Threat Actors Increasingly Target the C-Suite
When considering a new business venture, companies look to where they can get the highest return on their investment. Malicious cyber actors engage in the same process. And in the past year, that process led them to target C-level executives with access to sensitive corporate information.
This attack focus is highlighted in the annual Verizon 2019 Data Breach Investigations Report (DBIR), which found that senior executives are 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than they were in the 2018 report.
“A successful pretexting attack on senior executives can reap large dividends as a result of their—often unchallenged—approval authority, and privileged access into critical systems,” according to the report. “Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to go through.”
The 12th version of the annual report analyzed 41,686 security incidents and 2,013 confirmed breaches from 86 countries. Verizon also worked with 73 contributors on the report, including the FBI for the first time.
Alex Pinto, head of Verizon security research and author of the report, says this was the main narrative that emerged after reviewing the data—that attackers are prioritizing targets that will give them the largest payout.
“The nature of phishing hasn’t changed,” Pinto adds, but Verizon saw a “huge uptick from maybe 1.5 percent of executives being targeted to 20 percent of executives this year.”
Executives are being targeted through a variety of attacks, including business email compromise (BEC) schemes (see “Spoofing the CEO,” Security Management, October 2016). Stressful work environments are also helping these types of attacks succeed, Verizon found.
“The increasing success of social attacks, such as business email compromises (which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime,” according to the report.
The industries that saw the largest increase in this type of activity were professional services, such as law offices and consulting partners.
“It’s interesting because, arguably, given how these companies work, they would probably be one of the best to target if you’re looking to exfiltrate email or have a combination of financial outcomes and secret data,” Pinto adds. “Those would be good C-level executives to target.”
Kevin O’Brien, CEO of cybersecurity firm GreatHorn, agrees with Pinto’s assessment and says that it’s no surprise that cyber criminals are increasingly targeting the C-suite.
“A well-timed email from the CEO can get employees to share sensitive financial information, while stolen credentials from this group grant them access to most of a company’s sensitive information,” he explains. “The majority of these attacks are coming via BEC attacks, which is why businesses need to use a holistic approach to email security that identifies, addresses, and reinforces business processes vulnerable to phishing.”
One positive finding in the report, however, is that when a successful BEC attack—one where an individual transferred money to a fraudster—was reported to the FBI’s Internet Crime Complaint Center (IC3) Recovery Asset Team, it was able to work with the destination bank to recover or freeze 99 percent of the funds in half of all cases.
“Only 9 percent had nothing recovered,” according to the report. “Let that sink in. BECs do not play out as well as it initially appears, and just because the attacker won the first round doesn’t mean you shouldn’t keep fighting.”
Another major finding from the report is the rising trend to share and store data in cloud-based solutions, which comes with its own set of security risks.
“Analysis found that there was a substantial shift towards compromise of cloud-based email accounts via the use of stolen credentials,” according to the report. “In addition, publishing errors in the cloud are increasing year-over-year. Misconfiguration led to a number of massive, cloud-based file storage breaches, exposing at least 60 million records in the DBIR dataset. This accounts for 21 percent of breaches caused by error.”
For instance, in February 2019, UW Medicine confirmed that a misconfigured Web server made internal files available and visible online on 24 December 2018—potentially affecting 974,000 patients.
“The files contained protected health information about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies, in compliance with Washington state reporting requirements,” the hospital said in a statement.
The hospital became aware that the information was online after a patient googled their name and found a file containing their personal health information. The patient reported it to UW Medicine. The hospital then worked with Google to have the files removed from its search results by 10 January 2019.
“We believe the risk of identity theft to you is negligible since no financial information or Social Security numbers were exposed,” UW Medicine said. “Even though the files contained your name and medical record number, the medical record number generally is only used for internal purposes, not for communicating with patients.”
To prevent similar incidents from happening, corporations need to have processes to identify and assess security risks from new technology.
Businesses “need access to cyber detection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyber threats,” said Bryan Sartin, executive director of security professional services at Verizon, in a press release. “Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses and impacts the bottom line.”
While the report found that specific targets and attack locations are changing over time, the tactics that criminals use to infiltrate them are largely remaining the same.
“There is an urgent need for businesses—large and small—to put the security of their business and protection of customer data first,” Sartin said. “Often, even basic security practices and common sense deter cybercrime.”
These general recommendations include implementing two-factor authentication, providing security training, and regularly assessing user privileges to prevent excessive access.
To aid organizations further, Verizon also included a variety of recommendations for each industry sector based on the trends identified in its 2018 data set.
For instance, in the professional, technical, and scientific services category, Verizon saw a rise in phishing and credential theft associated with cloud-based email accounts—similar to BEC attacks.
“Financial staff were the most likely to be compromised in incidents involving fraudulent transactions, but it should be noted that executives were compromised in 20 percent of the incidents and are six times more likely to be asset compromised in Professional Services breaches than the median industry,” according to the report.
To prevent this, the report’s authors recommended that these industry vectors use password managers and two-factor authentication to prevent static password use.
“Don’t forget to audit where all your doors are,” the authors added. “It doesn’t help to put XO-9s on most of your entrances if you’ve got one in the back rocking a screen door.”
The report’s authors also recommended monitoring email for links and executables and creating ways to report potential phishing.
“Set your staff up for success. Monitor what processes access personal data and add in redundant controls so that a single mistake doesn’t result in a breach,” they explained.
Verizon found that the healthcare sector stands out because most breaches are associated with internal actors who have access to the organization’s system.
“Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern for this vertical,” the report explained. “Across all industries, internal actor breaches have been more difficult to detect, more often taking years to detect than do those breaches involving external actors.”
To address these problems, the report recommended healthcare organizations identify where their data stores are, limit access to them, and track access attempts.
“Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs, and make a goal of finding any unnecessary lookups,” it explained.
Some organizations will not be able to implement these recommendations immediately, but Pinto says that they are designed to give organizations goals to move towards to improve their overall cybersecurity posture.
“Our job here is to give people a North Star,” he says. “We know that you have finite resources.”