The Verizon DBIR report has been made public today, and the key findings indicate an increase in cyberespionage and nation state attacks.
Some of the key findings of the reports:
- C-Suite executives are the high target of social engineering attacks.
- Increase in Cyberspionage attacked (12% compared to 2018)
- Financially motivated breaches fell from 76% to 71%
- 32% of breaches and 78% of cyberespionage are victim of phishing.
- Most of the malware arrived via email (90%)
- 60% of web application attacks were on cloud-based email servers
- 52% of cyberattacks involve hacking
- 34% of attacks involved insiders
- 43% of cyberattacks were on small businesses
- A significant increase on HR personnel.
- 21% breaches in cloud platform caused by misconfiguration.
— IT Security News – www.itsecuritynews.info (@IT_securitynews) May 8, 2019
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“If you’re going to be making decisions based on the DBIR, you better make sure you’re clear on the difference between ‘incidents’ and ‘breaches’; and make sure you know which one you’re talking about when you cite a statistic.
It can be fun and illuminating to play the anti-hype-statistic game with DBIR data by specifically looking at results that dispel some industry hype. For example, ‘less than a third of breaches involved malware.’ The split between external and internal attackers provides another interesting view. If you’re spending most of your time worrying about insider threat, you’re not in line with the data.
There are core questions that CISOs and cybersecurity professionals look to answer with the DBIR, like ‘where am I not spending enough’ and ‘where am I spending too much’ of the cybersecurity budget.
It’s really interesting to see how little has changed since 2013 in regards to threat actions in breaches. The biggest changes are in social engineering and attacks involving a real person. Those changes are indicative of how our connectedness has changes since 2013, and of attackers taking advantage of those changes.
While the pattern of attacking web applications affects a lot of sectors, retail is the most affected by this type of attack. The increase in web applications as an attack pattern in retail since 2014 is substantial. We saw a corresponding decrease in point-of-sale as an attack pattern over the same time frame. It’s likely that the shift to EMV cards, mandated in 2015, helped drive the shift in attack types as well.
It’s no surprise that there’s strong alignment between cyber-espionage and the Public sector.
Public sector companies have a lot to worry about, or a lot of opportunities for improvement. They’re near the top of the chart for malware, hacking, and social engineering as attack patterns.
The impact of ‘miscellaneous errors’ on the healthcare sector is noteworthy. This patter includes misconfigured servers, in addition to mis-delivery of sensitive data. These are errors that are largely preventable.
It’s good to see that physical attacks against ATMs have declined. Unfortunately, it’s rare for this industry to see positive progress reflected in these reports.
The financial services industry has seen a significant increase in the use of compromised credentials in breaches since 2013. The industry response to this pattern is multi-factor authentication, but adoption of the solution lags adoption of the attack.
While the summary data would tell you that the majority of incidents are driven by external actors, if you’re in healthcare, the details are important. Healthcare stands alone as the sector where insiders are the majority of threat actors, but given than the most common attack pattern for this sector is ‘miscellaneous errors,’ the insider threat is more accidental than malicious.”
Mitchell Jukanovich, Vice President of Federal at Tripwire:
“It’s no surprise that the most clear and present threat across the public sector is Cyber Espionage which is effectively executed using social exploitation and advanced malware.”
“The key to mitigating aggressive social engineering campaigns as well as malware attacks happens at the human level — cyber training and education. It sounds elementary, but a sound cyber training and education program can reduce the risk exposure to an agency, department or branch service. This year’s VBR report reinforces the need for agencies to have a cyber response plan and to practice executing against it.”
“‘Dwell time’ or how long a bad actor has been inside a network is a key reporting metric for the government’s large system integrators. A robust change management solution can provide the situational awareness required to minimize ‘dwell time’ in government agency and contractor networks.”
Martin Jartelius, CSO at Outpost24:
“The Verizon DBIR is widely regarded as the leading annual cybersecurity research study and each year its findings are graver than the last.
This year the report has big focus on state-sponsored attacks and, while not surprising, the findings show just how frequently cybercrime is being used by governments to target adversaries.
The report also highlights that hacking is still playing a huge role in cyberattacks and reinforces the importance of organisations monitoring for vulnerabilities that can easily be exploited, so they can be remediated and patched before any damage occurs.”
Shlomie Liberow, Technical Program Manager at HackerOne:
“With the 2019 Verizon DBIR revealing that phishing was involved in 32 percent of breaches, organisations are clearly still not taking employee cybersecurity education seriously enough.
When it comes to organisational or institutional security, a lot of what we can do to bolster our protection has nothing to do with technology and more comes down to employee education.
Encouraging employees to question requests, double check on records and be just a little paranoid are all critical in improving overall cybersecurity posture.
