Verizon Report: DDoS a Broad Threat
Study of Investigations Shows No Sector Is Immune
Breach statistics for 2012 show distributed-denial-of-service attacks dramatically increased in all sectors, says Dave Ostertag, global investigation manager and senior analyst for the investigative response team at Verizon. "If your organization, company or agency has a presence on the Internet, you're a potential victim now."
In its recently released 2013 Data Breach Investigations Report, Verizon discovered a marked rise in DDoS attacks worldwide, Ostertag says in an interview with Information Security Media Group (transcript below).
"They appear to be targeted, for the most part, by activism groups," Ostertag says. That includes Izz ad-Din al-Qassam Cyber Fighters, which has waged a DDoS campaign against U.S. financial institutions since last September (see DDoS: Is Phase 3 Over?).
Ostertag says organizations should be mindful that DDoS attacks have been used, in certain rare cases, to divert attention from attempts to perpetrate fraud. "Don't just focus on the DDoS attack, but also keep your eyes open and aware of other potential attacks," he says.
During this interview, Ostertag discusses:
- Escalating attacks aimed at compromising intellectual property;
- Why companies and organizations need to know who's attacking them in order to understand what the attackers are after;
- Increased investments companies throughout the world are making to mitigate their data risk exposure.
Ostertag is a global investigation manager and senior analyst for the investigative response unit at Verizon. He has more than 30 years of investigative experience in the government and security arenas. Ostertag coordinates the forensic investigations conducted by the investigative response unit worldwide. He is a certified expert witness and is a frequent instructor and speaker on the topics of data compromise investigation and international criminal organizations. Previously, Ostertag worked as a retail regional investigator and served 14 years as a police detective sergeant and four years as a state's attorney investigator. He also was global manager of field investigations for Discover Financial Services for more than 10 years. He serves on the board of advisers for the International Association of Financial Crimes Investigators.
DDoS: 2012 Trends
TRACY KITTEN: What stood out about DDoS in 2012, relative to the number of attacks and the costs associated with those attacks?
DAVE OSTERTAG: 2012 saw a dramatic increase in both the number of distributed-denial-of-service attacks and the complexity and size of those attacks. We had attacks aimed primarily at the banking industry in the United States, as well as other banks and companies across Europe and the Middle East. The number of attacks increased dramatically. ...
Prior to 2012, the recommended level of attack mitigation service for a major financial institution would be approximately 10 gigabytes per second. Attacks are increasing in size of up to five or six times that, so now the distributed-denial-of-service attack mitigation service that's recommended to large banks is 50 to 60 gigabytes per second. ... Overall, the number of attacks, as well as the types of attacks, has changed the game in the area of DDoS in 2012.
Associated Data Loss, Fraud?
KITTEN: Were data losses or fraud ever associated with some of those attacks?
OSTERTAG: In very few of these attacks we've seen data loss associated with DDoS. But, again, those are very small - less than could be counted on one hand. What we have seen, though, is fraud associated with attacks against regional banks or smaller banks that don't necessarily follow security procedures that other larger banks would incorporate, particularly in the area of ACH transactions. We saw a number of cases where Russian organized crime was involved and a high-value ACH transaction was committed. And typically, in banks associated with high-value ACH transactions, there would be an out-of-cycle or out-of-band communication to the consumer at the time that transaction was requested to verify it was legitimate.
In order to circumvent that bank's security procedure of the out-of-cycle transactions, a DDoS attack would be launched against the bank - in the case of telephone calls, a telephone-based DDoS attack, or in the instance of e-mail, an Internet-based DDoS attack - to slow down that communication to the consumer, knowing that the banks have a built-in timer switch. Once a certain amount of micro-seconds passes, if that communication has not been conducted, the transaction is approved. The DDoS attack is used to successfully complete an ACH transaction for a high-dollar amount.
We have not at this point seen a clear pattern of DDoS attacks being used as a diversion for some other type of attack; however, that's always a possibility, and we warn our banking customers that they should pay attention to that and realize that's a definite possibility. Don't just focus on the DDoS attack, but also keep your eyes open and aware of other potential attacks.
KITTEN: Banking institutions in the U.S. have been targeted by DDoS this year. Were DDoS attacks up for other industries as well?
OSTERTAG: We have seen an increase in other industries. They appear to be targeted, for the most part, by activism groups. Most of the DDoS attacks that we've seen in the past year we characterize as activism-based attacks. We have seen attacks against industries other than financial institutions, and they appear to be on an individual basis related to some type of problem the activism groups have with particular organizations.
2013 Data Breach Investigations Report
KITTEN: Could you give us some background about this survey itself?
