Often the topic of spy novels and movies, Cyber-Espionage is very real and a constant threat for many industries and governments. Stealing industry and government secrets is highly lucrative and its perpetrators technically advanced, patient and determined. For years the world of cyber espionage has remained hidden – until now.
Based on analysis of the Verizon Business Data Breach Investigations Report (DBIR) series, experts from the Verizon Threat Research Advisory Center (VTRAC) have collated the Verizon Cyber-Espionage Report (CER). The new report analyzes seven years (2014 to 2020) of DBIR content and focuses on the unique nature of Cyber-Espionage, from the perpetrators and the actions they take to the specific capabilities cybersecurity teams need to detect and defend against cyber spies.
The facts — so what do we know?
When we look at the most widespread types of breaches within the 2014-2020 DBIR timeframe, those driven by Financial motivations are higher (between 67-86 percent) and those driven by Cyber-Espionage are comparatively lower (between 10-26 percent). However, do not be fooled into thinking that this lower percentage makes Cyber-Espionage breaches less important; the stealthy nature of these attacks makes them more intrusive and hard-hitting. Whereas financially motivated breaches are more likely to be discovered because of the loss of money involved, and also reported as a result of regulatory policies, the types of data stolen in Cyber-Espionage breaches rank among the most important in terms of secrecy, sensitivity and business criticality. With this in mind, it is a motive that should not be ignored.
The top industries commonly targeted are, unsurprisingly, Public Sector (31 percent), followed by Manufacturing (22 percent) and Professional (11 percent), likely because they hold the majority of the secrets and priority information most desired by Cyber-Espionage actors.
Where Cyber-Espionage attacks differ is in the tactics utilized and the skill and patience of the criminals. Malware (90 percent), Social (83 percent) and Hacking (80 percent) are the top tactics used by Cyber-Espionage threat actors. This differs when compared to breaches in general where Hacking (56 percent) is the dominant tactic followed by Malware (39 percent) and Social (29 percent). Why? The slow, methodical and lengthy process that these tactics employ speaks to the patience and complexity accompanying cyber espionage attacks.
These threat actors also take from months to years to be discovered (versus days to months for all breaches in general) – often covertly waiting in the shadows until it is time to strike.
Recommendations on the way forward
The CER contains details of how organizations can help defend and also recover from such attacks. Some initial recommendations are as follows:
- Employees are the first line of defense. Social engineering, or phishing, is a common method cyberspies use to gain access into sensitive systems; it is crucial that employees undertake regular security awareness training.
- Strengthen boundary defenses. Effective boundary defenses (such as network segmentation) and stronger access management capabilities (e.g., access granted on a need-to-know basis) can mitigate Cyber-Espionage attacks.
- A robust managed detection and response (MDR) offering can smoke out indicators of compromise on the network and the endpoints. Essential components of MDR include security information and event management (SIEM) technologies; threat intelligence; user and entity behavior analytics (UEBA); and threat hunting capabilities, as well as integrations with endpoint detection and response (EDR), network detection and response (NDR), and deception technologies.
- Data leakage/loss prevention (DLP) can flag sensitive data being snuck out the back door.
- Optimizing cyber threat intelligence to recognize indicators of compromise and the tactics, techniques and procedures of threat actors, and implementing a strong incident response plan, are also important strategies for combating Cyber-Espionage.
John Grim, lead author of the Verizon Cyber-Espionage Report, leaves organizations with these thoughts: “Cybercrime comes in all shapes and sizes, but fighting and preventing it is of equal importance. It is our aim that by sharing our expertise and industry data we can help businesses and governments tailor their cybersecurity strategies to become more effective. Defenses and detection and response plans should be tested regularly and optimized to confront cyber threats head-on. This is particularly important for Cyber-Espionage breaches, which typically involve advanced threats targeting specific data and operating in ways to avoid detection and deny cyber defenders effective response.”