M-Trends, Verizon DBIR & Symantec ISTR: Detecting and responding to cyber attacks has never been more important

The release of three of the most important annual threat intelligence reports earlier this month confirmed that 2013 was an explosive year for cybersecurity. All three reports point to rising incidences of cyber attack, increasing sophistication of attack vectors and a growing diversity of threat actors and targets.

The first of the reports is entitled M-Trends, compiled by the security forensics company Mandiant, now owned by FireEye. M-Trends is based on the analysis of incidence response data from organisations across 30 industries. While the analysis detected a slight improvement in the average number of days taken by organisations to detect a network breach, there was no discernable improvement in the ability of organisations to detect breaches without outside assistance. Only 33 percent of breaches are discovered by internal resources.

The analysis also revealed that cybercriminals are deploying a wider variety of attack methodologies against targets. Traditional approaches involve the detection and exploitation of vulnerabilities in Web applications which enable attackers to move laterally through connected systems after a successful compromise. According to M-Trends, attackers are shifting focus from Web applications to exploiting workstations and other systems infected with botnets and Trojans. These tools are designed to create backdoors for the installation and propagation of more powerful  forms of malware designed to seek out and extract sensitive data.

The report notes that sensitive data goes beyond proprietary intellectual property. State-sponsored attackers target a wide variety of information sources to understand how businesses work including emails, procedural and workflow documents, plans, budgets, organisational charts, and meeting agendas and minutes.

M-Trends concludes that the list of potential targets has increased, and the playing field has grown. Threat actors are not only interested in seizing the corporate crown jewels, but are also looking for ways to publicize their views, cause physical destruction, and influence decision makers.

The second report is also the most long-standing and well-known. The Verizon Data Breach Investigations Report (DBIR) is now in its eighth year and includes contributions from organisations such as the U.S Secret Service, US-CERT, Europol and the Council on Cyber Security. The 2014 DBIR analyzed over 1300 confirmed data breaches and 63,000 security incidents in 95 countries.

The highest number of security incidents analyzed by the DBIR affected organizations in the financial, retail and public sector. This is unsurprising since such organizations tend to store or process financial and other sensitive information. However, the DBIR did not observe any industry that was not impacted by security incidents that led to confirmed data losses. This underscore the DBIR finding that “everyone is vulnerable to some type of event. Even if you think your organization is at low risk for external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data. To illustrate, 30% percent of security incidents impacting manufacturing companies can be classified as acts of cyber espionage. In comparison, less than 1 percent of incidents in public sector organisations are caused by cyber espionage. However, public sector organisations experience three times as many incidents of insider abuse as manufacturing companies.

The third and final threat intelligence report released in April was Symantec’s Internet Security Threat Report which revealed a 62 percent year-on-year increase in data breaches with 8 breaches exposing more than 10 million identities each. According to the report, the industries most at risk of a targeted attack are mining, government and manufacturing. The likelihood that organisations in such industries will experience an attack are 1 in 2.7, 1 in 3.1 and 1 in 3.2 respectively.

The report also revealed that there were more zero-day vulnerabilities in 2013 than other year on record. The number of zero-day vulnerabilities discovered last year were 61 percent higher than the year before and more than the previous two years combined.

The report recommends multiple and mutually-supportive defense-in-depth strategies to guard against single-point failures. It also recommends continuous monitoring and automatic alerting for intrusion attempts, as well as aggressive updating and patching. These recommendations are echoed by both M-Trends and the DBIR. According to the former, organisations require “visibility into their networks, endpoints and logs. Organisations also need actionable threat intelligence that identifies malicious activity faster.

Layer Seven Security enable SAP customers to meet this challenge by hardening every component of the SAP technology stack for defense in depth including underlying networks, databases and operating systems. We also configure comprehensive network, system, table and user logs to enable organisations to track, identify and respond to cyber attacks. Finally, we unlock standard, powerful security monitoring mechanisms in SAP Solution Manager to automatically detect and alert of potential malicious activity.