
Nation-State Breaches Surged in 2018: Verizon DBIR

The source of breaches has fluctuated significantly over the past nine years, but organized crime has almost always topped nation-state actors each year. The gap narrowed significantly in 2018, according to the annual report.

The share of breaches attributed to nation-state attacks doubled in 2018, but organized criminal hacks were still more common, according to the annual "Data Breach Investigations Report" (DBIR), released by Verizon on May 8.

Nearly seven out of every 10 breaches involved an outside attacker, rather than an insider, slightly down from the previous year, according to the report. Of those external breaches, nation-state groups accounted for 23%, up from 12% in 2017.

Those estimates are likely on the low side, says Bob Rudis, chief data scientist of security management firm Rapid7. Security professionals are leery of attributing attacks to nation-state actors unless they have a significant body of supporting evidence, says Rudis, a former Verizon data scientist who has helped compile the DBIR in the past.

"My gut tells me, from what I have seen, I actually think the nation-state estimates are low across the board, because it is hard to say 100% that an attack is a nation-state," he says. "We [researchers] also are less likely to commit to the attribution, because companies and governments may act on that information."

The report highlights the resurgence of nation-state activities in the past year. Nation-state attackers have almost always come in second to organized criminals over the past decade. For the nine years included in Verizon's data, only once — in 2012 — did nation-state attackers garner a greater share of breaches than organized crime.

While nation-state attacks climbed as a share of breaches, organized crime fell to 39%, from 50% in 2017.

The resurgence of nation-state attackers can leave companies at a loss, says Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle, Washington-based accounting, consulting, and wealth management firm. With nation-state attackers, companies feel that, no matter how well they defend, the attackers will keep coming back, while security professionals believe that they have some recourse against attacks perpetrated by organized criminals — there is a chance, if unlikely, that the perpetrators will be arrested, he says.

"We can't arrest 'China' — so it is a much harder problem for people to solve, even though the groups are essentially using the same tactics, in terms of the breaches," Wenzler says.

The public sector saw the most attention from nation-state actors, with 79% of all breaches involving external actors coming from state-affiliated attackers, the DBIR stated. While all other attack patterns — such as attacks on web applications or privilege misuse — occurred less frequently or stayed the same, cyber espionage surged to account for 42% of all breaches in the public sector, up from 25% in 2017, a significant increase.

"Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape-and-tights-wearing superheroes, or so stressed they're barely hanging on by their fingernails," according to the report.

Perhaps coincidentally, the greatest surge in the share of breaches caused by nation-state attacks has coincided with US election years, peaking in 2012 and 2016. 

At the other end of the spectrum, the education sector saw a smaller share of attacks from nation-state actors in 2018. Espionage-related attacks dropped to 12% of all breaches in 2018, down from 43% in 2016. Financially motivated attacks, however, became much more common, with 79% of attacks in 2018 having some financial motivation, up from 45% in 2016, per Verizon's report.

The information industry fell somewhere in between the public and education sectors. Cyber espionage accounted for 13% of all attack types, according to the DBIR. In addition, 36% of all external attackers were state-affiliated, Verizon said, calling the figure "eye-opening."

"Sir Francis Bacon once famously stated 'knowledge is power,'" the report stated. "Perhaps a better definition for 2019 would be 'to gain and to control information is power.' Therefore, we should probably not be shocked that the organizations that own and distribute that information are the target of such attacks."

Most state-sponsored and espionage attacks begin with a phishing e-mail. In the information industry, for example, 84% of such attacks begin with social engineering. However, employees click on such e-mails far more often than they report the fraudulent messages, according to Verizon.

While the latest trends change somewhat, the advice for companies remains the same year to year, says Wenzler. Companies need to establish a security program that strongly supports the basics: asset discovery, patch management, and application security controls. Still, he often runs into clients that have no idea what is running inside their network.

"The security stuff is always the afterthought," Wenzler says. "If you worry about nation-states, you should be doing the basics right."

For companies already doing the basics, the data from the Verizon report suggests some areas on which to focus. The report shows what areas attackers are exploiting for each industry.

"Look and see what actions the nation-state actors did prefer," says Rapid7's Rudis. "Then maybe you can use that to see how your defenses stack up."
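The comparison Rudis describes, breaking breaches down by actor and initial action for a given industry and then checking that breakdown against the controls a defender actually has, can be scripted once incident records are in a tabular form. The following is an added example and not part of the article or of Verizon's DBIR tooling; the breach records, the industry and action labels, and the defender's control map are all constructed for illustration.

```python
from collections import Counter

# Constructed sample of breach records in the spirit of the DBIR's
# actor/action/industry breakdown. These are NOT real DBIR figures.
SAMPLE_BREACHES = [
    {"industry": "public", "actor": "state-affiliated", "action": "phishing"},
    {"industry": "public", "actor": "state-affiliated", "action": "phishing"},
    {"industry": "public", "actor": "state-affiliated", "action": "backdoor"},
    {"industry": "public", "actor": "organized crime", "action": "web app attack"},
    {"industry": "public", "actor": "state-affiliated", "action": "stolen credentials"},
    {"industry": "information", "actor": "state-affiliated", "action": "phishing"},
    {"industry": "information", "actor": "organized crime", "action": "ransomware"},
    {"industry": "information", "actor": "organized crime", "action": "web app attack"},
    {"industry": "information", "actor": "state-affiliated", "action": "backdoor"},
]

# Hypothetical control map for one organization: True means a control
# addressing that initial action is in place, False means it is not.
EXAMPLE_CONTROLS = {
    "phishing": True,             # e.g. mail filtering plus a report-phish button
    "backdoor": False,
    "stolen credentials": False,
    "web app attack": True,
}


def state_affiliated_share(records, industry):
    """Fraction of the industry's breaches attributed to state-affiliated actors
    (the kind of per-sector figure the article quotes). 0.0 if no records."""
    rows = [r for r in records if r["industry"] == industry]
    if not rows:
        return 0.0
    return sum(r["actor"] == "state-affiliated" for r in rows) / len(rows)


def action_shares(records, industry, actor="state-affiliated"):
    """Share of each initial action among breaches by `actor` in `industry`,
    as fractions that sum to 1.0. Empty dict if nothing matches."""
    counts = Counter(
        r["action"] for r in records
        if r["industry"] == industry and r["actor"] == actor
    )
    total = sum(counts.values())
    return {action: n / total for action, n in counts.items()} if total else {}


def coverage_gaps(shares, controls, min_share=0.2):
    """Actions that account for at least `min_share` of the chosen actor's
    breaches but are not covered in the control map, most common first.
    An action missing from the map is treated as uncovered."""
    gaps = [a for a, s in shares.items() if s >= min_share and not controls.get(a, False)]
    return sorted(gaps, key=lambda a: -shares[a])


if __name__ == "__main__":
    for sector in ("public", "information"):
        shares = action_shares(SAMPLE_BREACHES, sector)
        print(sector, "state-affiliated share:",
              round(state_affiliated_share(SAMPLE_BREACHES, sector), 2))
        print("  action shares:", {a: round(s, 2) for a, s in shares.items()})
        print("  uncovered high-frequency actions:",
              coverage_gaps(shares, EXAMPLE_CONTROLS))
```

With real data the records would come from an incident-sharing dataset or the organization's own case history, and the control map from its control inventory; the point is that the prioritization follows from the observed actor and action mix for the sector rather than from a generic checklist.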

The Verizon DBIR is based on 41,686 incidents reported from more than 73 contributors and includes information on 2,103 breaches. 
