One of the most respected publications in cybersecurity is the Verizon Data Breach Investigations Report (DBIR), which analyzes over 150,000 incidents and provides a comprehensive analysis covering the 32,002 incidents and 3950 breaches that meet Verizon’s quality standards. I liked very much how they chose to represent the concept that no industry, no region, no market is excluded, using a page of differently colored squares to illustrate how wide, pervasive, and data-driven their analysis of the 3950 breaches has been.
Concerning the findings, nearly half (45%) of the breaches featured Hacking. The large majority of them have been perpetrated by external actors, which reinforces the idea that a value chain is present behind almost all hacking attempts. This evidence is also highlighted by the common denominators section, showing that 86% of breaches are financially motivated.
This same section shows that nearly half (43%) of the breaches involved Web Applications. This shows the crucial importance of having a solid CI/CD pipeline where security is fully integrated as early as possible in the DevOps lifecycle.
This pervasive role of security must include a continuous assessment before and after the production stage, to ensure that vulnerabilities causing compromises and breaches are detected early enough and surfaced to developers in a consumable format so they can be fixed with a minimum time to remediate (TTR).
The high percentage of breaches where web apps were the primary attack vector shows that there is still a lot of room for greater understanding of the importance of DevOps security.
Another commonality that needs attention is that 37% of breaches stole or used credentials, highlighting that too many attacks don’t need sophisticated malware to succeed. Asset misconfiguration, scarce security awareness, or mistakes in verifying compliance are normally great risk amplifiers for attacks where credential theft is the root cause of the breach. It’s also worth noting that breaches where misconfiguration was leveraged have increased by 4.9% from last year, and since 2015 there has been a steady growth of this technique.
Misconfiguration and Misdelivery
Looking at the supporting actions section, Error, and especially Misconfiguration, comes immediately after Hacking and is practically as common as Social.
While Misconfiguration and Misdelivery rank low among the top threat actions in incidents, they hold a very high spot when the focus is on the top threat actions in breaches. This is a clear sign that compliance verification is underestimated within the wider vulnerability management programs.
A solid solution like Qualys VMDR (Vulnerability Management, Detection, and Response) focuses not only on infrastructural and software vulnerability detection, but also expands the scope to validate the overall compliance and security posture as per CIS benchmarks. This capability can be expanded to other compliance frameworks for more comprehensive validation.
One curious area in this same section is the use of weaponized malware: while this category has seen a decrease in overall usage, it also saw a polarization between advanced attacks and smash-and-grab, opportunistic compromises.
Both attack types affect the business and aim to steal valuable data or compromise service continuity. Since malware injection is often part of the vulnerability exploitation process, this polarization highlights the need for an effective vulnerability management and remediation program.
Aiming to shorten TTR with a granular and highly efficient prioritization program minimizes any exposed or vulnerable surface, further reducing the likelihood of a malware-rooted breach.
Another interesting chapter is the Exploiting Vulnerabilities one, because it starts by almost minimizing the problem, saying that vulnerability exploitation hasn’t played a major role, accounting for a peak of 5 percent in 2017. Nonetheless, the chapter also highlights that vulnerability exploitation is in second place among breaches caused by Hacking, because this technique is part of practically every attack strategy.
It also stresses the crucial importance of a continuous and effective detection and remediation program, because too many of the opportunities attackers use are low-hanging fruit: hosts that are still vulnerable to known exploits have existed for years. All cyber attacks are powered by a value chain, and easy, widely available exploits are much cheaper to find and use than sophisticated zero-days coded for the purpose!
Validating and managing the huge number of vulnerabilities continuously discovered remains a big challenge that can be faced and solved only with a very effective prioritization program, which needs to start from capabilities like digital landscape visibility and detection accuracy. This prioritization should be based on variables like detection age, real-time threat indicators, and the impact of the most dangerous vulnerabilities on your network. Orchestrating these values and mapping them to logically tagged perimeters is a very effective way to reduce the overall number of vulnerabilities while increasing remediation effectiveness over time.
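As an added illustration (not code from the DBIR or from any Qualys product), the following Python sketch scores constructed findings by severity, real-time threat indicators (public exploit, active exploitation), detection age, and the tagged perimeter the asset sits in, then groups the ranked list by perimeter. The weights and the sample findings are assumptions made up for the example.

```python
from datetime import date

# Constructed sample findings (not DBIR data): one detection on one asset each.
FINDINGS = [
    {"id": "F1", "asset": "web-01", "tags": ["internet-facing", "prod"], "cvss": 9.8,
     "detected": date(2020, 1, 10), "exploit_public": True, "actively_exploited": True},
    {"id": "F2", "asset": "db-01", "tags": ["prod", "pci"], "cvss": 7.5,
     "detected": date(2020, 4, 20), "exploit_public": False, "actively_exploited": False},
    {"id": "F3", "asset": "dev-07", "tags": ["dev"], "cvss": 9.1,
     "detected": date(2020, 5, 1), "exploit_public": True, "actively_exploited": False},
    {"id": "F4", "asset": "web-02", "tags": ["internet-facing", "prod"], "cvss": 5.3,
     "detected": date(2019, 6, 1), "exploit_public": False, "actively_exploited": False},
]
TODAY = date(2020, 6, 1)  # constructed "as of" date for the age calculation

# Assumed weights: how much each logically tagged perimeter amplifies impact.
PERIMETER_WEIGHT = {"internet-facing": 2.0, "pci": 1.8, "prod": 1.5, "dev": 0.7}

def detection_age_days(finding, today):
    return (today - finding["detected"]).days

def priority_score(finding, today):
    """Combine severity, threat indicators, detection age and perimeter impact."""
    threat = 1.0
    if finding["exploit_public"]:
        threat += 1.0        # cheap, widely available exploit
    if finding["actively_exploited"]:
        threat += 2.0        # seen in use: jumps to the top of the list
    # Age penalty grows with time, capped at one year
    age_factor = 1.0 + min(detection_age_days(finding, today), 365) / 365
    impact = max(PERIMETER_WEIGHT.get(t, 1.0) for t in finding["tags"])
    return round(finding["cvss"] * threat * age_factor * impact, 1)

def prioritize(findings, today):
    """Findings sorted highest priority first."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)

def by_perimeter(findings, today):
    """Ranked finding ids grouped under each tagged perimeter."""
    groups = {}
    for f in prioritize(findings, today):
        for tag in f["tags"]:
            groups.setdefault(tag, []).append(f["id"])
    return groups

if __name__ == "__main__":
    for f in prioritize(FINDINGS, TODAY):
        print(f["id"], f["asset"], priority_score(f, TODAY))
    print(by_perimeter(FINDINGS, TODAY))
```

Note how the year-old medium-severity finding on an internet-facing host (F4) outranks the fresh critical in the dev perimeter (F3): detection age and exposure, not CVSS alone, drive the order.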
The DBIR strongly advocates an asset management program that is integrated with security and compliance. The digital biodiversity we have to deal with nowadays includes many species: non-digital ones like human users, semi-digital ones like Operational Technology, and the whole universe of IoT, Cloud instances, and mobile devices. Each of these categories has a variety of attributes that should be organically catalogued, organized and normalized into a global IT asset inventory on which many other IT, security, and compliance processes are grounded.
This approach creates a solid, actionable, single source of truth that is critical when vulnerable surfaces become attack surfaces because vulnerabilities are left hanging there for a long time… and eventually when the inevitable breaches turn them into compromised assets.
The scale that such an inventory, and the processes it enables, should reach is potentially very high; but it must also be flexible enough to grow, to shrink, to expand and contract at the pace imposed by digital velocity.
Thirteen Years of Experience
The Verizon DBIR celebrates its thirteenth year with a level of maturity that is impressive, grounded on data science and on a great capability of summarizing a huge amount of raw data into meaningful and actionable information, greatly refined by experience.
The wrap-up on page 101, reiterating the crucial importance of using the CIS Top 20 controls as guidance for security posture validation, is the perfect conclusion for a very informative read.