Verizon has dropped their latest Data Breach Investigation Report, or DBIR. Here are some key highlights:
- Attackers have four key paths to hack into an enterprise: credentials, phishing, exploiting vulnerabilities, and malicious botnets
- 50% of breaches revolve around remote access and web applications
- 25% were contributed to by social engineering
- Credential reuse was involved in 45% of breaches
- Supply chain breaches are the “new hotness” for hackers
Jake Williams, Executive Director of Cyber Threat Intelligence at SCYTHE added these thoughts:
The DBIR showed that threat actors continue to gain access to networks using a relatively small number of high-level techniques. Once in a network, however, threat actors most often reuse the same set of post-exploitation procedures to perform system reconnaissance, privilege escalation, and lateral movement in the target environment. While organizations can’t realistically expect to keep all threat actors out of their networks, through CTI-led adversary emulation and detection engineering they can ensure that threat actors are detected as early in the intrusion as possible. When threat actors gain a foothold in their network, organizations should be able to ensure it never expands beyond that.
This year’s DBIR should be required reading for any enterprise as it will provide a roadmap as to how to protect your enterprise from getting pwned by hackers.
UPDATE: I have additional commentary from Artur Kane, VP of Product of GoodAccess:
Ransomware attacks are no longer limited to the large or the vulnerable. We are seeing government entities, healthcare institutions, or critical infrastructure operators fall victim to ransomware. But that is not all — small private enterprises and even individuals are finding themselves targeted. Size doesn’t matter; if you curate sensitive data, you are a candidate.
Organizations must realize that conservative cybersecurity approaches are no longer enough to keep them protected. They cannot rely on a secure perimeter to repel cyberattacks any more, because the perimeter is disappearing and moving to the internet.
Many users now connect remotely, often from unsecured networks, and companies migrate their infrastructure to the cloud, which is removing critical assets outside of the trusted safe-zone and spreading them beyond the reach of legacy security solutions. Companies often do not have control over the devices that users are connecting with, nor the infrastructure they are on.
The threat surface is simply enormous, and cybercriminals like to exploit it to gain unlawful access to internal systems and user data, often targeting unwitting users with phishing scams, spoofing attacks, or other methods to steal access credentials and infiltrate internal systems.
Once inside, there is little to stop them from doing damage or stealing sensitive data. Organizations must therefore implement security measures to tackle these threats.
Besides regular hardware and firmware updates and software patches, it is important to reduce the attack surface to minimize chances of initial intrusion. Organizations can do this by insisting on strong authentication of both users and devices, supported by multi-factor user authentication, and granting user privileges on a strictly need-to-know basis, allowing access only to a pool of strictly necessary systems and no further.
This makes it more difficult for attackers to actually use the stolen credentials, and if they do succeed in penetrating the network, they do not get free access to the entire network, but only a segment, which makes it difficult for them to move laterally and escalate the attack.
In addition, strong encryption should be employed on all connections, whether this is users, remote branches, or clouds. It is vital to conceal all company traffic from the eyes of potential attackers — they can’t steal what they can’t see.
But even with all these measures in place, compromises will happen, often through simple human error. Besides the aforementioned network segmentation by access privileges, it is also vital to have a real-time threat detection capability to expose threats in their infancy. Security administrators also need to have solid response and recovery plans in place for these occurrences, and should conduct regular training and drills.
Keeping continuous access logs can be an invaluable source of intelligence for tracing the journey of a cybercriminal through layers of security, which is vital for preventing similar attacks in the future. Also, regular backups are an absolute must, as post-breach data recovery can be very costly.
Last but not least, user training can greatly contribute to improving the overall company security posture. As a large part of ransomware attacks opens with a phishing lure, training employees in how to spot them can save millions of dollars in later breach recovery.
Ransomware attacks can only be expected to rise in both intensity and severity, as both profit-oriented and nation-sponsored hacker groups intensify their activities amid the increase in global tensions. All organizations, both private and public, must adapt to this threat both in their own interest and in the interest of society as a whole.
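The controls Kane's commentary leans on, continuous access logs and real-time detection that catches a foothold before it spreads, can be shown concretely. The following Python script is an added example and is not code from the DBIR, GoodAccess, or this post; the log field layout, the host names, the `vpn-gw` remote-access gateway, and the alert thresholds are all assumptions made for the example. It runs three detections over constructed authentication log lines: a source that fails against many distinct accounts and then succeeds (the credential-reuse pattern the report counts in 45% of breaches), a successful remote-access login without MFA, and an account that fans out to several internal hosts in a short window (lateral movement after a foothold).

```python
"""Toy detection pass over authentication logs (added example; thresholds,
log layout and host names are assumptions, not anything the DBIR defines)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed field order: timestamp user src dst result mfa
SAMPLE_LOG = """\
2022-05-24T09:00:01 alice 10.0.0.5 vpn-gw fail yes
2022-05-24T09:00:09 alice 10.0.0.5 vpn-gw success yes
2022-05-24T09:10:00 alice 10.0.0.5 srv-files success yes
2022-05-24T09:30:00 alice 203.0.113.7 vpn-gw fail no
2022-05-24T09:30:02 bob 203.0.113.7 vpn-gw fail no
2022-05-24T09:30:04 carol 203.0.113.7 vpn-gw fail no
2022-05-24T09:30:06 dave 203.0.113.7 vpn-gw fail no
2022-05-24T09:30:08 erin 203.0.113.7 vpn-gw fail no
2022-05-24T09:30:10 erin 203.0.113.7 vpn-gw success no
2022-05-24T09:31:00 erin 203.0.113.7 srv-files success no
2022-05-24T09:32:00 erin 203.0.113.7 srv-db success no
2022-05-24T09:33:00 erin 203.0.113.7 srv-backup success no
2022-05-24T09:34:00 erin 203.0.113.7 srv-hr success no
"""

# Assumed name of the remote-access gateway; logins here are the "front door".
REMOTE_ACCESS_HOSTS = {"vpn-gw"}


def parse_log(text):
    """Turn the whitespace-separated sample lines into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result, mfa = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                       "dst": dst, "ok": result == "success", "mfa": mfa == "yes"})
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, min_accounts=5, window=timedelta(minutes=5)):
    """Flag a source that failed against many distinct accounts, then succeeded."""
    alerts, failures = [], defaultdict(list)  # src -> [(ts, user)]
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append((e["ts"], e["user"]))
            continue
        recent = {u for ts, u in failures[e["src"]] if e["ts"] - ts <= window}
        if len(recent) >= min_accounts:
            alerts.append({"rule": "credential_stuffing", "ts": e["ts"], "src": e["src"],
                           "accounts_tried": len(recent), "compromised": e["user"]})
            failures[e["src"]].clear()  # one alert per burst, not per later success
    return alerts


def detect_remote_access_without_mfa(events):
    """Flag successful gateway logins that did not present a second factor."""
    return [{"rule": "no_mfa_remote_access", "ts": e["ts"], "user": e["user"], "src": e["src"]}
            for e in events if e["ok"] and e["dst"] in REMOTE_ACCESS_HOSTS and not e["mfa"]]


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag an account reaching several distinct internal hosts in a short window.
    The entry gateway is not counted: arriving is not lateral movement."""
    alerts, seen, alerted = [], defaultdict(list), set()  # user -> [(ts, dst)]
    for e in events:
        if not e["ok"] or e["dst"] in REMOTE_ACCESS_HOSTS:
            continue
        seen[e["user"]].append((e["ts"], e["dst"]))
        hosts = {d for ts, d in seen[e["user"]] if e["ts"] - ts <= window}
        if len(hosts) >= min_hosts and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"rule": "lateral_movement", "ts": e["ts"],
                           "user": e["user"], "hosts": sorted(hosts)})
    return alerts


def run_detections(log_text):
    """Run all three rules and return alerts in time order (stable on ties)."""
    events = parse_log(log_text)
    alerts = (detect_remote_access_without_mfa(events)
              + detect_credential_stuffing(events)
              + detect_lateral_movement(events))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"],
              {k: v for k, v in a.items() if k not in ("ts", "rule")})
```

On the sample, the spray against five accounts from 203.0.113.7 is flagged the moment it succeeds as `erin`, the same login is flagged for lacking MFA, and `erin` is flagged again three hosts into the fan-out; Alice's one mistyped password and two hosts stay below every threshold. Real deployments would key lateral movement on the session's assigned internal address and tune the windows to the environment's baseline, but the shape of the rules is the point: the log has to exist continuously for the first rule to see the failures that precede the success.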
UPDATE: Christopher Prewitt, Chief Technology Officer of MRK Technologies had this to say:
As expected, credentials and phishing are the leading paths for breaches. As defenses improve, attackers have utilized credentials to walk right through the front door, even using phishing as a means to acquire credentials.
As in years past, over 80% of breaches involve the human element. Attackers continue to target humans, who want to be helpful or can be tricked into clicking on something, opening a document, or providing their credentials to the attacker. With this, whatever we are doing for email security, it clearly isn’t working well.
Ransomware is a strong influencer to the DBIR data, where “Actor Disclosure” is over 50% for discovery method for breaches. Historically, the DBIR had shown that dwell time was north of 200 days. As ransoms become more common, their smash-and-grab effect has greatly reduced the dwell time. Ransomware attacks almost doubled year over year. Stolen credentials and phishing account for 70% of how ransomware is deployed.
With more and more investment in cloud and SaaS, it shouldn’t be surprising to see a significant increase in Basic Web Application attacks.
Supply chain isn’t only our consumer-related industries. Almost all companies are reliant on a digital supply chain in order to transact, whether it’s with customers, suppliers, or partners. Supply chains are also a source of risk, with 90% of supply chain incidents involving losing control of credentials or introducing ransomware.
Verizon’s Data Breach Investigation Report Makes For Some Interesting Reading
Posted in Commentary with tags verizon on May 24, 2022 by itnerd