Timely detection and response – thoughts on the Verizon 2018 DBIR
The 11th Verizon Data Breach Investigations Report (DBIR) was released yesterday to the usual fanfare that accompanies this collation of trends and insights. During the last decade the annual report has been viewed as a helpful benchmark of the state of the threat landscape. This year Verizon pulled data from 53,308 real-world security incidents including 2,216 confirmed data breaches to arrive at their analysis of risks with motives, causes and potential solutions offered too.
It is worth noting that even Verizon points out the data is only as good as the information it gathers from contributors – and so while this is a large collection of data, consider examining the sources of the breaches to understand if that skews the relevance to your organization. There is, for example, a large proportion of reports which come from either public sector or Verizon’s own services, and a large number of the organizations reporting were SMBs.
This blog is designed to help you understand the report, uncover and explain the identified trends and offer ways to better protect your business in 2018.
If you haven’t read the DBIR before we provide a few tips at the end of this blog.
With that said let’s proceed to look at the report.
The importance of timely detection and response
A worrying trend that stood out to me was the challenge organizations experience in discovering a breach or incident. With compromise and data exfiltration taking just minutes but discovery taking months it is clear that attackers have the upper hand. We have spoken much about Dwell Time here at Forcepoint and how it is so important to reduce the duration that an attacker is within your organization. Adding automation to your response and enforcement policies could mean the difference between lost productivity, revenue and data or a catastrophic data breach.
With GDPR enforcement just around the corner (25 May 2018) businesses will have just 72 hours to inform their supervisory authority of a data breach once they are aware of one. I look forward to the day when businesses reduce the discovery time to days or even minutes.
Never before has data been so valuable to attackers and defenders. With GDPR enforcement on the horizon defenders must identify their most important data (personal data, intellectual property) and seek to protect it. Threat actors have realised the value of FULLZ, Electronic Health Records, payment data and credentials on the underground markets and for the purposes of fraud. I urge data custodians to build out their data protection and incident response plan in advance of GDPR enforcement on 25 May 2018. Start by identifying the important data, map the flow of data in and out of the organization and be prepared to respond to the almost inevitable incident or data breach. Consider Data Loss Protection tools to achieve compliance and protect your intellectual property.
Sophisticated threats require a new approach to data protection
Your credentials and those of your system admins and end-users can be obtained and abused by cybercriminals who want to steal your critical data and trade secrets for monetary or other malicious aims. Understanding how those credentials are normally used and knowing when they are being used in an anomalous fashion can give an early warning for the 22 percent of confirmed data breaches reported in 2018 DBIR. This is especially important when considering the security of your cloud applications when shadow IT is factored in.
It is key to understand the context of interactions of your users with systems and data to better spot sophisticated threats. 2018 DBIR reports that 76 percent of breaches were financially motivated. There is big money in cybercrime and it is natural that organised criminal groups will look to take advantage of opportunities that exist. 13 percent of breaches were classified as being motivated by the gain of strategic advantage (espionage) – a clear message to protect our corporate secrets.
Half of all breaches were attributed to organised criminal groups, with 12 percent being identified as nation-state or state-affiliated. Attribution is a challenge in any environment and never more so than in cyber attacks. By understanding the methods deployed by such groups it becomes possible to protect from the methodology irrespective of the group conducting the attack.
Doing the basics well
The 2018 DBIR is a call to do the basics well.
The email attack vector is one that continues to result in data breaches. Phishing and pretexting (“the creation of a false narrative to obtain information or influence behaviour”) resulted in 17 percent of data breaches. An email was involved in 96 percent of those attacks. Unfortunately the report states 4 percent of employees will proceed to click that link. It then becomes necessary to defend from the web attack vector and consider a continuing education plan to promote your employees into your defense plan by giving the knowledge they need to identify and report suspect activity.
Small businesses accounted for half of the victims of data breaches (see note above on source of data). Such organizations are fundamental to larger supply chains and a breach at a small business could be just as comparatively damaging as one at a larger enterprise. Without the resources of larger enterprises smaller businesses are often seen as easy targets by threat actors.
Ransomware is the top variety of malware found in data breaches according to the report (56 percent). As the entire ecosystem that supports ransomware continues (cryptocurrency, willingness to pay the ransom, challenges for law enforcement) we anticipate ransomware attacks to continue to plague businesses around the world. It makes sense therefore to work to stop the incoming lures, the subsequent malicious payload, the encryption activity and any command and control traffic. Consider firewalls, web security gateways and advanced sandboxes to reduce the risk of successful encryption of your files.
Download the report
Download link for Verizon 2018 DBIR. An archive of reports going back to 2009 is available via the same link.
The shorter Executive Summary is available here.
Tips on how to interpret DBIR
(skip this section if you are a DBIR veteran)
If you have not read the DBIR before you will need to understand the terms used in the report. To quote the 2018 DBIR an incident is defined as “A security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is defined as “An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party”.
As you read the summaries and charts ensure you are aware of the meaning of the phrasing used. For example, page 5 of the report states that 48 percent of breaches feature hacking which is then described as credential theft (page 7) and Denial Of Service (page 8).
Also be aware of the caveats and exclusions. The 2018 DBIR calls out the removal of credential-stealing botnets from the majority of the analysis lest it bias the statistics. The report discusses these separately in section “Ransomware, botnets, and other malware”.
Often times you will find the industry-specific breakdowns lead to conclusions that resonate with you more so than the global data set. You will find these on page 25 of the report.