The 2016 Verizon Data Breach Investigations Report (DBIR) summary: the defender's perspective

Published at 2016-04-29 18:34:49

Verizon has released the 2016 edition of their annual Data Breach Investigations Report (DBIR). Their crack team of researchers has, once again, produced one of the most respected, data-driven reports in cyber security, sifting through submissions from 67 contributors and taking a deep dive into 64,000+ incidents (and nearly 2,300 breaches) to help provide insight on what our adversaries are up to and how successful they've been.

The DBIR is a highly anticipated research project and has valuable information for many groups. Policy makers use it to defend legislation; pundits and media use it to crank out scary articles; other researchers and academics take the insights in the report and identify new avenues to explore; and vendors quickly identify product and service areas that are aligned with the major findings. Yet the data in the report is of paramount importance to defenders. With over 80 pages to wade through, we thought it might be helpful to provide some way-points that you can use to navigate this year's breach and incident map.

Bigger is…Better?

There are a couple of "gotchas" with data submitted to the DBIR team. The first is that a large chunk of data comes from the U.S. public sector, where there are mandatory reporting laws, regulations, and requirements. The second is the YUGE number of Unknowns. The DBIR acknowledges this, and it's still valuable to look at the data where there are "knowns", even with this grey (okay, ours is green below) blob of uncertainty in the mix.

You can easily find your industry in DBIR Tables 1 & 2 (pages 3 & 4), and if we pivot on that data we can see the distribution of the percentage of incidents that are breaches:

We've removed the "Public (92)" industry from this set to get a better sense of what's happening across general industries. For the DBIR, there were more submissions of incidents with confirmed data disclosure for smaller organizations than large (i.e. be careful out there, SMBs), but there's also a large pile of Unknowns:

We can also take another, discrete view of this by industry:

(Of note: it seems even the Verizon Data Breach Report has "Unknown Unknowns")

As defenders, you should be reading the report with an eye for your industry, size, and other characteristics to help build up your threat profiles and help benchmark your security program. Take your incident-to-breach ratio (you are using VERIS to record and track everything from anti-virus hits to full-on breaches, right?) and compare it to the corresponding industry/size.

The Single Most Valuable Chart In The World! (for defenders)

When it comes right down to it, you're usually fighting an economic battle with your adversaries. This year's report, Figure 3 (page 7), shows that the motivations are still primarily financial and that Hacking, Malware and Social are the weapons of choice for attackers. We'll dive into that in a bit, but we need to introduce our take on DBIR Figure 8 (page 10) before continuing:

We smoothed out the rough edges from the 2016 Verizon Data Breach Report figure to paint a somewhat clearer picture of the overall trends, and used a complex statistical transformation (i.e. subtraction) to just focus on the smoothed gap:

Remember, the DBIR data is a biased sample from the overall population of cyber security incidents and breaches that occur, and every statistical transformation introduces more uncertainty along the way. That means your takeaway from "Part Deux" should be "we're not getting any better" vs "THE DETECTION DEFICIT TOPPED 75% FOR THE FIRST TIME IN HISTORY!"

So, our adversaries are accomplishing their goals in days or less at an ever-quickening success rate while defenders are just not keeping up at all. Before we can understand what we need to do to reverse these trends, we need to see what the attackers are doing. We took the data from DBIR Figure 6 (page 9) and pulled out the top threat actions for each year, then filtered the result to the areas that match both the major threat action categories and the areas of concern that Rapid7 customers have a keen focus on:

Some key takeaways:

- Malware and hacking events are dropping
- C2s are up
- Key loggers are making a comeback (this may be an artifact of the heavy influence of Dridex in the DBIR data set this year)
- Malware-based exfiltration is back to previously seen levels
- Phishing is pretty much holding steady, which is most likely supporting the use of compromised credentials (which is trending up)

Endpoint monitoring, kicking up your awareness programs, and watching out for wonky user account behavior would be wise things to prioritize based on this data.

Not all Cut-and-Dridex

The Verizon Data Breach Report mentions Dridex 13 times and was very up front about the bias it introduced in the report. So, how can you interpret the data with "DrideRx" prescription lenses?
Rapid7's Analytic Response Team notes that Dridex campaigns involve:

- Phishing
- Endpoint malware drops
- Establishment of command and control (C2) on the endpoint
- Harvesting credentials and shipping them back to the C2 servers

This means that, at a minimum, the data behind the Data Breach Investigations Report Figures 6-8 & 15-22 impacted the overall findings, and Verizon itself warns about wide interpretations of the Web App Attacks category: "Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions." So, when interpreting the results, keep an eye out for the above components and factor in the Dridex component before tweaking your security program too much in one direction or another.

Who has your back?

When reading any report, one should always check to make certain the data presented doesn't clash with itself. One way to add a validation to the above detection deficit is to look at DBIR Figure 9 (page 11), which shows (when known) how breaches were discovered over time. We can simplify this view as well:

In the significant majority of cases, defenders have law enforcement agencies (like the FBI in the United States) and other external parties to "thank" for letting them know they've been pwnd. As our figure shows, we stopped being able to watch our own backs half a decade ago and have yet to recover. This should be a wake-up call to defenders to focus on identifying how attackers are getting into their organizations and instrumenting better ways to detect their actions.
Are you:

- Identifying critical assets and access points?
- Monitoring the right things (or anything) on your endpoints?
- Getting the right logs into the right places for analysis and action?
- Deploying honeypots to catch activity that should not be happening?

If not, these may be things you need to re-prioritize in order to force the attackers to invest more time and resources to achieve their goals (remember, this is a battle of economics).

Are You Feeling Vulnerable?

Attackers are continuing to use stolen credentials at an alarming rate, and they obtain these credentials through both social engineering and the exploitation of vulnerabilities. Similarly, lateral movement within an organization also relies, in part, on exploiting vulnerabilities. DBIR Figure 13 (page 16) shows that as a group, defenders are staying on top of current and year-minus-one vulnerabilities fairly well:

We're still having issues patching or mitigating older vulnerabilities, many of which have tried-and-true exploits that will work juuuust fine. Leaving these attack points exposed is not helping your economic battle with your adversaries, as letting them rely on past R&D means they have more time and opportunity. How can you get the upper hand?

- Maintain situational awareness when it comes to vulnerabilities (i.e. scan with a plan)
- Develop a patching strategy with a holistic focus, not just a reaction to "Patch Tuesday"
- Don't dismiss mitigation. There are valid technical and logistic reasons that can make patching difficult. Work on developing a playbook of mitigation strategies you can rely on when these types of vulnerabilities occur.

"Threat intelligence" was a noticeably absent topic in the 2016 DBIR, but we feel that it can play a key role when it comes to defending your organization when vulnerabilities are present.
Your vuln management, server/app management, and security operations teams should be working in tandem to know where vulnerabilities still exist and to monitor and block malicious activity that is associated with targets that are still vulnerable. This is one of the best ways to utilize all those threat intel feeds you have gathering dust in your SIEM.

There and Back Again

This post outlined just a few of the interesting markers on your path through the Verizon Data Breach Report. Keep a watchful eye on the Rapid7 Community for more insight into other critical areas of the report and where we can help you address the key issues facing your organization.

(Many thanks to Rapid7's Roy Hodgman and Rebekah Brown for their contributions to this post.)
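The vuln-management/SecOps tandem described above, as an added example that is not code from the original post or from Rapid7: constructed scanner findings and a constructed threat-intel feed are joined against sample outbound-connection log lines so that an indicator hit on a host still exposed to a vulnerability the indicator is tied to ranks above the same hit on a patched host. All hostnames, indicators and CVE ids are placeholders, and the log line format is assumed.

```python
"""Prioritise threat-intel hits by whether the affected host is still vulnerable."""
import re
from collections import namedtuple
# Constructed inputs (not real data); the CVE ids are placeholders.
# Open scanner findings per host: CVE ids still unpatched on that host.
OPEN_VULNS = {
    "web-01": {"CVE-0000-0001", "CVE-0000-0002"},
    "web-02": set(),  # scanned and fully patched
    "db-01": {"CVE-0000-0003"},
}
# Threat-intel feed: indicator -> CVEs its campaign is known to exploit
# (an empty set means the feed gives no vulnerability context at all).
INTEL = {
    "203.0.113.10": {"CVE-0000-0001"},
    "198.51.100.7": {"CVE-0000-0009"},
    "evil.example": set(),
}
# Constructed outbound-connection log: "<timestamp> <host> -> <destination>".
LOG_LINES = """\
2016-04-29T10:00:01 web-01 -> 203.0.113.10
2016-04-29T10:00:05 web-02 -> 203.0.113.10
2016-04-29T10:00:09 db-01 -> 198.51.100.7
2016-04-29T10:00:12 web-01 -> 192.0.2.50
2016-04-29T10:00:20 db-01 -> evil.example
2016-04-29T10:00:25 legacy-09 -> 203.0.113.10
""".splitlines()

Alert = namedtuple("Alert", "ts host indicator priority")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")

def prioritise(line, open_vulns=OPEN_VULNS, intel=INTEL):
    """Return an Alert for a log line that hits an indicator, else None."""
    m = LINE_RE.match(line)
    if not m or m.group(3) not in intel:
        return None
    ts, host, dst = m.groups()
    linked = intel[dst]
    if host in open_vulns and linked & open_vulns[host]:
        priority = "high"    # still exposed to a CVE the indicator is tied to
    elif host in open_vulns and linked:
        priority = "low"     # scanned and patched against everything named
    else:
        priority = "medium"  # never scanned, or no CVE context: can't rule out
    return Alert(ts, host, dst, priority)

def triage(lines):
    """Run every line through prioritise() and return alerts, highest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(filter(None, map(prioritise, lines)), key=lambda a: order[a.priority])
```

Hosts the scanner has never seen land in the medium bucket on purpose: a missing finding is a coverage gap, not proof the host is patched.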

Source: rapid7.com
