In this article the author discusses how attackers compromise and exfiltrate intellectual property (IP) and suggests ways to improve defenses.
Attackers have adopted a range of hacking methods and attack designs when targeting an organization. A well-designed, multi-dimensional attack can leave the organization struggling to identify the attacker, and by the time it traces the source, the attackers have finished their job and left the organization paralysed. A couple of such attack methods are discussed below, with their trends drawn from a survey report.
- Cyber-espionage
The biggest threat to your IP comes from state-affiliated groups. And in 93% of cases, state-affiliated groups were responsible for external espionage attacks — although organized crime was involved on a small scale. Activist groups also showed up in some espionage attacks and that suggests, rather worryingly, that trade secrets may have been disclosed to attackers who weren’t even after them.
Attackers are becoming more sophisticated in how they compromise your IP. Just under a third (31%) of all espionage breaches involved a victim that was just a means to an end. Such cases often take the form of strategic web compromises, whereby an organization’s website is compromised to serve malware to the intended victims when they visit the site.
The attack chain usually begins with phishing — either through interaction with malicious attachments or following links to malicious websites — although credentials may be stolen or guessed. This allows malware to gain a foothold on a device, which then provides a backdoor for hackers to install more malware and advance their attack deeper into the network.
What can you do?
Patch promptly: Attackers often seek to exploit software vulnerabilities — timely patching limits their opportunity.
Monitor email links and attachments: You’d be amazed at the low-tech methods attackers have used to successfully breach data. Email scanning can identify any suspicious links or attachments.
Use anti-virus and modern malware detection and remediation tools: Anti-virus won’t protect you from zero-day attacks, but many organizations continue to fall prey to well-known dangers.
Enable two-factor authentication: Both phishing and malware lead to lost credentials. Using two-factor authentication can break the chain of attack.
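The email-scanning control described above can be demonstrated with a small gateway-style check. The following is an added example, not code from the article or from Verizon: it parses a message with Python's standard `email` module and raises findings for attachments with executable or double extensions and for HTML links whose visible text names one host while the `href` points at another. The two sample messages, the domain names and the extension list are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions that mail gateways commonly quarantine (assumed list, not from the article).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".ps1", ".jar", ".lnk", ".iso"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: a credential-phishing style message whose visible link text
# names the corporate login host while the real href points elsewhere, plus a
# double-extension attachment. The attachment body is placeholder text, not a binary.
SAMPLE_EML = """\
From: it-support@example-corp.com
To: alice@example-corp.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://login.example-corp.com.evil-host.test/reset">https://login.example-corp.com/reset</a>
</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: 7bit

placeholder bytes, not a real executable
--b1--
"""

# Constructed benign message for comparison.
CLEAN_EML = """\
From: hr@example-corp.com
To: alice@example-corp.com
Subject: Team meeting
Content-Type: text/plain; charset="utf-8"

Agenda is on the intranet: https://intranet.example-corp.com/agenda
"""


def _host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def check_attachments(msg):
    """Flag attachments by file type and by double extensions such as .pdf.exe."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name}: executable type {ext}")
        if len(pieces) > 2:
            findings.append(f"attachment {name}: double extension")
    return findings


def check_links(msg):
    """Flag anchors whose displayed URL names a different host than the real href."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in ANCHOR_RE.findall(part.get_content()):
            text = TAG_RE.sub("", text).strip()
            shown = _host(text) if text.lower().startswith(("http://", "https://")) else ""
            if shown and shown != _host(href):
                findings.append(f"link shows {shown} but goes to {_host(href)}")
    return findings


def scan_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_attachments(msg) + check_links(msg)


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, scan_message(raw) or "no findings")
```

The link check deliberately compares hostnames rather than full URLs, because a mismatch between what the user reads and where the browser goes is the signal that matters; a gateway would typically go on to detonate or quarantine flagged attachments rather than only report them.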
- Insider and privilege misuse
Insider and privilege misuse accounted for 12% of data breaches involving the loss (or suspected loss) of trade secrets. This pattern covers situations where employees and business partners use their legitimate access rights to take confidential information for personal gain.
What can you do?
Know your data: Before you can protect your data, you need to understand exactly what data you have, where and how it’s stored, and who has access to it.
Review user behaviour: Implement processes to monitor use of systems and data so that you can identify any suspicious behaviour. Establish a process for reviewing or revoking access when employees change role or leave.
Watch data transfers: Set up controls to watch for data transfers out of the organization — in our experience these controls have caught many incidents of insider data theft that would otherwise have been missed.
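One way to implement the "watch data transfers" control is to aggregate outbound bytes per user per day from egress-proxy logs and compare each day against that user's own baseline. The following is an added example, not the article's or Verizon's code; the log format, the user names, the internal domain list and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import median

MB = 1024 * 1024
# Destinations owned by the organisation; uploads to these are not leaving the
# company (assumed names, not from the article).
INTERNAL_DOMAINS = ("example-corp.com", "example-corp.internal")

# Constructed egress-proxy log lines, one request per line:
#   <ISO timestamp> <user> <source ip> <destination host> <method> <bytes sent>
# alice's first three days are routine CRM traffic; the fourth day is a late-night
# bulk upload to a file-sharing host.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z alice 10.1.2.3 intranet.example-corp.com POST 3000000
2024-03-01T10:05:44Z alice 10.1.2.3 crm.vendor.test POST 1200000
2024-03-01T11:30:09Z bob 10.1.2.9 mail.example-corp.com POST 800000
2024-03-02T09:40:12Z alice 10.1.2.3 crm.vendor.test POST 1500000
2024-03-02T14:02:55Z bob 10.1.2.9 crm.vendor.test POST 900000
2024-03-03T09:01:30Z alice 10.1.2.3 crm.vendor.test POST 1100000
2024-03-03T16:45:00Z bob 10.1.2.9 crm.vendor.test POST 700000
2024-03-04T22:14:05Z alice 10.1.2.3 upload.filehost.test PUT 52428800
2024-03-04T22:20:41Z alice 10.1.2.3 upload.filehost.test PUT 41943040
2024-03-04T10:10:10Z bob 10.1.2.9 crm.vendor.test POST 850000
"""


def is_internal(host):
    """True if the host is the organisation's own domain or a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def parse_line(line):
    ts, user, src_ip, host, method, sent = line.split()
    return {"date": ts[:10], "user": user, "src_ip": src_ip,
            "host": host, "method": method, "bytes_out": int(sent)}


def daily_external_totals(lines):
    """Bytes uploaded per (user, day) to hosts outside the organisation."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] in ("POST", "PUT") and not is_internal(rec["host"]):
            totals[(rec["user"], rec["date"])] += rec["bytes_out"]
    return dict(totals)


def find_anomalies(lines, floor_bytes=20 * MB, factor=5):
    """Flag a user-day whose external upload volume exceeds both a fixed floor and
    `factor` times the median of that user's other days (the per-user baseline).
    Returns (user, day, bytes) tuples in a deterministic order."""
    totals = daily_external_totals(lines)
    per_user = defaultdict(dict)
    for (user, day), n in totals.items():
        per_user[user][day] = n
    alerts = []
    for user in sorted(per_user):
        days = per_user[user]
        for day in sorted(days):
            others = [n for d, n in days.items() if d != day]
            baseline = median(others) if others else 0
            if days[day] > max(floor_bytes, factor * baseline):
                alerts.append((user, day, days[day]))
    return alerts


if __name__ == "__main__":
    for user, day, n in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"ALERT {user} sent {n / MB:.1f} MB to external hosts on {day}")
```

The fixed floor stops a user with an unusually quiet history from being flagged over a few megabytes, while the median-based factor catches the case the article describes: a volume that is large for that particular person, not necessarily large in absolute terms.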
- Crimeware
Crimeware accounted for just 4% of breaches where trade secrets were stolen (or suspected stolen). This is a broad category that covers any use of malware to compromise systems such as servers and desktops. Breaches that fall into the crimeware category are usually opportunistic in nature.
What can you do?
Patch anti-virus and browsers: This could block many attacks.
Implement configuration change monitoring: Many of the methods used to breach your data can be detected easily by watching key indicators.
Store IP securely and not on user devices: Laptops and desktops used to surf the internet often get infected with malware. Only store IP on user devices if there is a strong business need.
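Configuration change monitoring, recommended above, reduces to keeping a baseline of file digests and reporting what was added, removed or modified since. The following is an added example rather than code from the article: it takes a SHA-256 snapshot of a directory tree, diffs two snapshots, and exercises itself on a temporary directory with constructed configuration files, so it runs offline. The file names and contents are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest a file in chunks so large configs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Report paths added, removed, or whose digest changed between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Build a constructed config tree, baseline it, apply three changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        baseline = snapshot(etc)

        # Simulated changes an operator would want to see: a hardening setting
        # flipped, a new scheduled job, and a file that disappeared.
        (etc / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "cron.d" / "update").write_text("*/5 * * * * root /opt/agent/run.sh\n")
        (etc / "hosts").unlink()
        return diff_snapshots(baseline, snapshot(etc))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite it, and the diff run on a schedule or from a file-system event source; the key indicators the article mentions are exactly the paths that show up under `modified` and `added`.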
In 85% of cases where IP was stolen, attackers were able to compromise the victims’ systems in a matter of days or less. IP should sit deep within an organization. Yet in 38% of cases, attackers were able to exfiltrate trade secrets in just minutes. In contrast, in the majority of cases (54%), it took organizations months or even years to discover there had even been a breach. And it then took them days or weeks (54% of the time) to contain the breach.
Authored By: Ashish Thapar, Managing Principal – Investigative Response, Verizon Enterprise Solutions, APAC