Hackers so far ahead of defenders it's not even a game

Solarquest

Crims using multiple exfiltration points

26 Apr 2016 at 04:01, John Leyden

Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches.

The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still performing poorly in their attempts to defend against hacking or malware-based attacks. This isn't for a lack of trying or skills on their part, but almost completely down to the fact that the game is rigged against them.


Verizon's ninth annual Data Breach Investigations Report (DBIR) provides an analysis of over 100,000 security incidents and 3,141 confirmed data breaches last year, drawing on real-world data breach caseloads handled by either Verizon or around 50 other contributing organisations.

Those involved include the US Secret Service, the European Cyber Crime Center (EC3), UK CERT and the Irish Reporting and Information Security Service (IRISS CERT), amongst others.

Hackers are getting faster whilst defenders are treading water. Over 99 per cent of attacks compromise systems within days (four out of five do it within minutes), and two-thirds of those siphon off data within days (a fifth do it in minutes). Whilst there was an improvement in the number of breaches detected in 'days or less' noted in the last DBIR, that turned out to be a temporary blip. This year, less than a quarter of breaches were detected within the same timeframe – meaning attackers have almost always gotten away with the goods before anyone notices.

Worse yet, it's usually not the victim that notices the breach, but a third party (normally either a security researcher or law enforcement).

Nearly two-thirds of all breaches are still traced back to weak or stolen passwords – a basic security failure.

"People are not sitting in front of consoles, looking for SQL Injections before running a manual attack," Dave Ostertag, global investigation manager at Verizon told El Reg. "They are stealing credentials, planting malware, pivoting and exfiltrating data."

Hackers have begun using multiple exfiltration points to avoid detection, Ostertag added.

Phishing lures
Phishing (which "is efficient and works really well," according to Ostertag) remains a huge problem and a major factor in most breaches. The DBIR found that nearly a third of phishing emails get opened, and more than one in ten recipients open the attachments, a significant rise from last year. The main perpetrators of these attacks are organised crime syndicates, but nearly one in ten can be attributed to a state-affiliated actor. China accounts for more than half of all cyber-espionage attacks by volume last year, according to Ostertag, who nonetheless welcomed the recent US/China no hack pact as a positive development.

Public sector, manufacturing and professional services firms top the hit list of targets for cyber-espionage. Attackers are using phishing scams and pilfered passwords to open up a backdoor onto enterprise networks. This foothold is used to smuggle malware into targeted networks. Corporate networks would be far harder to attack – even with access credentials – in cases where enterprises had applied two-factor authentication. However, failure in this area was yet another security shortcoming identified during Verizon's study.

"Many victims have single-factor access into parts of their network even if they think otherwise," according to Ostertag.

On the cybercrime-for-profit front, ransomware is a problem across the board in manufacturing, the public sector and healthcare, Verizon reports. Cybercrooks, like cyber-spies, often rely on phishing.

"Hackers do their homework using social media like LinkedIn and other sources to know who to target, and what sort of content is likely to be opened," Ostertag explained.

"Cybercrooks are going after people who initiate or manage financial transactions."

Older threats such as phishing, malware and weak passwords predominate in breaches. By contrast, the much-discussed security risks from the Internet of Things and mobile phones barely register in Verizon's breach study.
 

XhenEd

Security people really have to think like a bad hacker or a criminal. If you know how they think, you know how to best prevent them.
I'm sure they're doing this already. But their efforts are not enough!
 

Deleted member 178

> Security people really have to think like a bad hacker or a criminal. If you know how they think, you know how to best prevent them.
> I'm sure they're doing this already. But their efforts are not enough!

Security people do what they can; the problem is the unaware users who are careless (either by ignorance, misplaced trust or laziness). Just look here at how many are too lazy to enable the basic security features of their OS.
 

Der.Reisende

> Security people do what they can; the problem is the unaware users who are careless (either by ignorance, misplaced trust or laziness). Just look here at how many are too lazy to enable the basic security features of their OS.

Yep, I think so too. Most suites offer preset modes, which can boost security with just a few clicks but evoke more warnings.
However, they usually state the impact of those settings.

Great article, thank you for sharing @Solarquest :)
 

Kate_L

Hackers so far ahead of defenders it's not even a game. This is because security companies don't even try; it's very expensive and they need to make a profit. This is all about balance: if you have an amazing product and you invested a lot of money, you need to get that money back, and if you raise the price of your product, nobody will buy it. I worked with a few security companies and I noticed that. The last company I worked with was OpenSecLabs; they invested a lot of money in research and only got back ~75%.
 

XhenEd

> Hackers so far ahead of defenders it's not even a game. This is because security companies don't even try; it's very expensive and they need to make a profit. This is all about balance: if you have an amazing product and you invested a lot of money, you need to get that money back, and if you raise the price of your product, nobody will buy it. I worked with a few security companies and I noticed that. The last company I worked with was OpenSecLabs; they invested a lot of money in research and only got back ~75%.

With a little background checking of your account, I now recognize you. You were OpenSecLabs in the past. :)
 

hjlbx

This is why users should use Windows' built-in security mechanisms (e.g. LUA), keep software updated, and, most importantly, moderate their online behaviour.

Following the above formula will easily get a system to an 85% or better protection level. Safe, conservative online habits can get it even higher, well into the 90%s.

It's not difficult to develop an unknown/untrusted file verification and handling routine on a home system.

Another big factor is that most users aren't willing, or just don't know how, to clean-install their OS at any indication that something might be wrong.

Of course, this only applies to home users. I think the article encompasses both Enterprise and home users. Enterprise systems are an entirely different beast.

* * * * *

Ignorance, laziness, neglect, disregard, mistakes = these are the primary drivers of infections. The user is always the weakest link. Target a sufficient number of users and a malc0der is sure to succeed.
 

jamescv7

Very ironic, why? They take security for granted, and only when a breach, hack or stolen information comes along do they improve and form partnerships with other organizations.

Still, the number one problem here is piracy, since they use pirated software as a form of protection without any assurance of its safety.
 

chrcoluk

There are also red tape issues.

A large company I worked for in the past, where I administered their servers, would often not let me apply hardening to the configuration because it made life harder for their developers (who were lazy in their security practices). Their priority was rolling out new features, second was maintaining uptime; security and performance came last.
 
