Last week I hosted a webinar with Nicholas J. Percoco, VP of Strategic Services at Rapid7, where we discussed the latest Verizon DBIR. This year's report, as always, is recommended reading for any security professional, as it is probably the most comprehensive piece of research available, covering information gathered about 63,000 incidents and 1,300 confirmed breaches, sourced from 50 contributing organizations in 95 countries. This gives a comprehensive outlook, over the years, on the changing attack landscape. Here are our nine takeaways from this year's DBIR:
1 - Attackers shift their methodologies: hacking, malware and social engineering are on the rise, physical attacks are decreasing
It is interesting to see that physical attacks are decreasing, as attackers can deploy different methodologies to attack remotely with greater success, using techniques like social engineering. We predict that these trends will continue to increase, because the growing amount of data shared and generated by people is fruitful ground for attackers.
2 - Stolen Credentials - the no. 1 attack methodology
Looking back over a decade of attacks, 2013 was the year in which stolen credentials boomed, as they became the most used attack methodology, rising from 3rd place in 2012. We expect this trend to increase, as we already saw in the eBay breach last week, in which stolen user credentials enabled the attackers to break into eBay, potentially revealing the passwords of 145 million users, or the recently announced Avast breach, where apparently 400,000 usernames, emails and passwords were leaked. Each of these events exposes millions of passwords and serves as a pivot point for attackers to gain access to other networks and companies, because users re-use passwords across services and systems.
3 - Focus on the attack patterns relevant to YOU
According to the DBIR, 95% of all attacks fall into 9 common patterns. By categorizing these 9 patterns and providing specific recommended actions, the DBIR helps security professionals focus on the attack patterns most relevant to their industry, type of data and threat landscape, and prioritize actions and investments. It is interesting to see in the DBIR that some attack patterns generate more incidents than actual breaches, while others are more "successful" in leading to an actual breach. This is also a helpful way to prioritize our efforts in managing these threat patterns.
4 - POS intrusions - Watch out for brute forcing and stolen vendor credentials
POS intrusions got attention with the 2013 large retailer breaches. Our recommendation: while brute forcing is still the most used methodology for cracking these machines, stolen credentials in general, and vendor credentials in particular, are the method on the rise. We recommend that every retailer puts in place detection capabilities to discover brute forcing and compromised credentials, in order to respond to these major industry threats.
5 - In cases of Insider Misuse - look at privileges
88% of attacks carried out by an insider abuse privileges to get hold of data. This is obviously not exclusive to a malicious insider threat, as many other attack methodologies escalate and leverage account privileges in order to move within the network and access critical assets. Make sure you have good visibility into account privileges and can tell when abnormal behavior by administrators is taking place.
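To make the detection advice in takeaways 4 and 5 concrete, here is an added Python example (mine, not Rapid7's, UserInsight's or the DBIR's) that runs three simple rules over constructed authentication log lines: a burst of failed logins followed by a success from the same source (brute forcing), a vendor account logging in from a source that is not on its allow-list (stolen vendor credentials), and an administrator account reaching a host outside its usual baseline (privilege misuse). All hostnames, account names, IP addresses, thresholds and the log format itself are assumptions made for the example.

```python
"""Added example: toy authentication-log detection rules for brute forcing,
stolen vendor credentials and admin privilege misuse. Everything below
(log format, accounts, hosts, addresses, thresholds) is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <FAIL|SUCCESS> user=<u> src=<ip> host=<h>"
SAMPLE_LOG = """\
2014-05-20T02:00:01 FAIL user=pos_admin src=203.0.113.7 host=pos-store-12
2014-05-20T02:00:03 FAIL user=pos_admin src=203.0.113.7 host=pos-store-12
2014-05-20T02:00:05 FAIL user=pos_admin src=203.0.113.7 host=pos-store-12
2014-05-20T02:00:07 FAIL user=pos_admin src=203.0.113.7 host=pos-store-12
2014-05-20T02:00:09 FAIL user=pos_admin src=203.0.113.7 host=pos-store-12
2014-05-20T02:00:11 FAIL user=pos_admin src=203.0.113.7 host=pos-store-12
2014-05-20T02:00:20 SUCCESS user=pos_admin src=203.0.113.7 host=pos-store-12
2014-05-20T08:00:00 FAIL user=cashier_bob src=10.1.1.20 host=pos-store-03
2014-05-20T08:00:10 SUCCESS user=cashier_bob src=10.1.1.20 host=pos-store-03
2014-05-20T09:15:00 SUCCESS user=vendor_svc src=198.51.100.9 host=pos-store-03
2014-05-20T09:30:00 SUCCESS user=vendor_svc src=192.0.2.44 host=pos-store-03
2014-05-20T10:00:00 SUCCESS user=dba_jane src=10.0.0.5 host=db-01
2014-05-20T10:05:00 SUCCESS user=dba_jane src=10.0.0.5 host=hr-fileshare
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)$")

# Constructed allow-list: the only source each vendor account may log in from.
VENDOR_ALLOWED_SRC = {"vendor_svc": {"198.51.100.9"}}
# Constructed baseline: the hosts each admin account normally touches.
ADMIN_BASELINE = {"dba_jane": {"db-01", "db-02"}}


def parse_events(text):
    """Turn log lines into dicts with a real datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, src, host) where at least `threshold` failures inside
    `window` are followed by a success from the same source: the shape of a
    guessed remote-access password. A single typo then success is ignored."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, src, host) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"], ev["host"])
        fails = recent_fails[key]
        while fails and ev["ts"] - fails[0] > window:  # expire old failures
            fails.pop(0)
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
        elif len(fails) >= threshold:
            alerts.append(("brute_force_then_success", *key, len(fails)))
            fails.clear()
    return alerts


def detect_vendor_credential_misuse(events, allowed=VENDOR_ALLOWED_SRC):
    """Stolen vendor credentials look like a perfectly valid login from the
    wrong place, so compare each vendor success against its allow-list."""
    return [("vendor_login_unexpected_src", ev["user"], ev["src"], ev["host"])
            for ev in events
            if ev["result"] == "SUCCESS" and ev["user"] in allowed
            and ev["src"] not in allowed[ev["user"]]]


def detect_privilege_anomaly(events, baseline=ADMIN_BASELINE):
    """Flag admin logins to hosts outside the account's known baseline."""
    return [("admin_outside_baseline", ev["user"], ev["host"])
            for ev in events
            if ev["result"] == "SUCCESS" and ev["user"] in baseline
            and ev["host"] not in baseline[ev["user"]]]


def run_all(text=SAMPLE_LOG):
    """Run every rule over the log text and return the combined alert list."""
    events = parse_events(text)
    return (detect_brute_force(events)
            + detect_vendor_credential_misuse(events)
            + detect_privilege_anomaly(events))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the constructed log the brute-force rule fires once (six failures then a success for pos_admin), the vendor rule fires on the second vendor_svc login, and the baseline rule fires on dba_jane reaching hr-fileshare; cashier_bob's single typo produces nothing. In practice the allow-list and baseline would be learned from historical authentication data rather than hard-coded, and the threshold and window tuned to the noise level of the environment.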
6 - Cyber Espionage leverages the most varied toolbox; still, phishing is THE way to break in
In most cases, cyber espionage campaigns break in using phishing emails: 78% via an attachment in a mail, 20% via a drive-by link in a mail. That's not surprising, as phishing just works.
7 - Yes, phishing works...
18% of users receiving phishing emails would click on a drive-by link, 9% would fill in a form and 9% would click on an attachment in a phishing email. That means that if an attacker sends emails to a large enough set of users, there is an excellent chance that they will be able to compromise at least one user.
8 - What can we do to detect things FASTER?
While compromise and data exfiltration take seconds to minutes, detection takes days, and in many cases weeks or months. This is a bad sign for all of us as an industry, showing that we lag behind the attackers, and we are not even improving... There is much to be done to be able to detect FASTER!
9 - How to make the DBIR work for you
We recommend that you use the DBIR for your planning and prioritization. Take your own key learnings and share them with your management. Use it as a tool to direct your budget planning. There is great insight into what threats YOU are facing and what gaps YOU may have, which can help you build your own program.
Worried about stolen credentials and user-based attacks? We recommend that you try the free limited features edition of UserInsight for faster detection and investigation of compromised accounts.