What Banks Need to Know from Verizon's Comprehensive Breach Report

Dozens of security reports come out every year; Verizon's annual Data Breach Investigations Report is the Farmer's Almanac of them, the one referred to in PowerPoint presentations throughout the year.

For the 2014 report issued Tuesday morning, Verizon and 70 contributing organizations (service providers, forensic firms, computer security information response teams and government agencies) analyzed 79,790 security incidents and 2,122 confirmed data breaches in 61 countries. Two-thirds of the incidents took place in the U.S., a reflection more of the contributor base than of relative threat vulnerability.

The estimated financial loss of the 700 million compromised records the report tallied: $400 million.

Several trends and insights emerge from the data that banks could use to hone their security efforts. Among them: Hackers are attacking companies with multiple motives and multiple attack vectors; phishing remains effective; and cyber-threat sharing efforts need to speed up.

Here are seven key takeaways for banks from the report:

1. Hackers increasingly have more than one motive and method of attack.

Verizon calls these "compound attacks." Last year, Verizon and its partners began tracking security breaches with secondary motives, where the initial phase of attack is just a prelude or decoy for another. They found that in nearly 70% of the attacks where a motive was known, there was a secondary victim. In some, compromised servers were used to participate in denial-of-service attacks, to host malware, or to be used as a phishing site.

In financial services, secondary motives tend to pop up in denial-of-service attacks. "Unfortunately we're seeing attackers getting access to legitimate systems using credentials obtained via phishing, using the denial of service increasingly more as a diversion," said Bob Rudis, managing principal and DBIR author at Verizon.

The Financial Services Information Sharing and Analysis Center has been seeing such attacks for some time.

"The most common instance of this started back in 2011, where DDoS was used as a deception to hide cybercriminals' real intent, which was to hijack business accounts," said Bill Nelson, president and CEO of the cyberthreat information sharing organization. "This was classic business account takeover and once the hijacking of the funds had occurred, the DDoS attack prevented all legitimate online banking business customers from accessing their account information, not just the victimized company."

Arbor Networks, a DDoS mitigation company that contributed to the Verizon report, found a nearly 20% increase in the use of DDoS attacks as a diversion to cover compromise or data exfiltration in 2014.

"The usual strategy is to DDoS a bank, a bank's website, or financial processing infrastructure shortly after or around the same time that a fraud campaign is taking place," said Curt Wilson, senior research analyst at Arbor Networks. "Threat actors behind the Game Over Zeus malware have been known for using this approach, and most recently, threat actors using the Dyreza malware have been doing the same thing in a campaign dubbed 'Dyre Wolf.'"

2. The use of memory scraping in data breaches has increased.

Memory-scraping malware (or RAM-scraping malware as the Verizon report calls it) is a type of malicious software that helps hackers find and steal personal data. This was used in the Target breach -- hackers scraped the memory of the store's point of sale terminals to grab card information briefly stored in the cache. "This type of malware was present in some of the most high-profile retail data breaches of the year, and several new families of RAM scrapers aimed at point-of-sale systems were discovered in 2014," the report stated.

This seems to be more of a problem for retailers than banks, but banks are affected since they have to reissue cards and deal with the fallout.

"We're definitely seeing a lot of RAM-scraping malware at merchants -- not just retailers, but anyone who processes payment cards," said Charles Carmakal, managing director of Mandiant, a unit of FireEye, a security software company that contributed to the report. "I have not personally seen it at financial services organizations."

3. More cyber threat information is being shared, but there is a need for faster sharing.

Banks, with the help of the FS-ISAC and similar organizations, have gotten better at warning each other of nearby predators — a phenomenon the report authors refer to as "herd alertness."

But the herd needs to move more quickly, the report's authors say. "We need to close the gap between sharing speed and attack speed," they wrote.

According to the report, 75% of attacks spread from the first victim to the second within 24 hours. More than 40% hit the second organization within an hour.

"When one organization sees an attack, the time to broadcast that information is really short," Rudis said. "Attackers move really quickly to other targets. Unfortunately I think we're going to be behind the curve for a while on that."

Nelson at the FS-ISAC agrees that information sharing needs to speed up.

"It takes seconds or a few minutes for the attacker to compromise a system," he said. "Without information sharing, it takes hours, days, or even weeks or months to detect a compromise. Even with information sharing systems like FS-ISAC, the sharing is near real-time but the use of email to cut and paste threat indicators and apply them to defenses to block attacks or delete malware is a slow, manual process."

