Based on data collected for a previous Verizon Data Breach Investigations Report (DBIR), this latest report ranks cyber espionage sixth overall in terms of types of cyberattacks. The most prevalent type of attack overall is against web applications. However, the report finds the most prevalent type of cyber espionage attack involves installing software on an endpoint.
According to the report, approaches to cyber espionage typically involve malware (90%), social (83%) and hacking (80%). That compares to hacking (56%), malware (39%) and social (29%) for all types of data breaches.
John Grim, head of research, development, innovation at Verizon Threat Research Advisory Center, said much of that software is being installed using the remote desktop management tools that IT organizations already have in place. Rather than trying to install malware using their own tools, organizations that engage in cyber espionage find it easier to compromise tools that are already installed, he noted.
That approach makes it significantly more difficult for internal IT teams to discover activity that appears to be just another routine IT support incident, he said.
Endpoints are being targeted because the primary motivation for a cyber espionage attack is not financial. Rather than looking to extort money, Grim said these attacks primarily are conducted by entities working on behalf of nation-states that are looking to steal intellectual property to benefit their own economies. If a new competitor emerges with an offering that appears to be strikingly similar to a product an organization currently offers, it’s a strong indication that an organization’s IP was compromised, noted Grim.
Organizations, of course, will spend years researching and developing IP, so the economic damage is substantial when it’s stolen. Proving that IP was stolen is exceedingly difficult, so suing a new competitor doesn’t tend to bring much satisfaction. It’s up to each organization to make sure that R&D departments are especially secure, he said.
Unfortunately, according to the Verizon report, the time it takes for entities to compromise a system is measured in seconds to days, while the time to discover is measured in months and years. Not only is the dwell time for these attacks long, but Grim also noted it can take organizations weeks to contain them.
Defending IP requires constant vigilance that many organizations may not have the internal resources to deliver. Grim said organizations should evaluate which digital assets might require the expertise of a managed security service provider (MSSP) to protect. At a time when cybersecurity expertise is still scarce, organizations that rely solely on internal IT teams to secure their IP are asking a lot of a team that is already stretched thin, he noted.
Of course, it’s difficult to say with absolute certainty whether cyber espionage attacks are increasing or decreasing. However, as the global economy remains challenging, chances are good more nation-states will be looking to cut as many R&D corners as they can.