It’s DBIR season! Put your pens down, stop watching The Last Dance and read the key findings of the 13th edition: Verizon’s annual Data Breach Investigations Report has been released!
If experience is just the name people give to their mistakes, as Oscar Wilde wrote in The Picture of Dorian Gray, then the more we know about the threats we face and how we respond to them, the more likely it is that our information, and our company’s name, will not make the headlines for the wrong reasons.
This year’s report analysed 32,000 incidents, of which 3,950 were confirmed data breaches. New in this edition is that the results are broken down into 16 industry verticals and mapped to the MITRE ATT&CK framework and the CIS Controls.
Let’s look at the key findings of the report, with comments from Tim Erlin, Tripwire’s Vice President of Product Management and Strategy.
- Many believe that malicious insiders are the most common cause of breaches, but the DBIR data show that 70% of this year’s breaches were caused by outsiders.
- 86% of breaches were financially motivated, although espionage remained among the most active motives.
- Credential theft, social attacks (i.e. phishing and business email compromise) and errors were the main causes of breaches (67% or more).
- Ransomware is responsible for 27% of malware incidents, while 18% of organisations blocked at least some ransomware.
- Attacks on web applications account for 43% of breaches, more than double last year’s figure. As workflows move to cloud services, it makes sense for attackers to follow. The most common method of attacking web applications is the use of stolen or otherwise illegitimately obtained credentials.
- Personal data is increasingly being compromised, or at least such compromises are reported more frequently as a result of regulation. Either way, 58% of breaches involved personal data, almost twice as many as last year. This is a big deal for PII.
- Most (81%) of the breaches were discovered within days or less, while the majority of victims were large companies (72%).
We often think of ransomware as a breach, but the DBIR classifies most ransomware actions as incidents because, although you lost access to the data, the attacker did not actually steal it. This may be reassuring, but it does not mean that a ransomware incident is much less important to the security staff dealing with it, according to Erlin, commenting on the report’s key findings.
The fact that misconfiguration is among the top five causes of breaches is an important finding: not all incidents are the result of an exploited vulnerability. Misconfigurations actually cause more breaches than exploited vulnerabilities, yet organisations often put less effort into assessing configurations than into looking for vulnerabilities. At a high level, the most important things for any organisation to worry about are brute force, credential theft and web applications.
According to the report, cloud assets were involved in about 24% of breaches, while on-premises assets accounted for 70% of reported breaches. In 73% of cases, cloud breaches involved an email or web application server. In addition, 77% of those cloud breaches also involved breached credentials.
Just as businesses take on a hybrid workload, so do criminals. These results are not so much an indictment of cloud security as an illustration of a trend: cybercriminals find the fastest and easiest path to their victims.
Cloud assets remain a minority of targets at 24%, compared with 70% on-premises. Why change tactics when they are working? The cloud has a learning curve for both criminals and businesses, according to Erlin.
IT security vs. OT security
This year, the report started tracking the assets involved from the perspective of information technology (IT) versus operational technology (OT). The results are not particularly surprising: 96% of breaches involve IT assets, while 4% involve OT assets. Although few in number, all of the breaches involving OT assets are cases where the attackers attempted to compromise the reliability and availability of essential services, such as water supply systems, that rely on OT equipment. That is sufficient cause for concern; the industries affected should take every possible precaution to reduce the risk of breaches involving their OT assets.
Mobile device security
Almost all (97%) of the reported mobile device incidents were errors, meaning lost devices. Although this is disappointing and needs to be addressed, it is not surprising. It is interesting to note that the remaining 3% related to espionage and financial motives. And while the financially motivated incidents ranged from theft to the use of a device as a pretext, the espionage incidents were purely mobile malware designed to maintain access and facilitate data exfiltration by advanced state-sponsored actors.
If you are concerned about mobile devices in your business, the data suggests that your primary concern should be theft or physical loss. Only 3% of mobile device incidents differed from this primary type of loss, Tim Erlin said.
Asset and vulnerability management
The report’s findings show that hosts vulnerable to major new vulnerabilities are still vulnerable to many old ones. Although this seems to indicate that patching works, it also indicates that asset management does not.
Let’s be more specific. The report found that for approximately 43% of organisations, all of their internet-facing IP addresses sit on a single network. However, the most common number of networks an organisation has is five, and half of organisations are present on seven or more networks. The question is: do you know where these networks are, and do you have any idea what assets they expose?
If not, you have an asset management problem. And it may not only be an asset management problem, but also a vulnerability management problem that you did not know you had. Erlin put it clearly:
It is tempting to downplay vulnerability management on the basis of this data, but the details show that organisations that are doing well enough are generally safer, and organisations that are not are very, very vulnerable. An important lesson, however, is that an organisation can do both. The old adage “you can’t protect what you don’t know” also applies to vulnerability management. Asset management is a prerequisite for managing vulnerabilities.
How many steps to a breach?
