The Verizon 2019 Data Breach Investigations Report (DBIR) has been made public today, and its key findings indicate an increase in cyberespionage and nation-state attacks.
Some of the key findings of the report:
- C-suite executives are the prime target of social engineering attacks.
- Cyberespionage attacks increased (up 12% compared to 2018).
- Financially motivated breaches fell from 76% to 71%.
- 32% of breaches, and 78% of cyberespionage incidents, involved phishing.
- Most malware arrived via email (90%).
- 60% of web application attacks targeted cloud-based email servers.
- 52% of breaches involved hacking.
- 34% of breaches involved internal actors.
- 43% of breaches hit small businesses.
- Attacks on HR personnel dropped significantly (six times fewer than last year).
- 21% of breaches on cloud platforms were caused by misconfiguration.
Highlights from the Verizon DBIR 2019: Every year the Verizon Data Breach Investigations Report comes out… https://t.co/Mh6kbrnARh #infosec
— IT Security News – www.itsecuritynews.info (@IT_securitynews) May 8, 2019
Expert comments:
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“If you’re going to be making decisions based on the DBIR, you better make sure you’re clear on the difference between ‘incidents’ and ‘breaches’; and make sure you know which one you’re talking about when you cite a statistic.
It can be fun and illuminating to play the anti-hype-statistic game with DBIR data by specifically looking at results that dispel some industry hype. For example, ‘less than a third of breaches involved malware.’ The split between external and internal attackers provides another interesting view. If you’re spending most of your time worrying about insider threat, you’re not in line with the data.
There are core questions that CISOs and cybersecurity professionals look to answer with the DBIR, like ‘where am I not spending enough’ and ‘where am I spending too much’ of the cybersecurity budget.
It’s really interesting to see how little has changed since 2013 in regards to threat actions in breaches. The biggest changes are in social engineering and attacks involving a real person. Those changes are indicative of how our connectedness has changed since 2013, and of attackers taking advantage of those changes.
While the pattern of attacking web applications affects a lot of sectors, retail is the most affected by this type of attack. The increase in web applications as an attack pattern in retail since 2014 is substantial. We saw a corresponding decrease in point-of-sale as an attack pattern over the same time frame. It’s likely that the shift to EMV cards, mandated in 2015, helped drive the shift in attack types as well.
It’s no surprise that there’s strong alignment between cyber-espionage and the Public sector.
Public sector companies have a lot to worry about, or a lot of opportunities for improvement. They’re near the top of the chart for malware, hacking, and social engineering as attack patterns.
The impact of ‘miscellaneous errors’ on the healthcare sector is noteworthy. This pattern includes misconfigured servers, in addition to mis-delivery of sensitive data. These are errors that are largely preventable.
It’s good to see that physical attacks against ATMs have declined. Unfortunately, it’s rare for this industry to see positive progress reflected in these reports.
The financial services industry has seen a significant increase in the use of compromised credentials in breaches since 2013. The industry response to this pattern is multi-factor authentication, but adoption of the solution lags adoption of the attack.
While the summary data would tell you that the majority of incidents are driven by external actors, if you’re in healthcare, the details are important. Healthcare stands alone as the sector where insiders are the majority of threat actors, but given that the most common attack pattern for this sector is ‘miscellaneous errors,’ the insider threat is more accidental than malicious.”
Mitchell Jukanovich, Vice President of Federal at Tripwire:
“The key to mitigating aggressive social engineering campaigns as well as malware attacks happens at the human level — cyber training and education. It sounds elementary, but a sound cyber training and education program can reduce the risk exposure to an agency, department or branch service. This year’s DBIR reinforces the need for agencies to have a cyber response plan and to practice executing against it.”
“‘Dwell time’ or how long a bad actor has been inside a network is a key reporting metric for the government’s large system integrators. A robust change management solution can provide the situational awareness required to minimize ‘dwell time’ in government agency and contractor networks.”
Martin Jartelius, CSO at Outpost24:
“This year the report has a big focus on state-sponsored attacks and, while not surprising, the findings show just how frequently cybercrime is being used by governments to target adversaries.
The report also highlights that hacking is still playing a huge role in cyberattacks and reinforces the importance of organisations monitoring for vulnerabilities that can easily be exploited, so they can be remediated and patched before any damage occurs.”
Shlomie Liberow, Technical Program Manager at HackerOne:
“When it comes to organisational or institutional security, a lot of what we can do to bolster our protection has nothing to do with technology and more comes down to employee education.
Encouraging employees to question requests, double check on records and be just a little paranoid are all critical in improving overall cybersecurity posture.
Companies that blame employees for poor passwords or bad behaviour with email aren’t spending enough time, money, or energy driving home security. Preventing phishing attacks can be closely tied to corporate culture. Is it normal for an exec to demand something like a bank transfer to a vendor, or a large purchase from a random site with no questions asked, either because of fear or sternness? Welcome to phishing heaven. It’s up to IT and security teams to enable, empower and educate employees as part of strengthening the weakest links.”
Fraser Kyne, EMEA CTO at Bromium:
“Protecting high value assets has turned into a game of cat and mouse. Yet to win such a game, you need to spot the clues; however, this report shows that it’s taking months or longer to discover a breach. To address this, organisations must adopt layered defences that utilise application isolation to identify and contain malicious threats. This prevents hackers from gaining a foothold in the network by applying protection at the most common entry point, the endpoint, reducing the attack surface by closing off the most common routes into the enterprise like emails, the browser and downloads.
By turning the endpoint from a traditional weakness into an intelligence gathering strength, organisations get rich threat telemetry about the hacker’s intent that hardens the entire defensive infrastructure. This gives security teams the big picture, reduces false positives and allows malware to detonate safely with no impact. Isolation stops hackers at the point of entry and provides security teams with the time and information they need to analyse the real threats they are facing.”
Igor Baikalov, Chief Scientist at Securonix:
“There was a dramatic 74% increase in the number of breaches attributed to the nation-state or state-affiliated actors. It might be explained by more aggressive attribution, since it’s in line with the number of breaches associated with espionage and seems to come at the expense of a reduction in the number of breaches attributed to organized crime.
Phishing awareness and cyber hygiene training seem to be working, as the number of clicks on phishing emails in simulations continues its steady decline, but the concern is the 3% that still click on ANY phishing email. Internet access as well as access to sensitive data for this population has to be tightly controlled and even restricted for repeat offenders.
Another high-risk category that is increasingly targeted in social engineering attacks is C-level executives. CEO Fraud, or Business Email Compromise (BEC) in FBI parlance, almost doubled in the last year, with reported losses over $1.2 billion. Cybersecurity teams have to review their defense mechanisms as many email monitoring programs are not even configured to capture the information exploited in BEC-type attacks.”
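The header signals that BEC-style messages rely on, and that the comment above says many email monitoring programs do not capture, can be checked with a few lines of code. The following is an added example and not code from the DBIR, Securonix or any other party quoted on this page; the corporate domain `example.com`, the executive roster, the `bec_indicators` function and the four messages it is run over are all constructed for illustration.

```python
"""Header checks for business email compromise (BEC) style messages.

Added example, not from the DBIR or any vendor quoted in the article.
The sample messages, the corporate domain and the executive roster are
constructed assumptions for illustration only.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed roster: display name -> real mailbox


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message's headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    # 1. An executive's display name on a mailbox that is not the executive's own.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    # 2. Sender domain is a near miss of the corporate domain.
    if from_dom and from_dom != CORP_DOMAIN and levenshtein(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_dom}")
    # 3. Reply-To steers the answer to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to mismatch: {reply}")
    # 4. A From header in our own domain proves nothing unless DMARC passed.
    auth = msg.get("Authentication-Results", "")
    if from_dom == CORP_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal sender without dmarc=pass")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED_NAME = "\n".join([
    'From: "Jane Doe" <jane.doe.ceo@webmail.example>',
    "To: ap@example.com",
    "Subject: urgent wire - confidential",
    "",
    "Please process the attached invoice today.",
])
LOOKALIKE = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To: accounts@payments-desk.example",
    "To: ap@example.com",
    "Subject: vendor bank details update",
    "",
    "New account details attached.",
])
INTERNAL_NO_AUTH = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: ap@example.com",
    "Subject: quick favour",
    "",
    "Are you at your desk?",
])
LEGIT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com",
    "To: ap@example.com",
    "Subject: Q2 numbers",
    "",
    "Thanks for the report.",
])

if __name__ == "__main__":
    for label, raw in [("spoofed name", SPOOFED_NAME), ("lookalike", LOOKALIKE),
                       ("internal, no auth", INTERNAL_NO_AUTH), ("legit", LEGIT)]:
        print(label, "->", bec_indicators(raw) or "clean")
```

The fourth check is the one most often missing: a From address in the company's own domain is exactly what an attacker forges, so the monitoring rule has to key on the Authentication-Results (DMARC) outcome rather than on the visible sender.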
Satya Gupta, CTO and Co-founder at Virsec:
“The latest Verizon DBIR highlights that cyberattacks are becoming much more targeted and dangerous. They noted a huge increase in C-level executives being individually targeted. The same trend is happening with specific network tools and industrial equipment. Attackers are prolific at scanning networks and finding specific types of vulnerable equipment, then targeting them with specific malware designed for these devices.
Targeting Servers
The vast majority of security tools focus on user endpoints – laptops, desktops, mobile. But 80-90% of current incidents involve corporate servers, whether on-premises or in the cloud. Analysts like Gartner are stressing that user endpoint security tools are not effective at protecting servers or cloud workloads – in fact, they are dangerous because they provide a false sense of security. Server-side security requires much more attention.
Dwell Time
There continues to be a temporal disconnect between the time frame for attacks versus response. The report points out that attack chains act “within minutes” while “the time to discovery is more likely to be months.” This gap must be tightened and security tools need to focus on real-time attack detection if we are to have any chance to curtail these breaches.”
Bob Huber, CSO at Tenable:
“There will be criminals looking to exploit vulnerabilities to perform illicit activities while they can monetise their efforts and that’s where organisations need to focus – stopping them or at least making them work harder for it.
“While many reports will talk about nation-state hacking or advanced threats, what this year’s DBIR shows, as it has for many years now, is that the attacks that are most successful are not new or even particularly clever — they’re just effective. Business email compromise attacks, malware infections and the tried and tested credential abuse make up the report’s key findings. Translating this simply — it’s a lack of basic cyber hygiene that is still to blame for nearly all 41,686 security incidents and 2,013 confirmed breaches.
“If we’re ever to see these figures decrease, organisations need to focus on doing the basics – understanding what they’ve got, what’s important to the business and then making sure it’s protected 24/7.”
Chris Ross, Cybersecurity Expert at Barracuda Networks:
“The most worrying finding, however, was the focus that cyber criminals are now placing on targeting C-level executives. As we all know, senior execs often have wide ranging access due to their seniority in the business. However, they’re also extremely time poor and sometimes have executive assistants managing their email accounts for them.
The report reveals that senior execs are 12 times more likely to be the target of social incidents, and 9 times more likely to be targeted by social breaches than in previous years. This comes as no surprise to us, as senior executive attacks are often extremely lucrative, adding many zeros onto the end of cybercriminal revenues.
However, there’s good news for those working in HR. Attacks on human resources teams are down – 6 times fewer HR personnel have been impacted this year, compared to last year.
The report suggests financial motivation remains the key driver, and with that in mind, it’s clear that cyber criminals are still going where the money is. If we’ve learnt anything in our time in cyber security, it’s that criminals always respond to what is going to net them the most income, and attacks aimed at senior execs are clearly what’s working at the moment.
All of this illustrates more clearly than ever that security technology by itself is no longer enough. It is imperative that employers educate their staff – at all levels – to be more aware, especially when it comes to phishing and social engineering attacks.”
Corin Imai, Senior Security Advisor at DomainTools:
Ryan Wilk, Vice President at NuData Security:
Sam Curry, Chief Security Officer at Cybereason:
“Cybercrime pays. Almost all cyber versions of real world activities, from crime to war (and from gaming to work) are more efficient, less risky, with bigger margins and more opportunities than their kinetic world counterparts. If you’re an old school gangster knocking over bank branches and liquor stores, you’re a dying breed: the real money, the security of anonymity and hiding thousands of miles away and the ability to do business at an unprecedented scale are all online. Real crime pays, and it’s just a click away.
I believe that the lionisation of ransomware happened because it causes real damage and continues to do so; however, it is for the most part a retrograde motion. Most attacks are becoming more subtle, more persistent, less obvious, because attackers generally benefit from longer time in networks and systems without being detected. Some want to smash and grab money, but for the most part the advanced attackers use ransomware to trigger autonomic responses in enterprises to cover their tracks when IT re-images systems or returns to operational state. Sometimes the ransomware is there to make a quick buck and sometimes it’s there to hide the real crime. However you look at it, it’s here and hurting people even if it is an anomaly among other cyber trends.”
Mandeep Sandhu, Principal Solutions Engineer at SentinelOne:
“With cyber attacks increasing in their complexity, security teams need to be able to quickly identify and understand all cybercriminal activity across their organisation’s environment. And that includes third party/supply chain environments too. Organisations should aim to use technologies designed to detect and respond to cybercriminal activity, as they often have access to all attack details and therefore have the ability to restore files and system configurations with minimal impact to business operations, which is especially important in ransomware attacks.”
Lamar Bailey, Senior Director of Security at Tripwire:
“In Cybersecurity we tend to focus on external threats but the DBIR report shows that 34% of the breaches were from internal actors. Are your defenses set up to detect and stop internal actors? Network segregation, Identity and Asset Management (IAM), User Activity Monitoring, Data Leakage protection, and good physical security are a requirement to combat and discover these threats.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.