Manufacturing is witnessing a significant hike in internal cyber threat actors linked to nation state schemes to disrupt operations and allow chosen businesses to gain competitive advantage and market share, David Ostertag, global investigation manager for Verizon’s investigative response unit, suggested Wednesday during a media briefing in downtown Toronto.
Not only is the development concerning, but so too is the unnerving way in which internal actors are being recruited to use their positions to compromise employer data.
Typically, foreign nationals working for manufacturing facilities are being approached by state-affiliated actors in their home state and directed to compromise company data under threat to either themselves or their families, Ostertag told reporters at the Verizon Enterprise Solutions briefing.
“So, absolutely, a very clear trend increasing in that area,” he said, pointing out that “96% of the breaches in manufacturing are cyber espionage, privilege misuse and then everything else.”
Across all regions and industries covered in Verizon’s Data Breach Investigations Report (DBIR), there were more than 42,000 security incidents and 1,935 confirmed data breaches, Ostertag said. The latter are broken down into breach patterns: miscellaneous errors; privilege misuse; physical theft and loss; crimeware; web application attacks; point of sale; cyber espionage; payment card skimming; denial of service; and everything else.
“This year, 88% of the 1,935 breaches fall within one of those (first) nine breach patterns,” he told reporters.
Specifically for manufacturing, “when you make stuff, there is always someone else who wants to make it better, or at least cheaper. A great way to make something cheaper is to let someone else pay for all the R&D, and then simply steal their intellectual property,” notes the report.
That being the case, it is likely “no surprise that cyber espionage is, by far, the most predominant pattern associated with breaches in manufacturing,” the DBIR adds.
“The traditional thought of espionage is intellectual property being stolen. The majority of espionage cases that we see involve business deal information,” such as details regarding a merger or acquisition, real estate purchase or bids, Ostertag said.
That said, “we’re starting to see espionage security incidents in a different way,” he noted, with the production process the most likely target for initiating disruption.
“We’ve started to see disruption as that business advantage. If I disrupt my competitor’s ability to do business, I get a greater market share,” Ostertag said.
“Unlike the more run of the mill, ‘grab-the-loot-and-scram’ attacks we see in other verticals, espionage attacks were typically aimed at more long-term results,” the report notes. “The criminals want to infiltrate the network, find out where the secrets are kept, and then sit and slowly siphon off the nectar for as long as they can.”
Unfortunate trends are also being seen in the financial and insurance sector, where Ostertag reported 94% of the breaches explored in the DBIR were external.
In all, “96% (of the breaches) are financially motivated and 88% of the incidents fall within denial of service, web application attacks and payment card skimming,” he said during the briefing.
“Not only does the financial industry need to protect data that is easy to monetize, but investment banks and other non-commercial entities have information surrounding investment strategies, mergers and acquisitions and market influencers that would be sought after by actors motivated by espionage,” the report states.
“We see more multi-layered attacks in denial-of-service involving an initial, traditional DDoS type of attack,” Ostertag noted.
Once the organization is busy responding to and trying to manage the DDoS attack, customers move to calling the call centre rather than trying to access the online account centre, he said.
That initial attack is then made worse by a TDoS, a telephone denial of service attack. “So it interferes in the management of the DDoS incident as well as disrupts the customer’s ability to contact the bank through telephone rather than online.”
In most industries, there will be three breach patterns that account for most threats, Ostertag reported. That means that rather than dedicating defence efforts against all nine, most of the focus can be on the three breach patterns most relevant to a particular industry.
Also key in defence efforts is the distinction between security incidents and data breaches: in both, access to the network or even data is gained, but a data breach involves data actually leaving the network, Ostertag explained.
That dividing line, he argued, is important. “You will often see differences – up to 180 degrees difference – between the patterns of incidents and the patterns of breaches. So our preferred use of the DBIR is to manage a security program from a risk-based perspective, and the risk being the likelihood of data being breached,” he said. “While incidents are important, if you’re really looking to protect your information, the sensitive information, focus on the data breaches not just the incidents.”
Cyber security is “top of mind not just for the IT organization that has the day-to-day responsibilities, but it’s increasingly become more important to the Board of Directors,” said Michele Dupré, group vice president at Verizon Enterprise Solutions, who heads up the company’s Canadian operation.
Those board members “have to become very savvy on what cyber security is, what it means to their brand,” Dupré said, which means they need a firm grasp of the risks and what their responsibilities are.