Verizon - 2014 Data Breach Investigations Report - October 2014
Verizon - 2014 Data Breach Investigations Report - October 2014 from Gde Merklin
- 5. 2013 YEAR IN REVIEW

The year 2013 may be tagged as the “year of the retailer breach,” but a more comprehensive assessment of the InfoSec risk environment shows it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.

JANUARY
January saw a series of reports of targeted attacks by what were probably state-sponsored actors. The Red October cyber-espionage campaign was exposed; it was responsible for targeting government agencies and research institutions globally, but in Russian-speaking countries in particular. Intelligence on a different series of attacks, beginning with a “watering hole” attack on the Council on Foreign Relations web site (cfr.org) that began on Boxing Day 2012, was linked to actors using the Elderwood Framework. Meanwhile, the Izz ad-Din al-Qassam Cyber Fighters (QCF) were almost a month into Phase I of Operation Ababil Distributed Denial of Service (DDoS) attacks on U.S. financial services companies.

FEBRUARY
The segue into February was provided by The New York Times and the Wall Street Journal, with new reports of targeted cyber-espionage. And Sophos reported a new Citadel-based Trojan crafted to attack Point-of-Sale (POS) systems using a Canadian payment card processor. We would soon learn that www.iphonedevsdk.com became a watering hole, using a surprise attack on Java late in the month. Most InfoSec professionals well remember February as the month Mandiant (now FireEye) released its superb APT1 report. February was also the start of reports of data breaches from large enterprises, courtesy of the aforementioned iPhoneDevSDK: Facebook, Twitter, Apple, and Microsoft were all victims. Noteworthy retailer POS data breaches were reported by Bashas’ and Sprouts, two discrete grocery chains in the U.S. Southwest. Bit9 reported a data breach that began in July 2012, attacking its code-signing infrastructure.

MARCH
Fifty million Evernote users remember that March was the month they were forced to change their passwords. On March 20, the Republic of Korea suffered a large-scale cyber-attack that included disk corruption. We remain skeptical that the Cyberbunker-CloudFlare-Spamhaus DoS attack almost broke the Internet at the end of March. Group-IB reported “Dump Memory Grabber” (a.k.a. BlackPOS), a new POS Trojan that would go on to make headlines when news broke of Target Stores’ breach in December.

This section is a compilation of the weekly INTSUM lead paragraphs posted to our blog and is 100% based on open source intelligence (OSINT). We maintain a very strong policy against identifying Investigative Response clients, and mentions of organizations in this section in no way imply that we conducted an investigation involving them or that they are among the victims in our dataset.
- 6. APRIL
In April, another U.S. grocery retailer, Schnucks, reported a POS data breach. The Syrian Electronic Army (SEA) did some damage when it hijacked the Associated Press’ Twitter account, sending a tweet reporting an explosion at the White House and causing a spasm on Wall Street. Operation Ababil continued, but OSINT cannot support attributing DoS attacks on several European banks to the QCF.

MAY
Cyber-espionage continued in May, with reports from QinetiQ and the U.S. Army Corps of Engineers. The SEA hijacked the Twitter accounts of both The Guardian and The Financial Times. A watering hole attack targeted nuclear weapons researchers in the U.S. for cyber-espionage, probably from China. More cyber-espionage campaigns reported in May included Operation Hangover, targeting Pakistan; Safe, targeting Mongolia; and operations by the Sunshop actors against Tibetan activists. The U.S. Department of Justice shut down Liberty Reserve, the go-to bank for cyber-criminals.

JUNE
Early in June, Raley’s, yet another U.S. grocer with stores in California and Nevada, reported its payment card systems were breached. NetTraveller, a global cyber-espionage campaign targeting diplomats in countries with interests not aligned with China, occurred. A day later, The Guardian published the first intelligence leaked by Edward Snowden… and then InfoSec intelligence became the “All-Snowden-All-the-Time” channel.

JULY
July’s largest retailer data breach was reported by Harbor Freight, a U.S. tool vendor with 445 stores – nearly 200 million customers and we still don’t know how many records were compromised. The QCF initiated Phase IV of Operation Ababil. The SEA breached Viber, Tango, and the Daily Dot. The U.S. Department of Justice indicted four Russians and one Ukrainian for high-profile data breaches, including Heartland and Global Payments.
AUGUST
In August, the SEA hijacked the Twitter accounts of CNN, The Washington Post, Time Magazine, SocialFlow, and both The New York Times and New York Post. Attendees of the G8 Summit in St. Petersburg, Russia, were targeted for cyber-espionage by the Calc Team actors.

SEPTEMBER
In September, Vodafone notified two million customers their personal and financial information had been breached. Espionage reported in September involved the EvilGrab Trojan and separately, the Hidden Lynx actors who seem to engage in both espionage and cybercrime. New intelligence linked the Bit9 attack from February with Operation Deputy Dog, Hidden Lynx, and watering hole attacks on Japanese financial institutions. At the end of the month Brian Krebs began his reports on intelligence extracted from ssndob[dot]ms. The site was home to data stolen from some of America’s largest data brokers: Lexis-Nexis, Kroll, and Dun & Bradstreet. Cryptolocker made its first appearance in September, extorting money from victims that were willing to pay to decrypt their essential files.

OCTOBER
On October 3, Adobe announced its systems had been breached; eventually 38 million accounts were identified as affected. Intelligence connected this to the ssndob[dot]ms actors. Nordstrom, the luxury U.S. department store, discovered skimmers on some of its cash registers. Two of 2013’s big wins also occurred in October: Dmitry “Paunch” Fedotov, the actor responsible for the Blackhole exploit kit, was arrested in Russia, and Silk Road, an online fraud bazaar, was taken down.

NOVEMBER
The proverbial calm before the storm, November was fairly quiet. Banking malware evolved with reports of Neverquest and another version of IceIX. BIPS, a major European bitcoin payment processor, was the victim of one of the largest bitcoin heists recorded up to that point in time.

DECEMBER
The last significant entry under cyber-espionage for 2013 was the targeting of foreign ministries in European countries by Operation Ke3chang. The Washington Post reported its second breach of the year. And then InfoSec intelligence became the “All-Target-All-the-Time” channel. Although the breach of this major U.S. retailer was a little more than half the size of Heartland and three-fourths the size of TJX, it’s vying to become the event for which 2013 will always be remembered.

Questions? Comments? Brilliant ideas? We want to hear them. Drop us a line at dbir@verizon.com, find us on LinkedIn, or tweet @VZdbir with the hashtag #dbir.

VERIZON ENTERPRISE SOLUTIONS
- 7. VICTIM DEMOGRAPHICS

Readers of the DBIR frequently approach us with two important questions. How generally representative are the findings of this report? Are these findings relevant to my organization? To help get you oriented with this year’s report, let’s see what the data has to show us.

The 2013 DBIR featured breaches affecting organizations in 27 countries. This year’s report ups that tally by 350%, to 95 distinct countries (Figure 1). All major world regions are represented, and we have more national Computer Security Incident Response Teams (CSIRTs) than ever before. Our ability to compare global trends has never been higher.

But it’s not quite that simple. The charter, focus, methods, and data differ so much between CSIRTs that it’s difficult to attribute differences to true variations in the threat environment.2 However, regional blind spots are getting smaller thanks to our growing list of contributors (see Appendix C), and we’re very happy with that.

Figure 1. Countries represented in combined caseload (in alphabetical order):
Afghanistan; Albania; Algeria; Argentina; Armenia; Australia; Austria; Azerbaijan; Bahrain; Belarus; Belgium; Bosnia and Herzegovina; Botswana; Brazil; Brunei Darussalam; Bulgaria; Cambodia; Canada; Chile; China; Colombia; Congo; Croatia; Cyprus; Czech Republic; Denmark; Egypt; Ethiopia; Finland; France; Georgia; Germany; Greece; Hong Kong; Hungary; India; Indonesia; Iran, Islamic Republic of; Iraq; Ireland; Israel; Italy; Japan; Jordan; Kazakhstan; Kenya; Korea, Republic of; Kuwait; Kyrgyzstan; Latvia; Lebanon; Lithuania; Luxembourg; Macedonia, the former Yugoslav Republic of; Malaysia; Mali; Mauritania; Mexico; Moldova, Republic of; Montenegro; Morocco; Mozambique; Nepal; Netherlands; New Zealand; Oman; Pakistan; Palestinian Territory, Occupied; Peru; Philippines; Poland; Portugal; Qatar; Romania; Russian Federation; Saudi Arabia; Singapore; Slovakia; Slovenia; South Africa; Spain; Switzerland; Taiwan, Province of China; Tanzania, United Republic of; Thailand; Turkey; Turkmenistan; Uganda; Ukraine; United Arab Emirates; United Kingdom; United States; Uzbekistan; Vietnam; Virgin Islands.
- 8. Next, let’s review the different industries and sizes of victim organizations in this year’s dataset (Figure 2). The Public sector’s astronomical count is primarily a result of U.S. agency reporting requirements, which supply a few of our contributors with a vast amount of minor incidents (more on that later), rather than a sign of higher targeting or weak defenses. Figure 3 filters out the minutiae by narrowing the dataset to only those incidents involving confirmed data compromise. Moving beyond the Public sector outlier, both Figure 2 and Figure 3 show demographics relatively similar to prior years.

Figure 2. Number of security incidents by victim industry and organization size, 2013 dataset

Industry                    Total   Small   Large  Unknown
Accommodation [72]            212     115      34       63
Administrative [56]            16       8       7        1
Agriculture [11]                4       0       3        1
Construction [23]               4       2       0        2
Education [61]                 33       2      10       21
Entertainment [71]             20       8       1       11
Finance [52]                  856      43     189      624
Healthcare [62]                26       6       1       19
Information [51]            1,132      16      27    1,089
Management [55]                10       1       3        6
Manufacturing [31,32,33]      251       7      33      211
Mining [21]                    11       0       8        3
Professional [54]             360      26      10      324
Public [92]                47,479      26  47,074      379
Real Estate [53]                8       4       0        4
Retail [44,45]                467      36      11      420
Trade [42]                      4       3       0        1
Transportation [48,49]         27       3       7       17
Utilities [22]                166       2       3      161
Other [81]                     27      13       0       14
Unknown                    12,324   5,498       4    6,822
Total                      63,437   5,819  47,425   10,193

Figure 3. Number of security incidents with confirmed data loss by victim industry and organization size, 2013 dataset

Industry                    Total   Small   Large  Unknown
Accommodation [72]            137     113      21        3
Administrative [56]             7       3       3        1
Construction [23]               2       1       0        1
Education [61]                 15       1       9        5
Entertainment [71]              4       3       1        0
Finance [52]                  465      24      36      405
Healthcare [62]                 7       4       0        3
Information [51]               31       7       6       18
Management [55]                 1       1       0        0
Manufacturing [31,32,33]       59       6      12       41
Mining [21]                    10       0       7        3
Professional [54]              75      13       5       57
Public [92]                   175      16      26      133
Real Estate [53]                4       2       0        2
Retail [44,45]                148      35      11      102
Trade [42]                      3       2       0        1
Transportation [48,49]         10       2       4        4
Utilities [22]                 80       2       0       78
Other [81]                      8       6       0        2
Unknown                       126       2       3      121
Total                       1,367     243     144      980

For more information on the NAICS codes [shown above] visit: https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012
Small = organizations with less than 1,000 employees, Large = organization with 1,000+ employees

We saw some increases where we added new industry-specific contributors, so pieces of the puzzle are filling in. Certain sectors will always skew higher in the victim count given their attractiveness to financially motivated actors — i.e., those that store payment card or other financial data. But even discounting that, we don’t see any industries flying completely under the radar. And that’s the real takeaway here — everyone is vulnerable to some type of event. Even if you think your organization is at low risk for external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.

So, we can’t claim to have unbiased coverage of every type and size of organization on the planet (fingers crossed for next year, though!). But we dare say that the majority of readers will be able to see themselves or something that looks enough like them in this sample.
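An added example (not from the report) of how tables like Figures 2 and 3 can be built from incident records: map each victim's NAICS code to its 2-digit sector, split organization size at the 1,000-employee line, and optionally keep only incidents with confirmed data disclosure. The record fields (`naics`, `employees`, `data_disclosure`) and the sample incidents are constructed for illustration.

```python
from collections import Counter, defaultdict

# Subset of NAICS 2-digit sector codes, labelled as in the report's tables.
SECTORS = {"72": "Accommodation", "52": "Finance", "92": "Public",
           "44": "Retail", "45": "Retail", "51": "Information"}

# Constructed sample records; the field names are hypothetical.
INCIDENTS = [
    {"naics": "722511", "employees": 40,    "data_disclosure": "Yes"},
    {"naics": "522110", "employees": 12000, "data_disclosure": "Yes"},
    {"naics": "522110", "employees": None,  "data_disclosure": "Unknown"},
    {"naics": "921190", "employees": 50000, "data_disclosure": "No"},
    {"naics": "921190", "employees": 50000, "data_disclosure": "No"},
    {"naics": "448140", "employees": 999,   "data_disclosure": "Yes"},
    {"naics": "452112", "employees": 1000,  "data_disclosure": "Potentially"},
    {"naics": None,     "employees": None,  "data_disclosure": "Yes"},
]

def sector(naics):
    """Map a NAICS code of any length to its 2-digit sector label."""
    if not naics:
        return "Unknown"
    prefix = str(naics)[:2]
    return SECTORS.get(prefix, f"NAICS {prefix}")

def size_bucket(employees):
    """Small = fewer than 1,000 employees, Large = 1,000+, else Unknown."""
    if employees is None:
        return "Unknown"
    return "Small" if employees < 1000 else "Large"

def tabulate(incidents, confirmed_only=False):
    """Count incidents per sector and size; optionally only confirmed loss."""
    table = defaultdict(Counter)
    for inc in incidents:
        if confirmed_only and inc.get("data_disclosure") != "Yes":
            continue  # "Potentially"/"Unknown"/"No" are not confirmed
        size = size_bucket(inc.get("employees"))
        for row in (sector(inc.get("naics")), "Total"):
            table[row][size] += 1
            table[row]["Total"] += 1
    return table

def render(table):
    """Format the counts as a plain-text table with a Total row last."""
    cols = ("Total", "Small", "Large", "Unknown")
    rows = sorted(r for r in table if r != "Total") + ["Total"]
    lines = [f"{'Industry':<16}" + "".join(f"{c:>9}" for c in cols)]
    lines += [f"{r:<16}" + "".join(f"{table[r][c]:>9}" for c in cols) for r in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(tabulate(INCIDENTS)))                       # all incidents
    print(render(tabulate(INCIDENTS, confirmed_only=True)))  # confirmed only
```

In the sample, the Public sector rows dominate the all-incident table and disappear from the confirmed-only one, which mirrors the outlier effect described for Figure 2 versus Figure 3.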
- 9. A DECADE OF DBIR DATA

Long-time readers of this report will know that we’re not very good at maintaining the status quo. The sources of data grow and diversify every year. The focus of our analysis shifts. The way we visualize data and organize results evolves over time. And with the 2014 DBIR, we’re really gonna shake things up.

While this does make it hard to meaningfully compare trends across time, it has the positive effect of shining light into new and shadowy areas each year. The truth of the matter is that we’re more interested in exploring and learning than churning out the same ‘ol stuff each time just to measure deltas.

That said, measuring deltas has value and we know readers appreciate some level of continuity between reports. Thus, this section attempts to create an “as-comparable-as-possible” set of findings to previous DBIRs. It “only” includes breaches from 2004-2012, plus the 1,367 incidents for which data compromise was confirmed in 2013. It’s worth noting that this represents the high mark in ten years of data breaches, and is the first time we’ve crossed 1,000. (Give a round of applause to all those contributors who keep adding fuel to the bonfire.)

We began writing a lot of commentary for this section, but then changed our minds. Instead, we’ll churn out some eye candy for you to chew on as long as you like with only a few general observations from us.
A BRIEF PRIMER ON VERIS AND VCDB

The Vocabulary for Event Recording and Incident Sharing (VERIS) is designed to provide a common language for describing security incidents in a structured and repeatable manner. It takes the narrative of “who did what to what (or whom) with what result,” and translates it into the kind of data you see in this report. Because we hope to facilitate the tracking and sharing of security incidents, we released VERIS for free public use. Get additional information on the VERIS community site; the full schema is available on GitHub. Both are good companion references to this report for understanding terminology and context.

www.veriscommunity.com | github.com/vz-risk/veris

Launched in 2013, the VERIS Community Database (VCDB) project enlists the cooperation of volunteers in the security community in an attempt to record all publicly disclosed security incidents in a free and open dataset. We leverage VCDB for a few sections in this report, which are clearly marked. Learn more about VCDB by visiting the website below.

vcdb.org