Verizon has further dissected breach data from its annual Data Breach Investigations Report (DBIR) and built a profile of intellectual property theft that points to a disturbing combination of factors leading to successful infiltrations by cybercriminals, competitors, hacktivists and nation-state sponsored attackers.
Patient and persistent hackers use a combination of advanced malware and social engineering, sometimes in concert with a complicit insider, to gain access to intellectual property, sensitive documents, or even military data buried beneath layers of network security.
Also, companies are compromised for months, even years, before an attack is discovered, and generally an equally long time passes before attacks are contained and systems restored. Unlike with payment card data breaches where the time to discovery is much shorter because of fraud detection technology and regulations such as PCI-DSS requiring breach disclosure and notification, no such mechanisms exist for intellectual property theft. Companies are often only aware they’ve been compromised if law enforcement informs them, or if they discover a project in development suddenly on the market.
Jay Jacobs, managing principal at Verizon and one of the DBIR authors, said attackers involved in intellectual property theft are adept at social engineering, whether it’s a phishing attack, pretexting, even bribery to gain virtual or physical access inside an organization. This type of collusion between external agents and insiders is not uncommon in IP theft cases investigated by Verizon, Jacobs said. The end game is often access to legitimate network credentials.
“Attackers are going after valid credentials in order to have more access to more things,” Jacobs said. “With legitimate credentials, they can do so in a quieter, less obtrusive way.”
That’s another key in IP theft: quiet, persistent access to systems. Attackers, once inside, will often pivot from system to system until landing on the data they’re targeting. This is very much unlike the smash-and-grab scenarios plaguing smaller companies, in particular retail and hospitality outlets and food services. In fact, malware such as keylogging programs was the fourth most popular threat action used in breaches involving IP theft, behind misuse, social engineering and hacking.
Verizon’s data is based upon 101 breaches investigated by Verizon’s RISK Team with additional data supplied by the Australian Federal Police, the Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit and the U.S. Secret Service. Almost 80 of the 101 cases involved larger companies with a number of employees from 1,001 to more than 100,000.
Verizon characterized attackers in IP theft as professional crime groups, activists, competitors and state-sponsored groups.
“Those targeting IP are typically in a different class (in resources, skills, and determination) than the mainline fraudsters and script kiddies who perpetrate the bulk of cybercriminal activities across the Internet,” Verizon wrote in its report.
Rank-and-file end users were the most complicit insiders working with external attackers, Verizon said, followed by executives and financial staff with system and network administrators next.
The top five threat actions, meanwhile, were non-technical: abuse of system access or privileges; use of stolen credentials; social engineering; bribery; embezzlement and skimming. Backdoors, keyloggers, brute force attacks and SQL injection were among the top 12 threat actions, Verizon said.
The most targeted network assets were database and file servers, in addition to web application servers, messaging servers and directory servers. People (finance staff, HR, users, executives) and physical documents, however, were also prevalent on the list.
“There’s lots of variety in assets attacked,” Jacobs said. “This lends credence to the hopping method used by attackers. First they need access. And to get access, they start with people and getting credentials. Then they get access to data.”
Companies need to enable application and network logs, and not only monitor them, but analyze them for anomalous behavior, Verizon said. Two-factor authentication would also put a dent in the efforts of those after legitimate credentials. Verizon also recommends pre-employment screening of potential employees, keep network access creep to a minimum and use training to inform users of policies and enact mechanism to enforce those policies.
“The take-home message here is that protecting IP from ‘them’ is an incomplete and inadequate strategy.” Verizon wrote. “Understanding that ‘we’ are sometimes our own enemy—and sometimes the enemy targets its own —is important to building good policy and practice for defending the crown jewels.”