Preventing data breaches is a tough job. The 2016 Verizon Data Breach Investigations Report (DBIR) aptly compares the information security team to a poorly armed soldier told to defend a hill at all costs without knowing who the enemy is or where they will attack. We have a lot to protect with limited resources, but we are learning more about how cyber criminals go about their business, and that gives us solid clues about where and how to defend. The first article in this three-part series explored the ROI of cyber attacks from the criminal's point of view. This article looks at preferred cyber-attack targets and tactics to help you figure out which data and systems are most important for you to defend.
Thinking like a cyber thief
Just as you can’t afford to defend on all fronts, cyber attackers can’t afford to attack everywhere at once. They have operating costs — buying exploit kits and/or credentials, renting botnets for phishing campaigns, etc. — so they will target the data that will bring them the best price for the lowest effort. That determination will depend on your industry, its business systems and processes, and which systems are most vulnerable to attack.
This is a different way to think about protecting your data. Not only do you need to know which information is protected by law or contract, you also need to think about what cyber criminals could do with it. For example, attackers sell financial data such as credit card numbers to other criminals, who then monetize it by buying goods they can resell. But the Dark Web is flooded with credit card and bank account numbers, so prices are down. Armed with that knowledge, you can expect attackers targeting card or bank account numbers to be looking for one of two things: either they will try to steal very large data sets to compensate for the low unit price, or they will target financial information from premium account holders with large credit limits and/or bank balances, because those sell for more on the black market. If they are after premium accounts, a smart thief is likely to go for credentials that give direct access to your databases so they can pick and choose. In fact, we see a lot of email phishing attacks aimed at getting banking passwords from consumers.
Medical identities are much more valuable to resell, but there is a more limited market for them because they are more complicated to exploit. They can be sold to individuals wanting to use them for medical coverage, but that is more involved than simply buying goods with stolen credit card numbers. They can also be used to commit Medicare/Medicaid fraud, but that also involves more steps to monetize. This may be one of the reasons that ransomware attacks on health care organizations are becoming so popular: the cyber attacker is paid directly by the victim, so there’s no competition to sell information on dark markets, no work to sell the stolen data, and minimal delay between the initial attack and the payment.
In addition to the value of the stolen assets, cyber criminals weigh the cost of the attack, so they look for where data is most exposed and for the easiest way to get it out of your business. Brute-forcing a way through firewalls to reach well-protected databases is a good way to lose time and profit. Instead, attackers look for cheaper paths: an outward-facing point such as a point-of-sale system, where card data is handled unencrypted in memory; an exposed web application vulnerable to SQL injection or a similar input-handling flaw; phishing emails or spoofed sites that deliver exploits to employee workstations; or simply phishing for credentials that let them walk in through the front door and take what they want.
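To make the "exposed web application" path concrete, here is an added example (not code from the article) of the SQL injection weakness mentioned above, with the vulnerable query beside its parameterized fix. The user table, the accounts in it and the login function names are constructed for illustration; plaintext passwords are used only to keep the demo short, a real system would store salted hashes.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the article: an in-memory table
    # with a "premium" account of the kind the text says attackers prize.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, tier TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "premium"), ("bob", "hunter2", "standard")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Attacker-controlled input is spliced into SQL syntax, so a quote
    # character in the input changes the meaning of the WHERE clause.
    query = (
        "SELECT username, tier FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds the values separately from the
    # statement text, so quotes in the input are data, never syntax.
    query = "SELECT username, tier FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    conn = make_db()
    # Classic tautology payload: the vulnerable query becomes
    #   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so the attacker gets the whole table.
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, payload, payload),
        "parameterized": login_parameterized(conn, payload, payload),
        "legit": login_parameterized(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

Running it shows the vulnerable login returning both accounts (including the premium one) for the injected input, while the parameterized version returns nothing for the same input and still authenticates the genuine user. The lesson matches the article's point: no firewall is bypassed, the attacker simply uses the application's own query path.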
The cyber-crime ecosystem
Cyber criminals maximize their profits by not reinventing the wheel. If a tactic or tool works, they will reuse it. So if you want to predict where attacks will come from, look at other attacks against businesses in your industry. The 2016 Verizon Data Breach Investigations Report includes a useful analysis of attack patterns by industry. As we might expect, retail and service industries are mainly targeted through their point-of-sale systems (95 percent in the accommodations industry and 64 percent in retail). If sales, content or service delivery happen via the web, web applications also become an attack vector (50 percent in the entertainment industry, 82 percent in finance, 57 percent in the information industry, and another 26 percent in retail). In less automated industries such as education, healthcare and public services, human error accounts for a significant share of incidents and breaches. And where high-value data is at stake, privilege misuse is a leading pattern, suggesting that attackers will go to the trouble of stealing credentials through phishing or other tactics in order to get into these systems (21 percent in professional services and 32 percent in healthcare). In manufacturing, thieves use targeted web attacks, phishing and cyber espionage tactics to exfiltrate intellectual property (92 percent combined).
Two faces of risk analysis
Every organization needs to analyze its privacy and information security risks, but the analysis has traditionally looked from the inside out: what data do we have, what is protected personal information, and what are our compliance risks? You need to know all those things, but risk analysis needs to be like Janus, the Roman god of passages, who faces forward and backward, inward and outward. By looking outward at the motivations and thinking of cyber attackers and backward at previous attacks in your industry, you can better predict where attacks will come from and how to prevent them, so you don’t offer attackers an easy passage to your data.