Underground movements

A report into 150 cases investigated in 2008 by Verizon Business’s forensic data security team has revealed that a staggering 91% of all compromised systems were breached as a result of the activity of organised criminal groups.

The most ‘successful’ of these attacks were targeted against the data of financial institutions, netting the cyber-criminals 93% of the 285 million compromised records tracked by the team, according to Verizon’s Data Breach Investigations Report.

The escalation in criminal activity is difficult to exaggerate. That 285 million compares to the 230 million records that were compromised during the previous four years combined, says Verizon’s forensics manager, Matthijs van der Wel.

And the company’s investigation teams have pinpointed the source of most of these attacks: 22% originated from Eastern Europe while 18% came from East Asia. There is “a great deal of evidence that malicious activity from Eastern Europe is the work of organised crime,” Verizon’s report concludes.

Given the lack of transparency of online activity and its multinational nature, netting such criminals is still a relatively rare event. In most cases, the immediate need is in containing the breach rather than rooting out the entities responsible.

However, Verizon is seeing more success. In 2008, its efforts alongside law enforcement agencies led to arrests in 15 known cases.

Related to that, the report also tracks a disturbing rise in the level of sophistication of attacks. What Verizon calls ‘highly difficult’ attacks represent 17% of the firm’s caseload, yet they were responsible for netting 95% of the stolen data.

This is evident in the sophistication of the malware itself, rather than the method of attack, explains van der Wel.

“Usually, in 90% of the cases, the victim makes a mistake, the hacker gains access, malware is installed, then intercepts and stores data while creating a backdoor for its retrieval,” van der Wel says.

“But the malware installed in very difficult attacks is not typical. It is custom created and does things we previously only theorised about, like ‘PIN block’ attacks (which try to break the encryption used by banks to secure consumer PINs). We’re seeing these in real life right now.”

The more sophisticated attacks are also using advanced search technology that traces ‘forgotten’ unencrypted data, scrapes server memory or trawls unallocated disk space for ‘deleted’ data. Attackers are also becoming more savvy with anti-forensic techniques, including encrypting stolen data to thwart data loss prevention (DLP) and ingress/egress monitoring tools, as well as tools designed to “prevent one cyber criminal stealing the data files of another.”

While such reports will whiten the hairs of even the most hardened chief security officer, it may be of some relief for many to hear that fears over the ‘insider threat’ are generally overplayed.

“Results from 600 incidents over five years make a strong case against the long-abiding and deeply held belief that insiders are behind most breaches,” Verizon’s report notes.

Three-quarters of breaches contained an external element and 32% involved partners (so-called ‘partial insider’ attacks), but “only about 11% of all breaches were committed by an insider acting alone. The remainder of the breaches tied to insiders mostly involved employees as unwitting participants in the crime through errors and policy violations.”

Over 69% of breaches are discovered by a third party, such as a bank, but in three-quarters of cases that discovery comes weeks or even months after the incident.

“The malware is installed and collects information over a long period,” says van der Wel. “Companies don’t notice these data files are growing, and I know from first hand experience that they [can miss] files of 30GB across the network.”

Fortunately for the panicking CSOs, in 53% of cases preventative measures are “simple and cheap”, with the majority of breaches involving misconfiguration (particularly default passwords), omission or a breakdown of policy or process.

“An easy thing to do is to look at your outgoing data – just the IP – and plot it on Google maps. If every Saturday morning you have data going to Romania then that’s something you should look at,” says van der Wel.
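The check van der Wel describes, summarising outbound traffic by destination country and looking for a regular schedule of transfers to somewhere unexpected, can be scripted. The following is an added illustration, not code from Verizon or from the report: it runs over a constructed sample of outbound flow records (documentation address ranges only) and uses a small constructed IP-range-to-country table in place of a real geolocation database. The function and variable names, the `EXPECTED_COUNTRIES` allow-list and the three-week threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample of outbound flow records (timestamp, destination IP,
# bytes sent). Not real traffic: the addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("2009-04-04 06:12:00", "203.0.113.10", 1_500_000_000),  # Saturday morning
    ("2009-04-11 06:05:00", "203.0.113.10", 1_700_000_000),  # Saturday morning
    ("2009-04-18 06:20:00", "203.0.113.10", 1_600_000_000),  # Saturday morning
    ("2009-04-06 10:00:00", "198.51.100.5", 40_000),         # weekday business traffic
    ("2009-04-07 10:30:00", "198.51.100.5", 52_000),
    ("2009-04-08 09:45:00", "198.51.100.7", 48_000),
]

# Constructed stand-in for a geolocation database: network -> country code.
# A real deployment would query a maintained GeoIP dataset instead.
COUNTRY_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "RO"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
]

# Assumed allow-list of countries this (hypothetical) organisation does business with.
EXPECTED_COUNTRIES = {"GB"}


def country_for(ip):
    """Map a destination IP to a country code using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_RANGES:
        if addr in net:
            return cc
    return "??"  # unknown: worth a look on its own


def bytes_by_country(flows):
    """Total outbound bytes per destination country (the 'plot it on a map' view)."""
    totals = defaultdict(int)
    for _ts, ip, nbytes in flows:
        totals[country_for(ip)] += nbytes
    return dict(totals)


def recurring_unexpected(flows, min_weeks=3):
    """Return (country, weekday, hour) slots to non-expected countries that
    recur in at least min_weeks distinct ISO weeks, i.e. a scheduled transfer
    like 'every Saturday morning' rather than a one-off connection."""
    weeks_seen = defaultdict(set)
    for ts, ip, _nbytes in flows:
        cc = country_for(ip)
        if cc in EXPECTED_COUNTRIES:
            continue
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        weeks_seen[(cc, dt.strftime("%A"), dt.hour)].add(dt.isocalendar()[1])
    return sorted(k for k, weeks in weeks_seen.items() if len(weeks) >= min_weeks)


if __name__ == "__main__":
    for cc, total in sorted(bytes_by_country(SAMPLE_FLOWS).items()):
        print(f"{cc}: {total:,} bytes")
    for cc, day, hour in recurring_unexpected(SAMPLE_FLOWS):
        print(f"recurring transfer to {cc} every {day} around {hour:02d}:00")
```

Keying the recurrence check on distinct ISO weeks rather than raw connection counts is what separates a weekly exfiltration job from a burst of retries on a single day; the byte totals per country then show how much has already left.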

However, simple security failings can suggest larger, more entrenched problems: most of the organisations that Verizon investigated met less than a third of PCI (Payment Card Industry) standards. “I’m working on a big case at the moment where the customer has not invested in security for two years,” van der Wel says incredulously.

The recession is unlikely to improve vigilance, either, he adds. “It’s like selling insurance – it’s very difficult to prove what security has brought you. Especially when you haven’t been attacked.”

That makes a difficult proposition in a recession, he concludes, even as criminal activity intensifies.

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...