Cyber criminals targeting C-suite, DBIR shows

C-level executives who have access to a company’s most sensitive data are increasingly and proactively targeted by cyber criminals, correlating to a rise in social engineering attacks with financial motivation, Verizon’s 2019 Data breach investigation report (DBIR) reveals.

Cloud-based services are also becoming an increasingly popular target, with the compromise of web-based email accounts using stolen credentials rising to 98% of cases and seen in 60% of attacks involving hacking a web application, according to the 12th edition of the DBIR.

This year’s DBIR is based on data from 73 contributing organisations and analysis of more than 41,000 security incidents and more than 2,000 confirmed breaches from 86 countries. The latest report has the greatest number of contributors to date, including UK legal and insurance firms, and the FBI’s Internet Crime Complaint Center (IC3).

“This gives us a much broader perspective, particularly with regard to data breaches at a wide range of US businesses,” said Ray Ottey, senior manager UK, Ireland and Nordics, Security Solutions at Verizon. “But there are always points of commonality between country-specific data and breaches in other parts of the world.

“We are seeing instances of executives increasingly being targeted through very sophisticated social engineering attacks using familiar organisations and email addresses over a long period of time, as well as misconfigurations in cloud-based services, and it is good to see that the raw data in the DBIR supports what we are seeing without any marketing or opinion bias.”

The data shows that senior executives are 12 times more likely to be the target of social engineering-related incidents, and nine times more likely to be the target of social engineering-enabled breaches than in previous years. One-third of breaches (33%) involved social engineering, compared with 28% involving malware.

Financial motivation remains the key driver, with financially-motivated social engineering attacks featuring in 12% of all the data breaches analysed, highlighting the critical need to ensure that all levels of employees, including executives, are made aware of the potential impact of cyber crime.

“Enterprises are increasingly using edge-based applications to deliver credible insights and experience,” said George Fischer, president of Verizon Global Enterprise.

“Supply chain data, video and other critical – often personal – data will be assembled and analysed at eye-blink speed, changing how applications utilise secure network capabilities. Security must remain front and centre when implementing these new applications and architectures.”

Fischer said the latest DBIR once again underlines the importance of technical IT hygiene and network security to reducing the risk or cyber attack.

“It all begins with understanding your risk posture and the threat landscape, so you can develop and action a solid plan to protect your business against the reality of cyber crime,” he said. “Knowledge is power, and Verizon’s DBIR offers organisations large and small a comprehensive overview of the cyber threat landscape today, so they can quickly develop effective defence strategies.”

In Europe, in particular, organisations are taking the General Data Protection Regulation (GDPR) seriously and implementing security and privacy measures to ensure compliance and because many realise that it is the “right thing to do” and makes good business sense, said Ottey.

“As those measures are implemented and bed down in the enterprise, we may begin to see the real impact in next year’s DBIR, which may even include a section on the GDPR to explore its impact on data breaches, particularly those involving personal data,” he added.

According to Verizon breach investigators, a successful pretexting attack on senior executives can reap large dividends because of their often-unchallenged approval authority and privileged access into critical systems.

Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails before moving on to the next or have assistants managing email on their behalf, making suspicious emails more likely to get through, investigators said.

The increasing success of social attacks such as business email compromise (BEC) – which represent 12% of confirmed breaches analysed – can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cyber crime, investigators said.

BECs are advantageous for the criminal element because they provide a quick way to cash out, the report said, but when the FBI’s IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen, and only 9% had nothing recovered.

“BECs do not pay out as well as it initially appears, and just because the attacker won the first round doesn’t mean you shouldn’t keep fighting,” the report said.

This year’s findings highlight how the growing trend of sharing and storing information within cost-effective cloud-based services is exposing companies to additional security risks. Analysis found there was a substantial shift towards the compromise of cloud-based email accounts by using stolen credentials.

Also, publishing errors in the cloud are increasing year-on-year. Misconfiguration, which is a result of many organisations’ rush to the cloud, led to a number of massive cloud-based file storage breaches, exposing at least 60 million records analysed in the DBIR dataset. This accounts for 21% of breaches caused by error, and highlights that even a simple configuration error can cause huge amounts of data to be stolen.

Bryan Sartin, executive director of security professional services at Verizon, said that as businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed.

“They really need access to cyber detection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyber threats,” he said. “Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line.”

Other key findings of the report include:

• chip and PIN payment technology has started delivering security dividends in the US, with the number of physical terminal compromises in payment card-related breaches decreasing compared to web application compromises. This was particularly validated by the FBI data.
• Ransomware attacks are still going strong, accounting for nearly 24% of incidents where malware was used and becoming so commonplace that they are not mentioned so often.
• Media-hyped crypto-mining attacks were hardly existent, accounting for only about 2% of incidents, despite being a regular focus for concern in the past 12 months.
• Outsider threats remain dominant, being the primary force behind attacks linked to 69% of breaches, with insiders accounting for only 34%, while partners are linked to just 2%.
• Espionage was the key motivation behind a quarter of all breaches, with more than one-fifth (23%) of these attacks traced back to nation-states or state-affiliated actors, compared with 39% linked to organised crime groups. This highlights that businesses should be reassessing who might be behind the attacks launched against them and how they need to adapt their security strategy to protect their secrets.
• Businesses are still slow to locate attacks, with over half of all breaches taking months or longer to discover.

“Every year we analyse data and alert companies as to the latest cyber criminal trends in order for them to refocus their security strategies and proactively protect their businesses from cyber threats,” said Sartin. “However, even though we see specific targets and attack locations change, ultimately the tactics used by the criminals remain the same.

“There is an urgent need for businesses large and small to put the security of their business and protection of customer data first. Often even basic security practices and common sense deter cyber crime.”