Threat sharing has become a frequent response to the increasing number of cyberattacks. The 2015 Data Breach Investigations Report released Tuesday by Verizon found that 40 percent of attacks hit a second organization within just an hour. Three quarters of attacks spread within 24 hours.
This information puts a lot of pressure on initiatives that include threat sharing as a cybersecurity strategy, such as the new legislation Obama recommended in February and his proposed $14 billion cybersecurity budget, which includes $227 million for construction of a civilian cyber campus to better share information on cyber threats.
The Verizon study is perhaps the most comprehensive report of its kind, with 70 contributing organizations, including service providers, forensic firms, computer security information response teams, government agencies and the cybersecurity industry, offering real-world data. Data breaches from 34 countries were included using VERIS, a research methodology used to “provide a common language for describing security incidents in a structured and repeatable manner,” making the results more valuable.
Threat sharing is not as effective as we may be led to believe. Much recent legislation has focused on the idea that the sharing of threat intelligence will reduce incidents, which makes sense on an intuitive level. However, the researchers didn’t find that to necessarily be the case. “It is hard to draw a positive conclusion from these metrics, and it seems to suggest that if threat intelligence indicators were really able to help an enterprise defense strategy, one would need to have access to all of the feeds from all of the providers to be able to get the ‘best’ possible coverage,” said the report. “This would be a herculean task for any organization, and given the results of our analysis, the result would still be incomplete intelligence.”
The good news is that organizations are actually sharing information. “However, we’d like to recommend that if you do produce threat intel, focus on quality as a priority over quantity,” recommended the researchers.
Even with increased sharing and awareness about data breaches and how they happen, detection is taking longer. “Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise,” said the report. “Even worse, the two lines are diverging over the last decade, indicating a growing ‘detection deficit’ between attackers and defenders.”
The industries most affected by security incidents were the same as last year, including public, information and financial services. The proportion of external, internal and partner threat actors remained the same, with external actors comprising over 80 percent. Seventy percent of the time, the target is really secondary to the intended victim. For example, a website is hacked to serve malware in the hope that the “real” target will be infected with the software after visiting the compromised site.
Phishing continues to be an amazingly effective method for spreading malware, with an unbelievable 23 percent of people still opening phishing email and 11 percent clicking on attachments. Nearly 50 percent of those who open it do so within an hour. This is consistent with Google’s report of phishing effectiveness in allowing hackers to breach a network in under 30 minutes.
One final bit of good news in the report is that mobile is not yet a preferred tool in data breaches. “Out of tens of millions of mobile devices, the number of ones infected with truly malicious exploits was negligible,” said the report. However, with mobile broadband subscriptions expected to reach 8.4 billion by 2020 and mobile payments expected to grow 60 percent this year, that will likely change.