Web attacks surged, financial gain reigned as a motive, and mobile and IoT remained a non-factor in real-world attacks last year.
Legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords, according to the new 2016 Verizon Data Breach Investigations Report (DBIR), which publishes tomorrow. While widespread abuse of legitimate user credentials by bad guys is really no surprise, such a high percentage of cases was startling, according to Marc Spitler, senior manager at Verizon Security Research, and co-author of the report.
“I knew credentials were a thing, obviously. What I wouldn’t have thought was that over half [of breaches] involved credentials,” Spitler says. “I knew it was a significant issue and knew we wanted to talk about it in the report, but I didn’t quite know it would be that high.”
Stolen credentials top the list of threat action types among attacks that used legitimate credentials, followed by malware, phishing, and keyloggers. Incident and breach data from victims of the pervasive and stubborn Dridex banking Trojan contributed to the findings on stolen credential use, according to the new Verizon report, which drew from more than 64,000 security incidents worldwide in 2015, 2,260 of which were actual data breaches.
In addition to Verizon’s own incident response investigation data, some 65 organizations, including law enforcement agencies, the US Department of Homeland Security, and numerous security vendors, contributed incident and breach data for the report, including several involved in the Dridex botnet takedown in October of last year.
Web application attacks increased 33% in 2015 compared with 2014, and in 95% of these breaches, it was all in the name of financial gain. Web attacks rose this year to 82% -- from 31% last year -- against financial services firms, who along with information and retail industries, were hit most by these types of attacks, of which the report recorded 5,334 total incidents, 908 of which were data breaches.
Dridex, which was disrupted by US and UK authorities last year but began to resurface in new campaigns a few weeks later, again played a role here: “The breaches within this pattern are heavily influenced by information gathered by contributors involved in the Dridex botnet takedown. Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions” against websites, the report says.
Dridex also caused crimeware activity to drop in favor of the use of stolen credentials from the infamous Trojan.
No ‘Killer’ IoT, Mobile
And once again, there was no sign of mobile devices becoming the next big attack vector amid the security incidents and data breaches analyzed in the report. Verizon in last year’s DBIR concluded that mobile devices were a nonfactor in 2014 real-world attacks, with only about 100 smartphones per week out of tens of millions of devices were getting infected, for a 0.68% infection rate, and mostly with adware or other relatively benign infections.
The story was much the same in 2015. Despite all of the vulnerabilities and the hype surrounding the dangers to enterprises of Internet of Things (IoT) things and constant barrage of bugs in popular mobile devices such as Apple iOS and Android, these devices have yet to prove to be widely exploited as attack vectors. So neither mobile nor IoT even made the DBIR report this year.
“We’re still not seeing it,” Verizon’s Spitler says. “There’s nothing there from our incident or breach corpus this year to do any other research around it. Inevitably, somebody will tell us we were wrong, but we tell the story of the data. The data is the data.”
“We’re not saying don’t worry about this [mobile or IoT],” Spitler says. “This is something you need as part of risk management program.”
Here’s what the Verizon DBIR said about the lack of IoT and mobile-borne attacks in 2015: “For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.”
Who Got Hit Most
Financial firms were hit with the most data breaches last year, with some 795 breaches, followed by the accommodation/hotel sector (282), information sector (194), public sector (193), retail (137), and healthcare (115). The decline in big-box retail hacks syncs with many retailers starting to beef up transaction security, including their point-of-sale (PoS) systems. Hotels, meanwhile, have been the new target for cybercriminals in the past year.
Attackers getting faster in their hacks, but victims are still slow to detect they’ve been hit. According to the DBIR, most attackers (82%) compromised victims within minutes, and about 67% pilfered data within days, while 21% did so within minutes.
On the flip side, less than one-fourth of victims detected an attack in days or less. “We’d like to see discover improvement, but there’s a detection deficit,” Spitler says. “I’m a realist. I want to focus on getting the time to exfiltrate longer. Make the [attackers] do work once they get an initial foothold.”
Meanwhile, Web attacks encompassed not only stolen credentials, but attacks via content management systems (CMS). “A lot of plug-ins have vulnerabilities. You have so many layers to worry about in a Web app,” including ensuring there aren’t input-validation flaws. “A lot of hacking stems from there,” Spitler says.
Some 95% of confirmed Web breaches were financially motivated, according to the report. “In attacks against ecommerce servers, web shells are used to access the payment application code and capture user input,” for example, the DBIR said. CMSes are often the vector for installing those web shells.
“A series of events we saw across multiple patterns was phishing -- to drop malware to establish control of a user device, and leverage credentials to advance your attack within the same organization or in another organization,” Spitler says. “The endgame is to compromise that user device and turn it into a spam sender or a DDoS [bot], or to get a foothold into a corporation and dig deeper” for information, he says.
And with POS attacks, it’s all about phishing and installing malware or a keylogger to capture credentials, he says.