If espionage is secretive, and cyber things are too, that makes cyber-espionage doubly a secret.
Verizon Threat Research Advisory Center (VTRAC), part of the digital communications company, has published the first Verizon Cyber-Espionage Report (CER). It draws on seven years (2014 to 2020) of the company’s Data Breach Investigations Report (DBIR) data and covers cyber-espionage perpetrators and the specific capabilities cybersecurity teams need to detect and defend against cyber-spies.
Among the most widespread types of breaches within the 2014-2020 DBIR timeframe, those driven by financial motives account for a larger share (between 67 and 86 percent) and those driven by cyber-espionage a comparatively smaller one (between 10 and 26 percent). The stealthy nature of espionage attacks may make them more intrusive and hard-hitting. Whereas financially motivated breaches are more likely to be discovered, because money is lost, and reported, because regulatory policies require it, the types of data stolen in espionage breaches rank among the most important in terms of secrecy, sensitivity and business criticality. This is a motive that should not be ignored, the report suggests.
The top industries commonly targeted are public sector (31 percent), followed by manufacturing (22 percent) and professional (11 percent), likely because they hold the majority of the secrets and priority information that cyber-espionage criminals most desire.
Where espionage attacks differ is in the tactics used and in the skill and patience of the criminals. Malware (90 percent), social media (83 percent) and hacking (80 percent) are the top tactics used by espionage threat actors. This differs from breaches in general, where hacking (56 percent) is the dominant tactic, followed by malware (39 percent) and social (29 percent). Why? The slow, methodical and lengthy process these tactics involve speaks to the patience and complexity accompanying espionage attacks.
These threat actors also take months to years to be discovered (versus days to months for breaches in general).
John Grim is lead author of the report. He says: “Cyber-crime comes in all shapes and sizes, but fighting and preventing it is of equal importance. It is our aim that by sharing our expertise and industry data we can help businesses and governments tailor their cybersecurity strategies to become more effective. Defences and detection and response plans should be tested regularly and optimised to confront cyber threats head-on. This is particularly important for cyber-espionage breaches, which typically involve advanced threats targeting specific data and operating in ways to avoid detection and deny cyber defenders effective response.”
To request the report visit the Verizon website.
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), said: “If your business were a target of a well-funded malicious group, how would you know? For most victims, the initial exploited weakness was likely an opportunistic one, even when the damage done was significant. Victims of cyber espionage find themselves subject to a strategic set of actions. As highlighted in the report, cyber espionage teams are often well-funded and highly skilled. This combination allows them to infiltrate a business quickly and leave few traces behind which in turn increases the potential for ongoing damage. While their motivations might be financial, the rules they follow in their attacks will be unique to each team – even an outcome such as a ransomware demand might occur.
“Defending against such an attack requires businesses to identify what assets they possess and how those assets might be valuable to an attacker – be that as a stepping stone along the attack path or as a saleable commodity. The starting point in such a defence is a comprehensive inventory of all software, how it’s configured, its role within the organisation, how it’s connected to other software powering the business and what data it has access to. From there a data model can be created that maps users to data and systems in a manner that allows for audit rules to be defined. Once audit rules are in place, monitoring can begin which then feeds into monitoring for unexpected access. While this process can be daunting, it should be considered a work in progress which supports good business hygiene such as patch management, disaster recovery planning and compliance with data privacy regulations.”
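As an added illustration of the inventory-to-monitoring sequence Mackey describes (not code from Verizon, Synopsys or the report), the following Python derives audit rules from a constructed software inventory and user-to-system mapping, then flags access events the model does not explain; every system, account and event below is hypothetical.

```python
# Constructed inventory for a hypothetical organisation: each system's role,
# the data classes it holds, and the other systems it connects to.
SOFTWARE_INVENTORY = {
    "hr-portal":  {"role": "HR web app",      "data": {"employee-pii"},             "connects_to": {"hr-db"}},
    "hr-db":      {"role": "HR database",     "data": {"employee-pii"},             "connects_to": set()},
    "cad-server": {"role": "engineering CAD", "data": {"design-secrets"},           "connects_to": {"file-share"}},
    "file-share": {"role": "shared storage",  "data": {"design-secrets", "public"}, "connects_to": set()},
}

# Constructed mapping of users and service accounts to the systems their role uses.
USER_SYSTEMS = {"alice": {"hr-portal"}, "bob": {"cad-server", "file-share"},
                "svc-backup": {"hr-db", "file-share"}}

def build_audit_rules(inventory, user_systems):
    """Derive the data classes each user may reach, directly or one hop downstream."""
    rules = {}
    for user, systems in user_systems.items():
        allowed = set()
        for name in systems:
            allowed |= inventory[name]["data"]
            for downstream in inventory[name]["connects_to"]:
                allowed |= inventory[downstream]["data"]
        rules[user] = allowed
    return rules

def find_unexpected_access(events, inventory, user_systems):
    """Return (user, system, data_class, reasons) for every event the model does not explain."""
    rules = build_audit_rules(inventory, user_systems)
    findings = []
    for user, system, data_class in events:
        reasons = []
        if user not in user_systems:
            reasons.append("user not in model")
        elif system not in user_systems[user]:
            reasons.append("system not mapped to user")
        if data_class not in rules.get(user, set()):
            reasons.append("data class not granted")
        if reasons:
            findings.append((user, system, data_class, reasons))
    return findings

# Constructed access events: (user, system, data class touched).
SAMPLE_EVENTS = [
    ("alice", "hr-portal", "employee-pii"),          # expected for an HR user
    ("bob", "file-share", "design-secrets"),         # expected for an engineer
    ("alice", "file-share", "design-secrets"),       # HR account reaching design data
    ("svc-backup", "cad-server", "design-secrets"),  # service account on an unmapped system
    ("mallory", "hr-db", "employee-pii"),            # account absent from the model
]
```

Calling `find_unexpected_access(SAMPLE_EVENTS, SOFTWARE_INVENTORY, USER_SYSTEMS)` returns the last three events with the rule each one breaks, which is the feed a review queue or SIEM alert would consume.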