Gone in 60 Seconds: Verizon Breach Report Reveals 60% of Enterprise Attacks Succeed in Minutes
by Alexander Heid
Chief Research Officer
(NEW YORK, NY) – During April 2015, Verizon released their annual breach report, which identifies ongoing trends within enterprise cyber attacks. This year, the primary focus of the breach report centered around the prolific rise in phishing attacks that spread malware and the rise of web application vulnerability attacks that exposed private data.
One of the most striking statistics identified in the report was that it takes most attackers only a few minutes to gain persistent unauthorized access within the infrastructure of a corporate network. The report cites that in over 60% of breaches, attackers were able to infiltrate the target within minutes. Attackers primarily accomplished this by leveraging the lack of security awareness on the part of corporate employees, and by exploiting long-standing, well-known vulnerabilities within poorly secured web applications.
The ability of attackers to penetrate a corporate network within minutes is quite realistic, especially when put in the context of a physical robbery. Bank robbers, home burglars, and car thieves are notorious for their ability to quickly enter private property, locate valuables, and disappear, leaving as little evidence as possible. The widespread adoption of IDS/IPS systems and a heightened awareness of the existence of digital attacks have forced attackers to rely on the skills of both stealth and speed.
Compromised Credentials: Public Dumps & Private Trades
The trends identified by Verizon coincide with the threat intelligence that has been obtained over the course of the last year by SecurityScorecard. A prolific rise in the release of compromised credentials in the public domain, combined with a rise in the trading of compromised credentials within underground communities, indicates that attackers are becoming more adept in the tradecraft of bulk data theft. Granular analysis of chatter collected by SecurityScorecard sensors reveals that the majority of the publicly traded credentials are the results of web application vulnerabilities, most commonly SQL injection, while the privately traded credentials are usually the results of phishing campaigns. The public dumps are mostly released by hackers to build their own reputations and/or engage in a form of hacktivism, whereas privately traded credentials are more targeted and usually have some form of value (bank logins, PayPal accounts, email accounts).
Public dumps are usually of dubious quality, and malicious actors make use of ‘checker’ scripts to confirm valid credentials. These ‘checker’ scripts are coded by hackers to mimic the login sequences of various e-commerce websites and e-mail service providers while rotating through lists of proxy servers. A bulk list of credentials is fed to the script, and the script outputs a list of valid credentials and a list of invalid credentials. The valid parsed accounts are then examined further by attackers for potential uses. The lifetime of a publicly released credential is short, whereas a privately traded credential can stay active for long periods of time when treated with care.
Sounds horrific, how can companies deal with this?
The emphasis of most enterprise security controls remains on the perimeter, and when an attacker masquerades as a legitimate user with pilfered credentials, detecting the anomalous behavior becomes much more difficult.
One way to deal with this risk is to assume that all end users will eventually be compromised through a client-side attack or password reuse, and will end up revealing their credentials to an attacker. Implementing two-factor authentication, historical IP geolocation, hard-to-guess secret questions, user audit trails, and web application security controls that go beyond the login portal will stifle most unauthorized access attempts.
These implementations will make the use of compromised credentials more difficult, requiring the use of proxy servers, malicious mobile apps, and/or social engineering. At present, these requirements would eliminate all but the most dedicated attackers, as most would seek out easier targets.
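As an added illustration of two of the controls above, user audit trails and historical IP geolocation, the following Python is not code from the original post or from SecurityScorecard. It runs over a constructed login audit trail (the record layout and the country values are assumptions; in practice the country would come from a geolocation lookup on the source IP) and flags two things: a successful login from a country the user has no history of, and a source address that tries many distinct accounts with a low success rate, the footprint a bulk ‘checker’ run leaves in server-side logs.

```python
from collections import defaultdict

# Constructed sample audit trail: (timestamp, user, source_ip, country, success).
# Timestamps are ISO 8601 in UTC, so string comparison orders them correctly.
AUDIT_TRAIL = [
    ("2015-04-01T09:00:00Z", "alice", "203.0.113.10", "US", True),
    ("2015-04-02T09:05:00Z", "alice", "203.0.113.11", "US", True),
    ("2015-04-03T09:02:00Z", "bob",   "198.51.100.7", "US", True),
    # Burst from one address trying many accounts, mostly failing
    ("2015-04-10T02:00:01Z", "alice", "192.0.2.50",   "RO", False),
    ("2015-04-10T02:00:02Z", "bob",   "192.0.2.50",   "RO", False),
    ("2015-04-10T02:00:03Z", "carol", "192.0.2.50",   "RO", False),
    ("2015-04-10T02:00:04Z", "dave",  "192.0.2.50",   "RO", True),
    # A valid credential used later from a country alice has never logged in from
    ("2015-04-11T14:30:00Z", "alice", "192.0.2.77",   "RO", True),
]


def build_baseline(events, before):
    """Countries each user successfully logged in from before the cutoff timestamp."""
    baseline = defaultdict(set)
    for ts, user, _ip, country, ok in events:
        if ok and ts < before:
            baseline[user].add(country)
    return baseline


def geo_anomalies(events, baseline):
    """Successful logins from a country absent from that user's historical baseline.

    Users with no baseline at all are skipped rather than flagged, to avoid
    alerting on every first login of a new account.
    """
    return [(ts, user, ip, country) for ts, user, ip, country, ok in events
            if ok and user in baseline and country not in baseline[user]]


def checker_sources(events, min_accounts=3, max_success_rate=0.5):
    """Source IPs that attempted many distinct accounts with a low success rate."""
    attempts = defaultdict(list)
    for _ts, user, ip, _country, ok in events:
        attempts[ip].append((user, ok))
    flagged = []
    for ip, tries in attempts.items():
        users = {u for u, _ in tries}
        rate = sum(ok for _, ok in tries) / len(tries)
        if len(users) >= min_accounts and rate <= max_success_rate:
            flagged.append((ip, len(users), round(rate, 2)))
    return flagged
```

Both detections only work if the audit trail records source address and outcome for every attempt, successful or not, which is why the audit trail itself is listed among the controls.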