Secrets Under Attack: Report

Friday, April 28, 2017 @ 11:04 AM gHale

Varieties of data breached within the Manufacturing industry.
From DBIR report

By Gregory Hale
Insider threat, outside threat, malware, ransomware, terrorist, nation state attack, advanced persistent threat, DDoS, DoS, phishing, or cyber espionage.

While all are potential threats to any manufacturing enterprise, it appears cyber espionage is by far the most predominant pattern associated with breaches in Manufacturing, according to the Verizon 2017 Data Breach Investigations Report (DBIR).

ICSJWG: New Reality for Safety, Security
ICSJWG: Malware Having ICS Impact
Defense from Tainted Mobile Devices
SANS: Know the Security Mission

While ransomware has been gaining traction throughout the industry over the past six months or so, the Verizon report said for manufacturers, “it is a safe bet that you worry quite a bit about hanging on to secrets. A whopping 90 percent of data stolen in Manufacturing was of the ‘Secrets’ variety.”

For a manufacturer, the intellectual property it possesses, whether it is a secret recipe, a creative new concept or a less expensive way to make a widget, makes a tempting target for thieves.

Unlike the more run of the mill, “grab-the-loot-and-scram” attacks we see in other verticals, espionage attacks are typically aimed at more long-term results, the report said. “The criminals want to infiltrate the network, find out where the secrets are kept, and then sit and slowly siphon off the nectar for as long as they can,” the report said.

In this report, Verizon recorded 620 incidents, with 124 confirmed data disclosures. The top three patterns they found were cyber espionage, privilege misuse and a category they labeled “everything else” represent 96 percent of breaches within manufacturing. Other categories they found were miscellaneous errors, crimeware and physical theft and loss.

The top threat actors were 93 percent external, 7 percent internal.

In 94 percent of the time, the motive for the breach was espionage, with six percent being financial.

Data compromised was secrets at 91 percent, and 4 percent each for internal and personal.

Gains in strategic advantage via espionage-related actions comprise the majority of breaches within this industry. Most are conducted by state-affiliated actors, but instances of internal espionage pilfering trade secrets are present as well.

With attacks getting more sophisticated, hackers really don’t focus on breaking into the intended target, rather the bad guy will go in through the front door via a phishing attack that contains a malicious link or attachment. That works because, let’s face it, someone in a company will click on any kind of link sent via email.

Then malware ends up installed and it creates a backdoor or C2, and the bad guys return at their leisure to footprint the network and take what they need. In fact, the social and malware combination occurred in 73 percent of breaches Verizon recorded in the manufacturing sector.

When state-affiliated actors are involved, their operations are targeted attacks, rather than opportunistic, the report said. In other words, the criminals are coming directly for a particular organization with a specific purpose in mind.

The next most common incident pattern, privilege misuse, (while only a very small sample size) is in some ways akin to the external espionage breaches discussed above. It often occurs when a disgruntled employee is tired of being kept down by “the man” and sets off to make their fortune elsewhere — but wants to take as much data as possible with them.

The following are tips Verizon suggested to avoid an attack:
• If you have highly-sensitive information, keep that data segregated and only allow access to those who require it to perform their job.
• Attacks against manufacturing end up initiated via a phishing email. Train employees in regard to phishing, and provide them with a quick and easy way to report suspicious emails.
• Internal monitoring of networks, devices and applications is critical. Attempt to implement account monitoring, audit log monitoring and network/IDS monitoring.
• Implement data loss prevention (DLP) controls to identify and block improper transfers of data by employees.

Leave a Reply

You must be logged in to post a comment.