Last year, FS-ISAC teamed up with the Depository Trust and Clearing Corp. to launch Soltra Edge, a threat intelligence automation platform. Soltra Edge leverages the standard messaging formats STIX and TAXII to automate the entire end-to-end threat intelligence sharing process. This could let banks detect and respond to attacks within seconds. However, it will take time for banks' security systems to be able to communicate with and understand Soltra Edge's instructions.

"The automated sharing facilities being developed now are probably the best hope we have for that sharing of indicators," Rudis said.

4. Too many people still fall for phishing attacks.

The report found that 23% of recipients open phishing messages and 11% click on attachments to those messages. "The numbers show that a campaign of just 10 emails yields a greater than 90% chance that at least one person will become the criminal's prey," the report states.

"When you think about the nature of the attacks, it's not surprising at all," said Gary Sockrider, Arbor's networks solutions architect for the Americas. "Phishing campaigns can be quite sophisticated, sometimes leveraging social engineering techniques. When a convincing message comes from what appears to be a trusted source and the link is embedded under plain text, some users will certainly click through."

Part of the problem is that efforts to make software interfaces more user friendly, such as replacing addresses and links with names, can help mask the problem, he noted.

Another factor is that clicking on attachments and links within email is part of everyday business operations and processes, said Darien Kindlund, director of threat intelligence at FireEye.

"Steps taken to reduce risk could require a sacrifice in usability [and can] negatively impact business operations," he said. "For example, using a separate system to open and review email that is isolated from all other user data makes it harder to do anything useful with the data."

Companies have to help their employees to spot malicious emails and not open them, Rudis said. "It's only getting worse. It isn't getting any better."

One answer may be simulation exercises. "Many banks have implemented programs to test their employees' response to simulated phishing attacks," said Nelson. "If the employees click on the links, then they are sent to remedial training. This process is repeated until the vast majority of employees — 98% or more — learn to stop clicking on the links. However, even with good education of one's staff, it only takes one person to be socially engineered for a cybercriminal to gain access to a system."

5. Old software vulnerabilities are going unpatched.

Another security firm that contributed to the report, Risk I/O, looked at more than 200 million software vulnerability exploitations in 2014 and found a curious thing: "Hackers really do still party like it's 1999," as the report puts it. They're still breaking into networks through old vulnerabilities for which fixes have long existed.

Almost all — 99.9% -- of exploited vulnerabilities were compromised more than a year after those vulnerabilities had been published and presumably patches issued.

This is a strong case for diligent patch management.

6. Mobile malware is not statistically significant yet, but it's still a concern.

According to the report, only about 0.03% of mobile devices have been infected with malicious exploits.

"We are only seeing a few targeted attacks against mobile devices today — likely because the old attacks still work," said Kindlund.

However, compromised mobile devices are not always detected. "While only 6% of enterprise organizations reported a security breach that could be attributed to [bring-your-own-device policies], one third indicated they still do not know if they had a security breach due to BYOD," Sockrider said.

Kindlund argues that this is something to prepare for. FireEye found that 96% of mobile malware targets Android devices. "There are very real and relevant risks [tech executives] face if they allow Android systems on their networks," he said.

The FS-ISAC has seen evidence of mobile devices being targeted with malware, Nelson said. "Since mobile devices are rarely turned off, they make the perfect platform for malware, especially for botnets used for DDoS attacks," he said. "Fraudulent Web apps, malvertising, and phony personas on social media are just a few examples of how cyber criminals are utilizing mobile devices to conduct criminal activities."

7. Ongoing Web app attacks point to a need for two-factor authentication.

The report authors saw an overarching pattern in 2014 of criminals stealing legitimate credentials and using them in Web applications not protected with two-factor authentication.

"If an organization doesn't have two-factor authentication, they're leaving themselves open really well to that kind of focus," Rudis said. "Criminals are finding it super easy to get these legitimate credentials and they know that no one is watching them. They're having tons of success with this."

Two-factor authentication can act as a speed bump of sorts, Carmakal observed.

"Most targeted attackers now leverage remote access solutions like the VPN, Citrix, and webmail that only use single-factor authentication," he said. "Sure, there are ways around multi-factor authentication, but using it will dramatically reduce the attack service."

For reprint and licensing requests for this article, click here.
Bank technology Data security
MORE FROM AMERICAN BANKER