Nation-State Breaches Surged in 2018: Verizon DBIR

The share of breaches attributed to nation-state attacks doubled in 2018, but organized criminal hacks were still more common, according to the annual "Data Breach Investigations Report" (DBIR), released by Verizon on May 8.

Nearly seven out of every 10 breaches involved an outside attacker, rather than an insider, slightly down from the previous year, according to the report. Of those external breaches, nation-state groups accounted for 23%, up from 12% in 2017.

Those estimates are likely on the low side, says Bob Rudis, chief data scientist of security management firm Rapid7. Security professionals are leery of attributing attacks to nation-state actors unless they have a significant body of supporting evidence, says Rudis, a former Verizon data scientist who has helped compile the DBIR in the past.

"My gut tells me, from what I have seen, I actually think the nation-state estimates are low across the board, because it is hard to say 100% that an attack is a nation-state," he says. "We [researchers] also are less likely to commit to the attribution, because companies and governments may act on that information."

The report highlights the resurgence of nation-state activities in the past year. Nation-state attackers have almost always come in second to organized criminals over the past decade. For the nine years included in Verizon's data, only once — in 2012 — did nation-state attackers garner a greater share of breaches than organized crime.

While nation-state attacks climbed as a share of breaches, organized crime fell to 39%, from 50% in 2017.

The resurgence of nation-state attackers can leave companies as a loss, says Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle, Washington-based accounting, consulting, and wealth management firm. With nation-state attackers, companies feel that, no matter how well they defend, the attackers will keep coming back, while security professionals believe that they have some recourse against attacks perpetrated by organized criminals — there is a chance, if unlikely, that the perpetrators will be arrested, he says.

"We can't arrest 'China' — so it is a much harder problem for people to solve, even though the groups are essentially using the same tactics, in terms of the breaches," Wenzler says.

The public sector saw the most attention from nation-state actors, with 79% of all breaches involving external actors coming from state-affiliated attackers, the DBIR stated. While all other attack patterns — such as attacks on web applications or privilege misuse — occurred less frequently or stayed the same, cyber espionage surged to account for 42% of all breaches in the public sector, up from 25% in 2017, a significant increase.

"Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape-and-tights-wearing superheroes, or so stressed they're barely hanging on by their fingernails," according to the report.

Perhaps coincidentally, the greatest surge in the share of breaches caused by nation-state attacks has coincided with US election years, peaking in 2012 and 2016. 

At the other end of the spectrum, the education sector saw a smaller share of attacks from nation-state actors in 2018. Espionage-related attacks dropped to 12% of all breaches in 2018, down from 43% in 2016. Financially motivated attacks, however, became much more common, with 79% of attacks in 2018 having some financial motivation, up from 45% in 2016, per Verizon's report.

The information industry fell somewhere in between the public and education sectors. Cyber espionage accounted for 13% of all attack types, according to the DBIR. In addition, 36% of all external attackers were state-affiliated, Verizon said, calling the figure "eye-opening."

"Sir Francis Bacon once famously stated 'knowledge is power,'" the report stated. "Perhaps a better definition for 2019 would be 'to gain and to control information is power.' Therefore, we should probably not be shocked that the organizations that own and distribute that information are the target of such attacks."

Most state-sponsored and espionage attacks begin with a phishing e-mail. In the information industry, for example, 84% of such attacks start have a genesis in social engineering. However, employees click on such e-mail far more often than they report the fraudulent messages, according to Verizon.

While the latest trends change somewhat, the advice for companies remains the same year to year, says Wenzler. Companies need to establish a security program that strongly supports the basics: asset discovery, patch management, and application security controls. Still, he often runs into clients that have no idea what is running inside their network.

"The security stuff is always the afterthought," Wenzler says. "If you worry about nation-states, you should be doing the basics right."

For companies already doing the basics, the data from the Verizon report suggests some areas on which to focus. The report shows what areas attackers are exploiting for each industry.

"Look and see what the actions that the nation-state actors did prefer," says Rapid7's Rudis. "Then maybe you can use that to see how your defenses stack up."

The Verizon DBIR is based on 41,686 incidents reported from more than 73 contributors and includes information on 2,103 breaches. 

Related Content

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.