A very interesting part of the report is the analysis of the actions attackers take on their way to a breach. Analysis of the incidents and breaches shows that attacks come in different shapes and sizes, but most are short and include only a few steps. The long ones are typically hacking and malware breaches of confidentiality and integrity, where the attacker works systematically across the network and expands their foothold (lateral movement).
Attackers prefer short paths and rarely attempt long ones. This means that anything you can easily put in their way to increase the number of actions they have to take is likely to reduce their chances of compromising the data. For example, although two-factor authentication is not perfect, it usefully adds an extra step for the attacker. The difference between two steps and three or four can matter for your defence strategy.
Figure 1: The number of actions taken per incident and breach. Image courtesy of Verizon.
The upside is that knowing the paths attackers are most likely to take on their way to a breach leaves you the choice of where to intercept them. Erlin agrees:
One of the important lessons of the DBIR is that a compromise often consists of multiple actions, so as a defender you have several opportunities to stop an attacker. The concept of defence in depth applies here. The findings presented on how multi-stage compromises unfold are crucial. Malware is rarely the first step, so if you detect malware in your environment, you should look for what came before it. Hacking is much harder to deal with because it plays a role in the early, middle and final stages of a breach.
Figure 2: Stages of compromise. Image courtesy of Verizon.
As mentioned at the beginning of this article, this year’s DBIR breaks the results down into 16 industry verticals.
Finance and insurance
Attacks in this sector were committed by financially motivated external actors seeking easily monetised data (63%), financially motivated internal actors (18%) and internal actors who made mistakes (9%). Attacks on web applications using stolen credentials continue to affect this sector as well. Breaches caused by insiders have shifted from malicious acts to unintentional errors such as misdelivery, although both still cause damage.
Manufacturing was attacked by external actors (75%) who used password-dumping malware and stolen credentials to penetrate systems and steal data, according to the report. Although most attacks were financially motivated (73%), the sector also showed signs of cyber-espionage (27%). Insiders (25%) who misused their access to exfiltrate data continued to be a concern for this vertical.
Oil and gas
Breaches in this sector consisted of several actions, but social attacks such as phishing and pretexting dominated the incident data. Cyber-espionage-motivated attacks and incidents involving OT devices have also raised concerns in these sectors.
Ransomware is a major problem for this sector, accounting for 61% of related malware cases. Ransomware was the preferred tool of financially motivated attackers (75%), who used it against various government institutions. Misdelivery and misconfiguration are also recorded in this sector. When confidential information reaches the wrong destination, or data stores sit in the cloud without the security measures needed to protect the data from unauthorised access, this can become a serious problem.
This sector is targeted by financially motivated organised criminals using attacks on web applications. But employee mistakes, such as leaving large databases unsecured, were also a constant problem. Combined with social engineering in the form of phishing and pretexting, they were responsible for most of the breaches in this sector.
The DBIR’s industry analysis is invaluable, according to Erlin. If you can identify the assets, actions and patterns most relevant to your industry, you can act much more decisively as a defender. If you are in manufacturing, for example, you should be more concerned than any other industry about crimeware delivered through malware and social engineering. If you work in healthcare, errors figure much more prominently in your threat model than in other sectors.
Small and medium-sized enterprises (SMEs)
While the differences between small and medium-sized enterprises (SMEs) and large organisations persist, the move to the cloud and its countless online tools, together with the steady increase in social attacks, has blurred the line between them. As SMEs have adapted their business models, criminals have adapted their actions over time, choosing the quickest and easiest path to their victims.
Figure 3: Comparison between small and large companies. Image courtesy of Verizon.
American and Canadian organisations are heavily affected by financially motivated attacks on their web application infrastructure. Hacking with stolen credentials was the most common action, followed by social engineering attacks that facilitated the capture of those credentials. Employee errors were also regularly found.
Although 69 percent of all incidents and 55 percent of all breaches in the DBIR dataset occurred in this region, this is due to strict reporting requirements in the financial, healthcare and public administration sectors. A similar trend can be observed in Europe, where the GDPR and the NIS Directive oblige industry to report all incidents and breaches.
Recommendations based on the CIS Controls
To reconcile the report’s findings with organisations’ security efforts, the DBIR includes a section mapping the results to the CIS Controls. And there are good reasons to opt for the CIS Controls: they are a relatively short list of high-quality defensive measures that are a must, and a starting point, for any company that wants to improve its cyber security. You can read a short overview of all the CIS Controls in this Tripwire article.
Mapping breaches to the CIS Controls is a good addition for defenders. CIS is highly respected in the industry, and the controls provide enough detail to be effective without being overwhelming, concluded Erlin.
Based on the report’s findings, the following CIS Controls are recommended:
- Continuous vulnerability management (CSC 3)
- Secure configuration (CSC 5 and CSC 11)
- Email and web browser protection (CSC 7)
- Limitation and control of network ports, protocols and services (CSC 9)
- Boundary defence (CSC 12)
- Data protection (CSC 13)
- Account monitoring and control (CSC 16)
- Implement a security awareness and training programme (CSC 17).
Tripwire helps you meet the requirements of the CIS Controls and implement a highly effective security programme. For more information, download this article.