The 11th installment of the Verizon Data Breach Investigations Report (DBIR) was recently released, with the goal of informing its readers of the cyber-threats they face today and how to best protect against them. Although 2018’s DBIR confirms 53,000 incidents and 2,216 breaches for the past year – a rather dismal report that paints a bleak picture of what we can expect for 2018 – the report offers an undertone that provides a more positive outlook for the future.
“We all crave safety, but it seems there’s no safety to be had in today’s world. The reality is that there has never been a world devoid of risk at any time, but at least in the past no one was bombarded by incessant negativity, with rumors of disaster, economic collapse, war and famine pouring in an unending stream into their lives from TVs, laptops, tablets and phones. Modernity affords us little refuge from the onslaught of depressing and distressing media headlines. What then should we do? Unplug everything?”
The authors of the DBIR think not, suggesting instead that, while there is no guarantee of total safety, you can still act proactively to protect what you value.
Rather than simply seeing the DBIR as a litany of nefarious events that have been successfully perpetrated against others and therefore, may happen to you, think of it more as a recipe for success. If you want your security program to prosper and mature, defend against the threats exposed in the pages (of this report).
The Big Picture
This year’s DBIR follows its usual format, showing high-level trends and findings from 2017 data, with a focus on the standard suspects – malware, ransomware, and the social engineering aspect of cybercrime. From there, the report reviews the nine incident classification patterns, with a deep dive into the industries most affected by incidents and data breaches.
Much like the results in 2016, this year’s report shows that hackers have been very successful in their efforts to steal data, with 73% of the breaches caused by outsiders and 50% of breaches carried out by organized criminal groups. The old saying “if it isn’t broken, don’t fix it” holds true for breach tactics as well, as hacking again proves to be the most successful type of breach (48% of breaches featured hacking), while 30% of the breaches included malware.
What’s worse is that these breaches are taking a long time to be detected – 68% of the breaches took months to discover – causing more damage to those hit and making the breach more lucrative for the hackers, which is why 75% of the breaches are financially motivated.
Hackers will target any business, but the most vulnerable have also proven to be the most heavily affected. Whether the vulnerability is due to outdated networks or large amounts of stored data, hackers took advantage of these weaknesses, hitting healthcare organizations in 24% of the breaches, accommodation and food services in 15%, and small businesses in an astounding 58% of the reported breaches. We will discuss each industry in more depth in part 2 of this blog.
Social attacks – To err is human
The DBIR features a section on social attacks, discussing the two main varieties – phishing and pretexting. Phishing and pretexting represent 98% of social incidents and 93% of breaches, with email as the most common vector (98%).
Pretexting is the creation of a false narrative with the goal of obtaining information or influencing behavior through back-and-forth dialog. While malware was found in less than 10% of pretexting incidents, this type of social attack is more about acquiring information directly from the actions taken by the target.
For example, pretexting often targets employees who work within finance or human resources. Finance employees are emailed by the threat actor who is impersonating the CEO or other executive, influencing the employee into transferring funds. Human resource employees most often receive a similar type of impersonating email, requesting W-2 information that is loaded with salary and other personal information. Pretexting incidents rose from 61 incidents in the 2017 DBIR to 170 for this year’s report.
Phishing, which is the crafting of a message typically sent via email, is designed to influence the recipient, “taking the bait via a simple mouse click.” Once the recipient clicks the attachment or link, credentials are requested and malware is dropped into the recipient’s system. Phishing occurred in 1,192 incidents – with malware present two-thirds of the time – with 236 confirmed data breaches.
While these results show how susceptible organizations are to phishing, it is surprising that the DBIR’s results from phishing simulations showed that in the normal (median) organization, 78% of people don’t click a single phish all year. Unfortunately, the data also revealed that 4% of people in any given phishing campaign will click – proof that a phishing attack only needs one person to let them in.
Ransomware and botnets
While botnets are new to the DBIR, ransomware has been a doom and gloom breach tactic that has been discussed in the report since 2013.
Ransomware was first mentioned in the 2013 DBIR and we referenced that these schemes could “blossom as an effective tool of choice for online criminals”. And blossom they did! Now we have seen this style of malware overtake all others to be the most prevalent variety of malicious code for this year’s dataset.
Ransomware is an interesting phenomenon that, when viewed through the mind of an attacker, makes perfect sense. Ransomware can be:
- Used in completely opportunistic attacks affecting individuals’ home computers as well as targeted strikes against organizations
- Attempted with little risk or cost to the adversary involved
- Successful with no reliance on having to monetize stolen data
- Deployed across numerous devices in organizations to inflict bigger impacts and thus command bigger ransoms
Botnet infections were so prevalent in this year’s report that the DBIR pulled these breaches out to look at separately, so that they don’t overshadow other findings. The report reveals over 43,000 breaches involving the use of customer credentials stolen from botnet-infected clients – a massive, world-wide problem.
(Figure: Geographic spread of botnet breaches)
As the report states, botnets can affect you in different ways. In one way, you never even see the bot. Instead, your users download the bot, it steals their credentials, and then uses them to log in to your systems. The aforementioned bounty of data provided through botnet takedowns represents this case. This attack primarily targeted banking organizations (91%) though Information (5%) and Professional Services organizations (2%) were victims as well.
The other way organizations are affected is through compromised hosts within their own network acting as foot soldiers in a botnet. The report’s data shows that most organizations clear most bots in the first month, but others are struggling to clear the infection. The report suggests adding a second factor to user authentication.
Malware
Although the data for ransomware and botnets seems daunting, the report offers an insightful look into malware. Analyzing data on 444 million malware detections across 130,000 organizations, it was discovered that the median organization received 22 or fewer pieces of malware per year. In fact, most companies receive malware on six or fewer days a year.
The report does describe the different forms that malware can take, emphasizing that organizations should not rely on malware they have seen in the past, because most likely, it won’t look the same in the future.
JavaScript (.js), Visual Basic Script (.vbs), MS Office and PDF tend to be the file types found in first-stage malware. They’re what sneaks in the door. They then drop the second-stage malware. In this case, it’s predominantly Windows executables. Note, once the first-stage malware is in the door, they can invite their second-stage friends in any way they want. They can be dressed up as something else. They can invite them in via another route. Once the first unwelcome guest is in, it’s much harder to catch the rest before they execute and wreck the place.
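As an added illustration of the first-stage/second-stage distinction above (this is example code written for this post, not part of the DBIR or any vendor tool), the following Python triage helper flags inbound mail attachments by the file types the report names, and looks at every extension in a name so that a file “dressed up as something else” (a double extension or a padded name) is still caught. The sample messages are constructed.

```python
# Extensions the DBIR associates with first-stage malware: script files,
# MS Office documents and PDFs.
FIRST_STAGE = {".js", ".vbs", ".pdf",
               ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
               ".ppt", ".pptx", ".pptm"}
# Second-stage payloads are predominantly Windows executables.
SECOND_STAGE = {".exe", ".dll", ".scr"}


def classify_attachment(filename: str) -> str:
    """Return 'first-stage', 'second-stage' or 'benign' for an attachment name.

    Every suffix in the name is examined, not only the last one, so
    "invoice.pdf.js" is flagged as a script. Trailing spaces and dots, a
    common way to hide the real extension, are stripped before checking.
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    suffixes = {"." + p for p in parts[1:] if p}  # "a.pdf.js" -> {".pdf", ".js"}
    if suffixes & SECOND_STAGE:
        return "second-stage"
    if suffixes & FIRST_STAGE:
        return "first-stage"
    return "benign"


# Constructed sample mailbox, not real data.
SAMPLE_MESSAGES = [
    {"from": "ceo@example.com", "attachments": ["Q3 figures.xlsx"]},
    {"from": "hr@example.com", "attachments": ["W-2 request.docm", "photo.jpg"]},
    {"from": "billing@example.net", "attachments": ["invoice.pdf.js"]},
    {"from": "alice@example.org", "attachments": ["notes.txt", "update.exe  "]},
]


def triage(messages):
    """Return (sender, filename, verdict) for every attachment that is not benign."""
    flagged = []
    for msg in messages:
        for att in msg["attachments"]:
            verdict = classify_attachment(att)
            if verdict != "benign":
                flagged.append((msg["from"], att, verdict))
    return flagged


if __name__ == "__main__":
    for sender, att, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:<13} {sender:<24} {att!r}")
```

Office documents without macros will also be flagged here, which matches the report’s coarse file-type view; a production gateway would add content inspection rather than rely on names alone.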
Regardless of the type of attack, the reported incidents and breaches share commonalities that enable the DBIR to categorize them and study how often each pattern is found in a particular industry’s dataset.
In part two of this blog, we will examine the DBIR’s nine incident classification patterns and discuss how incidents and breaches affect each individual industry.