Cybersecurity is top of mind for public sector organizations. Myriad attacks, ranging from spear phishing to unauthorized access attempts to denial of service, keep cyber defenders on their toes. But there is a more nefarious and growing concern among public sector security professionals: Cyber-Espionage, a cyber-attack by external actors who combine advanced techniques with stealth, efficiency and persistence to obtain sensitive information for competitive advantage.
In a recent deep-dive report into the world of Cyber-Espionage, Verizon data breach investigation experts stated that of reported data breaches “in the past seven years (2014-2020 DBIR timeframe), nearly one-third (31%) of cyber-espionage breaches occurred in the public sector. Furthermore, of 2,152 data breaches in the Public sector during this same timeframe, 23 percent were perpetrated by Cyber-Espionage threat actors.” Bottom line, these are numbers that cyber defenders and incident response leaders can’t ignore.
So, what do public sector cybersecurity stakeholders need to know about Cyber-Espionage? According to the report, top actor varieties for Cyber-Espionage breaches were State-affiliated (85%) and Nation-state (8%). Among all industries, the top action varieties were Phishing and Use of backdoor or command and control (C2). John Grim, Distinguished Architect, with the Verizon Threat Research Advisory Center (VTRAC), stated that “generally speaking, the majority of Cyber-Espionage breaches, as compared to all breaches, take much longer to discover (from months to years) and contain (from days to months). While ‘all breaches’ includes various threat actor motives, these are dominated by Financial motive (76%) with threat actors seeking to avoid detection at least until they can cash in their stolen data for financial gain. These threat actors know that eventually someone will miss the stolen data and detect the breach (or fraud) and investigate.”
Grim further stated, “For all breaches, top compromised data varieties were Credentials, Personal (PII), Payment (PCI), and Medical (PHI). Generally speaking, if compromised, these data varieties fall within mandatory regulatory reporting requirements. Furthermore, these data varieties are rather straightforward for cyber defenders to identify and monitor for compromise. Whereas, for Cyber-Espionage breaches, compromised data varieties differ significantly: Secrets (75%), Internal (30%), and Credentials (22%). These data varieties are much harder to define, and generally speaking, are unregulated for breach reporting. Bottom line, detecting a compromise of these data varieties is a challenge on several levels: the stealth and skill of the threat actors, as well as the nature and structure of the data varieties.”
Detecting Cyber-Espionage breaches is just one piece of the puzzle. Read on to learn who’s behind Cyber-Espionage breaches, how they operate, which victim attributes are most impacted, and which victim assets top the list for compromise.
Attacker and Cyberdefender Timelines
In terms of timelines for Cyber-Espionage breaches, Time to compromise was seconds to days (91%), Time to exfiltration was minutes to weeks (88%), Time to discovery was months to years (69%) and Time to containment was days to months (79%). Top discovery methods were Suspicious traffic (48%), Antivirus (23%) and Emergency response team (7%). “This is indicative of the threat actor’s due diligence to not only understand their target’s environment and cybersecurity posture, but also to leverage that knowledge to accomplish their objectives without detection,” states the report.
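Suspicious traffic is the leading discovery method above, and the backdoor or C2 channel behind it typically polls its server on a fixed schedule. The following is an added example, not code from the Verizon report or VTRAC: it runs a simple beacon-interval analysis over a handful of constructed web-proxy log lines (a hypothetical `timestamp src_ip dst_host bytes` format) and flags source/destination pairs whose request timing is unusually regular. The hostnames, addresses and thresholds are assumptions chosen for illustration.

```python
"""Beacon-interval analysis over constructed web-proxy log lines.

Added example (not from the Verizon Cyber-Espionage Report). A C2 backdoor
that checks in every N seconds leaves a low-jitter timing signature in
outbound traffic; this script surfaces it by measuring how regular the
inter-request intervals are for each (source, destination) pair.
"""
from collections import defaultdict
from datetime import datetime, timezone
import statistics

# Constructed sample log lines (hypothetical format): "<ISO ts> <src_ip> <dst_host> <bytes>".
# updates.example-cdn.net is polled every ~300 s with near-constant response size;
# news.example.org is ordinary, irregular browsing.
SAMPLE_LOG = """\
2021-03-01T09:00:00Z 10.1.2.3 updates.example-cdn.net 812
2021-03-01T09:00:01Z 10.1.2.3 news.example.org 44120
2021-03-01T09:05:00Z 10.1.2.3 updates.example-cdn.net 815
2021-03-01T09:07:33Z 10.1.2.3 news.example.org 51003
2021-03-01T09:10:01Z 10.1.2.3 updates.example-cdn.net 810
2021-03-01T09:15:00Z 10.1.2.3 updates.example-cdn.net 813
2021-03-01T09:16:40Z 10.1.2.3 news.example.org 38777
2021-03-01T09:20:00Z 10.1.2.3 updates.example-cdn.net 811
2021-03-01T09:31:12Z 10.1.2.3 news.example.org 60210
2021-03-01T09:25:01Z 10.1.2.3 updates.example-cdn.net 814
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src_ip, dst_host); order is fixed later."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append((when, int(size)))
    return flows


def coefficient_of_variation(values):
    """Sample stdev divided by mean; 0.0 means perfectly regular."""
    mean = statistics.mean(values)
    return statistics.stdev(values) / mean if mean else float("inf")


def beacon_stats(events):
    """Timing regularity for one flow. Returns None if too few events to judge."""
    events = sorted(events)
    if len(events) < 2:
        return None
    intervals = [
        (later[0] - earlier[0]).total_seconds()
        for earlier, later in zip(events, events[1:])
    ]
    sizes = [size for _, size in events]
    return {
        "events": len(events),
        "median_interval_s": statistics.median(intervals),
        # Timing jitter: real C2 often adds a little, so allow some slack.
        "interval_cv": coefficient_of_variation(intervals) if len(intervals) > 1 else 0.0,
        # Near-constant response size is supporting evidence of an idle poll.
        "size_cv": coefficient_of_variation(sizes),
    }


def find_beacons(text, min_events=4, max_interval_cv=0.10):
    """Return flows whose inter-request timing is regular enough to look like a beacon."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        stats = beacon_stats(events)
        if stats is None or stats["events"] < min_events:
            continue  # too little data to distinguish polling from browsing
        if stats["interval_cv"] <= max_interval_cv:
            hits.append({"src": src, "dst": dst, **stats})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon {hit['src']} -> {hit['dst']}: "
              f"{hit['events']} events, median {hit['median_interval_s']:.0f}s, "
              f"interval CV {hit['interval_cv']:.3f}, size CV {hit['size_cv']:.3f}")
```

In practice the thresholds need tuning per environment (software updaters and monitoring agents also poll on fixed intervals, so the output is a triage list, not a verdict), and the same analysis is usually run on DNS query logs and firewall flow records as well as proxy logs.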
The VERIS (Vocabulary for Event Recording and Incident Sharing) A4 Threat Model – Actors, Actions, Assets, Attributes – sheds light on Cyber-Espionage breaches across all industries.
Top threat actor varieties were State-affiliated (85%), Nation-state (8%) and Organized crime (4%) entities. This differs markedly from all breaches (dominated by Financial motive), where the top threat actor varieties were Organized crime (59%), State-affiliated (13%) and Unaffiliated (7%) entities.
Top threat actions were Malware (90%), Social (83%) and Hacking (80%), while top threat action varieties were Phishing (Social) (79%), Use of Backdoor or C2 (Hacking) (60%), Backdoor (Malware) (53%), C2 (Malware) (53%), Downloader (Malware) (27%), and Capture stored data (Malware) (27%).
Top compromised asset varieties were Desktop or laptop (89%), Desktop (80%), and Mobile phone (9%).
Top compromised attribute varieties (the Confidentiality-Integrity-Availability Triad) were Software installation (Integrity) (91%), Alter behavior (Integrity) (84%), Secrets (Confidentiality) (73%), Internal (Confidentiality) (29%), Credentials (Confidentiality) (21%), and System (Confidentiality) (19%).
Click here to download the Cyber-Espionage Report.