Attack Pattern #1: Web applications (9.4% of incidents)

This year, the authors of the DBIR 2015 noticed that organized crime has become the most frequently seen actor behind web application attacks. These criminal syndicates, along with other malicious actors, have shifted their tactics to embrace Strategic Web Compromise, in which attackers compromise a web server simply to stage an attack against a different target. Two-thirds of web app attacks now follow this secondary style of attack, and the vast majority of them (98%) are opportunistic campaigns against easy targets. Further analysis reveals that in the financial sector, 82% of web application attacks in 2014 involved end-user devices, and a tenth incorporated at least one phishing/social engineering element. Attackers in this industry are also getting more creative with their tactics. For example, earlier this year it was reported that a group of criminals compromised a financial firm's web application, used that unauthorized access to encrypt a database managed by the enterprise, and eventually demanded $50,000 in return for the decryption key, in what has become one of the first publicized "ransomweb" attacks. The information services industry was similarly hard-hit by web application attacks last year.

From a more general perspective, approximately 95% of attacks targeting web applications harvested credentials from users' devices and then used the stolen credentials to compromise the corresponding accounts. This trend has somewhat eclipsed cross-site scripting (XSS) and SQL injection, techniques that remain popular among malicious hackers but together account for just over a quarter of web app attacks.
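The 95% figure above describes attacks that succeed with valid, harvested credentials rather than with an application flaw, so the defensive signal lives in the authentication log rather than in the web server's error log. The following is an added example, not code from the DBIR or from any vendor: it runs two simple checks over a constructed authentication log (the log format, the user names, the device identifiers and the cutoff date are all assumptions). The first check builds a baseline of devices each user has successfully signed in from and flags later successful sign-ins from a device that user has never used; the second flags a source IP that attempts sign-ins to several distinct accounts, which is the pattern left behind when one harvested credential set is tried across many users.

```python
"""Flag sign-ins that look like use of harvested credentials.

Added example with a constructed log (not DBIR data). Log line format
(assumed): ISO timestamp, user, source IP, device identifier, result.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: normal activity from two users on their usual
# devices, then one source IP signing in as alice and bob from an unseen
# device and failing against carol and dave.
SAMPLE_LOG = """\
2014-11-03T08:01:10 alice 10.1.1.5 dev-a1 SUCCESS
2014-11-03T08:05:42 bob 10.1.1.7 dev-b1 SUCCESS
2014-11-04T09:12:03 alice 10.1.1.5 dev-a1 SUCCESS
2014-11-06T02:13:55 alice 203.0.113.9 dev-zz SUCCESS
2014-11-06T02:14:20 bob 203.0.113.9 dev-zz FAILURE
2014-11-06T02:14:31 bob 203.0.113.9 dev-zz SUCCESS
2014-11-06T02:15:02 carol 203.0.113.9 dev-zz FAILURE
2014-11-06T02:15:40 dave 203.0.113.9 dev-zz FAILURE
"""


def parse_log(text):
    """Parse the space-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, device, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "device": device,
            "ok": result == "SUCCESS",
        })
    return events


def build_baseline(events, cutoff):
    """Map each user to the devices seen in successful sign-ins before cutoff."""
    known = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            known[e["user"]].add(e["device"])
    return known


def new_device_logins(events, known, cutoff):
    """Successful sign-ins at or after cutoff from a device the user never used."""
    return [
        e for e in events
        if e["ok"] and e["ts"] >= cutoff
        and e["device"] not in known.get(e["user"], set())
    ]


def spraying_sources(events, min_accounts=3):
    """Source IPs that attempted sign-ins to at least min_accounts distinct users."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) >= min_accounts
    }


def analyse(text, cutoff_iso):
    """Run both checks; cutoff_iso separates baseline from the period under review."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse_log(text)
    known = build_baseline(events, cutoff)
    return {
        "new_device": [
            (e["user"], e["ip"], e["device"])
            for e in new_device_logins(events, known, cutoff)
        ],
        "spraying": spraying_sources(events),
    }


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG, "2014-11-05T00:00:00").items():
        print(kind, findings)
```

On the constructed log both checks point at the same source IP: alice and bob both sign in successfully from a device neither has used before, and that IP has tried four distinct accounts. Neither check needs the credential to be wrong, which is the point: a sign-in with a harvested password is a valid sign-in, so the baseline of known devices and the per-source account count are what distinguish it from the user's own activity.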
Attack Pattern #2: Privilege Misuse (10.6% of incidents)

Today, privilege misuse is the top action in breaches involving internal actors (55% of incidents). 40% of these incidents were driven by financial gain and/or convenience, motives that ultimately led internal attackers to either sell the data or use it to compete directly with the victim organization after the breach. For the first time since 2011, cashiers did not top the charts for the internal actors most associated with privilege misuse breaches. End users instead ranked number 1 at 37.6% of incidents, followed by cashiers at 16.8% and finance staff at 11.2%. Privilege misuse breaches affect the mining, administrative, and healthcare industries most. That does not mean other industries are not vulnerable, however. Serious privilege escalation bugs were discovered in the past year in both Microsoft Windows and in all Android devices running versions below 5.0 (Lollipop), which together left potentially hundreds of millions of users vulnerable to an internal security breach. As of this writing, no incidents have resulted from the disclosure of those two vulnerabilities.
Attack Pattern #3: Cyber espionage (18% of incidents)

548 separate incidents of cyber espionage were observed in 2014. Of this total, only one-third had any attribution information whatsoever available to security researchers and forensic investigators. The manufacturing, public, and professional industries were most affected by this attack pattern, at 27.4%, 20.2%, and 13.3% respectively. The information services industry accounted for 6.2% of the total number of cyber espionage incidents, whereas the financial and healthcare sectors measured a combined 1.5%. Further analysis reveals that the preferred delivery medium was malicious email attachments, at 39.9%, followed by email links (37.4%) and web drive-by attacks (16.6%). In general, trade secrets made up the bulk (85.8%) of the information targeted by cyber espionage campaigns, whereas credentials and internal data were stolen in significantly fewer events, at 11.4% and 8.5% respectively. It is important to note that cyber espionage is not a tactic reserved for computer criminal rings and hacker groups alone. Nation states have also increasingly embraced this attack pattern, as is evident in the use of Turla malware by a country (most likely Russia) to spy on government institutions, embassies, military installations and other organizations in more than 45 countries, as well as in the activities of the Equation Group threat actor.