Dark Reading is part of the Informa Tech Division of Informa PLC

Nation-State Breaches Surged in 2018: Verizon DBIR

The mix of threat actors behind breaches has fluctuated over the nine years of Verizon's data, but organized crime has topped nation-state actors in all but one of those years. The gap narrowed significantly in 2018, according to the annual report.

The share of breaches attributed to nation-state attacks doubled in 2018, but organized criminal hacks were still more common, according to the annual "Data Breach Investigations Report" (DBIR), released by Verizon on May 8.

Nearly seven out of every 10 breaches involved an outside attacker, rather than an insider, slightly down from the previous year, according to the report. Of those external breaches, nation-state groups accounted for 23%, up from 12% in 2017.

Those estimates are likely on the low side, says Bob Rudis, chief data scientist of security management firm Rapid7. Security professionals are leery of attributing attacks to nation-state actors unless they have a significant body of supporting evidence, says Rudis, a former Verizon data scientist who has helped compile the DBIR in the past.

"My gut tells me, from what I have seen, I actually think the nation-state estimates are low across the board, because it is hard to say 100% that an attack is a nation-state," he says. "We [researchers] also are less likely to commit to the attribution, because companies and governments may act on that information."

The report highlights the resurgence of nation-state activities in the past year. Nation-state attackers have almost always come in second to organized criminals over the past decade. For the nine years included in Verizon's data, only once — in 2012 — did nation-state attackers garner a greater share of breaches than organized crime.

While nation-state attacks climbed as a share of breaches, organized crime fell to 39%, from 50% in 2017.

The resurgence of nation-state attackers can leave companies at a loss, says Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle, Washington-based accounting, consulting, and wealth management firm. With nation-state attackers, companies feel that, no matter how well they defend, the attackers will keep coming back, while security professionals believe they have some recourse against attacks perpetrated by organized criminals: there is a chance, however unlikely, that the perpetrators will be arrested, he says.

"We can't arrest 'China' — so it is a much harder problem for people to solve, even though the groups are essentially using the same tactics, in terms of the breaches," Wenzler says.

The public sector saw the most attention from nation-state actors: 79% of public-sector breaches involving external actors were attributed to state-affiliated attackers, the DBIR stated. While every other attack pattern — such as web application attacks or privilege misuse — occurred less frequently or held steady, cyber espionage surged to 42% of all public-sector breaches, up from 25% in 2017.

"Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape-and-tights-wearing superheroes, or so stressed they're barely hanging on by their fingernails," according to the report.

Perhaps coincidentally, the share of breaches attributed to nation-state attackers has peaked in US election years, with the largest surges in 2012 and 2016.

At the other end of the spectrum, the education sector saw a smaller share of attacks from nation-state actors in 2018. Espionage-related attacks dropped to 12% of all breaches in 2018, down from 43% in 2016. Financially motivated attacks, however, became much more common, with 79% of attacks in 2018 having some financial motivation, up from 45% in 2016, per Verizon's report.

The information industry fell somewhere between the public and education sectors. Cyber espionage accounted for 13% of breaches in that sector, according to the DBIR. In addition, 36% of the external attackers behind information-sector breaches were state-affiliated, a figure Verizon called "eye-opening."

"Sir Francis Bacon once famously stated 'knowledge is power,'" the report stated. "Perhaps a better definition for 2019 would be 'to gain and to control information is power.' Therefore, we should probably not be shocked that the organizations that own and distribute that information are the target of such attacks."

Most state-sponsored and espionage attacks begin with a phishing e-mail. In the information industry, for example, 84% of such attacks begin with social engineering. Yet employees click on such e-mails far more often than they report the fraudulent messages, according to Verizon.

While the latest trends change somewhat, the advice for companies remains the same year to year, says Wenzler. Companies need to establish a security program that strongly supports the basics: asset discovery, patch management, and application security controls. Still, he often runs into clients that have no idea what is running inside their network.

"The security stuff is always the afterthought," Wenzler says. "If you worry about nation-states, you should be doing the basics right."

For companies already doing the basics, the data from the Verizon report suggests some areas on which to focus: the report breaks down, industry by industry, which actors, attack patterns, and actions are most common.

"Look and see what actions the nation-state actors did prefer," says Rapid7's Rudis. "Then maybe you can use that to see how your defenses stack up."
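One way to act on that advice, as an added example that is not code from the article or from Verizon: take breach records in a VERIS-like shape (the DBIR is built on the VERIS framework, but the field names below are assumptions, not its published schema), rank the actions observed against a sector for a given actor variety, and check each action against a control inventory to surface what nothing in your program addresses. The records and the control map are constructed sample data.

```python
"""Rank attacker actions per sector and flag those no control covers.

Added example, not from the Dark Reading article or the DBIR. The breach
records are constructed and use an assumed VERIS-like shape; the control
inventory is hypothetical.
"""
from collections import Counter

# Constructed sample: one record per breach, with sector, actor variety,
# and the set of actions observed (assumed field names).
SAMPLE_BREACHES = [
    {"sector": "public", "actor": "state-affiliated",
     "actions": ["phishing", "backdoor", "c2"]},
    {"sector": "public", "actor": "state-affiliated",
     "actions": ["phishing", "use of stolen creds"]},
    {"sector": "public", "actor": "organized crime",
     "actions": ["ransomware", "use of stolen creds"]},
    {"sector": "public", "actor": "state-affiliated",
     "actions": ["exploit vuln", "backdoor"]},
    {"sector": "information", "actor": "state-affiliated",
     "actions": ["phishing", "backdoor"]},
    {"sector": "information", "actor": "organized crime",
     "actions": ["sqli"]},
    {"sector": "education", "actor": "organized crime",
     "actions": ["phishing", "use of stolen creds"]},
]

# Hypothetical control inventory: action variety -> controls addressing it.
# Actions with no entry (or an empty list) are treated as uncovered.
CONTROLS = {
    "phishing": ["mail filtering", "report-phish button", "awareness training"],
    "use of stolen creds": ["MFA"],
    "ransomware": ["offline backups"],
    "sqli": [],
}


def actor_share(breaches, sector, actor):
    """Fraction of a sector's breaches attributed to the given actor variety."""
    in_sector = [b for b in breaches if b["sector"] == sector]
    if not in_sector:
        return 0.0
    return round(sum(b["actor"] == actor for b in in_sector) / len(in_sector), 3)


def action_shares(breaches, sector, actor=None):
    """Map each action to the fraction of matching breaches in which it appears.

    An action is counted once per breach even if it occurs several times.
    """
    matching = [
        b for b in breaches
        if b["sector"] == sector and (actor is None or b["actor"] == actor)
    ]
    if not matching:
        return {}
    counts = Counter(a for b in matching for a in set(b["actions"]))
    return {a: round(n / len(matching), 3) for a, n in counts.items()}


def coverage_gaps(shares, controls):
    """Actions with no mapped control, most prevalent first (ties by name)."""
    return sorted(
        (a for a in shares if not controls.get(a)),
        key=lambda a: (-shares[a], a),
    )


if __name__ == "__main__":
    sector, actor = "public", "state-affiliated"
    print(f"{actor} share of {sector} breaches:",
          actor_share(SAMPLE_BREACHES, sector, actor))
    shares = action_shares(SAMPLE_BREACHES, sector, actor)
    for action, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"  {action:<22} {share:.1%}")
    print("uncovered actions:", coverage_gaps(shares, CONTROLS))
```

Run against your own incident data and control register, the output is a short, prevalence-ordered list of attacker actions your program does not address for the actor you are most worried about; the same functions work for organized crime or any other actor variety by changing the `actor` argument.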

The 2019 Verizon DBIR is based on 41,686 security incidents reported by 73 contributors, of which 2,013 were confirmed data breaches.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
PUBLISHED: 2020-07-06
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.