Verizon’s 2019 Data Breach Investigations Report (DBIR) is probably this year’s second-most anticipated report (after Robert Mueller’s). In its 12th edition, the security report contains details on more than 2,000 confirmed data breaches in 2018, taken from more than 70 reporting sources and analyzing more than 40,000 separate security incidents.
What sets the DBIR apart is that it combines breach data from many contributors using a common schema, VERIS (the Vocabulary for Event Recording and Incident Sharing), so that incidents recorded by different organizations can be anonymized and compared on the same terms. That gives the report an authoritative voice, which is one reason it is so frequently quoted. Many of the contributors are security vendors reporting from their own telemetry, though, so the report is also a bit self-referential.
I'm calling the six trends below megatrends because they are big issues, and my intent is to put them in a larger context. I broke them into two groups: one where the DBIR and other sources generally agree, and one where opinions are mixed. Read the report to determine what applies to your own situation, but in the meantime, let's take a look at the big six.
Three commonly agreed-upon trends
The C-suite has become the weakest link in enterprise security. This is especially true as the success rate of generic phishing continues to decline. The DBIR found executives up to 12 times more likely to be the target of social-engineering incidents than in past years, largely because of better spear-phishing. The rate varies by vertical market; the report says, for example, that executives in professional services firms are six times more likely than other executives to be spear-phishing targets.
“A successful pretexting attack on senior executives can reap large dividends as a result of their—often unchallenged—approval authority and privileged access into critical systems,” according to the DBIR. CrowdStrike sees the same trend in its 2019 Global Threat Report, citing several well-known malware campaigns run by North Korean, Russian, and Chinese state-sponsored groups.
“Increasing targeting of C-level execs is the new reality, and [these executives] must make sure that the critical data is secured where it is stored,” says Dan Tuchler, chief marketing officer at SecurityFirst.
Senior executives are also more likely—by wide margins—to be targets of breaches that involve attacks that use social media ploys. “The drastic increase in social attacks on C-level personnel points to the increased demand for cybersecurity awareness in the C-suite,” says George Wrenn, founder and CEO at CyberSaint Security.
IT takeaways: Run periodic security awareness training that includes executives, not just staff. Set up treasury and payment-processing duties with dual-control (two-party) approval, and put multifactor authentication (MFA) on every account that can initiate or approve a payment. And spend time learning how your executives actually work, so you can protect them where they are exposed.
The rise of nation-state actors continues. Nation-state hacking groups once went after specific targets, such as Iranian nuclear facilities or Ukraine's power grid. Now everyone is fair game. These government-sponsored groups target all kinds of industries and networks to disrupt business, steal trade secrets, and score points back home with dictators and other corrupt leaders. The DBIR shows a marked increase in nation-state activity, with 25 percent of all breaches now motivated by cyber-espionage, a figure consistent with other anecdotal research. The authors are careful to note that the increase could reflect better attribution to nation-state sources rather than simply more such breaches.
IT takeaways: Not every breach has a direct monetary loss. IT managers must expand their definition of sensitive data to include business secrets, such as customer purchase details and proprietary sales figures. Also, the majority of nation-state breaches were caused by phishing lures, so better and more frequent security awareness training also applies here.
Careless cloud users continue to thwart even the best-laid security plans. The news is full of data stores exposed to the internet because someone never set a password on a cloud account or database. Behind much of the rest is password reuse, combined with the enormous number of credentials already stolen in the mega-breaches of the past decade. “Certainly, credential theft seems to be more prevalent and consistent in many more breaches,” says Adam Laub, senior vice president of product management at StealthBits Technologies. “Why try to hack into an organization when you can just reuse easily guessed passwords?” notes Tyler Owen, director of solution engineering at CipherCloud.
Another aspect of careless cloud usage is how often cloud-based email services are compromised. The DBIR reports that in 60 percent of web application compromises, the compromised application was the front end to a cloud-based email service. Why this route? Mainly because a compromised web-mail account is a stepping stone into many other corporate resources. “Criminals are also finding it far easier to target the cloud to use stolen passwords, API vulnerabilities, or misconfiguration to take over accounts and access all information like an authorized user,” says Pravin Kothari, CEO at CipherCloud.
IT takeaways: Spend more time and effort protecting your cloud services, and enforce MFA on every cloud account. Investigate cloud access security broker (CASB) products. Also check public breach sources such as HaveIBeenPwned to determine whether any corporate credentials are already circulating in the wild.
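One concrete way to act on that last point is Have I Been Pwned's Pwned Passwords range API, which lets you test a password against the leaked-password corpus without ever sending the password or its full hash: you send only the first five hex characters of the SHA-1 digest and compare the returned suffixes locally. The code below is an added example written for this article, not code from Verizon, the DBIR, or HIBP. The endpoint URL and the `SUFFIX:COUNT` response format are the real API's; the `constructed_range_fetcher`, its hit count for `password`, and the sample account labels are constructed so the check runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher maps a 5-hex-character SHA-1 prefix to the raw body returned by
# https://api.pwnedpasswords.com/range/<prefix>: one "SUFFIX:COUNT" line per
# leaked hash sharing that prefix. Injecting it keeps the check testable offline.
RangeFetcher = Callable[[str], str]


def sha1_hex_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the API's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    Only the first 5 hex characters of the hash leave this process; the
    remaining 35 are compared locally against the returned suffixes.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def screen_passwords(candidates: Dict[str, str], fetch_range: RangeFetcher,
                     min_count: int = 1) -> List[Tuple[str, int]]:
    """Return (label, count) for every candidate seen at least min_count times."""
    hits: List[Tuple[str, int]] = []
    for label, password in candidates.items():
        n = pwned_count(password, fetch_range)
        if n >= min_count:
            hits.append((label, n))
    return hits


def live_range_fetcher(prefix: str) -> str:
    """Real call to the HIBP range API (no API key needed for this endpoint)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "corp-credential-hygiene-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API. "password" genuinely is in the HIBP
# corpus, but the count below and the neighbouring suffixes are made up.
_CONSTRUCTED_RANGES = {
    sha1_hex_upper("password")[:5]: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        sha1_hex_upper("password")[5:] + ":3730471",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]) + "\r\n",
}


def constructed_range_fetcher(prefix: str) -> str:
    # The real API returns a (padded) list for every prefix; emulate that with
    # one non-matching made-up suffix for prefixes we did not script.
    return _CONSTRUCTED_RANGES.get(prefix, "0" * 35 + ":1\n")


if __name__ == "__main__":
    # Constructed sample: labels are hypothetical, not real accounts.
    sample = {"helpdesk-shared": "password", "cfo-laptop": "Tq7!vZ2#pLw9@mB4xR"}
    for label, count in screen_passwords(sample, constructed_range_fetcher):
        print(f"{label}: seen {count} times in leaked data; rotate it")
```

Swap `constructed_range_fetcher` for `live_range_fetcher` to query the real service. Because the API only ever sees a five-character prefix, this is safe to run against passwords you hold (for example, during a password change, before accepting the new value); checking whether specific corporate email addresses appear in breaches is a separate HIBP API that requires an API key and is not shown here.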
Three trends where opinions are mixed
Are insider or outsider threats more important? Depending on whom you read, you can come down on either side of this question. The DBIR says outsiders accounted for roughly two-thirds of the breaches it analyzed last year. That is consistent with a number of other sources, such as the Breach Level Index chart summarizing the largest historical data breaches: virtually none of them were inside jobs.
On the other hand, other surveys point to insiders: For example, a Bitglass survey of 400 respondents found that 60 percent had experienced an insider attack in the past year. Another survey of 150 IT pros in Veriato’s 2019 Insider Threat Maturity Report found that “the majority of organizations have no formal team in place to establish inside-threat policies and processes, and a majority of those surveyed allocated no budget for a program despite being generally supportive of the idea.”
IT takeaways: No matter whom you believe, always mitigate insider threats by offboarding staff carefully and removing their access rights promptly when they quit or are terminated. But don't lose sight of the fact that most threats originate from outside.
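Offboarding fails quietly: the HR record says someone left, but the account stays enabled and keeps logging in. The check below reconciles an HR termination export against an identity-provider account export and flags accounts that are still enabled after a grace period, accounts that logged in after the owner's termination date, and accounts with no HR owner at all (orphaned or service accounts that need an owner). This is an added example written for this article, not code from Verizon, the DBIR, or any survey it cites; the two CSV exports are constructed, and it assumes the identity-provider username equals the HR email address.

```python
import csv
import io
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR export (not real data): termination_date is blank while employed.
HR_ROSTER_CSV = """employee_id,email,termination_date
1001,Alice@example.com,
1002,bob@example.com,2019-05-03
1003,carol@example.com,2019-05-20
"""

# Constructed identity-provider export; username is assumed to equal the HR email.
ACCOUNTS_CSV = """username,enabled,last_login
alice@example.com,true,2019-05-28
bob@example.com,true,2019-05-27
carol@example.com,false,2019-05-19
svc-backup@example.com,true,2019-05-28
"""


def _parse_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_roster(csv_text: str) -> Dict[str, Optional[date]]:
    """email -> termination date (None while still employed)."""
    roster: Dict[str, Optional[date]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        roster[row["email"].strip().lower()] = _parse_date(row["termination_date"])
    return roster


def load_accounts(csv_text: str) -> Dict[str, Dict[str, object]]:
    """username -> {'enabled': bool, 'last_login': date | None}."""
    accounts: Dict[str, Dict[str, object]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts[row["username"].strip().lower()] = {
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": _parse_date(row["last_login"]),
        }
    return accounts


def offboarding_findings(roster: Dict[str, Optional[date]],
                         accounts: Dict[str, Dict[str, object]],
                         today: date, grace_days: int = 1) -> List[Tuple[str, str]]:
    """Accounts that should have been removed, plus accounts nobody in HR owns."""
    findings: List[Tuple[str, str]] = []
    for username in sorted(accounts):
        acct = accounts[username]
        if username not in roster:
            # No HR owner: orphaned account or an unowned service account.
            findings.append((username, "no_hr_owner"))
            continue
        terminated = roster[username]
        if terminated is None:
            continue  # still employed
        if acct["enabled"] and (today - terminated).days > grace_days:
            findings.append((username, "enabled_after_termination"))
        last_login = acct["last_login"]
        if last_login is not None and last_login > terminated:
            # Disabling later does not undo this: it needs investigation.
            findings.append((username, "login_after_termination"))
    return findings


if __name__ == "__main__":
    report = offboarding_findings(load_roster(HR_ROSTER_CSV),
                                  load_accounts(ACCOUNTS_CSV), date(2019, 5, 29))
    for username, issue in report:
        print(f"{username}: {issue}")
```

Run it daily from the real exports and page on any `login_after_termination` finding; the `enabled_after_termination` ones are the routine cleanup queue. The grace period exists because HR and the directory are rarely updated in the same hour, but it should be measured in hours or a day, not weeks.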
The rate of ransomware attacks isn't clear. Opinions differ on whether the rate of ransomware attacks is rising or falling; it's hard to quantify, and analysts have argued both directions. Some researchers, such as Malwarebytes, report a rise, with the latest victims making headlines. The city of Baltimore, for example, recently suffered a second attack on its infrastructure (the first, in March 2018, hit its 911 operations center).
But whether ransomware is waxing or waning, what is significant about the DBIR is how it explains why ransomware plays an increasingly important role in so many attacks: “This is because it isn’t forced to rely on data theft in order to be lucrative,” say the report’s authors. They found almost 500 ransomware cases, nearly a quarter of the 2018 breaches. The problem is one of reporting, as the authors point out: most organizations aren't required to report an incident if no data was actually lost. Healthcare is the exception, since providers must report ransomware incidents involving patient data regardless of whether any data was exfiltrated. Ransomware was involved in 70 percent of malware infections for the second straight year.
Brian Higgins, a security specialist at Comparitech, says ransomware “is easier than trading in stolen credit card details, less reliant on TOR, and a far more reliable moneymaker because, unfortunately, it’s still easier to pay up than report it even with GDPR hanging over your head.”
IT takeaways: Make sure your backups cover the systems you actually run, are kept where ransomware on the network can't reach them, and have been restored in practice, not just in theory. Also ensure you have a solid incident workflow and disaster recovery plan, and run regular drills so you can respond quickly in a crisis.
Hackers continue to live inside our networks for longer than we’d like. This dwell time can extend for months after an initial infection. “The longer the time a hacker has unauthorized access to systems, the more dangerous the attack can be,” says Fraser Kyne, a CTO at Bromium. He also makes the interesting point: “We have to turn the endpoint from a traditional weakness into an intelligence-gathering strength.”
However, there is a great deal of sloppy reporting on what this dwell-time metric is and what it really means, although most reports cite an overall reduction. Trustwave, for example, cites a drop in the median time between intrusion and detection from 83 days in 2017 to 55 days in 2018, for externally detected incidents, but that is a lot of qualifiers. Does the clock start when the first hacking event happens, when an endpoint is first compromised, when the intrusion is first discovered, or when a defender first responds? Does it stop when every stage of the malware has been eradicated, or just the destructive elements? Restricting the sample to externally detected incidents moves the number too. “Discovery time is very dependent on the type of attack in question,” the DBIR authors say.
Part of the issue is that attackers now combine multiple methods in a single campaign, making it harder to detect and neutralize. There is a silver lining, though: once an attacker takes the first step into your network, they have to succeed at every subsequent step for the attack to end in data loss or extortion. Make any one of those steps hard enough and they may abandon your shop for an easier mark.
One of the newer elements of the DBIR I like is the authors' attempt to document the stages of an attack and classify them into beginning, middle, and end. The first stage is likely to be a hacking element such as social engineering, phishing, or credential compromise. Malware then tends to be deployed for further reconnaissance and lateral movement around the network. The final operations are a mix of hacking and malware. The practical implication: if your sensors pick up malware, the attacker is probably already inside and in the middle of an attack; if they pick up phishing, you may be seeing the start of a breach to come.
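To make the point about dwell-time qualifiers concrete, the code below computes "median dwell time" over one small set of incidents under several definitions: which timestamp starts the clock, which one stops it, and whether only externally detected incidents are counted. The same five incidents produce medians anywhere from 6 to 74 days, which is why a headline dwell-time figure is meaningless without its definition. This is an added example written for this article, not Verizon, DBIR, or Trustwave code; the incident records, their timestamps, and the `detected_by` field are constructed.

```python
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Constructed incident records (not DBIR or Trustwave data). Each carries the
# candidate start and end timestamps that competing "dwell time" definitions use.
INCIDENTS: List[Dict[str, str]] = [
    {"id": "INC-1", "detected_by": "external", "first_attacker_action": "2018-01-05",
     "first_compromise": "2018-01-06", "detected": "2018-03-10", "eradicated": "2018-03-20"},
    {"id": "INC-2", "detected_by": "internal", "first_attacker_action": "2018-02-01",
     "first_compromise": "2018-02-01", "detected": "2018-02-12", "eradicated": "2018-02-15"},
    {"id": "INC-3", "detected_by": "external", "first_attacker_action": "2018-03-01",
     "first_compromise": "2018-03-15", "detected": "2018-04-30", "eradicated": "2018-06-01"},
    {"id": "INC-4", "detected_by": "internal", "first_attacker_action": "2018-05-10",
     "first_compromise": "2018-05-10", "detected": "2018-05-11", "eradicated": "2018-05-13"},
    {"id": "INC-5", "detected_by": "external", "first_attacker_action": "2018-06-01",
     "first_compromise": "2018-06-02", "detected": "2018-07-01", "eradicated": "2018-07-08"},
]


def _days(record: Dict[str, str], start_field: str, end_field: str) -> int:
    """Whole days from record[start_field] to record[end_field]; rejects inverted ranges."""
    start = date.fromisoformat(record[start_field])
    end = date.fromisoformat(record[end_field])
    if end < start:
        raise ValueError(f"{record['id']}: {end_field} precedes {start_field}")
    return (end - start).days


def dwell_days(incidents: List[Dict[str, str]], start_field: str, end_field: str,
               detected_by: Optional[str] = None) -> List[int]:
    """Per-incident dwell under one definition, optionally filtered by who detected it."""
    return [_days(r, start_field, end_field) for r in incidents
            if detected_by is None or r["detected_by"] == detected_by]


def median_dwell(incidents: List[Dict[str, str]], start_field: str, end_field: str,
                 detected_by: Optional[str] = None) -> float:
    values = dwell_days(incidents, start_field, end_field, detected_by)
    if not values:
        raise ValueError("no incidents match the filter")
    return float(median(values))


def dwell_report(incidents: List[Dict[str, str]]) -> Dict[str, float]:
    """The same incidents under five definitions: the 'dwell time' moves with each."""
    return {
        "compromise->detection, all":       median_dwell(incidents, "first_compromise", "detected"),
        "compromise->detection, external":  median_dwell(incidents, "first_compromise", "detected", "external"),
        "compromise->detection, internal":  median_dwell(incidents, "first_compromise", "detected", "internal"),
        "first action->eradication, all":   median_dwell(incidents, "first_attacker_action", "eradicated"),
        "first action->eradication, external":
            median_dwell(incidents, "first_attacker_action", "eradicated", "external"),
    }


if __name__ == "__main__":
    for definition, days in dwell_report(INCIDENTS).items():
        print(f"{definition:40s} median {days:5.1f} days")
```

When you quote or track a dwell-time number, record the four choices the report makes explicit (start event, end event, detection source, and the population of incidents) alongside it; a year-over-year "improvement" that comes from changing one of them is not an improvement.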
“There continues to be a temporal disconnect between the time frame for attacks versus response,” says Satya Gupta, CTO at Virsec. “The DBIR report points out that attack chains act within minutes, while the time to discovery is more likely to be months. This gap must be tightened, and security tools need to focus on real-time attack detection if we are to have any chance to curtail these breaches.”
IT takeaways: Make sure you understand what your security tooling is actually telling you, and investigate the entire chain of events, not just the alert that fired, to get to the root cause of an incident.
One final takeaway: there is a lot to learn from the Verizon DBIR, and you'll see many interpretations of it in the coming weeks and months. Take the time to download the report, review it, and come to your own conclusions. It can also serve as a template and call to action for improving your own enterprise security, and as evidence to convince management to fund future security investments.