The Verizon 2019 Data Breach Investigations Report (DBIR) – 5 Key Insights
by Robert Bond
The Verizon 2019 Data Breach Investigations Report (DBIR) – 5 Key Insights
The release of the 2019 Verizon Data Breach Investigations Report (DBIR) has organizations on high alert for attacks that are gaining popularity and has brought renewed attention to cyber resilience, incident response, and dwell time as well as four other key insights I will touch on in this post. In a previous blog post I discussed several key takeaways from the 2019 DBIR; in this post, I dig further into the five key insights that can be uncovered through analysis of the data in the Verizon DBIR statistics and report for 2019.
Ransomware dominated the headlines throughout the year as criminals altered the code on many of the more popular ransomware strains and made the code available on the dark web to anyone willing to blackmail unsuspecting victims to get their data unlocked. In addition, new strains are being created daily and while defense has improved, ransomware appears likely to remain a consistent threat.
Whaling or phishing targeted at senior management is increasing significantly. Rather than launching massive, wide-spread campaigns, criminals are targeting decision-makers with sophisticated e-mail phishing tactics. Web application threats have replaced POS attacks and appear poised to increase as criminals have moved on from physical POS systems due to improved payment card and payment kiosk security.
Rounding out the top 5 key insights are old mainstays which include insider threats and incident response. Insiders continue to wreak havoc by stealing sensitive data, providing vulnerabilities for attackers, and maliciously attacking systems themselves. The final key insight is the lack of quality incident response; dwell time or the time between when a system is compromised and when the attack is discovered has become a persistent, consistent issue that organizations are clearly struggling to solve.
Let’s dig into the 5 key insights.
The 5 Key Insights from the Verizon DBIR Explained
Ransomware attacks are becoming more sophisticated and focused as compared to the WannaCry outbreak of 2017. Although the overall volume of attacks has significantly decreased over the last year, there has been an increase in the volume of attacks aimed directly at businesses.
There are over 1,000 active ransomware variants roaming the web today, and knowledge is a user’s best defense against them. Let’s review two of the most infamous ransomware variants and how to spot them.
A close relative of WannaCry and Petya, Bad Rabbit uses the EternalRomance exploit to spread across networks after a host becomes infected. The attack began spreading across Europe in late 2017 by using a drive-by download tactic.
Users are prompted to update Adobe Flash player by legitimate websites that, unbeknownst to the user or the host, have been compromised by Bad Rabbit. Upon download, the malware is injected into their computer, automatically encrypting their files. This attack is most common in and around Russia; notable victims of Bad Rabbit include Interfax, Odessa International Airport, and the Kiev Metro system.
A more sophisticated and evolved variant of ransomware, Cerber is distributed to cybercriminals as ransomware-as-a-service, or RaaS. Attackers receive 40% of all ransoms paid as a result of the attack, and the developer gets the remainder.
Since a variety of attackers widely use Cerber, it can be challenging to predict how they will target victims. Typically, users receive an e-mail with an infected Microsoft Word or Excel document attached. Opening the document triggers a background process that quietly encrypts data and is followed by a ransom demand.
2) Whaling on Senior Management
Phishing is one of the most popular methods that attackers use to gain access to an organization’s data and money. One type of phishing, known as whaling, targets executives and senior management. In fact, the 2019 DBIR indicates that c-suite executives are 12 times more likely to be targeted than non-executive employees.
Companies are often reluctant to publish information on their whaling incidents, lest they publicly declare themselves vulnerable to such breaches. Ubiquiti Networks, for example, announced that they were a victim of a whaling incident by using vague terminology in an SEC Form 8-K filing. The unnamed target wired $46.7 million to attackers. The exact methodology of the attack has not been revealed, the filing simply states, “The incident involved employee impersonation and fraudulent requests.”
As with other social engineering attacks, knowledge is one of the best defenses against whaling; however, many policy-based controls can be implemented to increase security defenses, such as creating a verification process for fund transfers and utilizing e-mail filtering systems.
3) E-commerce Payment Card Fraud
Two types of card data can be stolen and sold in the online black market: CVVs and dumps. CVVs are purchased by criminals who are looking to make purchases on online stores, which is known as “card not present” fraud. Dumps, on the other hand, are used to create debit and credit card clones to use at brick-and-mortar stores, also known as “card present” fraud.
Historically, dumps were worth anywhere from 2 to 10 times what CVVs were worth. Over the last year, the supply of CVVs has been unable to meet growing demand, driving their value higher and higher. With that shift, as expected, more cybercriminals are beginning to target web applications to steal payment card information. Infected eCommerce sites often have card-skimming code hidden in plain sight.
The media is littered with examples of breaches of this type. British Airways and Ticketmaster are two of many examples of large corporations targeted by the threat group Magecart, which is known for injecting scripts into online payments forms on e-commerce websites.
Protection from malware that installs card-skimming code starts at the infrastructure level. Web servers should be patched to their latest versions and follow best security practices.
4) Insider Threats
The most common cause of a security breach is employees. Some of the most common insider threats include:
- Modifying or stealing information for personal gain
- Stealing trade secrets or customer information
- Sabotaging organizational data or systems
Not all breaches are malicious; many are accidental or from poor system or software configuration. Employees can unknowingly share sensitive information with malicious third parties or become victims of social engineering attacks.
According to IS Decisions, an astounding 86% of IT professionals believe that insider threats are purely a cultural issue and cannot be avoided. While knowledge is a good line of defense, there are a multitude of technical implementations that can prevent user errors, including:
- Improve access management and control
- Use third-party tools such as UserLock or FileAudit
- Enable anomaly detection policies
5) Incident Response and Cyber Resilience
Incident response is an organizational approach to managing the aftermath of a discovered security breach or attack. Cyber resilience, on the other hand, measures an enterprise’s ability to manager cyber-attacks and data breaches while continuing business operations. The two concepts are closely related, but certainly not the same in practice.
A key feature of incident response is called an IRP, or incident response plan. According to the SANS Institute, the six phases of an incident response plan are:
- Preparing users and staff to handle incidents
- Identifying whether an event is or is not a security incident or attack
- Containing the damage of the incident and isolating infected systems
- Eradicating the infection by removing affected systems from production
- Recovering from the incident and pushing clean systems back to production
- Learning from the incident by completing documentation, performing analyses, and improving future response efforts
A key factor in incident response is dwell time, the duration for which a bad actor has access to a network and remains undetected. Average dwell time is anywhere from 49 to 150 days; some organizations take years to discover that they’ve been breached. Typically, the longer that it takes to identify the threat, the more costly breaches become.
Cyber Resilience is broken down into four main components which are listed below along with examples of techniques to increase resiliency.
- Threat Protection: Implement security precautions for protection against e-mail attacks and invest in an endpoint detection and response solution
- Recoverability: Conduct regular and thorough backups of data on a separate network and run regular simulations of data breach scenarios
- Adaptability: Invest in user awareness education and design flexible infrastructure
- Durability: Implement only supported technology and make regular system enhancements
The 2019 Verizon DBIR provides organizations and IT security professionals data and insights concerning issues that are impacting the cybersecurity community. Having an understanding of the data trends is interesting for certain, however digging into the major pain points within organizations and learning to resolve them is critical. Threats will continue to evolve as we have seen with the multitude of ransomware strains and whaling attacks. However, organizations must improve their education concerning social engineering and insider attacks as well as incident response and cyber resiliency capabilities.
June 23, 2020
June 16, 2020