Verizon’s Data Breach Digest – Perspective is Reality

by John Grim
RISK Team | Verizon

2017 is here and this means it’s Data Breach Digest season. This year, just like last, we released the 2017 Digest at the RSA Conference in San Francisco, CA. What makes this year’s Digest different from last year? Stakeholders!

So, what do we mean by stakeholders?

Well, data breaches are complex affairs often involving some combination of human factors, hardware devices, exploited configurations, or malicious software. Data breach response activities—investigation, containment, eradication, notification, and recovery—are correspondingly complex. These activities, and the lingering post-breach after-effects, aren’t just an IT security problem; they’re an enterprise problem involving Legal Counsel, Human Resources, Corporate Communications, and other Incident Response (IR) stakeholders. Each stakeholder brings a different perspective to the breach response effort.

To illustrate this complexity, this year’s “Data Breach Digest – Perspective is Reality” (a.k.a. “the IR Stakeholder Edition”) presents each breach scenario from a different stakeholder’s point of view (PoV). Within this PoV, the stakeholder narration looks at critical decision pivot points, split-second actions taken, and crucial lessons learned from cases investigated by us, the Verizon RISK Team.

These IR stakeholders often include top-level leadership (i.e., the “strategic” decision-makers), middle-level managers (i.e., the “tactical” decision-makers), and a variety of technical and non-technical subject matter experts (i.e., “the trusted advisors”) on cyber-security and breach response. If organized by relationship to the victim organization, there are two groups: “internal” stakeholders – those who are part of the victim organization – and “external” stakeholders – those outside the victim organization, such as the Verizon RISK Team.

For the 2017 Data Breach Digest, 16 different stakeholders present a data breach scenario from their respective PoV. Within this group, ten internal (a.k.a. victim) stakeholder PoVs are represented: CIO, CISO, Legal Counsel, Human Resources, Corporate Communications, Incident Commander, Internal Investigator, IT Security Manager, SOC Analyst, and Endpoint Detection and Response (EDR) Technician. We round this out with six external (RISK Team) stakeholder PoVs: Lead Investigator, Endpoint Forensics Examiner, Malware Reverse Engineer, Network Forensics Specialist, CIP/CS Specialist, and PFI Investigator.

As was the case last year, we organized the data breach scenarios into one of four “Clustered Groupings”:

  • The Human Element – four scenarios highlighting human-related threat actors or targeted victims
  • Conduit Devices – four scenarios covering device misuse or tampering
  • Configuration Exploitation – four scenarios focusing on reconfigured or misconfigured settings
  • Malicious Software – four scenarios centering on sophisticated or special-purposed illicit software

Each breach scenario consists of an “Attack-Defend Card” along with a scenario narrative. Each Attack-Defend Card is specific to the scenario and covers four areas: “breach scenario,” “incident pattern,” “threat actor,” and “targeted victim.” We drew this content from the previous three years of RISK Team caseload, as well as VERIS, NAICS, and CIS Critical Security Controls (CSCs). Each scenario is brought to life through a narrative told from a unique stakeholder PoV to walk the reader from initial incident detection (and validation), to response and investigation, and then to lessons-learned.

To use the 2017 Data Breach Digest, here are four approaches:

  1. “The Kitchen Sink” – dive in and read from start to finish
  2. Scenario – home in on a specific Clustered Grouping
  3. Industry or Data Breach Investigation Report (DBIR) Incident or Both – use the Digest’s Usage Matrix to map victim NAICS industry to DBIR incident pattern to the most applicable scenario(s)
  4. IR Stakeholder – leverage the Attack-Defend Card “Key Stakeholders” sub-category to focus on certain stakeholders

The Data Breach Digest provides a great data breach study reference for not just IT security practitioners, but for nontechnical IR stakeholders as well.

We hope you enjoy reading our latest installment of the Data Breach Digest and in doing so, gain that new perspective on data breach response!


Data Breach Digest Update: Data Ransomware – the Catch 22

by John Grim

RISK Team/Verizon

The Data Breach Digest—a compilation of scenarios issued by the Verizon RISK Team at the beginning of the year—was written as a companion to the Data Breach Investigations Report (DBIR). In creating this DBIR companion, we tried to make it both entertaining and informative. To tell our story, we took the approach of making more of an investigations ride-along and brought the DBIR and its underlying VERIS data to life for a broader audience beyond the typical IT security folks.

The Data Breach Digest proved to be such a hit that we decided to release several follow-up publications in the form of three scenario updates for Incident Response stakeholders and 18 Cyber Security Awareness Month (CSAM) posters intended for the end user audience. More about the scenario updates in a minute.

These CSAM posters, which can be printed and hung up on your organization’s break room message board or disseminated digitally, can be accessed and downloaded from here.

The three follow-ups to the original 18 scenarios are as follows:

Update #1 – In September, we followed up on Scenario #12: ‘CMS Compromise – the Roman Holiday’ and provided five mitigation recommendations and five response recommendations specific to this rather prevalent scenario.

Update #2 – Then in October, we followed up on Scenario #8: ‘Hacktivist Attack – the Dark Shadow’ by providing five mitigation and five response recommendations specific to this lethal scenario.

Update #3 – And finally, this month, we decided to take another look at Scenario #15: ‘Data Ransomware – the Catch 22’ by providing a ‘Key 3x5x5 Approach’ to detecting, responding to, and mitigating crypto malware attacks.

Scenario #15 – ‘Data Ransomware – the Catch 22’ was identified as one of six ‘lethal’ scenarios. Since the Data Breach Digest publication, the RISK Team has had several cases involving different varieties of ransomware, including CryptoWall, TeslaCrypt, KeRanger, Locky, and Cerber variants. Nonetheless, the ‘Key 3x5x5 Approach’ to detection, response, and mitigation essentially remains the same. So check out the ‘Data Breach Digest – Update: Data Ransomware: User and File Space Error’.

Download the Data Breach Digest. Download the three scenario updates. Download the 18 CSAM posters. Use them to help improve your Incident Response posture for mitigating, detecting, and responding to the most prevalent and most lethal data breach scenarios.

As social engineering activities increase, buyer beware of tech support scams

By Roy Porter
Verizon Cyber Intelligence Center
Remote Tech Support Report

Threat Vector: Social Engineering

VCIC tracked a steady stream of social engineering tactics throughout 2016, including wire fraud, tech support scams, and lures designed to get users to open malicious email attachments. Active threat reporting by Microsoft in October 2016 further highlights the prevalence of this problem: two out of three people surveyed had been targeted in the past year by a specific type of social engineering attack known as the remote tech support scam. One in five of those targeted ended up victimized by downloading software, visiting a malicious site, allowing remote access, or handing over financial information. Microsoft estimated that in 2015 tech support scammers stole $1.5 billion. The loss can be immediate financial loss, loss of information, or an organization rendered unable to operate.

Recent Case Highlights

In today’s organizations, users expect IT helpdesk support via remote administration. In this environment, a tech support scammer’s goal is to establish a remote session through which malicious software is installed, data exfiltrated, or configuration changes made. The method isn’t new; it is now being combined with newer tactics, such as ransomware. For example, in March 2016 the popular TeamViewer software, reportedly used by 90%+ of Fortune 500 companies, was the main delivery vector for the Surprise ransomware variant. Additionally, Symantec has observed a new feature in the tech support scams it detects: code obfuscation in the pop-ups used to lure victims, in an effort to avoid automated detection.

Several recent cases involving remote tech support scams are highlighted here, including the tactics, tools and procedures used by the attackers to gain a remote session.

Case 1:

  • User encounters pop-up on corporate laptop with a suspicious activity warning
  • User calls support number listed on the popup
  • Scammer convinces user to visit hxxp:// and download/execute anydesk.exe
  • Scammer establishes session with corporate laptop

Case 2:

  • User receives unsolicited phone call after browsing non-business related websites on corporate system
  • Scammer directs user to visit hxxp:// and download/execute teamviewer.exe
  • Scammer establishes session with corporate system

Case 3:

  • User receives unsolicited phone call regarding a qualifying refund
  • Scammer convinces user to allow access to system via LogMeIn Rescue software
  • User directed to scammer-controlled site that is actually a fake portal for a refund service
  • Scammer establishes session and sniffs user’s banking credentials


Even as attackers evolve their tactics in carrying out remote tech support scams, there are general security practices that organizations can adopt to lessen the chances of falling victim. VCIC recommends considering the following:

  • Restrict software installation rights to privileged users
  • Block access to popular remote access software sites
  • Establish policies and practices whereby users can verify the validity of any contact with personnel offering tech support
  • Maintain a whitelist of approved software and enforce at endpoints
  • Educate users that they will never be instructed by tech support to install additional software downloaded from the internet
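Turning the last three recommendations into something that can actually be checked: the Python below is an added example, not VCIC’s tooling, that scans process-creation records for the remote-access tools seen in the three cases and flags any launch that falls outside an approved-software baseline (unapproved tool, approved tool running from a user-writable path rather than its managed install location, or a remote-access binary spawned by a web browser, which is the download-and-run pattern of Cases 1 and 2). The record layout, the assumed policy that only a centrally installed TeamViewer is approved, and the sample events are all constructed for the illustration; a real deployment would feed it Sysmon or EDR process-creation exports.

```python
"""Flag remote-access tool launches that deviate from an approved-software baseline.

Added example for the tech support scam cases above, not VCIC's own tooling.
The record format (host|user|image|parent image|command line), the approved
install path and the sample events below are all constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample process-creation records, one per line (not real telemetry).
SAMPLE_EVENTS = """\
LAPTOP-01|jdoe|C:\\Users\\jdoe\\Downloads\\anydesk.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|anydesk.exe
LAPTOP-02|asmith|C:\\Users\\asmith\\Downloads\\TeamViewer_Setup.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|TeamViewer_Setup.exe /S
WS-07|helpdesk-svc|C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe|C:\\Windows\\System32\\services.exe|TeamViewer.exe -service
WS-11|bjones|C:\\Users\\bjones\\AppData\\Local\\LogMeIn Rescue Applet\\LMIRescue.exe|C:\\Users\\bjones\\AppData\\Local\\Temp\\Support-LogMeInRescue.exe|LMIRescue.exe
WS-12|cwhite|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe
"""

# Remote-access tools from the three cases; matched against image path and command line.
REMOTE_ACCESS_TOOLS = {
    "anydesk": re.compile(r"anydesk", re.I),
    "teamviewer": re.compile(r"teamviewer", re.I),
    "logmein_rescue": re.compile(r"lmirescue|logmein.?rescue", re.I),
}

# Assumed baseline: only the helpdesk's centrally installed TeamViewer is approved,
# and only when it runs from its managed install path.
APPROVED_INSTALL_PATH = {
    "teamviewer": "c:\\program files (x86)\\teamviewer\\",
}

# Locations a standard user can write to; a remote-access binary here was fetched ad hoc.
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\", "\\appdata\\roaming\\")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe")


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    image: str
    reasons: list = field(default_factory=list)


def identify_tool(image, cmdline):
    """Return the remote-access tool name a record refers to, or None."""
    haystack = f"{image} {cmdline}"
    for name, pattern in REMOTE_ACCESS_TOOLS.items():
        if pattern.search(haystack):
            return name
    return None


def assess(host, user, image, parent, cmdline):
    """Apply the baseline checks to one record; return a Finding or None."""
    tool = identify_tool(image, cmdline)
    if tool is None:
        return None
    image_l = image.lower()
    reasons = []
    approved_path = APPROVED_INSTALL_PATH.get(tool)
    if approved_path is None:
        reasons.append("tool not on the approved software list")
    elif not image_l.startswith(approved_path):
        reasons.append("approved tool running outside its managed install path")
    if any(marker in image_l for marker in USER_WRITABLE):
        reasons.append("binary launched from a user-writable location")
    if parent.lower().rsplit("\\", 1)[-1] in BROWSERS:
        reasons.append("spawned by a web browser (download-and-run pattern)")
    return Finding(host, user, tool, image, reasons) if reasons else None


def analyze(events_text):
    """Parse the pipe-delimited records and return the findings in input order."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, user, image, parent, cmdline = line.split("|", 4)
        finding = assess(host, user, image, parent, cmdline)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.tool}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample data the helpdesk’s own TeamViewer service on WS-07 produces no finding, while the three user-fetched binaries do. The path and parent checks are deliberately separate from the allowlist check: a legitimately approved tool that appears in a Downloads folder or under a browser parent is exactly the signal that a user was talked into re-installing it by a caller.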

Cyber Insurance Part V

by Mark Rasch,

Managing Principal, Cybersecurity

You get a call at 2AM from your sysadmin with the four worst words you can hear from a sysadmin.  “Oh, by the way…” You have had a breach.  A big one.  You assemble your internal team.  You put into place your data breach, forensics and investigation plan.

Because you had planned ahead for this eventuality, and had a Rapid Response Retainer program from Verizon, you call in their team of investigators, researchers and analysts.  You bring in your legal team (in-house and outside counsel).  You coordinate your activities with relevant law enforcement agencies.  You bring in your HR and crisis communications team.  You prepare press releases for your CIO or CISO or CEO or whomever, depending on the scope and scale of the breach.  You retain and bring in a data breach notification team to send out the tens of thousands of data breach notification letters or emails.  You retain a company to provide credit freeze or credit monitoring for affected customers.  You obtain documents and records from the relevant ISPs to track down the bad guys.  You monitor the dark web to see whether any purloined information shows up on the black market.  You prepare for potential class action lawsuits by shareholders, customers, business partners, credit card issuers, or third party merchants.  You prepare for litigation with the FTC or state consumer protection regulators.  You prepare your international response; all the things that you prepared for when you retained Verizon’s rapid response team – except one.

One of the things you did (and it is looking pretty smart right now) was to purchase cyber insurance.  Not general cyber insurance, mind you.  But data breach insurance.  Exactly what you need.  You’ve been paying premiums for a couple of years, and now that investment has paid off.  Maybe.   Data breach and cyber insurance policies are frequently written in a way that creates ambiguities about what breach costs are covered and which are not.  Exclusions for things like criminal activities of insiders may be used to limit coverage when the breach occurs as a result of an employee’s conduct with respect to phishing, and “first party” coverage may limit payments only to your customers, and not to their banks, credit card companies, card brands, or other merchants who are impacted by stolen credit cards.  If medical records are breached, you may have a conflict between your breach insurance policy and your publicity policy (that’s your general liability policy that covers breach of privacy or publicity) especially if issued by different carriers.  But none of these policies provide any coverage if you don’t notify your insurer.

Insurance policies typically contain at least two duties of the insured as a condition of coverage.  A duty to promptly notify of the claim and a duty to cooperate with the insurer with respect to the claim.  Policies typically require that the insurer “promptly be notified, in writing, of any casualty loss, third-party liability claim, or occurrence that could give rise to a liability claim.”  Seems simple, no?  No.  What does “in writing” mean?  Mail?  E-Mail? Text message? Does prompt oral notification suffice for notice?  And what is an “occurrence that could give rise to a liability claim?”  A breach?  A potential breach?  An investigation of a potential breach?  Oh, and of course, what is “promptly?”  It’s so much better to get these terms worked out (at least informally) before a claim than litigated afterwards.  All of the costs you incurred before notifying the insurer may end up being for naught if you don’t notify.

The duty to cooperate extends the duty to notify and generally would require the insured to keep the insurance company apprised of all material facts concerning the loss or underlying claim, and to respond fairly to all reasonable insurer requests for information and documentation.  Many data breach insurers may insist that you use their data breach investigators, or their counsel, or their forensics teams, or at least teams that have been approved by them as a condition of coverage.   If you want to continue to use the team that you know and trust, the one that you have retained in advance, the one with knowledge and awareness of your policies and procedures, networks and devices, then tell your breach insurers that you intend to use your own team and that you have a Rapid Response Retainer service, and get them to buy in.  In fact, since such a retainer service can help limit the cost and impact of a breach, your breach insurer is not only likely to let you use your own team, but may reduce your premiums or increase your coverage for having the foresight to have planned for potential breaches.  It’s worth a conversation.  ‘Cause everyone loves talking about insurance, amirite?

Hacktivist Attack – the Dark Shadow

by John Grim

RISK Team/Verizon

The Data Breach Digest—authored and published by the Verizon RISK Team earlier this year—slices through the FUD (Fear, Uncertainty, and Doubt) that’s so prevalent in the world of cyber security. In doing so, the Data Breach Digest reveals what’s really happening in the world of cyber investigations. And more importantly, what you, the Incident Response stakeholder, should do when faced with a data breach.

We took a ‘RISK Team ride-along’ approach to telling our story, and selected 12 of the most prevalent scenarios and six of the most lethal scenarios we have seen in the past three years of our caseload. Each scenario narrative follows a common path:

  • ‘detection and validation’ – the state of the data breach prior to us getting involved
  • ‘response and investigation’ – us responding and working hand-in-hand with the victim
  • ‘remediation and recovery’ – our final feedback to the victim – expert, experienced feedback to get them back on their feet

For this month, we selected one of the six lethal scenarios to follow-up on:  Scenario #8 of the Data Breach Digest, ‘Hacktivist Attack—the Dark Shadow’, which detailed the breach of a critical infrastructure provider by a determined hacktivist seeking to punish or embarrass their target rather than seeking personal financial benefit. The associated scenario follow-up takes a ‘Key 5×5 Approach’ by providing five recommendations on mitigating and five recommendations on responding to hacktivist attacks.

Download the Data Breach Digest. Read about the Dark Shadow and the 17 other RISK Team-experienced scenarios, and use the lessons-learned to mitigate and respond to those most prevalent and most lethal data breaches.

Data Breach Digest Update: CMS Compromise

by John Grim
RISK Team/Verizon

The Data Breach Digest—released this past February by the Verizon RISK Team—has brought a fresh perspective to the security conversation. Its underlying premise was that ‘many data breach victims believe they are in isolation, dealing with sophisticated tactics and zero-day malware never seen before. The RISK Team has seen otherwise. To us, few breaches have been unique – there is tremendous commonality in real-world cyber-attacks.’

Based on 18 actual cases that we’ve investigated, the Data Breach Digest makes security tangible and real to not only the technical Incident Response stakeholders, but all stakeholders who are involved in incident response. And, in doing so, it encourages everyone to become an important link within the security chain.

One of the cases we investigated involved actual pirates hacking a global shipping company’s content management system (CMS) to steal the freight records and target their theft of valuables. This Update provides recommendations on how you can mitigate the threat of a CMS attack and how you should respond if you are breached.

Download the Data Breach Digest.  Read it, learn from it, and use it to mitigate and respond to those most prevalent and lethal data breaches that we – the RISK Team – have come across.


Making the Most of Limited Security Resources

Author: Joan Ross, Managing Principal, Cybersecurity

“If your enemy has no ships, building submarines may not be the best use of your limited resources”, a CIO at a recent Verizon 2016 Data Breach Investigations Report (DBIR) session conveyed.  Accountable for building and maintaining major infrastructure, he and the chief information security officer were actively strategizing together as to how to best utilize and stretch their limited security resources for the year.  Knowing the threats to your industry is the first step in evolving the most effective security strategies, obtaining priority budget, and educating all personnel within your organization.

While the extent of security breach data represented in this year’s report is sobering (for example, detection of breaches by the victim organization’s own internal resources has greatly decreased), there is encouraging information on how to get ahead of these attacks. Eighteen of the most common and most lethal attack scenarios are detailed within the Verizon 2016 Data Breach Digest.

We know from empirical evidence that in 82% of security breaches, evidence leading up to the breach was present in the logs.  Thus, one of the most significant activities security teams can do as part of their rapid response practice is gathering the last 90 days of logs from critical and non-critical systems.

There should be standard operating procedures and training established for the team in gathering log data, for two reasons.  One, it is critical to rehearse incident response activities before an actual breach, and to be able to collect evidentiary data quickly (within 24 hours) while following proper chain-of-custody handling.  Rehearsal gets valuable data rapidly into the hands of the responding experts when an actual breach may be occurring, so that known attack patterns can be more accurately identified and defended against.

Secondly, and just as important, if you take the additional step of getting the data from the rehearsal into the hands of trusted experts with the right tools, the early behaviors and reputations associated with increased attacks can be ascertained to help prevent a serious attack.  This puts valuable digital intelligence into the hands of your security team, executives and board of directors as to where potentially malicious traffic and connectivity is following known patterns.  While security information and event management (SIEM) systems may detect perhaps up to 15% of potentially malicious activity, proactively hunting for known malicious patterns and behaviors is increasingly useful in getting ahead of the remaining 85%, the more sophisticated attacks.
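As an added illustration of the log-gathering rehearsal described above (example code, not a Verizon procedure), the Python below copies log files modified within the last 90 days into an evidence folder, hashes each file with SHA-256 before and after copying, writes a manifest naming the collector, host and collection time, and can re-verify the bundle later so that any alteration after collection is detectable. The manifest layout, the directory names and the sample log line built by `demo()` are assumptions for the demonstration; the 90-day window mirrors the recommendation in the text.

```python
"""Gather recent logs into an evidence bundle with a SHA-256 chain-of-custody manifest.

Added example, not a Verizon procedure. The manifest layout, the directory names
and the constructed log lines in demo() are assumptions for illustration.
"""
import hashlib
import json
import os
import shutil
import socket
import tempfile
import time
from pathlib import Path

WINDOW_DAYS = 90
MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_logs(src_dir, evidence_dir, collector, days=WINDOW_DAYS, now=None):
    """Copy files modified within the window into evidence_dir and write the manifest.

    The source is hashed before copying and the copy is re-hashed afterwards, so a
    bad copy cannot silently become the "original" of record.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    src, dst = Path(src_dir), Path(evidence_dir)
    dst.mkdir(parents=True, exist_ok=True)
    entries = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        st = path.stat()
        if st.st_mtime < cutoff:
            continue                      # outside the collection window
        rel = path.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        digest = sha256_file(path)
        shutil.copy2(path, target)        # copy2 preserves the source mtime
        if sha256_file(target) != digest:
            raise RuntimeError(f"copy of {path} does not match source hash")
        entries.append({"path": rel.as_posix(), "size": st.st_size,
                        "mtime": st.st_mtime, "sha256": digest})
    manifest = {"collector": collector, "host": socket.gethostname(),
                "collected_at": now, "window_days": days, "files": entries}
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_bundle(evidence_dir):
    """Re-hash every file in the manifest; return the paths that are missing or altered."""
    dst = Path(evidence_dir)
    manifest = json.loads((dst / MANIFEST).read_text())
    return [e["path"] for e in manifest["files"]
            if not (dst / e["path"]).is_file() or sha256_file(dst / e["path"]) != e["sha256"]]


def demo(root=None):
    """Build a constructed log tree, collect it, then tamper with the copy and re-verify."""
    root = Path(root or tempfile.mkdtemp(prefix="evidence_demo_"))
    src = root / "logs"
    (src / "old").mkdir(parents=True)
    # Constructed sample entries, not real log data.
    (src / "auth.log").write_text(
        "Jan  5 02:14:07 ws-07 sshd[4411]: Failed password for root from 198.51.100.23\n")
    (src / "old" / "archive.log").write_text("stale entry outside the 90-day window\n")
    stale = time.time() - 120 * 86400
    os.utime(src / "old" / "archive.log", (stale, stale))
    evidence = root / "evidence"
    manifest = collect_logs(src, evidence, collector="analyst-on-call")
    before = verify_bundle(evidence)
    with open(evidence / "auth.log", "a") as f:   # simulate post-collection alteration
        f.write("tampered\n")
    after = verify_bundle(evidence)
    return [e["path"] for e in manifest["files"]], before, after


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be signed or copied to write-once storage as soon as it is written; a hash list that sits beside the files it protects only proves integrity relative to whoever could edit both. In the demo, `verify_bundle` returns an empty list immediately after collection and names `auth.log` once the copy has been appended to.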

The best way to get ahead of security breaches is to familiarize your team with these patterns, and build your strategy based on relevant, empirical evidence for your organization.

Making the Move to Managed Security Services

Author: Joan Ross, Managing Principal, Cybersecurity

One of the hardest realities for chief information security officers (CISOs) to confront is what concrete protections can be achieved with the annual resources available to them.  Theirs is a vital function, albeit typically with a smaller staff and budget than other divisions.  One must constantly evaluate and protect against the ongoing concern that someone with malicious intent will breach or disrupt the organization’s operations, and obtain sensitive customer information and secret business intellectual property.  Being a CISO is not for the faint of heart.

Prioritizing relevant risk to their organization and determining appropriate treatment with their executive team is an ongoing process. When necessary security funding is not allocated, or resources are few, the CISO is in a difficult position.  Ultimately, they bear the responsibility of a breach, even should it occur through a business supplier on systems outside of their control.  There may be limited people and mitigating controls to provide quality information security assurance.

2016 is the year more CISOs are making an honest evaluation of their team’s core security competencies and annual funding.  While difficult to relinquish control, the realization is they have no control or insight if the security functions are not being fulfilled.  This is when the tough decision is made to move the most time-consuming and burdensome security activities to a quality managed security services provider (MSSP).

In hindsight, CISOs relay that moving to an MSSP has been one of the best decisions for the organization, given they select a strong MSSP.  They’re able to obtain more actionable security intelligence from experts at recognizing patterns and events, and it frees up their limited resources to devote their efforts to the evolving business security strategy and improvements.

Expanding access capabilities, burgeoning security devices, and the continual monitoring of threats and vulnerabilities take a toll, both professionally and financially. MSSPs are an acceptable option provided the CISO conducts appropriate due diligence on the third-party provider.  This is where the experience, skill, certifications, reputation and investment in ongoing personnel training of the MSS provider matter; the selection criteria must weigh more than any cost efficiencies.

At a minimum, today’s CISO needs a rapid response retainer in place.  Established organizations are moving to contractually require such retainers of their critical business partners.  The reason for this is simple: preventing, detecting, containing and managing information security incidents requires trained professionals, reliable processes, chain-of-custody expertise, and forensics experts available at a moment’s notice.  With a retainer in place, organizations can report suspicious activity and have it qualified, or get a response on course of action, within minutes.  In seventy percent of the targeted breaches we analyzed, the incident spread to secondary victim(s) within twenty-four hours of the attack succeeding – a risk no CISO takes lightly in consideration of their organization, customers, and business partners.

Briefing the Board: Directing Security Evolvement

Author: Joan Ross, Managing Principal, Cybersecurity

If an organization’s CISO is not regularly updating the Board of Directors (BoD), there is an inherent disconnect in the security viability of the organization.  The function of the BoD is to act on the behalf of the best interests of shareholders and stakeholders in validating a well-managed company.

A CISO’s agenda for the BoD begins with three primary areas:

  1. What we know and have tested recently regarding security controls.
  2. What we don’t know or haven’t effectively evaluated at this time.
  3. Priorities for risk, budget, and evolving strategy based on a combination of #1, #2, current and planned business model, and current threat intelligence for your industry.

Verizon publishes the Data Breach Investigations Report (DBIR) on an annual basis for the greater good of the security community at no cost. This intelligence is heavily leveraged for the empirical research and investigation findings it provides, including trends in the common attack patterns.  Every security organization has it available to them to utilize as the basis for their BoD presentations and ongoing security awareness training for the organization.

CISOs convey that the most important graphic for them to begin their BoD presentation is the DBIR Incident Classification Patterns and percentages for their industry.  Annual budgets and periodic new budget needs can leverage the attack trends to justify requests.  While many security professionals may be aware of the proliferation of these patterns and methods, rarely is the BoD.  Today’s CISO educates their BoD as part of every briefing opportunity on how the organization remains potentially vulnerable.

The BoD is responsible for gaining an understanding of the routine occurrence of many of these data breaches and for asking their organization the tough questions on risk reduction to prevent, detect, defend against and mitigate these intrusions.  Verizon’s Data Breach Digest illustrates twelve of the most common recurring attacks and methods, and six of the emerging, more sophisticated attack types to guard against.

With the publication of these reports, which are truly brief reads, there is no reason for top leadership, including the BoD, not to be aware of the risk, commonality and methods of the majority of security breaches in their industry.  The measure of a well-managed company is evolving to one where these attack risks are mitigated with BoD support.

What’s in your wallet?

Author: Mark Rasch, Managing Principal, Cybersecurity

When workers were tearing down the old Apollo Theater in Times Square, they discovered a cache of men’s wallets and women’s purses hidden in the attic.  Apparently in New York in the 1940’s and 1950’s, the Apollo was the epicenter for pickpockets – targeting tourists and residents alike.  The cache represented a time capsule of sorts, with photographs of sweethearts, friends and family members, stored fortune cookie fortunes, paycheck stubs, utility receipts, social security cards, and handwritten driver’s licenses.  Gone of course was any hint of cash – after all that was what the pickpockets were after.  Also conspicuously missing, to 21st-century eyes, are loyalty program cards, access cards, or credit cards (although BankAmericard and Diners Club both existed back then).

I say this as my wallet gets thinner and thinner.  I keep a newly “secure” driver’s license with digital pictures, holograms and other security devices for identification.  And corporate and personal credit cards with a digital chip which occasionally gets scanned.  A box store membership card and a too infrequently used health club membership card.  And that’s it.  My kids, on the other hand have bulging thick wallets filled with nothing – or nothing important.

When we think of the items in our wallet or purse, we should consider them to be tokens.  A driver’s license is a token issued by the state indicating that we passed a minimum competence examination to operate a motor vehicle in that jurisdiction.  A credit card is a token issued by a bank indicating that we have an account (a bank account if a debit card, a revolving credit account if a credit card) with that institution and allowing third party merchants to interact with that account.  Loyalty cards are similarly tokens for accounts which establish a relationship with a particular merchant or club.  Even the cash in your wallet is a token issued by the government with whatever value society decides to imbue on it.

Every one of these tokens will soon be obsolete – if they aren’t already.  This doesn’t mean that they will disappear.  We have invested billions in the infrastructure necessary to issue, read, and interact with these tokens.  A folded note will still be easier to read than a file stored on an Android phone.  A tangible physical object serves as a reminder of our loyalty to a particular institution.   But the functionality of these tokens has already been duplicated in things like Apple Pay and Wallet, Android Pay, and other electronic wallet substitutes.  Our family pictures are on our devices and/or in the cloud (sometimes without our knowledge).  Electronic substitutes exist for identity, relationship, affiliation, authority, and access control.  There are even electronic substitutes for cash (like Bitcoin) despite the fact that a Florida court recently ruled that laundering Bitcoin does not constitute “money laundering.”

This move from physical objects to their electronic substitutes is not without risk.  The Apollo theater attendees knew (or soon realized) that they had been robbed.  The contents of my electronic “wallet” can be stolen without my knowledge.  The Times Square visitors knew (or should have known) that the Times Square of the 40’s through 50’s was a wretched hive of scum and villainy.  For electronic records there is no safe haven.  If someone stole a 1950s wallet, there was little chance of false personation and identity theft.  Since much of our modern interaction is virtual: you steal my token, you steal my identity.  What’s worse, I can now get new credentials and new tokens in your name, and become you online.  And now new crimes of false personation, identity theft, identity fraud, and synthetic and virtual identity fraud exist that could not have been contemplated back then.

All of this is by way of saying that, in designing any token system – whether it’s a driver’s license, a financial instrument, an access card, or a user ID and password – we must take particular care in determining how it will be used, and how it can be abused.  We misplace our trust in the token, rather than in the person presenting the token.  Multi-channel and multi-factor systems, sometimes with a biometric component, should be considered – but the privacy and anonymity implications of such systems should also be considered.  We must preserve the right and the ability for people to interact without a permanent record of their actions.

When we think of information security, we have to think not only of computers and networks, but of how people interact with them – in the virtual and physical world.  And you can take that sentiment and put it on a note and stick it in your wallet.  The movie playing at the Apollo Theater in the summer of 1958 was Ben-Hur.  Some things never change.