Verizon’s 2014 Data Breach Investigations Report (DBIR) compiled a decade’s worth of security incident data, covering both breaches and security incidents that did not result in data loss. They were able to group the incidents into 9 patterns based on the method of attack, the attack target, and attacker motivations. The patterns were Point of Sale Intrusions (e.g. Home Depot), Web App Attacks, Insider and Privilege Misuse (e.g. Edward Snowden), Physical Theft, Miscellaneous Errors (e.g. document misdelivery or incorrect document disposal), Crimeware, Payment Card Skimmers, Cyberespionage, and DoS (denial of service) attacks. These 9 patterns described 92% of the attacks; the remaining 8% didn’t fit into the existing patterns but used similar underlying methods.
This breakdown of attack patterns is relevant because Verizon also found that different industries were targeted by different patterns. Obviously retailers with physical stores were targets for Point of Sale Intrusions, but they were also primary targets of DoS attacks. While one might expect Crimeware to be a significant problem in Healthcare, it turns out that Physical Theft, Insider Misuse, and Miscellaneous Errors were far more serious issues.
Knowing the most likely avenue of attack for your environment enables you to prioritize your defenses. Each pattern has a recommended set of control measures: securing POS systems can mean isolating those systems, restricting access, using and updating antivirus, and enforcing strong password policies. If Crimeware or Cyberespionage are potential problems, keeping a software inventory and scanning for unauthorized software may be more beneficial than restricting access. The conclusion of the report includes charts displaying which security control measures are most significant for each threat pattern and industry, including links to the applicable sections of the SANS Critical Security Controls.
Addressing the most significant threats to your network is a good place to start, but obviously you want 100% protection, and prioritizing your defenses for 92% of possible threats isn’t a complete defense. As we discussed in an earlier post looking at Cisco’s 2015 Annual Security Report, malware and spam are evolving and becoming more difficult to detect, so there is also the possibility that a new type of attack could make it through your defenses before you have the tools to defend against it.
How can you defend against unknown attacks? The answer is knowing what your environment looks like when there is no problem and monitoring it for unusual activity that can indicate problems. Network traffic to atypical outside sites could indicate someone trying to exfiltrate data from your environment. Repeated failed login attempts could be someone trying a brute force attack to log in to your network. A large number of connections to your company’s web portal could be someone trying to hijack it.
Whether or not you’re looking at the activity in your environment, most applications have logs recording it. The difficulty is in differentiating normal behavior from threats and tracing threats across different log formats. Heroix has begun to work with Splunk® to help analyze logs and identify attacks.
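To make the "know your baseline, then flag the unusual" idea concrete, here is an added example (not code from the post, Heroix, or Splunk) that reads a handful of constructed log lines in two different formats, counts failed logins per source against a hypothetical threshold, and flags outbound connections to destinations outside a hypothetical known-good baseline; the threshold, the baseline set and the sample lines are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post): sshd-style auth
# records and firewall-style outbound connection records, mixed together.
SAMPLE_LOG = """\
Mar 10 08:01:02 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 08:01:03 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:01:05 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 08:01:06 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 08:01:07 web1 sshd[1203]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 08:01:09 web1 sshd[1204]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
Mar 10 08:02:00 fw1 kernel: OUTBOUND src=10.0.0.5 dst=192.0.2.10 proto=TCP dport=443
Mar 10 08:02:01 fw1 kernel: OUTBOUND src=10.0.0.5 dst=198.51.100.200 proto=TCP dport=443
"""

# One pattern per log format; each extracts (user, source) or (source, destination).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
OUTBOUND_RE = re.compile(r"OUTBOUND src=(\S+) dst=(\S+)")

# Hypothetical baseline: outside destinations this environment normally talks to.
KNOWN_DESTINATIONS = {"192.0.2.10"}
# Hypothetical threshold: more failures than this from one source is "unusual".
FAILED_LOGIN_THRESHOLD = 3


def failed_logins_by_source(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_suspects(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Sources whose failure count exceeds the baseline threshold."""
    return sorted(src for src, n in failed_logins_by_source(log_text).items() if n > threshold)


def atypical_destinations(log_text, known=KNOWN_DESTINATIONS):
    """Map each internal source to outside destinations not in the baseline."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = OUTBOUND_RE.search(line)
        if m and m.group(2) not in known:
            seen[m.group(1)].add(m.group(2))
    return {src: sorted(dsts) for src, dsts in seen.items()}
```

A real deployment would build the baseline from weeks of normal traffic and tune the threshold per host rather than hard-coding either.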