Companies who blame employees for poor passwords or bad behaviour with email aren’t spending enough time, money, or energy driving home security. Preventing phishing attacks can be closely tied to corporate culture. Is it normal for an exec to demand something like a bank transfer to a vendor, or a large purchase from a random site with no questions asked either because of fear or sternness? Welcome to phishing heaven. It’s up to IT and security teams to enable, empower and educate employees as part of strengthening the weakest links.”
Fraser Kyne, EMEA CTO at Bromium:
This year’s report shows cybercriminals are choosing to take a subtler approach.Hackers don’t want to announce their presence anymore – as they would with noisy ransomware attacks. Instead, they silently gain access to conduct reconnaissance, insert backdoors, escalate privileges and exfiltrate data.The longer the ‘dwell time’ – i.e. the time a hacker has unauthorised access to systems – the more dangerous the attack can be.
Protecting high value assets has turned into a game of cat and mouse. Yet to win such a game, you need to spot the clues, however this report shows that it’s taking months or longer to discover a breach.To address this, organisations must adopt layered defences that utilise application isolation to identify and contain malicious threats. This prevents hackers from gaining a foothold in the network by applying protection at the most common entry point, the endpoint, reducing the attack surface by closing off the most common routes into the enterprise like emails, the browser and downloads.
By turning the endpoint from a traditional weakness into an intelligence gathering strength, organisations get rich-threat telemetry about the hacker’s intent that hardens the entire defensive infrastructure. This gives security teams the big picture, reduces false positives and allows malware to detonate safely with no impact. Isolation stops hackers at the point of entry and provides security teams with the time and information they need to analyse the real threats they are facing.”
Igor Baikalov, Chief Scientist at Securonix:
“There was a dramatic 74% increase in the number of breaches attributed to the nation-state or state-affiliated actors. It might be explained by more aggressive attribution, since it’s in line with the number of breaches associated with espionage and seems to come at the expense of a reduction in the number of breaches attributed to organized crime.
Phishing awareness and cyber hygiene training seem to be working, as the number of clicks on phishing emails in simulations continues its steady decline, but the concern is the 3% that still click on ANY phishing email. Internet access as well as access to sensitive data for this population has to be tightly controlled and even restricted for repeat offenders.
Another high-risk category that is increasingly targeted in social engineering attacks is C-level executives. CEO Fraud, or Business Email Compromise (BEC) in FBI parlor, almost doubled in the last year, with reported losses over $1.2 billion. Cybersecurity teams have to review their defense mechanisms as many email monitoring programs are not even configured to capture the information exploited in BEC-type attacks.”
Satya Gupta, CTO and Co-founder at Virsec:
The latest Verizon DBIR highlights that cyberattacks are becoming much more targeted and dangerous. They noted a huge increase in C-level executives being individually targeted. The same trend is happening with specific network tools and industrial equipment. Attackers are prolific at scanning networks and finding specific types of vulnerable equipment, then targeted them with specific malware designed for these devices.
The vast majority of security tools focus on user endpoints – laptops, desktops, mobile. But 80-90% of current incidents involve corporate servers, whether on-premises or in the cloud. Analysts like Gartner are stressing that user endpoint security tools are not effective protecting servers or cloud workloads – in fact, they are dangerous because the provide a false sense of security. Server-side security requires much more attention.
There continues to be a temporal disconnect between the time frame for attacks versus response. The report points out that attack chains act “within minutes” while “the time to discovery is more likely to be months.” This gap must be tightened and security tools need to focus on real-time attack detection if we are to have any chance to curtail these breaches.
Bob Huber, CSO at Tenable:
“As today’s Verizon DBIR attests, the threat landscape organisations face is complex, multi-faceted and evolving. The sheer volume of security incidents and confirmed breaches analysed is incredible, and this is just a percentage of the overall total of insecurities that have seen organisations affected – whether it’s a network outage, malware infection or data breach.
“There will be criminals looking to exploit vulnerabilities to perform illicit activities while they can monetise their efforts and that’s where organisations need to focus – stopping them or at least making them work harder for it.
“While many reports will talk about nation-state hacking or advanced threats what this year’s DBIR shows, as it has for many years now, is that the attacks that are most successful are not new or even particularly clever — they’re just effective. Business email compromise attacks; malware infections and the tried and tested credential abuse make up the reports key findings. Translating this simply — it’s a lack of basic cyber hygiene that is still to blame for nearly all 41,686 security incidents and 2,013 confirmed breaches.
“If we’re ever to see these figures decrease, organisations need to focus on doing the basics – understanding what they’ve got, what’s important to the business and then making sure it’s protected 24/7.”
Chris Ross, Cybersecurity Expert at Barracuda Networks:
The Verizon 2019 Data Breach Investigations Report results highlight just how critical email protection is. Phishing remains big business, with 32% of data breaches utilising phishing techniques.
