Hackers so far ahead of defenders it's not even a game

Crims using multiple exfiltration points

Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches.

The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still performing poorly in their attempts to defend against hacking or malware-based attacks. This isn't for a lack of trying or skills on their part, but almost completely down to the fact that the game is rigged against them.

Verizon's ninth annual Data Breach Investigations Report (DBIR) provides an analysis of over 100,000 security incidents and 2,260 confirmed data breaches last year, drawing on real-world data breach caseloads handled by either Verizon or around 50 other contributing organisations.

Those involved include the US Secret Service, the European Cyber Crime Center (EC3), UK CERT and the Irish Reporting and Information Security Service (IRISS CERT), amongst others.

Hackers are getting faster whilst defenders are treading water. Over 99 per cent of attacks compromise systems within days (four out of five do it within minutes), and two-thirds of those siphon off data within days (a fifth do it in minutes). Whilst there was an improvement in the number of breaches detected in 'days or less' noted in the last DBIR, that turned out to be a temporary blip. This year, less than a quarter of breaches were detected within the same timeframe – meaning attackers have almost always gotten away with the goods before anyone notices.

Worse yet, it's usually not the victim that notices the breach, but a third party (normally either a security researcher or law enforcement).

Nearly two-thirds of all breaches are still traced back to weak or stolen passwords – a basic security failure.

"People are not sitting in front of consoles, looking for SQL Injections before running a manual attack," Dave Ostertag, global investigation manager at Verizon told El Reg. "They are stealing credentials, planting malware, pivoting and exfiltrating data."

Hackers have begun using multiple exfiltration points to avoid detection, Ostertag added.

Phishing lures

Phishing (which "is efficient and works really well," according to Ostertag) remains a huge problem and a major factor in most breaches. The DBIR found that nearly a third of phishing emails get opened, and more than one in ten recipients open the attachments, a significant rise from last year. The main perpetrators of these attacks are organised crime syndicates, but nearly one in ten can be attributed to a state-affiliated actor. China accounts for more than half of all cyber-espionage attacks by volume last year, according to Ostertag, who nonetheless welcomed the recent US/China no hack pact as a positive development.

Public sector, manufacturing and professional services firms top the hit list of targets for cyber-espionage. Attackers are using phishing scams and pilfered passwords to open up a backdoor onto enterprise networks. This foothold is used to smuggle malware into targeted networks. Corporate networks would be far harder to attack – even with access credentials – in cases where enterprises had applied two-factor authentication. However, failure in this area was yet another security shortcoming identified during Verizon's study.

"Many victims have single-factor access into parts of their network even if they think otherwise," according to Ostertag.

On the cybercrime-for-profit front, ransomware is a problem across the board in manufacturing, the public sector and healthcare, Verizon reports. Cybercrooks, like cyber-spies, often rely on phishing.

"Hackers do their homework using social media like LinkedIn and other sources to know who to target, and what sort of content is likely to be opened," Ostertag explained.

"Cybercrooks are going after people who initiate or manage financial transactions."

Older threats such as phishing, malware and weak passwords predominate in breaches. By contrast, the much-discussed security risks from the Internet of Things and mobile phones barely register in Verizon's breach study. ®

Other stories you might like

  • Beijing probes security at academic journal database
    It's easy to see why – the question is, why now?

    China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.

    In its announcement of the investigation, the China Cyberspace Administration (CAC) said:

    Continue reading
  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading

Biting the hand that feeds IT © 1998–2022