

Nation-State Breaches Surged in 2018: Verizon DBIR

The source of breaches has fluctuated significantly over the past nine years, but organized crime has almost always topped nation-state actors each year. The gap narrowed significantly in 2018, according to the annual report.

The share of breaches attributed to nation-state attacks doubled in 2018, but organized criminal hacks were still more common, according to the annual "Data Breach Investigations Report" (DBIR), released by Verizon on May 8.

Nearly seven out of every 10 breaches involved an outside attacker, rather than an insider, slightly down from the previous year, according to the report. Of those external breaches, nation-state groups accounted for 23%, up from 12% in 2017.

Those estimates are likely on the low side, says Bob Rudis, chief data scientist of security management firm Rapid7. Security professionals are leery of attributing attacks to nation-state actors unless they have a significant body of supporting evidence, says Rudis, a former Verizon data scientist who has helped compile the DBIR in the past.

"My gut tells me, from what I have seen, I actually think the nation-state estimates are low across the board, because it is hard to say 100% that an attack is a nation-state," he says. "We [researchers] also are less likely to commit to the attribution, because companies and governments may act on that information."

The report highlights the resurgence of nation-state activity in the past year. Over the nine years covered by Verizon's data, nation-state attackers have almost always come in second to organized criminals; only once, in 2012, did nation-state attackers account for a greater share of breaches than organized crime.

While nation-state attacks climbed as a share of breaches, organized crime fell to 39%, from 50% in 2017.

The resurgence of nation-state attackers can leave companies at a loss, says Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle, Washington-based accounting, consulting, and wealth management firm. Against nation-state attackers, companies feel that no matter how well they defend, the attackers will keep coming back. Against organized criminals, by contrast, security professionals believe they have some recourse: there is a chance, however slim, that the perpetrators will be arrested, he says.

"We can't arrest 'China' — so it is a much harder problem for people to solve, even though the groups are essentially using the same tactics, in terms of the breaches," Wenzler says.

The public sector drew the most attention from nation-state actors: 79% of public-sector breaches involving external actors were attributed to state-affiliated attackers, the DBIR stated. While every other attack pattern, such as web application attacks or privilege misuse, occurred less frequently or held steady, cyber espionage surged to 42% of all public-sector breaches, up from 25% in 2017.

"Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape-and-tights-wearing superheroes, or so stressed they're barely hanging on by their fingernails," according to the report.

Perhaps coincidentally, the largest surges in the share of breaches attributed to nation-state attackers have lined up with US election years, peaking in 2012 and 2016.

At the other end of the spectrum, the education sector saw a smaller share of attacks from nation-state actors in 2018. Espionage-related attacks dropped to 12% of all breaches in 2018, down from 43% in 2016. Financially motivated attacks, however, became much more common, with 79% of attacks in 2018 having some financial motivation, up from 45% in 2016, per Verizon's report.

The information industry fell somewhere in between the public and education sectors. Cyber espionage accounted for 13% of all attack types, according to the DBIR. In addition, 36% of all external attackers were state-affiliated, Verizon said, calling the figure "eye-opening."

"Sir Francis Bacon once famously stated 'knowledge is power,'" the report stated. "Perhaps a better definition for 2019 would be 'to gain and to control information is power.' Therefore, we should probably not be shocked that the organizations that own and distribute that information are the target of such attacks."

Most state-sponsored and espionage attacks begin with a phishing e-mail. In the information industry, for example, 84% of such attacks begin with social engineering. Yet employees click on such e-mails far more often than they report the fraudulent messages, according to Verizon.

While the latest trends change somewhat, the advice for companies remains the same year to year, says Wenzler. Companies need to establish a security program that strongly supports the basics: asset discovery, patch management, and application security controls. Still, he often runs into clients that have no idea what is running inside their network.

"The security stuff is always the afterthought," Wenzler says. "If you worry about nation-states, you should be doing the basics right."

For companies already doing the basics, the data from the Verizon report suggests some areas on which to focus. The report shows what areas attackers are exploiting for each industry.

"Look and see what the actions that the nation-state actors did prefer," says Rapid7's Rudis. "Then maybe you can use that to see how your defenses stack up."

The Verizon DBIR is based on 41,686 incidents reported from more than 73 contributors and includes information on 2,103 breaches. 


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
