Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Picking Over The Corpse: The Value Of Forensics

Matthijs van der Wel MBA CISSP® CISA® RON® QSA® QFI®Managing Principle Forensics EMEAVerizon Business Security Solutions

Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

2009 Data Breach Investigations Report

US TEAMEMEA TEAM

Matthijs van der WelJelle Niemantsverdriet

Thijs BosschertBen van Erck

Paul WrightAPAC TEAM

4Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

R I S K TeamESPONSE

NTELLIGENCE

OLUTIONS

NOWLEDGE

Response – Incident response and investigation services.

Intelligence – Gather, analyze, and correlate intel from a wide range of sources and then provide appropriate data, alerts, analysis and recommendations to our clients.

Solutions – Innovation and prototyping of new products and services.

Knowledge – Develop and disseminate risk knowledge and capabilities throughout the company, to our customers, and to the public.

The DBIR is the result of collaboration between

the Response and Intelligence groups

Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Results and Analysis

2009 Data Breach Investigations Report

10Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

2009 DBIR: What’s New?

• Periodic data collection allowed for more detail– Much more info within the Hacking and

Malware sections• Responded to public requests and questions

– Results also shown in % of records (was just % of breaches)

• New lines of study– PCI, Incident detection and response

practices• More thorough treatment and analysis• More mature presentation

– Better charts and graphs – No more pastel colors

• Plus, the bad guys were really busy (and, unfortunately, really successful)

After a 4-year study of 500 breaches, what makes the 1-year sequel interesting?

11Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

IR Case Data

All data collected during cases worked by the Verizon Business

Investigative Response team during 2008

• Objective, credible, first-hand information on actual breaches

2008 Caseload:

• 90 confirmed breaches (>150 total engagements)

• 285 million compromised records (confirmed – not “data-at-risk”)

• 1/3 of these cases have been publicly disclosed (so far)

• About 50% of caseload comprised of sets of interrelated incidents– Same attacker(s), shared connections, identical circumstances, etc

• 15 arrests (and counting)

• 31% Retail, 30% Financial, 14% Food & Bev, remaining mixed

• Over 1/3 of investigations conducted outside the US

12Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Breach Sources

• External sources– Most breaches, nearly all records– 90+% of breached records attributed to organized

crime activity• Internal sources

– Roughly equal between end-users and admins• Partner sources

– Mostly hijacked third-party accounts/connections

Impact

Likelihood

13Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Threats and Attacks

• Similar to previous 4 years for breach percentages

• Most breaches and records linked to Hacking & Malware

• Misuse is fairly common– Mostly admin abuse

• Deceit and social attacks– Involved a range of methods,

vectors, and targets• Physical attacks

– Represent minority of caseload– Portable media in one case (but

not essential to breach)• Error is extremely common

– Rarely the direct cause– Usually contributing factor

(67%)

14Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Breakdown of Hacking(64% of breaches)

• Default credentials and SQL injection most common• Few and old vulnerabilities exploited• Web Apps & Remote Access are main vectors

Techniques

Vectors

Vulnerability Exploits

15Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

• Most malware installed by remote attacker

• Malware captures data or provides access/control

• Increasingly customized

Breakdown of Malware(38% of breaches)

16Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Attack Difficulty and Targeting

• Targeted attacks doubled• Highly difficult attacks did not increase but are

responsible for nearly all breached records• Message: Some attacks are difficult to pull off,

but the payout appears worth it

17Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Compromised Assets and Data

• Most data breached from online systems– Different than public disclosures

• Criminals seek payment card data– Easily convertible to cash

• Other types common as well– Auth credentials allow deeper access– Intellectual property at 5-year high

18Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

18

• Amount of pre-attack research varies

• Data compromised within hours/days after breaching perimeter

• Breaches go undiscovered for months

• It typically takes days to weeks to contain a breach

Breach Timeline

19Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Breach Discovery

• Most breaches discovered by a third party • Event monitoring caught few breaches

20Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Unknown Unknowns

• Unknown data lower than ’04-’07

rates, but still accounts for 2/3 of compromised records

– Discovery and classification• Unknown privileges up

– Account review

An asset unknown to the organization

Data unknowingly stored on an asset

Unknown or forgotten external IT connections

Accounts and Privileges not known to exist

21Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

PCI DSS

Is PCI a Failure? NO!Then why were 19% breached?• Self-attestation• Study includes failures only• Scope / Unknowns• Assessment Sampling• Partners (transitive trust)

22Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Recommendations

Recap from previous report (They still apply)

• Align process with policy

• Achieve “Essential” then worry about “Excellent”

• Secure Business Partner Connections

• Create a Data Retention Plan

• Control data with transaction zones

• Monitor event logs

• Create an Incident Response Plan

• Increase awareness

• Engage in mock incident testing

23Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Recommendations, Cont’d

New recommendations (Based on 2008 cases)

• Changing default credentials is key

• Avoid shared credentials

• User Account Review

• Application Testing and Code Review

• Smarter Patch Management Strategies

• Human Resources Termination Procedures

• Enable Application Logs and Monitor

• Define “Suspicious” and “Anomalous” (then look for whatever “It” is)

24Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Summary

2008 saw much of the same, but new twists and trends were observed

• Sources: Similar distribution; organized crime behind most large breaches– Organized criminal groups driving evolution of cybercrime

• Attacks: Criminals exploit errors, hack into systems, install malware– 2008 saw more targeted attacks, especially against orgs processing or storing large

volumes of desirable data – Highly difficult attacks not common but very damaging– Large increase in customized, intelligent malware

• Assets and Data: Focus is online cashable data– Nearly all breached from servers & apps– New data types (PIN data) sought which requires new techniques and targets

• Discovery: Takes months and is accomplished by 3rd parties

• Prevention: The basics–if done consistently–are effective in most cases– Increasing divergence between Targets of Opportunity and Targets of Choice

• ToO: Remove blatant opportunities through basic controls• ToC: Same as above but prepare for very determined, very skilled attacks

– Initial hack appears the easiest point of control

25Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Questions?