Hacktivists have become big-time data thieves, widely use DDoS diversionary tactics, Verizon breach report shows

March 22, 2012

Posted in: Network Security Trends

The sudden emergence of hacktivists as data thieves on a massive scale, revealed in this year’s Verizon Data Breach Investigations Report, is game-changing news. In 2011, hacktivists were responsible for 100 million of the 174 million records stolen in cases investigated by Verizon and participating international law enforcement agencies. By comparison, the number of records stolen in hacktivist breaches in 2010 was too low to be worth noting.

While you’re still trying to absorb that shock, absorb this: Those trademark DDoS attacks that have put hacktivist groups, such as LulzSec and Anonymous, on the virtual map are generally used as smoke screens to divert attention from the real target: data theft. We’ve been well aware that DDoS is often used as a smoke screen to hide surreptitious attacks on sensitive data (the theft of 77 million customer records in the Sony PlayStation Network data breach, for example, was preceded by a DDoS attack), but Verizon now provides metrics to support the scope of the threat. It’s a very common tactic employed to steal information on a massive scale.

“These tactics are very, very popular. Very often, denial of service attacks are just diversionary tactics to divert security professionals in the victim organization to deal with that problem while the real attack is happening behind the scenes,” says Bryan Sartin, Verizon Business’ director of investigative response. “We’ve become quite adept at recognizing that nested attack. More often than not we keep getting engaged in situations where the company thought they were going to take the breach and deal with it head on themselves and didn’t see the diversionary tactic at all.”

If the need to detect and stop DDoS attacks has been low among your priorities, this news may raise it a notch. These startling findings also undercut the argument that DDoS is a legitimate form of protest. This is not civil disobedience.
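The practical lesson of the nested attack Sartin describes is that a DDoS alert should widen monitoring rather than narrow it. The following is an added example, not code from the original post or from Verizon: it takes a DDoS alert time and a set of constructed NetFlow-style outbound records, compares each internal host’s outbound volume during the attack window against the same-length period just before it, and flags hosts whose egress jumps while the edge is busy with the flood. Host names, addresses, byte counts and thresholds are all assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): one edge alert for a volumetric
# flood, and outbound flow records as (timestamp, internal host, dst, bytes).
DDOS_ALERTS = [
    ("2012-03-21T14:00:00", "volumetric SYN flood against public web tier"),
]
FLOWS = [
    ("2012-03-21T13:10:00", "db01",  "203.0.113.10",   2_000_000),
    ("2012-03-21T13:40:00", "db01",  "203.0.113.10",   1_500_000),
    ("2012-03-21T14:05:00", "db01",  "198.51.100.7", 800_000_000),
    ("2012-03-21T14:20:00", "db01",  "198.51.100.7", 900_000_000),
    ("2012-03-21T14:10:00", "web03", "203.0.113.44",   3_000_000),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_egress_spikes_during_ddos(flows, alerts, window=timedelta(hours=1),
                                   ratio=10.0, min_bytes=50_000_000):
    """Return (host, bytes_during_attack, bytes_in_baseline) for every host
    whose outbound volume in the window after a DDoS alert is at least
    min_bytes and more than `ratio` times its volume in the window before."""
    findings = []
    for alert_ts, _description in alerts:
        start = parse_ts(alert_ts)
        end = start + window
        baseline_start = start - window
        during = defaultdict(int)
        baseline = defaultdict(int)
        for ts, host, _dst, nbytes in flows:
            t = parse_ts(ts)
            if start <= t < end:
                during[host] += nbytes
            elif baseline_start <= t < start:
                baseline[host] += nbytes
        for host, attack_bytes in sorted(during.items()):
            # max(..., 1) keeps a host with no prior egress from dividing by zero
            if attack_bytes >= min_bytes and attack_bytes > ratio * max(baseline[host], 1):
                findings.append((host, attack_bytes, baseline[host]))
    return findings


if __name__ == "__main__":
    for host, hot, cold in find_egress_spikes_during_ddos(FLOWS, DDOS_ALERTS):
        print(f"{host}: {hot} bytes out during DDoS window vs {cold} before")
```

In the sample data the database host moves roughly 1.7 GB out to a single external address while the web tier is under flood, which is exactly the signal the diversion is meant to bury.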

The number of hacktivist-executed data breach cases was actually quite low — only 3% of the 855 cases investigated — but the victim companies were almost exclusively larger organizations, and the haul of records was consequently out of proportion. It stands to reason that hacktivists’ targets will usually be high-profile organizations that will suffer publicly for whatever reason the attackers have singled them out. (There are exceptions, such as the theft of 2.6 GB of email from Puckett Faraj, the law firm that represented the U.S. Marine accused of leading a massacre of civilians in Iraq.)

The numbers held true among the cases across the contributing organizations, Sartin says. In addition to Verizon, which accounted for about 10% of the breaches included in the report, the participants include the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting and Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police.

Hacktivists, perhaps surprisingly, are also executing the most sophisticated attacks, by and large. Again, it stands to reason. The victims are among the largest organizations, with strong security policies and controls, better detection tools, and more numerous, better trained and more experienced security personnel than smaller organizations. Cyber criminals, on the other hand, are increasingly preying on smaller, weaker organizations with automated attack tools — what Verizon dubs “the industrialization trend” in cyber crime.

Further evidence: Half the victims of hacktivist breaches know in advance that they are going to be hit, by whom, and even when, within a window of as little as four hours. They pick up intelligence via Internet chatter, Twitter, etc. And yet the attacks usually succeed, because of their sophisticated tactics and mechanisms.

“So they know all this about the attack, yet so often the attacks are still successful,” Sartin says. “There are many different examples of this, but one of the most compelling is the diversionary DDoS tactics.

“Hacktivism is definitely here to stay. This year saw dramatic change: More of the data is stolen by hacktivism than any other category. By next year I would not be surprised if most of the cases we see are hacktivist in nature. It’s a trend that will be here for a while.”

In tomorrow’s post, I’ll go into some more of the findings in this year’s report, and draw some perspective from what we’ve learned from Verizon and the Symantec-sponsored Ponemon Institute annual report on the cost of data breaches issued earlier this week.