlands National Cyber Security Centre (NCSC-NL) • Cybercrime Central Unit of the Guardia Civil (Spain) FORENSIC PROVIDERS • Danish National Police, NITES (National IT Investigation Section) • Deloitte and Touche LLP • Dutch Police: National High Tech Crime Unit (NHTCU) • G-C Partners, LLC • Policía Metropolitana (Argentina) • Guidance Software • Policía Nacional de Colombia • S21sec • US Secret Service • Verizon RISK Team OTHER • Anonymous contributor • Commonwealth of Massachusetts • Identity Theft Resource Center • Mishcon de Reya • VERIS Community Database (VCDB) • Winston & Strawn

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 55 ENDNOTES

1. Yes, we’ll continue to call it the Data Breach Investigations Report, even though it analyzes incidents that aren’t exclusively breaches or derived through forensic investigations. Hey! Maybe we should just call it the “Data Report” because those two words are still dead-on. 2. Stay tuned, though. We may dig deeper into this topic once we’re free from the pressures of publishing the main report. 3. To be fair, the biggest sprees in this year’s dataset originated in both Romania and Germany 4. For the initiated, we could not reject the null-hypothesis with a p-value of 0.21 and R2 of 0.134. 5. https://www.whitehatsec.com/resource/stats.html 6. Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T., & Flynn, L. (2012). Common Sense Guide to Mitigating Insider Threats. In S.E. Institute (Ed.), (4th ed., pp. 17): Carnegie Mellon University. http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm 7. http://www.mishcon.com/assets/managed/docs/downloads/doc_2714/Mishcon_Recover_Report.pdf 8. Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T., & Flynn, L. (2012). Common Sense Guide to Mitigating Insider Threats. In S.E. Institute (Ed.), (4th ed., pp. 17): Carnegie Mellon University. http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm 9. We supplemented this pattern with data from VCDB because it is a rich source of related incidents. 10. http://veriscommunity.net/doku.php?id=enumerations#assetvariety 11. Note to self: stop leaving laptop in conference room when walking down to the cafeteria. 12. We supplemented this pattern with data from VCDB because it is a rich source of related incidents.

13. http://blog.oxforddictionaries.com/2013/11/word-of-the-year-2013-winner/

14. A major NHTCU investigation into groups using mobile malware showed that in less than a year’s time, five variations of mobile malware for one specific bank could be detected. Modest estimates suggest that criminals gained around €50,000 per week using this specific form of mobile malware, harvesting over 4,000 user credentials from 8,500 infected bank customers in just a few months. Mobile malware does not move the needle in our stats as we focus on organizational security incidents as opposed to consumer device compromises. 15. The two email vectors are almost certainly underrepresented based on the number of phishing actions in this data set. Not enough info was provided to discern whether those phishing incidents utilized email attachments or embedded links, and so they were marked “unknown.” Therefore, the actual number of both email vectors is surely higher than shown here, but still not be enough to overtake the web vectors. 16. You can get more data on this by sending us a small fee to cover transfer costs. Just give us your bank account number and we will email you the information. Bitcoins welcome. 17. We supplemented this pattern with data from VCDB because it is a good source of related incidents. 18. Espionage is not one of the more common patterns in the Public sector, but if you look solely at data breaches, it becomes quite prominent. 19. in all honesty, some of us aren’t crazy about the “cyber” thing. Be that as it may, it is increasingly THE collectively used and understood modifier for the type of attacks we discuss here. By “cyber,” we’re referring to computer networks, systems, and devices. We promise not to go all cyber-cyber-cyber!!! on you; we’ll just use it as a way to reference this pattern.

56 VERIZON ENTERPRISE SOLUTIONS 20. http://en.wikipedia.org/wiki/Analysis_of_competing_hypotheses 21. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of- intelligence-analysis/ 22. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the- board-of-national-estimates-collected-essays/6words.html 23. See the Misuse section for analysis of insider espionage. 24. http://blogs.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf 25. See Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2010). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. 26. http://www.microsoft.com/security/sir/default.aspx 27. ...at least until February 2014, when NTP reflection became bigger-est in history – but too late for us to edit this report beyond adding a footnote. 28. it’s funny to consider that this remnant of the rejects is about equal to the total number of breaches in the 2009 DBIR. 29. For a primer on dendrograms and hierarchical clustering techniques (our method for identifying patterns in this report), see http:// en.wikipedia.org/wiki/Hierarchical_clustering 30. See an example here: https://incident.veriscommunity.net/s3/example 31. http://www.cert.org/blogs/insider_threat/2011/08/the_cert_insider_threat_database.html 32. For instance, CERT has an attribute named “Motives and expectations” that maps very well to actor.internal.motive in VERIS. 33. VERIS defines data disclosure as any event resulting in confirmed compromise (unauthorized viewing or accessing) of any non-public information. Potential disclosures and other “data-at-risk” events do NOT meet this criterion, and have thus not traditionally been part of the sample set for this report. 34. VERIS defines an incident as any event that compromises a security attribute (confidentiality, integrity, availability) of an information asset. 35. Cornfield, Jerome, et al. “Smoking and Lung Cancer: Recent Evidence and a Discussion of Some Questions.” Journal of the National Cancer Institute 22.1 (1959): 173-203. 36. Don’t believe us? Just 286755fad04869ca523320acce0dc6a4

VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 57 { "action": { "hacking": { "variety": [ "Abuse of functionality", "SQLi", "Use of backdoor or C2” "Brute force" ABOUT THE COVER "notes": “Numerous attacks methods were used in the remote attack of the Apache web server running 2.0.65 and utilizing The “universe” of colored dots on the cover represents 4,596 a password of tomcat for the admin page. The main page was replaced with a GOCI logo of a incidents from the DBIR dataset, including all confirmed data scary dragon, and a skull, and other evil and menacing symbols. Not what the victim wanted breaches over the past three years and a sample of 400 Denial of to see on their page no doubt. Default password was used first, and the attackers moved laterally via SQL injection and installed a Bifrose variant Service attacks from last year. We calculated the distance between backdoor on 3 servers.” ], dots using a multi-dimensional scaling technique (with the Manhattan "vector": [ "Web application" ] distance algorithm) with 65 VERIS fields for each incident. This } }, required over 6 million comparisons, and the resulting distances were "actor": { "external": { projected on a two-dimensional plane. The closer the dots, the more "country": [ "Unknown" ], similar the incidents, meaning they share many VERIS characteristics "motive": [ "Espionage" like threat actors, actions, assets, etc. The colors represent the ], “variety”: [ "Organized crime" nine incident classification patterns discussed throughout this “notes”: “The organized group is very heinous and patient when attacking their report (see the Table of Contents for a section detailing how these available victims. Ruthless in nature and selectively contracted, they can hail from patterns were derived). Patterns in close proximity (e.g., Misuse Helsinki, or Istanbul, or Perth. They were thought to be the main group responsible for heading up the 2006 web compromise of the and Error) share many VERIS characteristics, while those that are ecommerce environment (Apache 2.0.65) of a BSD web fan forum that was then appropriated to far apart (e.g., Espionage and POS Intrusions) have little in common. help organize a fraudulent contest that caused over thirteen thousand dollars in losses. Funds laundered to another division created an The tightness or looseness of dots within each pattern shows the electronic-hacking division based in Bucharest Romania enabling this group to branch out, amount of variation among incidents in that pattern. The sub-pattern executing in a decentralized manner. Since 2009 primarily using IRC and other channels for clusters (overlayed points and lines) were created using 10 years obfuscated communication, the group targets regulatory agencies as well as some private targets. The Oslo faction has become more of incident data (over 100,000 incidents). We generated a force- fanatical; called The Guild of Calamitous Intent, the group has known associations with directed network graph from the frequency of VERIS fields and the right-wing, left-wing, and buffalo-wing groups. Sophisticated hacking techniques like the TARNHT (Truly Awesome Really New Hacking Thing) relationships between them for each individual cluster. can be attributed to the exploit innovation laboratory. The FBI, CIA, NHL, NTSB, ISIS, Underdog, and Zach Attack all have special electro-cyber-hero divisions on the case. “ } }, "asset": { "accessibility": "External", "assets": [ { "variety": "S – Web application" } ], "hosting": "Internal", "management": "Internal", "ownership": "Victim" }, "attribute": { "availability": { "variety": [ "Interruption" ] }, "confidentiality": { "data": [ { "variety": "Secrets" }, { "variety": "Personal" } ], "data_disclosure": "Confirmed", "state": [ "Unknown" ] } }, "discovery_method": "Int - reported by user", "impact": { "overall_rating": "Unknown" }, "incident_id": "069A2112-080D-1235-813F-3DB3CEDDEDA", "plus": { "analysis_status": "First pass", "analyst": "Czumak", }, "created": "2014-03-20T20:24:00Z", "github": "00110110.11101011.01000000.01110000", "master_id": "069A2112-080D-1235-813F-3DB3CEDDEDA", "modified": "2014-03-20T15:21:58Z", "timeline": { "notification": { "year": 2014 } } }, "reference": "http://beesbeesbees.com", "schema_version": "1.2.1", "security_incident": "Confirmed", "source_id": "vcdb", "summary": "Welcome folks. Enjoy this years report. Wow. So vectors. Much families. Many incident.", "timeline": { "compromise": { "unit": "NA" }, "exfiltration": { "unit": "NA" }, "incident": { "year": 2007 } }, "victim": { "country": "US", "employee_count": "101 to 1000", "industry": "541711", "state": "OR", "victim_id": "Mittelos Bioscience" } } verizonenterprise.com © 2014 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. MC15912 04/14