
Verizon Data Breach Report 2016: Key takeaways for defenders

Bob Rudis, Chief Security Data Scientist, Rapid7

Verizon has released the 2016 edition of its annual Data Breach Investigations Report (DBIR). Its crack team of researchers has, once again, produced one of the most respected, data-driven reports in cybersecurity, sifting through submissions from 67 contributors and taking a deep dive into more than 64,000 incidents—and nearly 2,300 breaches—to help provide insight on what our adversaries are up to and how successful they've been.

The DBIR is a highly anticipated research project and has valuable information for many groups. Policy makers use it to defend legislation; pundits and media use it to crank out scary articles; other researchers and academics take the insights in the report and identify new avenues to explore; and vendors quickly identify product and service areas that are aligned with the major findings. Yet the data in the report is of paramount import to defenders. With over 80 pages to wade through, I thought it might be helpful to provide some waypoints that you could use to navigate this year's breach and incident map. 

[I dig deeper into the 2016 Verizon Data Breach Investigations Report findings in a new webcast. A recording of the session is now available to view on-demand.]

Bigger is…better?

There are a couple of gotchas with data submitted to the DBIR team. The first is that a big chunk of the data comes from the U.S. public sector, where there are mandatory reporting laws, regulations, and requirements. The second is the huge number of unknowns. The DBIR acknowledges this, and it's still valuable to look at the data, even with this gray blob (okay, ours is green, below) of uncertainty in the mix. You can easily find your industry in DBIR Tables 1 & 2 (pages 3 & 4), and if we pivot on that data, we can see the distribution of the percentage of incidents that are breaches:

[Figure: distribution of the percentage of incidents that are breaches, by industry]

We've removed the "Public (92)" industry from this set to get a better sense of what's happening across general industries. For the DBIR, there were more submissions of incidents with confirmed data disclosure for smaller organizations than large (i.e., be careful out there, SMBs), but there's also a big pile of unknowns:

[Figure: incidents with confirmed data disclosure by organization size, with the unknowns shown separately]

We can also take another, discrete view of this by industry: 

[Figure: incidents vs. confirmed breaches, by industry]

(Of note: it seems that even the DBIR has unknown unknowns.) 

As defenders, you should be reading the report with an eye toward your industry, size, and other characteristics to help build up your threat profiles and benchmark your security program. Take your incident-to-breach ratio (you are using VERIS to record and track everything from antivirus hits to full on breaches, right?) and compare it to the corresponding industry/size. 
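As an added example (not the post's or Rapid7's code), here is how that incident-to-breach ratio can be computed from your own VERIS-style records, keeping the "unknown" bucket visible the way the report does. The field names follow the VERIS schema; the sample records and the benchmark figure are constructed for the example.

```python
# Added example (not from the post): incident-to-breach percentage from
# VERIS-style records, with the "Unknown" disclosure bucket kept visible.
from collections import Counter, defaultdict

def rec(size, disclosure=None):
    """Minimal VERIS-style record (constructed). Field names follow VERIS:
    victim.employee_count and attribute.confidentiality.data_disclosure."""
    if disclosure is None:  # availability-only incident, no confidentiality attr
        attr = {"availability": {"variety": ["Interruption"]}}
    else:
        attr = {"confidentiality": {"data_disclosure": disclosure}}
    return {"victim": {"employee_count": size}, "attribute": attr}

# Constructed sample: a small and a large victim group.
SAMPLE_INCIDENTS = (
    [rec("1 to 10", d) for d in ("Yes", "Yes", "Unknown", "No")]
    + [rec("1001 to 10000", d)
       for d in ("Yes", "No", "Unknown", "Unknown", "Potentially")]
    + [rec("1001 to 10000")]
)

def disclosure(record):
    """Disclosure state; no confidentiality attribute means a known
    non-breach, which must not be lumped in with 'Unknown'."""
    conf = record.get("attribute", {}).get("confidentiality")
    return "No" if conf is None else conf.get("data_disclosure", "Unknown")

def breach_profile(records, key=lambda r: r["victim"]["employee_count"]):
    """Per group: incidents, confirmed breaches ('Yes' only, as the DBIR
    counts them; 'Potentially' is not a breach), unknowns, and both
    percentages taken over all incidents in the group."""
    buckets = defaultdict(Counter)
    for r in records:
        buckets[key(r)][disclosure(r)] += 1
    profile = {}
    for group, c in buckets.items():
        total = sum(c.values())
        profile[group] = {"incidents": total, "breaches": c["Yes"],
                          "unknown": c["Unknown"],
                          "breach_pct": round(100 * c["Yes"] / total, 1),
                          "unknown_pct": round(100 * c["Unknown"] / total, 1)}
    return profile

def compare_to_benchmark(profile, benchmark_pct):
    """Your breach % minus the figure you read off the DBIR tables for the
    matching industry/size (the benchmark numbers you pass are yours)."""
    return {g: round(p["breach_pct"] - benchmark_pct[g], 1)
            for g, p in profile.items() if g in benchmark_pct}
```

Swap the `key` argument for one that reads `victim.industry` to get the per-industry view instead of the per-size view.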

The single most valuable chart in the world (for defenders)

When it comes right down to it, you're usually fighting an economic battle with your adversaries. In this year's report, Figure 3 (page 7) shows that the motivations are still primarily financial and that hacking, malware, and social engineering are the weapons of choice for attackers. We'll dive into that in a bit, but we need to introduce our take on DBIR Figure 8 (page 10) before continuing:

[Figure: our take on DBIR Figure 8, the detection deficit over time]

We smoothed out the rough edges from the 2016 Verizon Data Breach Report to paint a somewhat clearer picture of the overall trends and used a complex statistical transformation (i.e., subtraction) to just focus on the smoothed gap:

[Figure: "Part Deux", the smoothed detection-deficit gap]

Remember, the DBIR data is a biased sample from the overall population of cybersecurity incidents and breaches that occur, and every statistical transformation introduces more uncertainty along the way. That means your takeaway from "Part Deux" should be "We're not getting any better" vs "THE DETECTION DEFICIT TOPPED 75 PERCENT FOR THE FIRST TIME IN HISTORY!"

So our adversaries are accomplishing their goals in days or less at an ever-quickening success rate, while defenders are just not keeping up at all. Before we can understand what we need to do to reverse these trends, we need to see what the attackers are doing. We took the data from DBIR Figure 6 (page 9) and pulled out the top threat actions for each year, then filtered the result to the areas that match both the major threat action categories and the areas of concern that Rapid7 customers have a keen focus on:

[Figure: top threat actions per year, filtered from DBIR Figure 6]

Some key takeaways:

  • Malware and hacking events dropping C2s are up.
  • Keyloggers are making a comeback (this may be an artifact of the heavy influence of Dridex in the DBIR data set this year).
  • Malware-based exfiltration is back to previously seen levels.
  • Phishing is pretty much holding steady, which is most likely supporting the use of compromised credentials (which is trending up). 

Endpoint monitoring, kicking up your awareness programs, and watching out for wonky user account behavior would be wise things to prioritize based on this data.

Not all Cut-and-Dridex

The Verizon Data Breach Report mentions Dridex 13 times and was very up front about the bias it introduced in the report. So how can you interpret the data with "DrideRx" prescription lenses? Rapid7's Analytic Response Team notes that Dridex campaigns involve:

  • Phishing
  • Endpoint malware drops
  • Establishment of command and control (C2) on the endpoint
  • Harvesting credentials and shipping them back to the C2 servers 

This means that—at a minimum—the data behind the Data Breach Investigations Report, Figures 6-8 & 15-22, impacted the overall findings and Verizon itself warns about broad interpretations of the Web App Attacks category:

"Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions."

So, when interpreting the results, keep an eye out for the above components and factor in the Dridex component before tweaking your security program too much in one direction or another.

Who has your back?

When reading any report, one should always check to make sure the data presented doesn't conflict with itself. One way to add a validation to the above detection deficit is to look at DBIR Figure 9 (page 11), which shows (when known) how breaches were discovered over time. We can simplify this view as well:

[Figure: simplified view of DBIR Figure 9, how breaches were discovered over time]

In the significant majority of cases, defenders have law enforcement agencies (such as the FBI in the United States) and other external parties to "thank" for letting them know they've been pwnd. As our figure shows, we stopped being able to watch our own backs half a decade ago and have yet to recover. This should be a wake-up call to defenders to focus on identifying how attackers are getting into their organizations and instrumenting better ways to detect their actions. 

Are you: 

  • Identifying critical assets and access points?
  • Monitoring the right things (or anything) on your endpoints?
  • Getting the right logs into the right places for analysis and action?
  • Deploying honeypots to catch activity that should not be happening?

If not, these may be things you need to reprioritize in order to force the attackers to invest more time and resources to accomplish their goals (remember, this is a battle of economics).

Are you feeling vulnerable? 

Attackers are continuing to use stolen credentials at an alarming rate, and they obtain these credentials through both social engineering and the exploitation of vulnerabilities. Similarly, lateral movement within an organization also relies—in part—on exploiting vulnerabilities. DBIR Figure 13 (page 16) shows that, as a group, defenders are staying on top of current and year-minus-one vulnerabilities fairly well:

[Figure: DBIR Figure 13, exploited vulnerabilities by age]

We're still having issues patching or mitigating older vulnerabilities, many of which have tried-and-true exploits that will work juuuust fine. Leaving these attack points exposed is not helping your economic battle with your adversaries, as letting them rely on past R&D means they have more time and opportunity. How can you get the upper hand? 

  • Maintain situational awareness when it comes to vulnerabilities (i.e. scan with a plan).
  • Develop a patching strategy with a holistic focus, rather than just reacting to Patch Tuesday.
  • Don't dismiss mitigation. There are legitimate technical and logistical reasons that can make patching difficult. Work on developing a playbook of mitigation strategies you can rely on when these types of vulnerabilities arise.

"Threat intelligence" was a noticeably absent topic in the 2016 DBIR, but we feel that it can play a key role when it comes to defending your organization when vulnerabilities are present. Your vuln management, server/app management, and security operations teams should be working in tandem to know where vulnerabilities still exist and to monitor and block malicious activity that is associated with targets that are still vulnerable. This is one of the best ways to utilize all those threat intel feeds you have gathering dust in your SIEM.
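An added example (not from the post or Rapid7) of the join those teams need to make: indicator hits in firewall log lines are annotated with the internal host's patch state, so that hits involving hosts still carrying older unpatched findings come to the top of the queue. The host names, addresses, finding ids, log layout and report year are all constructed placeholders.

```python
# Added example (not from the post): rank threat-intel indicator hits by
# whether the internal host involved is still carrying an unpatched finding,
# and how old that finding is. All hosts, addresses and ids are constructed.
import re

REPORT_YEAR = 2016  # "current" year for aging findings, as in DBIR Figure 13

# Constructed vulnerability inventory: host -> open findings (placeholder ids).
OPEN_VULNS = {
    "web-01": [{"id": "VULN-PLACEHOLDER-A", "year": 2012}],  # old, exploits mature
    "app-02": [{"id": "VULN-PLACEHOLDER-B", "year": 2016}],  # current year
    "db-03": [],                                             # fully patched
}
# Constructed indicator feed entries (documentation-range addresses).
INDICATORS = {"203.0.113.10": "known C2", "198.51.100.7": "phishing host"}
# Constructed firewall log lines in a simple key=value layout.
LOG_LINES = [
    "2016-05-01T10:00:01Z src=203.0.113.10 dst=web-01 action=allow",
    "2016-05-01T10:00:05Z src=192.0.2.44 dst=app-02 action=allow",
    "2016-05-01T10:00:09Z src=app-02 dst=198.51.100.7 action=allow",
    "2016-05-01T10:00:12Z src=203.0.113.10 dst=db-03 action=allow",
]
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) action=(\S+)$")

def patch_state(host):
    """'none' (nothing open), 'recent' (this or last year) or 'old'."""
    findings = OPEN_VULNS.get(host, [])
    if not findings:
        return "none"
    return "old" if min(f["year"] for f in findings) < REPORT_YEAR - 1 else "recent"

def triage(lines):
    """Indicator hits joined with the internal host's patch state, ordered
    old-unpatched first, then recent-unpatched, then patched hosts."""
    rank = {"old": 0, "recent": 1, "none": 2}
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than miscount
        ts, src, dst, _action = m.groups()
        for external, internal in ((src, dst), (dst, src)):
            if external in INDICATORS:  # inbound from or outbound to an indicator
                hits.append({"time": ts, "host": internal, "indicator": external,
                             "context": INDICATORS[external],
                             "patch_state": patch_state(internal)})
    return sorted(hits, key=lambda h: (rank[h["patch_state"]], h["time"]))
```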

There and back again 

This post outlined just a few of the interesting markers on your path through the Verizon Data Breach Report. Share your thoughts below.


(Many thanks to Rapid7's Roy Hodgman and Rebekah Brown for their contributions to this post.)


Image credit: Flickr