OSTERTAG: The survey was conducted throughout the year. These are cases that are investigated either by my team or by one of the 18 other partners in the data breach report. The data is collected throughout the year as the incidents happen ... It's not related to specific industry verticals, but, rather, to victim organizations that are attacked and either hire my team or contribute information to one of the other contributing partners for the data breach report.
KITTEN: Can you give us any idea of the number of incidents that were tracked or the number of companies that were included in this report?
OSTERTAG: ... Bringing on all the partners that we did this year, we got a variety of information from around the world, and our partners are truly global. It's really impossible to break down a particular region that stands out because it truly is a global report.
In the report there are 621 incidents that occurred this year. Because of the amount of data we have, there's an additional 47,000 security incidents that are reviewed inside the report also. While those 47,000 incidents didn't rise to the criteria of being in the data breach report, they're being carefully monitored as far as the metrics that are collected and the fact that data may not have been actually compromised. But they offer a substantial data set that contains a lot of information that can be useful.
KITTEN: The report also notes that external attacks are most often to blame for data breaches. How are those external attacks most often waged?
OSTERTAG: A continuation of patterns that we've seen in the past, where malware and hacking continue to be the largest two action groups in the data breach report. We have seen an increase this year in the use of social engineering and phishing as well, which has dramatically increased. In the area of physical attacks, ATM-overlay devices are by far the biggest problem in that area, mostly with Romanian organized criminal groups being behind those.
KITTEN: Verizon also found that 67 percent of the network intrusions that were tracked exploited weak or stolen credentials, such as usernames and passwords. Is that an increase from previous years or has that been relatively consistent?
OSTERTAG: It's been relatively consistent. The use of stolen passwords or easily guessable passwords has always been a problem. That has been one of the highest percentage areas of data breaches since we started collecting information. It continues to be a problem, and, unfortunately, it's one of the easiest problems to solve. The use of good password-change programs, as well as good, strong-password-complexity programs, would stop those. However, it's just an area that we're not paying the attention to that we should be.
KITTEN: You've mentioned the physical attacks on ATMs, but what about malware attacks and other types of attacks? How do you see these comparing to previous years?
OSTERTAG: Malware attacks and hacking continue to be the largest group when we look at external actors and basically all attacks. We continue to see the use of malware being in a very high percentage of our cases this year as in previous years.
KITTEN: What about the industry comparisons? How did industries compare with one another where being targeted by certain types of attacks is concerned?
OSTERTAG: For the reader of the data breach report, there's a very interesting chart or matrix concerning that. We see very clear patterns of the types of attacks as well as who's behind the attacks, the particular industry involved in those attacks, and the type of data that's taken. We break that down into three groups of actors: organized crime, state-affiliated and activism groups. When we look at those, we look at very particular industries. In organized crime, we have finance, retail and the food or restaurant industry; in state-affiliated, it's manufacturing and professional organizations, such as engineering firms and transportation. When we look at activism groups, we see information, public-type organizations and other services, in addition to finance.
Obviously, the DDoS attacks by activism groups against finance groups were big this year. The types of activities involved were in very specific categories, and the assets that are the target for these attacks are very thorough. That's one thing that really stands out this year. We have these very clear categories based on the industry that you're in. To the particular industries, I think that's helpful in managing your security program - to understand who's most likely going to be attacking you, what methodology they're going to be using, and what data they're looking for.
Steps to Mitigate Risks
KITTEN: What about steps or investments that organizations are making to mitigate their risks?
OSTERTAG: In the area of DDoS detection and mitigation, we, like our competitors, invest heavily in that technology and those resources because of the demand, and because of the number of DDoS attacks against financial institutions in particular. There's just a huge demand for DDoS detection and mitigation. ... The number of customers that are looking for those types of services now, as well as the cost of those services, is increasing because of the increase in five to six times the amount of coverage needed. That's one area that truly stands out.
No Online Company is Safe
KITTEN: Before we close, are there any final thoughts about the 2012 findings that you would like to share?
OSTERTAG: One thing that stands out in this data breach report is that if your organization, company or agency has a presence on the Internet, you're now a potential victim. ... It's every industry vertical. It's every size of company. We have 14 companies of less than 100 employees in the area of boutique engineering firms or consulting firms that were targeted this year - the size of companies and types of companies that would never be a victim in previous years. Because of the increase in our cases involving espionage, those companies are now a specific target because of the nature of what they do or the type of data that exists within their network. They're now a target. The one pattern that became very clear in 2012 and continues into 2013 is that as long as your company has a presence on the Internet, in any way, you're a potential victim and a target for groups that we have not seen in the past.