2016 Verizon DBIR Contributor Insights

This year MWR is again a core contributor into the Verizon DBIR - sharing metrics from the incident response investigations we deliver across the UK and internationally.

In order to protect the victims, these cases are ordinarily not publicly disclosed and due to this, often the only we way can share our insights from these breaches is through reports such as this.  As a result, this is a key publication for any business – providing real world examples from MWR and other incident response service providers.

What have we seen in 2015?

Financial services really came under fire in 2015. Of the confirmed data breaches where sensitive data was lost, over 35% were in the financial services sector. We have also seen that, relative to any other attacker motivation, financially motivated breaches continue their three year upward march, leaving espionage in decline and every other motivation practically off the map.

The Detection Deficit

 Figure 9

In this year’s report, of all the figures shared, figure 8 is one the security industry must take a good hard look at and then hang its head in shame. Over the past decade there has been a consistently diverging gap between time to compromise and time to detect. Attackers have increased their efficiency to the point where they successfully compromise a network in less than a week nearly 100% of the time. Defenders, however, despite all their investment in “flashy blinky boxes”, have not increased their ability to detect these attacks in less than a week much above the 25% mark. This is a critical gap to close in order for organizations to limit losses and time to containment and remediation.

To just drive that point home, the vast majority of data breach incidents are being discovered through the worst possible mechanism - external notifications. Internal detection continues to decline, probably as the effectiveness of legacy passive host based and network signature detection technologies become less effective. Internal detection outlined in figure 9 shows that internal discovery is trending downwards significantly. Of course, when external discovery is the route, the horse has not only bolted, it’s probably died of old age and your logs aren’t going to be much good telling you what was taken.

 figure 2

Key Assets Under Attack

This year, social engineering and phishing attacks that have resulted in endpoint compromise have steadily increased in percentage again. Figure 6 in the report demonstrates this, showing that the combination of employees and their workstations being compromised as part of a data breach have increased from about 30% 5 years ago, to over 50% last year.

 figure 3

The data in this year’s report shows a common thread - social engineering and compromise of user devices is the biggest growing threat and traditional detection is declining in effectiveness.

If businesses are to deal with these key threats, they must work to proactively change their security posture and really address these trends. In order to help you get there, we have provided you with some key areas to focus on so you as an organization can mitigate this trend:


  • Having read this data and seen the trends - you must proactively make the move (right now) to change your organization’s security posture.


  • Look at your email filtering solution and tune it to the common threats. If your users can execute unsigned documents with macros, they probably will.
  • Implement user awareness training and get users reporting phishing attempts. Careful implementation of VDI solutions and cutting right back on local administrator privileges greatly reduces the risk of these attacks being successful or persisting.


  • Step away from passive alert driven signature detection, such as AV and MSSPs. Move to more effective endpoint detection and response (EDR) technologies that look for common malware attributes, such as process injection and hooking that differentiate between well understood malware families and those that may be targeted at your organization.
  • Leverage user phishing reporting as an early warning sign to go hunting for malware dropped by attackers.
  • Where possible, implement sandbox analysis of executables and next gen AV, but be mindful, malware is rapidly adapting to defeat these technologies.


  • Where successful infections are detected, which will happen if the above are true, develop an internal first response and incident triage capability.
  • You need good people to fill this gap and have a clear escalation path to bring in specialist support before the horse has bolted.
  • Incident response teams like ours, would much rather be the surgeons than the coroner and help you contain an incident, rather than carry out a post mortem examination.

This year’s report is another solid addition to the series and an essential read for any security manager. As a contributor to the DBIR, we would like to extend to you the opportunity to benefit and learn from the trials we see others face in the real world on a daily basis.

The Verizon DBIR is a free publication and is available at the following link:

Author biography:

Paul Pratley is head of investigations and incident response at MWR. Paul brings to bear ten years of experience leading high profile data breach investigations around the world including state affiliated critical infrastructure breaches, industrial espionage, payment card data and targeted attacks. Paul currently leads a team of highly skilled incident response investigators that help organizations of all types in their times of greatest need when under attack from skilled and organized adversaries.

Emergency Incident Response Hotline – Call 0330 223 3292




Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.