So How Good Are Sectors for Predicting Risk?

Based on these analyses, it appears that the answer is “not bad, but it depends.” On one hand, we can identify specific patterns that seem to map to characteristics about those sectors. We already knew that the Retail Trade sector is heavily targeted by attacks that are efficient for harvesting payment card information. The Finance and Insurance sector is notably variable in terms of breach methods but features few web exploits; human mistakes, not vulnerabilities, make up a large number of its incidents. On that level, it looks like sectors are a useful piece of information to collect about breaches.

However, the prevalence of targeted campaigns of web exploits against sectors like Educational Services and Other Services (meaning, for our purposes, professional advocacy organizations and trade unions) also shows that the moment that sector no longer correlates to more tactical target attributes like stored information type, it loses much of its predictive power. A heavy, concerted campaign of web exploits against secondary schools probably wouldn’t have been a primary concern to anyone—until a vendor shipped e-learning software with an exploitable vulnerability in it. The attackers then moved to seize an opportunity that presented itself, irrespective of what a sectoral analysis might have predicted.

This, in essence, is the clue to what sectors are good for. They give us a rough sense of what to expect in the absence of more precise targeting information. However, the moment something changes about the target—such as an extant vulnerability, the publication of a weaponized exploit, or a shift in business model that alters the type of data stored—the sector no longer serves as a good indicator.

This observation, in turn, provides us with a sense of how the kind of analyses contained in this article and in the broader APR report relate to tactical threat intelligence whose output is automated signatures and not articles. Threat intelligence, narrowly conceived, starts at the level of vulnerability and ends at the level of exploit. Broader security research starts, and often ends, at the level of sectors, and by association, compliance. This is also the level at which a lot of technological sales and strategy happens. One of the future goals for the APR series is to gather and analyze data that allows us to link these two disparate realms, in keeping with our goal to unite tactics and strategy in cybersecurity.