The most worrying finding, however, was the focus that cyber criminals are now placing on targeting C-level executives. As we all know, senior execs often have wide ranging access due to their seniority in the business. However, they’re also extremely time poor and sometimes have executive assistants managing their email accounts for them.
The report reveals that senior execs are 12 times more likely to be the target of social incidents, and 9 times more likely to be targeted by social breaches than in previous years. This comes as no surprise to us, as senior executive attacks are often extremely lucrative, adding many zeros onto the end of cybercriminal revenues.
However, there’s good news for those working in HR. Attacks on human resources teams are down – 6 times fewer HR personnel have been impacted this year, compared to last year.
The report suggests financial motivation remains the key driver, and with that in mind, it’s clear that cyber criminals are still going where the money is. If we’ve learnt anything in our time in cyber security, it’s that criminals always respond to what is going to net them the most income, and attacks aimed at senior execs are clearly what’s working at the moment.
All of this illustrates more clearly than ever, that security technology by itself is no longer enough. It is imperative that employers educate their staff – at all levels – to be more aware, especially when it comes to phishing and social engineering attacks.
Corin Imai, Senior Security Advisor at DomainTools:
“Phishing remains to be a key theme of the Verizon DBIR for another year with 62% of non-self-inflicted breaches involving the use of stolen credentials, brute force, or phishing. Although the click rates for phishing attempts has reduced, the rise of social engineering (spear-phishing, business email compromise, etc.) and cyber-espionage continue to be extremely lucrative for the adversary. The DBIR is a great reminder of where organizations should focus their preventative efforts.”
Ryan Wilk, Vice President at NuData Security:
“As this report illustrates, cybercriminals are using and inventing every possible technique to make a grab for personal information. Unfortunately, from the moment a breach occurs until it is discovered – sometimes up to months, cybercriminals have ample time to broker the stolen data, leaving customers open to the impacts of identity theft. After a breach occurs and data is stolen, the heart of the problem is differentiating real customers from imposters who have the stolen credentials. All customer information is valuable to fraudsters. Name, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We must change the current equation of “breach = fraud” by changing how we think about online identity verification. We need to protect all customer data, but more importantly, we need to make it valueless. Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour. Analysing customer behaviour with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless. The balance of power will return to customer protection when more companies implement such techniques and technology.”
Sam Curry, Chief Security Officer at Cybereason:
“Much as notorious bank robber Willie Sutton was often cited as saying, you rob banks because that’s where the money is, going after the C suite makes sense. Not only does the C suite have the best business intel, insight and access, they often negotiate exceptions to security or bypass them confidently and arrogantly. They make great targets for attackers, along with privileged business super-users, admins and those who have accumulated too many rights in a career.
Cybercrime pays. Almost all cyber versions of real world activities, from crime to war (and from gaming to work) are more efficient, less risky with bigger margins and more opportunities then their kinetic world counterparts. If you’re an old school gangster knocking over bank branches and liquor stores, you’re a dying breed: the real money, the security of anonymity and hiding thousands of miles away and the ability to do business at an unprecedented scale are all online. Real crime pays, and it’s just a click away.
I believe that the lionisation of ransomware happened because it causes real damage and continues to do so; However, it is for the most part a retrograde motion. Most attacks are becoming more subtle, more persistent, less obvious because attackers generally benefit from longer time in networks and systems without being detected. Some want to smash and grab money, but for the most part the advanced attackers use ransomware to trigger autonomic responses in Enterprises to cover their tracks when IT re-images systems or returns to operational state. Sometimes the ransomware is there to make a quick buck and sometimes it’s there to hide the real crime. However you look at it, it’s here and hurting people even if it is an anomaly among other cyber trends.”
Mandeep Sandhu, Principle Solutions Engineer at SentinelOne:
The Verizon DBIR 2019 again highlights that organisations’ lack of visibility into their infrastructure is still a key issue. However, with the volume of security alerts and incidents (this report analysed 41,000 security incidents) to manage, teams are often overwhelmed. Autonomous security can help with these high volumes, allowing for more focus on monitoring and securing high target systems (as 60% of attacks involved hacking a web application) or individuals (like the C-level executives mentioned within the report).
With cyber attacks increasing in their complexity, security teams need to be able to quickly identify and understand all cybercriminal activity across their organisation’s environment. And that includes third party/supply chain environments too. Organisations should aim to use technologies designed to detect and respond to cybercriminal activity, as they often have access to all attack details and therefore have the ability to restore files and system configurations with minimal impact to business operations, which is especially important in ransomware attacks.
Lamar Bailey, Senior Director of Security at Tripwire:
“In Cybersecurity we tend to focus on external threats but the DBIR report shows that 34% of the breaches were from internal actors. Are your defenses set up to detect and stop internal actors? Network segregation, Identity and Asset Management (IAM), User Activity Monitoring, Data Leakage protection, and good physical security are a requirement to combat and discover these threats.”