Cyber thugs continue to flourish as organizations don’t collaborate: Verizon

Investigating 100,000 data breaches across 82 countries, Verizon’s investigative response unit throws light on the weakest links in the security fence.

Picture this: You’re a lone soldier guarding a fort. You don’t know who your foe is, you don’t know what weapons he is armed with, and you don’t know when or how he is going to strike.

This absolute lack of foresight and intelligence is what makes this lone soldier uncannily similar to the quintessential CSO.

A tête-à-tête with Chris Novak, Director – Investigative Response, Verizon Enterprise Solutions, brings to light the state of the cyber security landscape in the enterprise today.

Financial motive continues to be the top driver for cyber attacks, with espionage second: 89 percent of breaches had either a financial or an espionage motive.

“Out of the 89 percent, about 80 percent is financially motivated; the remainder is espionage. Espionage is a much smaller percentage because cyber-attacks take significantly more effort, resources, and money. So, they need to have a very specific target in mind,” explains Novak.

You scratch my back, I scratch yours

The threat actors are doing a great job of sharing the information they have about vulnerabilities. A lot of organizations on the defensive side, however, do not do nearly as well.

They may read a few blogs and websites, but they don't necessarily take the next step of plugging into the threat intelligence community. That is where they can learn what has happened to their peers, perhaps even on the other side of the globe.

“What we've also derived from our threat intelligence reports is that in most of these situations, cyber criminals go from one victim to the next in less than 24 hours. So, it's very unlikely that any particular victim is the only victim,” says Novak.

Ransomware – the multi-headed hydra

A lot of people and organizations end up paying the ransom because the attackers keep the ransom low enough that paying is more economical than trying to resolve the problem yourself.

The threat actors essentially get funding from this, and as a result they change and improve the ransomware in the next iteration. So, it's kind of self-feeding, if you will.

“In terms of how to prevent it, it starts with understanding what your assets are,” says Novak. “This sounds very simple and basic, but the majority of the time, what we find during our investigations is that the organization doesn't really have a good grasp of what assets they own.”

So, now you end up in a situation where you don't know what assets you have, and you don't know what data is on them. All you know is that you have a bunch of encrypted assets that you cannot access.

"You need to know if you're backing up the right data, and backing up frequently enough, and whether your backups are immune to ransomware. You don't want to find out that you just re-backed up the encrypted ransomware data," says Novak.

The delivery model, and what has changed

“What we've seen in terms of evolution is the malware getting more sophisticated, more advanced,” says Novak. The threat actors make small adjustments to malware to get past antivirus and other platforms that work from a signature perspective, which is exactly what a lot of organizations are still heavily relying on.

Organizations using sandboxing technology or behavioral-based analytics generally fare better, and organizations that do application whitelisting generally fare the best.

As recently as 10 years ago, security investigations relied heavily on disk forensics. Now, disk forensics is one of the last things investigators do, and one of the least beneficial evidence sources.

"And more often than not, we find that memory forensics and network forensics, or other forms of endpoint analytics are usually where we find the best evidence," adds Novak.

Much of today's malware is also memory resident: it is injected directly into memory without leaving any footprint on the disk.

“In terms of automation delivery model, if you look at the current scenario, today you have botnets that could contribute to a malware attack in an automated fashion,” says Ashish Thapar, Managing Principal, Verizon Enterprise Solutions, APAC.

What is happening is that an army of devices that have already been taken over, the botnet, spreads infections to further IoT devices, which in turn are used to launch DDoS attacks.