Each and every year the security industry eagerly awaits the Verizon Data Breach Investigations Report (DBIR). With data from over 50+ organisations around the globe (95 countries represented) and over 63,000 security incidents analysed, the DBIR provides the most comprehensive information on our current threat landscape. The report can be downloaded here.
This year’s DBIR has a fantastic and fresh new way of interpreting the data. When I am speaking at events or discussing statistics with clients, I frequently get asked how to make sense of it all: what is the difference between a threat actor and an action, and how do I find what’s relevant to my company?
This year they have introduced the “top 9 patterns” breakdown, a new “at a glance range”, and have made it even easier to see where the risks are, and how to mitigate such attacks. More to come on that later…
Let’s delve straight into some of the stats for last year.
Verizon identified 9 patterns that cover 92% of the security incidents they analysed over the last 10 years and 94% of the breaches that they looked at in 2013.
The categories are:
Point of Sale (POS) Intrusions
When attackers compromise the computers and servers that run POS applications, with the intention of capturing payment data.
Web App Attacks
When attackers use stolen credentials or exploit vulnerabilities in web applications — such as content management systems (CMS) or e-commerce platforms.
Insider and Privilege Misuse
This is mainly misuse by insiders, but outsiders (through collusion) and partners (because they are granted privileges) show up as well. Potential culprits come from every level of the business, from the frontline to the boardroom.
Physical Theft and Loss
The loss or theft of laptops, USB drives, printed papers and other information assets, mostly from offices, but also from vehicles and homes.
Miscellaneous Errors
Simply, any mistake that compromises security. This may mean accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely.
Crimeware
Crimeware is a broad category, covering any use of malware (often web-based) to compromise systems such as servers and desktops. This pattern includes phishing attacks.
Payment Card Skimmers
The physical installation of a “skimmer” on an ATM, forecourt gas pump or POS terminal, to read your card data as you pay.
Denial of Service (DoS) Attacks
These are attacks, not attempted breaches. Attackers use “botnets” of PCs and powerful servers to overwhelm an organisation’s systems and applications with malicious traffic, causing normal business operations to grind to a halt.
Cyber Espionage
When state-affiliated actors breach an organisation, often via targeted phishing attacks, to obtain intellectual property.
If we look at the percentage of breaches by pattern in 2013, Web App Attacks took the top spot, followed by Cyber Espionage and POS Intrusions. Last year was most definitely the year for POS attacks, with the attacks on Target, Neiman-Marcus and Michaels to name a few.
If we look at data breaches by industry, this year reinforces (like every other year) that no industry is immune from cyber attacks, nor do cyber attacks discriminate by how big or small you are.
We see that the finance industry caught the brunt of the attacks last year, followed by public/government and the retail industries:
Verizon also introduced a fantastic addition this year – graphing of statistics over the past 10 years – which shows us just how things have changed over the years, and also reinforces what we security folk see every day in our jobs.
If we look at the number of breaches per category over the last 10 years, external attacks/attackers still account for the majority (I don’t personally think that will ever change). More importantly, internal/insider threats such as malicious employees are still prominent and steady, and they are one area of the business that I see organisations ignore or forget about, time and time again.
So how have companies been getting hacked over the years, and more importantly in 2013? Well, last year we saw hacking as the number one way companies were attacked (similar to previous years), followed by malware and social tactics such as social engineering and spear phishing. Notice how the hacking and malware categories explode upward in 2009 and social tactics begin to climb in 2010. These have parallel stories in the real world (e.g. better automated attack tools and DIY malware kits). It’s also interesting to see how the general evolution of data storage, cloud and IaaS has coincided with a massive drop in physical attacks and various other attack methods.
If we look at the changes in the top 10 actions against last year, we see that the use of stolen credentials is now number 1, followed by export of data via malware, and then phishing attacks. These are areas on which companies of all types and sizes need to place a greater emphasis.
So what assets are attackers going after? We see that servers are still number 1 (same as last year), so no real surprises there. Attackers know this is where an organisation’s data is held. User devices have been growing over time because they offer an easy foot in the door, and of course people – usually the weakest link in an organisation’s security chain – are targeted through attacks on human weakness, such as social engineering.
This data is especially useful because it reveals the “footprint” of attackers as they travel through the victim’s environment in search of data. As defenders, it gives us a sense of what may need extra attention or protection, but to be honest, I personally see weaknesses in these top 3 areas, day-in and day-out on engagements.
When it comes to time to compromise versus time to discovery, the data clearly shows us that each and every year attackers are getting better at breaching organisations. They require less and less time to breach a network (usually days or less), whereas in most cases (although organisations are slowly getting better) it takes organisations an extraordinarily long time (anywhere from weeks to years) to detect the intruder(s) and remove their access.
If we look at the frequency of incident classification patterns, we see Web App Attacks taking the top spot, followed by Cyber Espionage attacks and POS Intrusions:
With the patterns telling a similar story:
If we look at the victims per industry, the report makes it easy for organisations to review where their main risks are, and where they need to focus their efforts based on the top 9 – a fantastic addition to this year’s DBIR.
The report also breaks down the top 9 categories into individual time frames from initial compromise through to containment, which is quite an interesting read, and then assigns recommended controls (remediation).
Here’s the excerpt from the Web App Attacks section:
Verizon also provide a great overview infographic available here.
So…in my opinion, the primary takeaways that need to be hammered into organisations include:
- It could be you. All sizes of business and all industries are at risk of some kind of security event. Even if you think your organisation is at low risk of external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.
- Most attacks are perpetrated by external actors, as opposed to employees and partners, but rest assured, you should be reviewing and assessing both areas of the organisation through scheduled penetration testing.
- A defence-in-depth strategy is key. Although the report highlights areas that organisations need to focus on, organisations need to round off a defence-in-depth strategy by addressing all areas of the business, from people and processes through to design, implementation, monitoring and detection.
- Although attackers are mainly going for payment and bank data, which they can quickly convert into cash, user credentials are also a popular target, but mainly as a gateway to other kinds of data or other systems.
- Attackers have got faster at breaching systems. Defenders are getting faster too — but they’re falling further behind.
- Organisations, now more than ever, need to invest time and capital into protecting their assets and ensure they are making it as hard as possible for attackers to breach their networks; every breach has flow-on effects for both industry and individuals.
- Make security a key priority in your budgetary planning for the next financial year.
If you would like some more information on the services we offer to help organisations meet their security goals, please get in touch or alternatively you can catch me speaking at the Crisis & Consumer Response Data Breach Conference (CCR14) in Sydney on the 23rd of May.
Till next time, Dan