Experts Comment: Verizon DBIR

The Verizon DBIR report has been made public today, and the key findings indicate an increase in cyberespionage and nation-state attacks.

Some of the key findings of the report:

  • C-suite executives are the main target of social engineering attacks.
  • Increase in cyberespionage attacks (12% compared to 2018)
  • Financially motivated breaches fell from 76% to 71%
  • 32% of breaches and 78% of cyberespionage incidents involved phishing.
  • Most of the malware arrived via email (90%)
  • 60% of web application attacks were on cloud-based email servers
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • A significant increase in attacks targeting HR personnel.
  • 21% of breaches on cloud platforms were caused by misconfiguration.

Expert Comments:

Tim Erlin, VP, Product Management and Strategy at Tripwire: 

“If you’re going to be making decisions based on the DBIR, you better make sure you’re clear on the difference between ‘incidents’ and ‘breaches’; and make sure you know which one you’re talking about when you cite a statistic.   

It can be fun and illuminating to play the anti-hype-statistic game with DBIR data by specifically looking at results that dispel some industry hype. For example, ‘less than a third of breaches involved malware.’ The split between external and internal attackers provides another interesting view. If you’re spending most of your time worrying about insider threat, you’re not in line with the data.   

There are core questions that CISOs and cybersecurity professionals look to answer with the DBIR, like ‘where am I not spending enough’ and ‘where am I spending too much’ of the cybersecurity budget.   

It’s really interesting to see how little has changed since 2013 in regards to threat actions in breaches. The biggest changes are in social engineering and attacks involving a real person. Those changes are indicative of how our connectedness has changed since 2013, and of attackers taking advantage of those changes.

While the pattern of attacking web applications affects a lot of sectors, retail is the most affected by this type of attack. The increase in web applications as an attack pattern in retail since 2014 is substantial. We saw a corresponding decrease in point-of-sale as an attack pattern over the same time frame. It’s likely that the shift to EMV cards, mandated in 2015, helped drive the shift in attack types as well.   

It’s no surprise that there’s strong alignment between cyber-espionage and the Public sector.   

Public sector companies have a lot to worry about, or a lot of opportunities for improvement. They’re near the top of the chart for malware, hacking, and social engineering as attack patterns.   

The impact of ‘miscellaneous errors’ on the healthcare sector is noteworthy. This pattern includes misconfigured servers, in addition to mis-delivery of sensitive data. These are errors that are largely preventable.

It’s good to see that physical attacks against ATMs have declined. Unfortunately, it’s rare for this industry to see positive progress reflected in these reports.   

The financial services industry has seen a significant increase in the use of compromised credentials in breaches since 2013. The industry response to this pattern is multi-factor authentication, but adoption of the solution lags adoption of the attack.   

While the summary data would tell you that the majority of incidents are driven by external actors, if you’re in healthcare, the details are important. Healthcare stands alone as the sector where insiders are the majority of threat actors, but given that the most common attack pattern for this sector is ‘miscellaneous errors,’ the insider threat is more accidental than malicious.”

Mitchell Jukanovich, Vice President of Federal at Tripwire:  

“It’s no surprise that the most clear and present threat across the public sector is Cyber Espionage, which is effectively executed using social exploitation and advanced malware.”

“The key to mitigating aggressive social engineering campaigns as well as malware attacks happens at the human level — cyber training and education. It sounds elementary, but a sound cyber training and education program can reduce the risk exposure to an agency, department or branch service. This year’s DBIR report reinforces the need for agencies to have a cyber response plan and to practice executing against it.”

“‘Dwell time’ or how long a bad actor has been inside a network is a key reporting metric for the government’s large system integrators. A robust change management solution can provide the situational awareness required to minimize ‘dwell time’ in government agency and contractor networks.”   

Martin Jartelius, CSO at Outpost24:   

“The Verizon DBIR is widely regarded as the leading annual cybersecurity research study and each year its findings are graver than the last.   

This year the report has a big focus on state-sponsored attacks and, while not surprising, the findings show just how frequently cybercrime is being used by governments to target adversaries.

The report also highlights that hacking is still playing a huge role in cyberattacks and reinforces the importance of organisations monitoring for vulnerabilities that can easily be exploited, so they can be remediated and patched before any damage occurs.”  

Shlomie Liberow, Technical Program Manager at HackerOne:  

“With the 2019 Verizon DBIR revealing that phishing was involved in 32 percent of breaches, organisations are clearly still not taking employee cybersecurity education seriously enough. 

When it comes to organisational or institutional security, a lot of what we can do to bolster our protection has nothing to do with technology and more comes down to employee education. 

Encouraging employees to question requests, double check on records and be just a little paranoid are all critical in improving overall cybersecurity posture. 

Companies who blame employees for poor passwords or bad behaviour with email aren’t spending enough time, money, or energy driving home security. Preventing phishing attacks can be closely tied to corporate culture. Is it normal for an exec to demand something like a bank transfer to a vendor, or a large purchase from a random site with no questions asked either because of fear or sternness? Welcome to phishing heaven. It’s up to IT and security teams to enable, empower and educate employees as part of strengthening the weakest links.” 

Fraser Kyne, EMEA CTO at Bromium: 

“This year’s report shows cybercriminals are choosing to take a subtler approach. Hackers don’t want to announce their presence anymore – as they would with noisy ransomware attacks. Instead, they silently gain access to conduct reconnaissance, insert backdoors, escalate privileges and exfiltrate data. The longer the ‘dwell time’ – i.e. the time a hacker has unauthorised access to systems – the more dangerous the attack can be.

Protecting high value assets has turned into a game of cat and mouse. Yet to win such a game, you need to spot the clues; however, this report shows that it’s taking months or longer to discover a breach. To address this, organisations must adopt layered defences that utilise application isolation to identify and contain malicious threats. This prevents hackers from gaining a foothold in the network by applying protection at the most common entry point, the endpoint, reducing the attack surface by closing off the most common routes into the enterprise like emails, the browser and downloads.

By turning the endpoint from a traditional weakness into an intelligence gathering strength, organisations get rich-threat telemetry about the hacker’s intent that hardens the entire defensive infrastructure. This gives security teams the big picture, reduces false positives and allows malware to detonate safely with no impact. Isolation stops hackers at the point of entry and provides security teams with the time and information they need to analyse the real threats they are facing.”