Taylor Havlisch

March 29th, 2017

Verizon Data Breach Digest: The Highlights

The Verizon enterprise team recently shared a Data Breach Digest (DBD) to shine a light on the complexity of breaches and the responses they require. Using applied use-case scenarios to illustrate the reality of these situations, the report gives a clear account of historical breach types and their patterns, so we can do our best to reduce the impact of their inevitable occurrence.

Before we get into the more doleful details, there is good news: there aren’t thousands of unique attacks that businesses have to worry about, because data breaches usually come down to a consistent set of “combinations of actors, actions, assets and attributes.” That means we can better predict and identify them. Successful identification begins with learning and recognizing incident patterns, so that effective planning and preparation can be done.

This DBD focuses on six incident patterns:

  • Insider + privilege misuse
  • Cyber-espionage
  • Web application attacks
  • Crimeware
  • Point-of-sale (POS) intrusions
  • Denial of service (DoS) attacks

Above all, the compilers of this report reinforce that data breaches aren’t just an IT security problem. The impact of a breach can reach a company’s corporate communications team, the legal team, human resources and beyond.

From the report, we’ve pulled a few highlights that represent a large sample set of companies and their potential breach types.

The first we’ll cover falls under a breach type that the report characterizes as “The Human Element.” After all, it is human beings who initiate data breaches. In this scenario, a lead investigator on a risk team describes a situation in which a company decides to restructure its staffing plan, resulting in the dismissal of employees. This makes the company a “soft target” and leads to actions against the company by disgruntled former employees, such as the sharing of personal information belonging to two executives. The company also experiences several DoS attacks, which occur when multiple infected systems are used to impact one single system. Online content belonging to the company is defaced and internal teams are locked out.

To deal with a case like this, the report outlines the following steps to consider:

  • Prepare, initiate and establish your Incident Response Plan early
  • Prioritize tasks related to handling the incident
  • Proactively communicate with all impacted parties
  • Engage law enforcement when the time is right

In this scenario, a network forensics specialist discovers suspicious network traffic on her company’s systems. An infected system has connected to the company’s command and control center, and the attack appears to be part of a phishing campaign, a common tactic used to compromise networks. Identifying the source is painstaking, but once it’s determined, her team is able to communicate the techniques of the breach to the victims, which results in the criminal actor shutting down the operation after realizing they’ve been discovered.

While the report further details her procedures for identifying the source of the attack and mitigating the impact, here are the highlights:

  • Know threat actor tactics and techniques
  • Monitor file system changes on servers
  • Operationalize monitoring
  • Conduct proactive reviews
  • Watch for unexpected trends
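“Monitor file system changes on servers” is the most concrete of these highlights, and the simplest way to operationalize it is a baseline-and-diff integrity check: record a fingerprint (content hash, size, permission bits) for every file under a path, then periodically compare against that baseline and review anything added, removed or altered. The script below is an added example written for this post; it is not code from the Verizon report. It builds its own temporary directory with constructed files so it runs offline, and the file names and the simulated changes are assumptions chosen only to exercise the three kinds of difference.

```python
"""Baseline-and-diff file integrity check (added example, not from the Verizon DBD)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Content hash plus the metadata a tamper usually disturbs: size and permission bits."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its fingerprint."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = _fingerprint(path)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared, or changed, and which attribute changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for rel in sorted(set(old) & set(new)):
        changed = [k for k in ("sha256", "size", "mode") if old[rel][k] != new[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate tampering, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        binary = root / "bin" / "httpd"          # hypothetical server binary
        config = root / "etc" / "app.conf"       # hypothetical config file
        binary.write_bytes(b"original binary\n")
        config.write_text("listen=443\n")
        os.chmod(config, 0o644)
        before = build_baseline(root)

        # Simulated changes after the baseline was taken (all constructed):
        binary.write_bytes(b"patched binary\n")          # content and size differ
        os.chmod(config, 0o600)                          # only permissions differ
        (root / "etc" / "unexpected.bin").write_bytes(b"\x00\x01")  # new, unexplained file

        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

In practice the baseline would be written to storage the monitored server cannot alter, and the comparison run on a schedule; the review effort goes into the `modified` and `added` entries, which is exactly where a replaced binary or a dropped file shows up long before the system “runs slowly” enough for anyone to notice.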

Here, we learn from a Malware Reverse Engineer at Verizon who shares the experience of discovering an infected system, which, unfortunately, typically happens only after the organization realizes there has been a “direct impact after the fact.” Malware of this type is difficult to detect because it can evade security controls and live within a system for a long period of time before anyone notices anything is wrong.

The report makes an interesting point that a system is more likely to get attention from its security team if it completely crashes, than if it’s just “running slowly.” When malware is eventually identified, “behavioral analysis of such malware is usually inconclusive or incomplete due to the decentralized nature of the architecture. An infected system can be used in many different ways and reconfigured on the fly, allowing threat actors to maintain access even when certain systems are remediated.”

An example of this type of malware includes credit card skimmers, like these devices found on ATMs. As the report points out, obtaining skimmers isn’t very difficult for criminal hackers. The devices can be purchased for only a few hundred dollars and attached to unattended card readers like ATMs, parking meters and gas pumps. By the time they’re actually discovered, it’s usually too late: transactions have likely already been completed, allowing criminals to use the stolen information to create fraudulent cards. The report suggests regular inspection of credit card acceptance devices to detect and remove skimmers.

If it’s too late and a team finds itself in a situation where a skimmer has gone undetected, the report has outlined these response tactics:

  • Remove the infected system from the network, but leave it on (so evidence isn’t wiped)
  • Draw a network map of the infection
  • Declare the containment only when all outbound traffic vectors are identified
  • Preserve all artifacts
  • Collect all information about the infection
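Two of these tactics, drawing a network map of the infection and refusing to declare containment until every outbound traffic vector is identified, can be made mechanical once connection records are available. The script below is an added example for this post, not code from the Verizon report. It parses constructed connection records in an assumed `src= dst= dport= proto=` format (the addresses are documentation ranges, and the 10.0.0.0/8 internal range is an assumption), expands the infection map from a seed host through its internal contacts, inventories the external destinations and ports those hosts reached, and then checks post-isolation records for any destination that was not already on the list, which is the signal that containment is not yet complete.

```python
"""Infection map and outbound-vector inventory (added example, not from the Verizon DBD)."""
import ipaddress
import re
from collections import defaultdict

# Assumed record format; real flow or firewall logs would need their own parser.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption for the example

# Constructed records captured before the infected host was pulled off the network.
PRE_ISOLATION = [
    "2017-03-01T10:00:00Z src=10.0.5.12 dst=203.0.113.7 dport=443 proto=tcp",
    "2017-03-01T10:00:05Z src=10.0.5.12 dst=10.0.5.40 dport=445 proto=tcp",
    "2017-03-01T10:01:00Z src=10.0.5.40 dst=198.51.100.9 dport=53 proto=udp",
    "2017-03-01T10:02:00Z src=10.0.5.12 dst=203.0.113.7 dport=8443 proto=tcp",
    "2017-03-01T10:03:00Z src=10.0.5.99 dst=203.0.113.50 dport=443 proto=tcp",
]
# Constructed records from after isolation: one known vector, one new one.
POST_ISOLATION = [
    "2017-03-01T12:00:00Z src=10.0.5.40 dst=198.51.100.9 dport=53 proto=udp",
    "2017-03-01T12:00:30Z src=10.0.5.40 dst=192.0.2.200 dport=443 proto=tcp",
]


def parse_record(line: str) -> dict:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def infection_map(lines, seed_hosts) -> list:
    """Expand the seed host(s) through internal contacts until no new hosts appear."""
    records = [parse_record(l) for l in lines]
    hosts = set(seed_hosts)
    while True:
        new = {r["dst"] for r in records
               if r["src"] in hosts and is_internal(r["dst"]) and r["dst"] not in hosts}
        if not new:
            return sorted(hosts)
        hosts |= new


def outbound_vectors(lines, hosts) -> dict:
    """External destination -> sorted (proto, port) pairs used by any mapped host."""
    vectors = defaultdict(set)
    for r in (parse_record(l) for l in lines):
        if r["src"] in hosts and not is_internal(r["dst"]):
            vectors[r["dst"]].add((r["proto"], r["dport"]))
    return {dst: sorted(pairs) for dst, pairs in vectors.items()}


def containment_gaps(post_lines, hosts, known_vectors) -> dict:
    """Post-isolation external destinations not already inventoried: containment is incomplete."""
    seen = outbound_vectors(post_lines, hosts)
    return {dst: pairs for dst, pairs in seen.items() if dst not in known_vectors}


if __name__ == "__main__":
    hosts = infection_map(PRE_ISOLATION, ["10.0.5.12"])
    vectors = outbound_vectors(PRE_ISOLATION, hosts)
    gaps = containment_gaps(POST_ISOLATION, hosts, vectors)
    print("mapped hosts:", hosts)
    print("outbound vectors:", vectors)
    print("containment complete" if not gaps else f"NOT contained, new vectors: {gaps}")
```

The map grows only through contacts the records actually show, so the unrelated host 10.0.5.99 stays out of it, and the post-isolation check turns “declare containment” from a judgement call into a concrete condition: no mapped host reaching any external destination that was not on the inventory.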

Though each scenario outlined in the report varies in some way, there are identifiable patterns and consistencies that can help inform strategies for managing breaches. The report has pulled out five of the most important things to keep in mind when the inevitable does happen:

  1. Preserve evidence
  2. Be flexible and adapt to evolving situations
  3. Establish consistent communication
  4. Know your limits and collaborate when you need to
  5. Document your actions and findings

Click here to download the full content of the DBD.
