Dive Brief:

• Between 2014 and 2020, software installation accounted for 91% of cyber espionage-related breaches, according to Verizon's 2020 Cyber Espionage Report and Data Breach Investigations Report (DBIR). Across other kinds of breaches, software installation was only present in 43% of incidents.
• To qualify as a cyber espionage campaign, the incident has to have a combination of a data breach and provocation by an outside threat actor in an unauthorized fashion, said John Grim, distinguished architect, head of Research, Development, Innovation at Verizon Threat Research Advisory Center, during the SANS Institute Cyber Threat Intelligence Summit Thursday.
• It takes a matter of days to execute a compromise in more than one-quarter of cyber espionage campaigns, according to the report. Only 4% take months. By comparison, the time to compromise for 70% of all other breaches is minutes.

Dive Insight:

Cyber espionage breaches are one of the most difficult types of compromises to respond and recover from — as industry is seeing play out in the SolarWinds hack. 

When the initial compromise is complete, 30% of espionage threat actors exfiltrate the data in a matter of minutes. For all other types of breaches, data exfiltration is nearly evenly split between minutes (38%) and days (37%). 

"They're looking to gain access to heavily defended environments, they're moving low and slow," before exiting a network undetected, said Grim. 

Half of cyber espionage breaches are found because companies identified suspicious activity. Less than one-quarter of espionage cases are found via antivirus solutions and only 7% of cases are found by an emergency response team. Law enforcement and fraud detection typically uncover other types of breaches, according to Verizon. 

Finding suspicious activity is dependent on whether a company has Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) tools, and the talent to distinguish if the issue is malicious or rooted in an operational problem, said Grim. 

Breach-related attributes are modeled after the CIA triad of confidentiality, integrity and availability. Cyber espionage breaches and all other breaches have 100% confidentiality attributes, and 95% of cyber espionage breaches also have impact on integrity, according to Verizon. All other breaches only have 56% integrity attribution. 

Software installation speaks to the integrity attribution of breaches, whereas trade secrets or credentials are confidentiality-related. That kind of data is "probably harder to define, harder to monitor. You may not be able to define it in terms of your rules," Grim said. The data is "less tangible," in terms of personally identifiable information (PII), payment card industry (PCI) and protected health information (PHI) data. 

Unlike regulated data which typically has regulatory compliance, where cybercriminals would try to exchange it for money, "we wouldn't expect to see stolen cyber espionage-related data being sold on the dark web, we wouldn't expect that at all," said Grim. "We'd expect that to be a closed loop, where the threat actors are keeping that data to themselves for their specific objectives."