By Jim Lundy
Fireeye and Verizon both confirmed this week via separate reports that cyber espionage is becoming one of the dominant attack methods on enterprises. This blog post discusses some of the findings and reinforces some of our earlier claims about the need for enterprises to be more vigilant in their security practices.
APT30, which comes from China, will become a famous term, but not for the right reasons. A report released by Fireeye this week (April 2015) provides a deep analysis of the great hack of Asia, which has been going on for nearly ten years. The report speaks for itself, but we feel enterprises will have to step up their efforts significantly to protect their users and their intellectual property.
Some of the key findings from the report:
- It is a team of collaborative hackers that work in shifts to target individuals and enterprises.
- The APT30 malware is very sophisticated, can be installed on USB sticks, and can jump air gaps.
- The intrusion methods are sophisticated and target individuals with clever emails and well-designed document attachments.
- The targets and topics included “regional political, military, and economic issues, disputed territories, and media organizations and journalists.”
Targeting Users via Identity and Infected Files
The Fireeye report, along with a new Verizon Data Breach Report, confirms that cyber espionage attacks are on the rise and that some programs (APT30) have gone undetected for a long time. The most popular espionage attack vector is to gain access via an individual’s usernames/passwords or in some cases server or application passwords, along with infected files that are sent along with the email.
The Verizon report provides some compelling statistics that show what methods are being used to target enterprises. For 2014, cyber espionage (18%) was the third most used attack method. It also shows that insider misuse is also one of the biggest threats. There are some important conclusions that need to be drawn from this and one of them is that enterprises are not doing enough.
Frequency of incident classification patterns in 2014 with confirmed data breaches. Source: Verizon.
Is Your Industry Being Targeted?
One of the things that we often hear is, “They won’t target us.”
As you see below, there are key industries being targeted. One of the most popular for cyber espionage is manufacturing, which isn’t a surprise since China is trying to steal intellectual property using methods such as APT30 (see above).
Frequency of disclosed incident patterns in 2014 by industry. Source: Verizon.
Taking Steps to Protect the Enterprise
While many enterprises have some security measures in place, in many cases, we have seen that protecting identities and verifying users via simple methods, such as two-factor authentication has been very poorly enforced. This is particularly true in many IT departments, where common administrator passwords are used across multiple applications.
There are many new ways to protect the enterprise and the problem is enterprises are not doing enough at the user authentication level. Network security firms such as Fireeye are often engaged after an enterprise is breached and by then, it is too late.
The good news is that innovation in security is on the rise. Just this week, some emerging firms such as Illumio hit the news for a $100 million VC round that will drive the adoption of their Adaptive Security, which will go further to alert enterprises on abnormalities in connected applications. Lesser-known, but just as important, a small two-factor authentication firm, Duo Security raised $30 million for advancing the cause of 2FA, which we talked about earlier this year.
These security issues won’t go away and it will take a national effort to combat them. Enterprises should start now by conducting an internal audit, including whether 2FA is enabled for all applications. We will be profiling more of this (what CEOs need to do) in some upcoming research.