ECI: Anatomy of a Cyber Investigation Who Are the Actors

Title
1
Who is Doing it?
• 70% of breaches involved External agents
• 48% of breaches involved Internal agents
• 11% of breaches involved Partner agents
• Any breach can involve multiple individuals
  - E.g. an employee of a subcontractor steals credit card numbers and delivers them to an external third party
Who is Doing it?
• External Agents (70% of breaches, 98% of lost data)
  - 24% Organized Criminal Group
  - 21% Unaffiliated Person(s)
  - 3% External Systems or Sites
  - 5% Others (Former Employee, Partner, Competitor, Customer)
  - 45% Unknown
Who is Doing it?
• Internal Agents (48% of breaches, 3% of records)
• Demographics (90% deliberate)
  - 51% Regular Employees / end user
  - 12% Finance / Accounting
  - 12% System Admin
  - 7% Upper management
  - 8% Other (Help desk, Software Dev, Auditor)
  - 9% Unknown
Who is Doing it?
• Partner Agent (11% of breaches, 1% of records)
  - 3rd party "hijack" of Partner
  - Deliberate act of Partner
"Organizations that outsource their IT management and support also outsource a great deal of trust to these partners. … poor governance, lax security, and too much trust is often the rule"
  Verizon Data Breach Investigation Report (p. 19)
How Are They Doing it?
How did insiders do it?
• Inter-connected factors and events
  - 48% of breaches included Misuse of privilege
  - 40% of breaches were by Hackers
  - 38% of breaches used Malware
  - 28% of breaches used Social Engineering
  - 15% of breaches were Physical attacks
• A single attack may combine multiple vulnerabilities.
How did Outsiders do it?
• Hacker methods
  - Web Applications 54%
  - Remote Access 34%
  - Backdoors 23%
  - Network file sharing 4%
  - Others (physical access, wireless network, unknown)
Top 5 Methods of Attack
• Webpage Access
• Un / Improperly Secured Access
• Trusted network connections
• Trojans / Malware / Spyware
• Employee Malfeasance
Top 5 Methods of Attack
• Web Pages
  - Unsecured web page access
  - SQL Injection
  - Improperly designed website
  - Oops - errors
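As an added illustration of the SQL Injection bullet above (example code written for this page, not part of the original deck or of any product it cites), the Python below puts a lookup that concatenates the page's input into a query next to the parameterized form that removes the problem. The users table, the card values and the function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for an application's customer store
# (names and card values are made up for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4111-0000-0000-0001"), ("bob", "4111-0000-0000-0002")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # The query is assembled by string concatenation, so whatever the web page
    # passes in becomes part of the SQL text rather than a plain value.
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameterized query: the driver binds the value separately from the SQL,
    # so the input is only ever compared as data and can never change the query.
    return conn.execute(
        "SELECT name, card FROM users WHERE name = ?", (name,)
    ).fetchall()

def compare(name):
    """Return how many rows each variant hands back for the same input."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, name)),
        "safe": len(lookup_safe(conn, name)),
    }

if __name__ == "__main__":
    print(compare("alice"))        # both variants: 1 row
    print(compare("' OR '1'='1"))  # vulnerable: every row; safe: 0 rows
```

The point for an investigator is the second call: the concatenating version returns the whole table for an input that is not any customer's name, while the parameterized version returns nothing, which is why a web log showing quote characters in a query parameter is worth a closer look.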
Top 5 Methods of Attack
• Un / Improperly Secured Access
  - Abandoned / unguarded computers
  - Computers with too many connections
  - Brute Force
  - Backdoors
Top 5 Methods of Attack
• Trusted network connections
  - Subcontractor / sister company or agency
Top 5 Methods of Attack
• Trojans / Malware / Spyware
  - E-mail of a Trojan
  - Social Engineering
    • Telephone contact
    • Email contact
    • Internet contact (chat, IM, etc.)
  - Customized Malware (largest attacks)
  - Back doors
Top 5 Methods of Attack
• Employee Malfeasance
  - Abuse of system access
  - Use of un-approved hardware / device
    • Rogue networks
  - Improperly handled data
Timeline facts
• How long to compromise data
  - Most took days to months
  - 31% took only minutes
• Time to discovery
  - Most took weeks or months
  - 5% took minutes
• Time to containment
  - Most took days to weeks (some even months)
Some thoughts
• 98% came from servers (duh)
• 85% were not very difficult
• 61% discovered by a 3rd party
• 86% had evidence of the attack in log files
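Added example, not part of the original slides, tying together the Brute Force bullet, the time-to-discovery numbers and the closing point that 86% of breaches left evidence in logs: a small Python detector run over constructed sshd-style authentication lines that flags a burst of failed logins followed by a success from the same address, and then computes how long that compromise went unnoticed. The log lines, addresses (documentation ranges), threshold, window and function names are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication log lines (addresses from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24; nothing real).
SAMPLE_LOG = """\
2024-03-01 02:14:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01 02:14:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01 02:14:05 sshd: Failed password for root from 203.0.113.7
2024-03-01 02:14:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01 02:14:08 sshd: Failed password for backup from 203.0.113.7
2024-03-01 02:14:10 sshd: Failed password for admin from 203.0.113.7
2024-03-01 02:14:12 sshd: Accepted password for admin from 203.0.113.7
2024-03-01 09:30:00 sshd: Failed password for alice from 198.51.100.20
2024-03-01 09:30:20 sshd: Accepted password for alice from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse(log_text):
    """Turn matching lines into event dicts; lines of other shapes are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "result": m["result"], "user": m["user"], "ip": m["ip"],
            })
    return events

def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag an address that logs `threshold` or more failures inside `window`
    and then succeeds: the trace a password-guessing attack leaves behind."""
    by_ip = defaultdict(list)
    for e in events:               # events stay in log (time) order
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent_fails = []
        for e in evs:
            if e["result"] == "Failed":
                recent_fails.append(e["ts"])
                # Keep only failures that fall inside the sliding window.
                recent_fails = [t for t in recent_fails if e["ts"] - t <= window]
            elif len(recent_fails) >= threshold:
                alerts.append({
                    "ip": ip, "user": e["user"], "failures": len(recent_fails),
                    "first_fail": recent_fails[0], "compromise": e["ts"],
                })
                recent_fails = []
            else:
                recent_fails = []  # an ordinary success resets the count
    return alerts

def dwell_hours(alert, discovered_iso):
    """Hours between the successful login and the moment someone noticed."""
    discovered = datetime.strptime(discovered_iso, "%Y-%m-%d %H:%M:%S")
    return (discovered - alert["compromise"]).total_seconds() / 3600

if __name__ == "__main__":
    for a in find_brute_force(parse(SAMPLE_LOG)):
        print(a["ip"], a["user"], a["failures"], "failures before success at", a["compromise"])
        print("undiscovered for", dwell_hours(a, "2024-03-31 02:14:12"), "hours")
```

The single mistyped password from 198.51.100.20 is not flagged; six failures in eleven seconds followed by a success from 203.0.113.7 is. Run against a real auth log the same logic turns the "weeks or months to discovery" figure into a number you can measure, and it only works because the evidence was already in the file.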