Earlier last week, Verizon issued its first-ever Cyber-Espionage Report. The 2020 Cyber Espionage Report (CER) draws from seven years of Verizon Data Breach Investigations Report (DBIR) content and more than 14 years of the company’s Threat Research Advisory Center (VTRAC) Cyber-Espionage data breach response expertise. Verizon said that it published the CER to serve as a guide for cybersecurity professionals searching for ways to improve their organisation’s cyber-defence posture and incident response (IR) capabilities.
Key findings of the report are that for cyber-espionage breaches, 85% of actors were state affiliated, 8% were nation-state affiliated, and just 4% were linked with organized crime. Former employees made up 2% of actors. The industries most impacted by cyber-espionage breaches in the previous seven years were the public sector, manufacturing, professional, information, mining and utilities, education, and the financial industry.
If your business were the target of a well-funded malicious group, how would you know? For most victims, the initial exploited weakness was likely an opportunistic one, even when the damage done was significant. Victims of cyber espionage find themselves subject to a strategic set of actions. As highlighted in the report, cyber-espionage teams are often well-funded and highly skilled. This combination allows them to infiltrate a business quickly and leave few traces behind, which in turn increases the potential for ongoing damage. While their motivations might be financial, the rules they follow in their attacks will be unique to each team – even an outcome such as a ransomware demand might occur.

Defending against such an attack requires businesses to identify what assets they possess and how those assets might be valuable to an attacker – be that as a stepping stone along the attack path or as a saleable commodity. The starting point in such a defence is a comprehensive inventory of all software: how it is configured, its role within the organisation, how it is connected to other software powering the business, and what data it has access to. From there a data model can be created that maps users to data and systems, in a manner that allows audit rules to be defined. Once audit rules are in place, monitoring can begin, and that monitoring in turn surfaces unexpected access. While this process can be daunting, it should be treated as a work in progress that supports good business hygiene such as patch management, disaster recovery planning and compliance with data privacy regulations.
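The four steps above (inventory, data model, audit rules, monitoring) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from Verizon or the report; the systems, users, entitlements, log format and log lines are all constructed sample data, and the rule set is a hypothetical minimum rather than a recommended policy. It also shows the "stepping stone" view from the text by walking the inventoried connections to see what data a foothold on one system could reach.

```python
"""Asset/data model with audit rules and access-log monitoring.

Added example (not from the Verizon CER): inventory software with its
configuration, role, connections and data access; map users to data and
systems; derive audit rules; then run those rules over access-log lines to
flag unexpected access. Every entry and log line below is constructed.
"""
from dataclasses import dataclass, field
import re


@dataclass
class System:
    name: str
    role: str                                       # what the software does
    config: dict                                    # relevant config facts
    connects_to: set = field(default_factory=set)   # downstream systems
    data: set = field(default_factory=set)          # data classes it can read


# 1. Inventory: software, configuration, role, connections and data access.
INVENTORY = {
    "web-portal": System("web-portal", "customer front end",
                         {"tls": True, "admin_iface": "internal"},
                         {"crm-db"}, {"customer_pii"}),
    "crm-db": System("crm-db", "customer records",
                     {"encrypted_at_rest": True}, set(),
                     {"customer_pii", "contracts"}),
    "build-server": System("build-server", "CI for product firmware",
                           {"runners": "ephemeral"}, {"source-repo"},
                           {"source_code"}),
    "source-repo": System("source-repo", "git hosting", {}, set(),
                          {"source_code"}),
}

# 2. Data model: which users may reach which data, and through which systems.
USER_DATA_ACCESS = {
    "alice": {"customer_pii", "contracts"},   # account manager
    "bob": {"source_code"},                   # firmware engineer
    "svc-ci": {"source_code"},                # CI service account
}
USER_SYSTEMS = {
    "alice": {"web-portal", "crm-db"},
    "bob": {"build-server", "source-repo"},
    "svc-ci": {"build-server", "source-repo"},
}


# 3. Audit rules derived from the model.
def audit_event(user, system, data_class):
    """Return the rule violations for one access event (empty list = allowed)."""
    sys_ = INVENTORY.get(system)
    if sys_ is None:
        return [f"unknown system {system!r} (not in inventory)"]
    if user not in USER_SYSTEMS:
        return [f"unknown user {user!r}"]
    findings = []
    if system not in USER_SYSTEMS[user]:
        findings.append(f"{user} is not mapped to system {system}")
    if data_class not in sys_.data:
        findings.append(f"system {system} is not inventoried as holding {data_class}")
    if data_class not in USER_DATA_ACCESS[user]:
        findings.append(f"{user} is not entitled to {data_class}")
    return findings


def reachable_data(system, seen=None):
    """Data a foothold on `system` can reach by following inventoried
    connections: the 'stepping stone' value of an asset to an attacker."""
    if seen is None:
        seen = set()
    if system in seen or system not in INVENTORY:
        return set()
    seen.add(system)
    out = set(INVENTORY[system].data)
    for nxt in INVENTORY[system].connects_to:
        out |= reachable_data(nxt, seen)
    return out


# 4. Monitoring: apply the rules to access-log lines (constructed format).
LOG_RE = re.compile(r"user=(\S+) system=(\S+) data=(\S+)")


def monitor(log_lines):
    """Return (line, findings) for every line that violates an audit rule."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            alerts.append((line, ["unparseable log line"]))
            continue
        findings = audit_event(*m.groups())
        if findings:
            alerts.append((line, findings))
    return alerts


SAMPLE_LOG = [  # constructed sample access log
    "2020-11-20T09:01:02Z user=alice system=crm-db data=customer_pii",
    "2020-11-20T09:05:44Z user=bob system=source-repo data=source_code",
    "2020-11-20T22:13:09Z user=bob system=crm-db data=customer_pii",
    "2020-11-20T22:14:10Z user=svc-ci system=web-portal data=customer_pii",
    "2020-11-20T22:15:00Z user=mallory system=source-repo data=source_code",
]

if __name__ == "__main__":
    for line, findings in monitor(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
    print("data reachable from web-portal:", sorted(reachable_data("web-portal")))
```

Run as a script it prints the three log lines that break the model (an engineer reading customer records, a CI service account on the customer portal, and an unknown user) together with the rule each one breaks. The point of the structure is that the monitoring rules fall out of the inventory and data model rather than being written by hand, so keeping the inventory current is what keeps the alerts meaningful.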