The 2017 Verizon Data Breach Investigation Report shows that across the world, the main cyber security threats facing government organisations come from “state-affiliated espionage” although few attacks are ever attributed to specific nation-states.
Nearly all of these cyber-espionage attacks begin with spear-phishing emails. Misuse of privileges and miscellaneous errors were the next two big categories of confirmed data breaches for government agencies.
“Verizon does tend to see quite a lot of spear-phishing, and email, in-bound attacks to federal customers,” Prescott Pym, Verizon’s Canberra-based network security operations manager, told The Mandarin.
He explains the company handles gateway management for most of the federal government’s law enforcement and defence agencies, and most of the bad stuff starts with a dodgy email that tricks someone into clicking where they shouldn’t.
“And this year, after doing the research, Verizon’s really found that the ransomware and malware — targeted campaigns by some of these state-affiliated actors — are really on the rise as the easy mechanism to get into corporations and government agencies,” said Pym.
The tenth iteration of the jocular report, released last week, is the first to include specific sections on industry sectors, including public administration.
In government, data breaches also appear to take a long time to discover. The report explains (in the trademark humorous style that also makes it stand out as a very readable corporate report, despite the dry subject matter):
“As a rule, the government is only in a hurry if you owe them something. Otherwise their mills may grind fine, but they grind very slowly. Certainly, it would appear that is the case when it comes to breach discovery.”
There were 66 public sector breaches where “time to discovery” is known and in 39 of those cases, it took years.
It took less than a year in nine cases, under a month in four instances, a matter of days on three occasions, only a few hours for eight exfiltrations, and mere minutes in three examples.
“Some of the … really top-end state-affiliated actors or nation-states, they have some pretty advanced malware and they’re pretty good at hiding their tracks,” said Pym.
He says the company has been sharing threat indicators and intelligence with government much more than in the past and that this kind of collaboration is the best way to detect breaches sooner.
Pym acknowledges “the inability to come together has been a blocking factor” but says the Prime Minister’s cyber security adviser Alistair MacGibbon has been working hard on bridging the gap between government and industry over the past year.
The yearly report provides an extremely broad overview of what’s happening among a large number of organisations across the world, but warns repeatedly it is not a totally representative sample.
Rather, it is Verizon’s attempt to slice and dice whatever data it can get, which is a lot, given the number of contributors and the amount of information that goes through its global IP network, which the company claims is about 70% of the world’s internet traffic.
This year’s effort considers information about 239 confirmed data breaches that hit public agencies last year, among a huge amount of other information on the global trends of 2016.
The fact that governments reported a whopping 21,000 incidents — far more than any other sector — is no cause for alarm. A large share of the report’s data comes from governments, and they typically have a far lower threshold for reporting cyber security incidents than organisations in the private sector.
In the public administration category, 41% of breaches were linked to espionage and it was identified as the main motivation for 64% of threat actors.
About 40% were insiders, and 20% had a financial motivation while 13% hack for fun, ideological reasons or because of a personal grudge. The type of data breached was split pretty evenly between personal information and “secrets” while 14% of breaches concerned credentials and 9% medical data.
It seems the cyber-espionage industry is booming and a lot of private sector businesses are targets as well. Out of 271 breaches in this category, 115 were in manufacturing and 112 in the public sector. The report notes:
“Unlike organized criminal groups, who are typically after directly monetizable data, state-affiliated actors are playing the long game and are more selective of their targets.”
Aaron Sharp, a Sydney-based security consultant with Verizon Enterprise Solutions, adds that trusted insiders, who could be involved in state-affiliated espionage, are a threat to watch out for in the public sector.
“Those nation-state threat actors are very targeted and they can afford to take a lot of time and be patient in trying to get to what they want to get to, but I think the other element that helps them cover their tracks and makes detection harder is the prevalence of insider threats,” Sharp told The Mandarin.
“If they’re working in conjunction with an insider, it just makes their job so much easier, because they know where all the controls are and they can just make hiding their tracks so much easier, so I think that’s the other element.”