Every year, digital security experts, IT personnel and top executives from various industries look forward to the release of Verizon’s data-rich and analytical security report, which many consider to be the annual breach bible for the industry.
The 2019 Verizon Data Breach Investigation Report has just been released. For me, the DBIR provides some of the most insightful views on the evolving threat landscape and thus is one of the most valuable annual assets in the security industry. If you haven’t looked at it, you should.
Verizon writes, “The threats are real, the attackers motivated. But something stands between them and your organization’s data: you and your security teams, with the insight, perspective, and tools to take action. Understanding the threats can help you manage risk effectively. You’ll find that all right here.”
To help you take advantage of the 78-page report, I’ve highlighted some important insights that we can take from it:
1) The importance of looking at attack vectors
“Leveraging an attack path model is not only an important step towards formalizing our understanding of attacks, but also a means of understanding our defense. (…) The more we can understand the sequence of events happening in an attack, the more we as a community can make it harder for adversaries to reuse the same process.”
What started out as a small appendix in last year’s report is now making its way to the front. Talking about attack paths, the steps and actions that attackers take beyond the initial breach point is key to improving the security posture.
Considering the fact that over 60 percent of breaches involved simple techniques such as phishing (32 percent) and stolen credentials (29 percent), we can assume that an adversary will find its way into the organization (or “if the proverbial lever is long enough they will breach your perimeter”). Regarding phishing in particular, the report tells us that 94 percent of malware is delivered through email (“Malware delivery method: email – 94 percent”). Once installed, it’s most often used as a foothold for the injection of more malicious programs or ransomware commands.
This, of course, is not to say that you shouldn’t secure the perimeter, yet we must prepare for what happens after the initial breach. The fact that an attacker has managed to get access to your system doesn’t necessarily mean they will manage to cause great damage, and now it is much more in your control. (“Admittedly, there’s not a lot you can do about the development, preparation, targeting, distribution, and other shenanigans that take place on the part of the bad guy before the breach. However, what goes down after the breach is another story altogether”). We can see that the median loss in data breaches was $7,611, and in many breaches the loss was almost zero. What separates the costly breaches from the rest is how hard it was for the attacker to reach the crown jewels after the initial breach.
So, what did we learn about the attack paths? We can see that most incidents didn’t involve many steps and, while they may have started in a number of ways, malware and hacking are the predominant ways to progress inside and reach the crown jewels.
2) Disappointingly long time to discover breaches
“56 percent of breaches took months or longer to discover.”
While in other reports such as FireEye’s M-Trend 2019 we can see that we are improving our average time to discovery (from 416 days in 2011 to 78 in 2018), this is still very depressing. We must do better than allowing criminals to hide in our networks for months at a time.
3) Vulnerabilities vs. IT hygiene
“At most, six percent of breaches in our data set this year involved exploiting vulnerabilities.”
This is another thing we must emphasize. Vulnerabilities are important, and patching is crucial (and smart patching is even more crucial). Yet vulnerabilities are only a small portion of what attackers are doing. In fact, IBM and Gartner have shown in the Implement a “Risk-Based Approach to Vulnerability Management” report that the number of vulnerabilities exploited in the wild stays quite constant over the years, representing only a fraction of the vulnerabilities exposed each year.
What we need to pay more attention to is IT hygiene: misconfigurations, user error, and strong credentials spread across machines without any real reason. To quote Gartner, “By 2025, more than 85 percent of successful attacks against modern enterprise user endpoints will exploit configuration and user errors” (according to its “The Long-Term Evolution of Endpoints Will Reshape Enterprise Security” report released in May). This is something we need to put more focus on — our IT hygiene.
“Errors were causal events in 21 percent of breaches.”
Trivial mistakes are to blame for data breaches. In many cases, the attacker does not have to work all that hard because somebody left the door open.
“It is important to acknowledge that there will always be [vulnerability] findings. The key is to prioritize the important ones and have a plan for the remaining actionable vulnerabilities, and to be able to defend acceptance of unaddressed findings.”
Ray Ottey runs Verizon’s security business across the UK, Ireland, and the Nordics. In a recent interview with Forbes, he stated, “Every one of the incidents in this report is either where data has been stolen, or there was a quantified cyber incident. So it’s just facts, things that have happened. So we look at the analysis of that, how did they get in, what assets did they steal, how long did it take or how many steps do they take.”
It’s remarkable that the twelfth iteration of the DBIR compiles real-world data from almost 42,000 security incidents and more than 2,000 data breaches across 86 countries.
I am happy to applaud the fact that the 2019 Verizon Data Breach Investigation Report reflects a high accuracy and methodology, setting a high standard for the community. I strongly believe it should be more encouraged.
This article was originally published at https://www.itproportal.com/features/three-key-takeaways-from-the-2019-verizon-data-breach-investigations-report.