2009 DBIR: Attack Difficulty
Posted by admin on April 15th, 2009
by Chris Porter
The relative difficulty of attacks leading to data compromise is an excellent indicator of both the current threat environment and the state of modern security programs. After each forensic investigation, our VzB investigators assess the attack and classify the difficulty into the following categories: None, Low, Moderate and High.
There are several rather interesting findings in this year's data. One is that attackers used simple methods of attack in over 50% of the breaches. The basic conclusion is that attackers still do not have to work very hard to get the data they want.
Another interesting finding in this data set relates to a new metric we added this year: each attack has also been analyzed for the number of records it compromised. The highly difficult attacks in this data set are responsible for 95% of the 285 million records breached.
I also found it interesting that when you look at an attack from end to end, the difficult part typically occurs after the criminal penetrates the perimeter. Most highly difficult attacks were given that classification because of the elaborate nature of the malware used to capture data rather than the hack used to get in the door. The latter usually involves more run-of-the-mill techniques.
What did you find interesting? Please share in the comments section below.
Tags: Computer Crime, Cybercrime, Data Breach Report, Data Breaches, Data Compromise, forensics, Information Security
Chris,
This is a bit confusing – if 83% of attacks were categorized as less than highly difficult, then what does 50% of breaches = “simple methods of attack” mean? What about the other 33%?
And, if 95% of the records stolen required attacks of high difficulty, who cares about the 5% of data that did not require attacks of high difficulty, especially if you are not a financial services company, where 93% of records were lost?
It seems that the message is that most attackers gain initial access with relative ease, and then, depending upon the robustness of other controls after that point, expend more or less effort.
So, I would have found two sets of categorizations helpful – a first one regarding initial access and a second one regarding difficulty of stealing something.
Regards,
Patrick Florer
Posted by: Patrick Florer on April 17th, 2009 at 2:07 pm, Dallas, Texas
Figure 22 in the report clarifies this a little further. We have attack difficulty broken down into 4 categories: None, Low, Moderate and High. The 31% for Moderate are described as “Skilled techniques, some customization, and/or significant resources required.”
You are correct in that most attackers gain initial access through easy means (default credentials!). What we found in our data is that the attackers typically employed more sophisticated methods once inside the network to get the data.
Also, we don’t know that 95% of records stolen *required* attacks of high difficulty, we just know that attacks of high difficulty were used.
Posted by: chris.porter on April 17th, 2009 at 8:15 pm