A Perspective on the Verizon Data Breach Investigations (DBIR) Report
If you were emailing fellow security geeks last week, the response may have been a little slow. The majority of us were hunkered down with a cup of coffee, diving into the Verizon Data Breach Investigations Report (DBIR). Not unlike the premiere of Game of Thrones (yes Jon Snow is dead, no he isn’t!), we laughed a little, cried a little and learned a lot (about hackers, breach data and embarrassment of pandas!).
If you didn’t have time to read the report, here are some insights:
According to this year’s Verizon data breach report, 82% of attacks compromise systems within minutes (time to compromise), while in 68% of breaches, data exfiltration occurs within days (time to exfiltration). 99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once.
This reflects how quickly hackers are modifying their code to avoid detection. In the majority of cases, the impacted organization doesn’t even realize it has been breached until informed by third parties.
Sound familiar? None of the data points critical to defenders, such as time-to-compromise and time-to-exfiltration, have improved. Hackers are getting faster and more sophisticated. The only improvement has been a reduction in the number of breaches that stay open for months or longer.
No surprise: phishing campaigns continue to be successful, similar to what we saw in our own customer deployments as outlined in the “Hacker’s Playbook”. According to the DBIR, there were a total of 9,576 incidents last year, 96 with confirmed data disclosure. In sanctioned phishing tests, 30% of users opened phishing messages and 12% clicked on attachments in less than 4 minutes.
Verizon suggested filtering emails, awareness training and monitoring of lateral movement and data exfiltration. Our recent RSA Peer to Peer session offers some additional suggestions from participants. We also recommend implementing cyberwar games that can validate your assumptions about people, process and technology.
As expected, attacks are getting more complex. The DBIR (and the graph referenced below) shows an increase in hacking, malware and social engineering over the past five years; these encompass techniques ranging from phishing, brute force and backdoors to stolen credentials and spyware. More importantly, within B2B customers, a foothold gained in one breach is being used against other customers. For example, credentials exfiltrated in a breach targeting point-of-sale vendors are then used against a second group of victims. This trend of multi-vector, multi-org breaches means that security defenders must not only secure their environment against a comprehensive set of hacker breach methods, but also understand and map how their risks align with those in their connected network: suppliers, partners and others in the industry.
Similar to last year, most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. The top 10 vulnerabilities still account for 85% of successful exploit traffic. Half of all exploitations happen between 10 and 100 days after the vulnerability is published, with the median around 30 days. But there are some odd discrepancies in the vulnerability data, as raised here. Until we get more clarification, keep patching, but remember that patching and compliance do not equate to security (see the hacker’s repertoire above).
Ransomware attacks have increased, rising to the number two type of malware within the “crimeware” category. In many ransomware cases, Flash is being exploited as the foothold into the organization. Interestingly enough, the rise in ransomware attacks could be attributed to attackers looking for more compelling ways to make a profit, given the decrease in the price per stolen payment record (outlined in the Appendix and contributed by Intel Security).
The Verizon Data Breach Investigations Report is an amazing reference for understanding attacks and breach patterns from incidents last year. Ideally, you should be doing this analysis within your own organization. If you can better map your own attack paths, you can better understand your risks and identify the remediation that’s most effective. As advised by the DBIR, “…if you are not addressing, to an appropriate level, your entire attack surface, you may be adding locks to a door while a window is left open.”
If you’re ready to understand your security posture from the perspective of an attacker, sign up for a SafeBreach assessment today.