Know thy cyber enemy: Who’s attacking and what they want

Analysis
Apr 24, 2013 | 7 min read

Verizon security study shows most attacks were made by external parties, primarily based in China and Romania, using a wide variety of threat actions

China and Romania spawned the most cyber attacks last year, according to an in-depth study released this week by Verizon. Notably, whereas Romanian attackers were primarily prowling for financial data to score a big payday, Chinese perpetrators were engaged in espionage, focused on swiping trade secrets and internal data. Much of the responsibility for successful data breaches in 2012, however, can be pinned on IT’s long-standing nemesis: single-factor authentication. Seventy-six percent of network intrusions in 2012 exploited weak or stolen credentials.

Verizon’s 2013 DBIR (Data Breach Investigations Report) is brimming with information as to who was behind worldwide cyber attacks in 2012, what attackers were after, and what tactics they employed to pull off their crimes. Verizon’s RISK (Research, Investigations, Solutions, Knowledge) Team, in conjunction with more than a dozen security-focused organizations, culled the data by analyzing more than 47,000 reported security incidents and 621 confirmed data breaches from the past year.

Whodunit?

Among the report’s key findings, the vast majority of cyber attacks against organizations — 92 percent — were perpetrated by external parties; just 14 percent were pulled off by someone on the inside. Verizon pinned the remainder on partners. (The report notes that “many figures and tables in this report add up to more than 100 percent; this is not an error. It simply stems from the fact that items presented in a list are not always mutually exclusive, and thus, several can apply to any given incident.”)

“The two big reasons for the dominance of external actors are their numerical advantage and greater attack scalability,” according to the report. “An organization will always have more outsiders than insiders, and the Internet connects criminals to a virtually limitless host of potential victims.”

As to who was responsible for most of the external attacks, the RISK Team reported that 55 percent were performed by organized crime syndicates. “This reflects the high prevalence of illicit activities associated with threat actors of this ilk, such as spamming, scamming, payment fraud, account takeovers, identity theft, etc.”

These syndicates’ primary motivation is money: “As economic and social activities continue to go online, criminals will follow in order to exploit the soaring amount of data that can be (all too easily) converted to cash.”

Choosing targets

Attacks from organized cyber criminals tend to come from Eastern Europe and North America, and they primarily target the financial, retail, and food industries. Their tactics often include physically tampering with victims’ equipment (ATMs, point-of-sale terminals, databases, and desktops); engaging in brute-force hacking; and using malware for spying, capturing stored data, posing as admins, and RAM scraping. They tend to focus on grabbing payment cards, credentials, and bank account information.

Meanwhile, state-affiliated groups were behind 21 percent of all outside attacks, representing an increase over previous years — and these folks weren’t in it for the money. Rather, the report says “threat actors engaged in espionage campaigns … seek data that furthers national interests, such as military or classified information, economy-boosting plans, insider information or trade secrets, and technical resources such as source code.”

State-affiliated attacks primarily target manufacturing, transportation, and professional-service companies, and most of these attacks stem from East Asia (China). Their tactics of choice include phishing, hacking to swipe credentials, and using an array of malware for backdoor exploitation, password dumping, and swiping data via command-and-control servers. They generally target computers and servers of all types. The bounty they seek: credentials, internal organization data, trade secrets, and system info.

Just 2 percent of external attacks were pinned on activists, and those attacks most commonly come from Western Europe and North America. They target information-service companies and public agencies, primarily with such tools and tactics as SQL injection, brute-force attacks, stolen credentials, backdoor malware, and RFI (remote file inclusion) attacks. Hacktivists primarily seek personal information, credentials, and internal data, according to the report.

Broken down by country, 30 percent of external attacks came out of China, and most were focused on espionage. Meanwhile, 28 percent of worldwide external attacks stemmed from Romania, and they were evidently financially motivated. The United States spawned the third-highest percentage of attacks at 18 percent, most of which were financially motivated.

Fewer inside jobs

Fourteen percent of data breaches came from the inside in 2012. Most were financially motivated, though “not all insiders are about malice and money. Inappropriate behaviors such as ‘bringing work home’ via personal e-mail accounts or sneakernetting data out on a USB drive against policy also expose sensitive data to a loss of organizational control.”

At small organizations (those with 1,000 or fewer employees), cashiers and tellers were the primary insider culprits. At large organizations, administrators topped the list at 31 percent — though “their role was accidental in eight out of the 13 incidents,” pointing to “how scary human error is.” End-users were responsible for 24 percent of the data breaches. (“Regular users should seize the opportunity afforded here to start grumbling about the ‘stupid admins’ for a change,” the report suggests.)

Tools of the data-breach business

As to cyber criminals’ preferred method of attack, the report found that they used some form of hacking in 52 percent of all data breaches. In 48 percent of those instances, malicious hackers simply used stolen credentials. “[I]t really comes as no surprise that authentication-based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset. Nor is it all that surprising that we see this year after year,” according to the report. “If we could collectively accept a suitable replacement, it would’ve forced about 80 percent of these attacks to adapt or die.”

Malicious hackers used backdoor or C&C (command-and-control) tactics in 44 percent of all instances. Brute-force attacks accounted for 34 percent of hacking-related breaches — mostly against small organizations.

Attackers used malware in 40 percent of the reported data heists. Seventy-four percent of the time, they managed to install malware directly onto a target system. Meanwhile, 47 percent of malware came via email attachment. (“Keep in mind that these vectors are not mutually exclusive,” the report noted. “In many cases, an actor may gain initial entry using a malicious e-mail attachment, and then install additional malware on that and other systems throughout the environment.”)

As to malware type, spyware and keyloggers were used in 75 percent of malware deployments; backdoor malware was used in 66 percent. Malware capable of exporting data was present 63 percent of the time.

Also of note: The proportion of breaches incorporating social tactics like phishing was four times higher in 2012, used in 29 percent of data breaches. “Credit the rise of this challenger to its widespread use in targeted espionage campaigns,” the report said.

Set your defense

As for mitigations, there are plenty of steps organizations can and should take. The report recommends that organizations start by familiarizing themselves with the Center for Strategic and International Studies’ 20 Critical Security Controls for Effective Cyber Defense. They include creating an inventory of your organization’s authorized and unauthorized hardware and software; securely configuring hardware and software; embracing continuous vulnerability assessment and remediation; deploying various malware defenses (antivirus, sandboxing, and so on); investing in application-security software; controlling use of admin privileges; creating boundary defenses; and maintaining, monitoring, and analyzing security-audit logs.

This story, “Know thy cyber enemy: Who’s attacking and what they want,” was originally published at InfoWorld.com.