RSA: Verizon details data breaches from pirates to pwned water district
In another, attackers took control of the mainframe at a water district, mixed sewage with the drinking water, boosted the chlorine to dangerous levels and stole customer information.
These are two of 18 representative case studies in Verizon’s new Data Breach Digest, a compendium of anonymized customer investigations performed by the company’s Research, Investigations, Solutions and Knowledge (RISK) Team and released at RSA Conference 2016.
+ NOT AT THE SHOW Follow all the news from RSA 2016 +
The Data Breach Digest, new this year, is a companion to Verizon’s well established annual Data Breach Investigations Report (DBIR), which is heavy on metrics, graphs and statistics about cyber-threat trends, how to predict them and how to prevent them.
The Data Breach Digest tells the stories behind the metrics that give readers a trench-level view of what it’s like to investigate these breaches and a sense of what it feels like to be the victim.
The goal of the report is to give a trench-level view of the predicaments breach victims find themselves in, and the stories serve as object lessons readers can use to defend their own networks, says Bryan Sartin, director of the RISK Team. “The DBD is a great big book of monsters,” he says.
Bryan Sartin, director of the RISK Team
For the digest, Verizon looked at three years of data breach investigations – about 1,200 customer cases. “What we found completely shocked us,” he says. “Almost 65% of the investigations can be explained in 12 breach categories.” These are the same bad stories that play out in somebody’s back office, one enterprise after another,” Sartin says.
To that dozen, Verizon added six more categories because they were the most lethal, not because they were common. That brings the total to 18, which Verizon then broke down into four types:
In its war against breaches, Verizon took a page from the U.S. Army’s combat-engagement model that has troops study the most lethal and common methods of engagement they are most likely to face in actual combat. “That’s exactly what we’ve done here,” he says.
The value is that it can help teach smart security by learning from others’ mistakes, he says. It’s organized so, for example, a security pro in retail can look up cases that were carried out against retailers. Just three or four attack scenarios might account for 50% or 60% of all breaches in their sector, helping to focus their defenses.
The digest refers to the case of the hacked water district as Dark Shadow. The district called Verizon in for an assessment and were adamant they didn’t have a breach, but it soon became apparent some kind of breach was underway.
The Verizon team discovered unauthorized access on a Web server where customers could check water-meter readings and pay their bills. A breach of that server led to compromise of personally identifiable information on the server, and that compromise led to exploiting some weak configurations on other devices. Specifically it compromised the mainframe that controlled the valves and ducts that routed the water.
“They started basically joyriding on that,” Sartin says. They connected fresh water and sewage lines, which was caught by monitoring devices. They also leaked large quantities of chlorine into the water supply up to dangerous levels.
In the case of the pirates, dubbed The Roman Holiday, Verizon was called in to investigate a suspected breach at a container shipping company.
Pirates in certain parts of the world were raiding the company’s ships, and the crews would lock themselves in a safe area as per protocol and let the pirates do what they wanted and leave. “The pirates would come in and very quickly and surgically identify a certain container based upon bar code and/or serial number, cut into that container, take certain valuables in it…and then they would leave,” he says. In particular they were looking for jewelry.
A breach on a content management server located 1,000 miles away that contained manifest information about shipping routes and schedules and the content of each container. The data was sold to a gang that sold it to another gang till it wound up in the hands of the pirates. “I can’t speak in that case whether or not the pirates were actually captured,” he says.