Compass points and decoder keys
Welcome to the Cyber-Espionage Report (CER), our first-ever data-driven publication on advanced cyberattacks. The CER is one of the most comprehensive overviews of the Cyber-Espionage landscape, offering a deep dive into attackers, their motives, their methods and the victims they target. The report serves as a tool for better understanding these threat actors and what organizations can do to hunt, detect and respond to Cyber-Espionage attacks.
This data-driven report draws from seven years of Data Breach Investigations Report (DBIR) content as well as more than 14 years of Verizon Threat Research Advisory Center (VTRAC) Cyber-Espionage data breach response expertise. The CER serves as a guide for cybersecurity professionals looking to bolster their organization’s cyberdefense posture and incident response (IR) capabilities against Cyber-Espionage attacks.
More specifically, the CER is an elaboration of the “Cyber-Espionage” Incident Classification Pattern as reflected in the 2020 DBIR. And as with the DBIR, we use the same naming conventions, terms and definitions. Content in this section and in “Appendix A: Frameworks” will help serve as your compass points and decoder keys for the rest of the report.
Using this report
Throughout the CER, we present and compare findings from a seven-year perspective (content from the 2014 DBIR through the 2020 DBIR): Cyber-Espionage breaches vs. all breaches. At times, we also address findings from a one-year (2020 DBIR) perspective: Cyber-Espionage breaches vs. all breaches. All references to years in this report are in DBIR years. For example, “2020 DBIR timeframe” refers to DBIR year 2020, which in turn correlates with the DBIR dataset timeframe of October 2018 to October 2019.
Data Breach Investigations Report
The 2020 DBIR is our 13th edition, covering global cybercrime trends. The DBIR combines real data from scores of sources and provides actionable insight into tackling cybercrime.
The Vocabulary for Event Recording and Incident Sharing (VERIS) framework is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. See “Appendix A: Frameworks.”
Incident Classification Patterns
Way back in 2014, to help us better understand and communicate the DBIR dataset, we grouped “like” incidents together and called them “Incident Classification Patterns.” Nine patterns comprised the majority of data breaches back then and still do so today. These patterns are Crimeware, Cyber-Espionage, Denial of Service, Lost and Stolen Assets, Miscellaneous Errors, Payment Card Skimmers, Point of Sale, Privilege Misuse, Web Applications and the catchall Everything Else. For definitions and summaries, see pages 36 to 37 of the 2020 DBIR.
The DBIR Cyber-Espionage pattern consists of espionage enabled via unauthorized network or system access. Nation-state or state-affiliated threat actors looking for those oh-so-juicy secrets primarily fall within this pattern.
We align the CER with the North American Industry Classification System (NAICS), a standard for categorizing victim organizations. NAICS uses two- to six-digit codes to classify organizations. For the CER, we use the two-digit classification level. We provide detailed analyses for seven NAICS-coded industries in “Appendix B: Industry dossiers.”
NIST Cybersecurity Framework
We use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) in this report. Specifically, we use the five functional areas of Identify, Protect, Detect, Respond and Recover. See “Appendix A: Frameworks.”
CIS Critical Security Controls
We also use the 20 Center for Internet Security (CIS) Critical Security Controls (CSCs) in this report. See “Appendix A: Frameworks.”