Jelle Niemantsverdriet, who works as Principal Consultant Forensics and Investigative Response at Verizon Business.
I met Jelle at the Cyber Crime Conference in Rome and, while I was talking to him, I immediately realized how brilliant and skilled he is. So I grabbed the chance to ask him to write something for Punto 1; for my pleasure - and for the pleasure of my readers - Jelle accepted my invitation.
Last week Verizon published the new Data Breach Investigations Report, produced with the collaboration of the US Secret Service and the Dutch High Tech Crime Unit, and Jelle is one of the authors. Hence, having on Punto 1 an "inside view" of the Verizon Report is a very special occasion.
So thank you very much Jelle! Now, I leave the floor to you and to your analysis on Verizon DBIR.
-----------------------------------------------------------------------------------------------

2011 DBIR Blog post for Punto 1 weblog
“All you need are logs” as the /dev/random blog likes us to sing along to. And yes, we do need them – but how seldom we use them…
In the dataset of Verizon and the United States Secret Service, which was used to compile the 2011 Data Breach Investigations Report, none of the breaches were discovered through log analysis. This staggering number came down from an already non-impressive 6 percent and 3 percent of the cases in the previous reports; the most positive interpretation we can give is that there is definitely room for improvement with regard to how organizations monitor their IT environments.
The latest release of the DBIR is the fourth annual report in the ongoing series, which now comprises seven years of analysis of confirmed data breaches. In 2010, the United States Secret Service started to share their breach statistics using the VERIS framework, and in 2011 they were joined by the National High Tech Crime Unit of the Netherlands Police Agency (KLPD). The inclusion of these two law-enforcement agencies clearly demonstrates that it is entirely possible to share incident data in aggregate without breaching customer confidentiality; we would like to convince other organizations to follow suit and share information – in a secure way.
Let’s dive into some of the findings: at first glance, two of the most striking statistics are the seemingly paradoxical explosion in number of cases versus the decrease in number of stolen data records. The number of cases went up from 141 in 2009 to a staggering 761 confirmed breaches in 2010. The bad guys must have been busy, it seems… However, there is also a huge drop in number of stolen records: “only” 3.8 million stolen records in 2010, down from more than 143 million in 2009 and more than 360 million in 2008. What is going on here?
You could say that cybercrime seems to have had its “industrial revolution”: attackers are using scalable, (semi-)automated attack methods to successfully target tens of victims in one sweep. Combined with that, they appear to be aiming for smaller “loot”: rather than, for example, stealing millions of credit card numbers from a single payment processor, they are spreading their risks by sticking to smaller numbers of stolen records – which, combined with the larger scale, is still sufficient to make a “decent” living.
One of the suspected contributing factors here is the successful arrest and conviction of some of the big players in cybercrime in the past years. Not only have they left the “field of play”, but we think this has also made the luckier, remaining criminals more risk-aware and has convinced them to switch to a large number of smaller-scale but less risky attacks.
Another important thing to keep in mind is that in some cases the number of stolen records is not the most reliable measure of breach impact. This is especially the case in breaches that involve theft of intellectual property or classified information. The theft of one highly sensitive document could have a similar impact as the theft of thousands of credit card numbers.
We explore some more hypotheses in the report – you are encouraged to read these as interpreting the numbers without reading the underlying factors leaves room for confusion.
If we look at the actions that are conducted by the attackers (which – small but important side note – are in the vast majority of the cases due to external attacks), we see that hacking and malware top the charts as a “dangerous duo of data loss.” Hacking is often used as the first “foot in the door” to get onto a victim’s network, after which malware is used to get further onto the network, find the data and send it back out.
This small paragraph does not do the detailed section in the report justice: there is a lot that can be learned from truly dissecting the attacks into their individual events leading up to the incident – not only for informational purposes but more importantly for improving detection and ideally prevention.
Having said that: this is something we cannot stress enough… Please refrain from using somewhat hollow and over-used terms that sound good in newspaper headlines but don’t make you any wiser about what exactly happened. “Advanced persistent threat” sounds pretty interesting and maybe even scary, but everybody seems to use a different definition of what it is. Quite quickly, these terms become some sort of “boogeyman threat” that you can hardly defend yourself against, so sophisticated they seem… We think that using a common language to describe what you really see is a great method of sharing information in such a way that others in the industry can benefit from it.
And hopefully you’ll find that, while there are advanced methods out there, in the whole chain of a successful data breach there are often very easily recognizable and detectable factors at play. Not every cool new technique that you learn about at security conferences is something you should immediately worry about – especially as there is still so much more to gain by looking at the more basic and more widely used attack methods. Or, as put in the report: “Defend against dragons if you must, but don’t watch the skies so much that common rogues slip inside the castle walls from below.”
In the majority of our cases, the breach could have been prevented by implementing inexpensive and simple or intermediate measures – difficult and expensive measures were required in only 3 percent of the cases. It’s mostly about using already available tools and techniques, but using them consistently throughout the whole organization – or even checking that the measures you think are in place are actually in place and are more than a checked box on an audit form.
All in all, this is nothing more than the tip of the iceberg of the information in the report. Everybody is highly encouraged to have a thorough read through it and hopefully apply the statistics, and maybe even the VERIS framework, within their own organization. Either way, don’t hesitate to get in touch with us, as we are always willing to clarify things or hear your feedback.
Jelle Niemantsverdriet, MSc CISSP CISM QSA
Principal Consultant, Forensics and Investigative Response EMEA
Verizon Business Security Solutions
Jelle Niemantsverdriet is a Principal Consultant with the Forensic and Investigative Team for the EMEA region at Verizon Business. He is responsible for incident response and forensic investigations. Verizon Business helps customers prepare for incidents that may need digital evidence, and offers services that assist customers in fully carrying out an investigation. Examples of incidents covered include stolen information, hacked servers and applications, anonymous email threats and fraud. He is also one of the authors of the 2010 and 2011 editions of the Verizon Data Breach Investigations Report.
Niemantsverdriet holds a Master of Science in Artificial Intelligence. In June 2010 he started an executive MBA at the University of Chicago - Booth School of Business.
Twitter account @jelle_n