07:47 PM

Inside Verizon's Insider Threat Data

Verizon Business' latest Data Breach Investigations Report shows insiders as a growing threat -- but increase comes from a selective data set

For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent, while attacks with an external hacker dropped to 70 percent. Incidents involving data theft from the outside still account for the majority of attacks -- with insiders catching up.

The driving factor behind the increase in insider attacks was not the economic downturn -- an oft-argued opinion -- but rather the inclusion of a new data set in Verizon's database, says Alex Hutton, principal of research and intelligence for Verizon Business. The U.S. Secret Service joined much of its caseload data to Verizon's database, adding a large number of incidents where the victim had a better idea of the identity of the attacker and believed the person could be prosecuted. Both factors tend to favor incidents with an insider component. "With the Secret Service [cases], we got exposed to a whole new set of data," Hutton says of the report.

Overall, Verizon still sees external attackers as the major threat, however. When an outsider steals data, he absconds with a massive number of records. In 2009, breaches caused by outside criminals accounted for about 139 million stolen records, while insiders accounted for only 2.6 million records. "A record that has been exposed is 70 times more likely to have been exposed by an external source than in internal source," Hutton says.

Verizon doesn't refute the threat of insiders -- just the assertion that insiders pose the greatest risk. Companies should have defenses that work against insiders, outsiders, and partners, Hutton says. Identity and access management are essential controls that companies need to block -- or at least, slow down -- attackers.

"We are not dismissing the insider threat at all," he says. "We are asking people to prioritize their records. If you are the CIO and in charge of security, you should certainly have controls."

Typically, executives, network administrators, and finance staff are the most problematic insiders: They tend to have higher privileges within the company and are less likely to be subject to oversight. While Verizon's report found that half of all IT security incidents were caused by regular workers, privileged employees usually are the ones to target the company's most sensitive data. In many cases, those breaches are not considered IT security issues.

Software developers are another class of privileged employee who companies have not typically scrutinized. At the recent Defcon hacking convention, security firm Fortify Software touted a specialized ruleset for its code-analysis product that aims to catch malicious code inserted into programs by developers. "Developers have access to a lot of sensitive information in the company," says Matias Madou, principal security researcher for Fortify.

In 2008, a financial firm readying a round of layoff for its internal developers approached Fortify for a way to make sure unwelcome surprises were not left behind, Madou says. So Fortify started working on an add-on ruleset that catches time-sensitive destructive code as well as backdoors. "There is a lot of malicious code put in by insiders," he says. "Some of these pieces of code can be dormant for a long time."

Verizon's report ranks software developers as the sixth biggest insider threat (lower than the help-desk staff), with only 3 percent of incidents involving a developer.

One lesson learned from the Verizon report: Check your logs. According to the report, 90 percent of the time, companies had logs available from the time of the incident, but only managed to discover breaches in five percent of cases. "We have little doubt ... that if the organizations we've studied had tuned their systems to alert on abnormalities like this and actually looked into them when alarms went off, that five percent [of discovered breaches] would be a lot higher," Verizon stated in the report.

Finding evidence of an attack is easier when you know there has been a breach, but Verizon points to three flags in log files that indicate an attack has happened: a large increase in logged data, entries in the log that are abnormally long, or an abrupt decrease in log data. Rather than searching for exact signatures in the logs -- the proverbial needle in a haystack -- look for the major characteristics, the company advises.

"It cannot be a pleasant experience to learn that the six months of log data you've been collecting contained all the necessary indicators of a breach," Verizon says in the report, adding, "the value of monitoring -- perhaps we should say 'mining' -- logs cannot be overstated. The signs are there. We just need to get better at recognizing them."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.