
Inside the 2017 Verizon DBIR

The tenth edition of the Verizon Data Breach Investigations Report is now available and MWR is again a contributor to the data analyzed. 

It’s that time of year again when we reflect back, comb through the data, and look to see what we can garner to combat emerging trends in data breach incidents. 

As a contributor once again to the 2017 DBIR, all metrics from MWR’s global Investigations & Incident Response practice are represented in the data set. We’re big advocates of sharing insights into the root causes behind major breaches so that all can benefit from the misfortunes of the few. In doing so, we hope readers can help us reduce the frequency of incidents we see repeated in industry sectors that need to understand the threats they should be focusing on.

Highlights

  • 81% of hacking-related breaches leveraged stolen and/or weak passwords
  • 43% were social attacks
  • 62% of breaches featured hacking
  • 51% of breaches included malware
  • 66% of malware was installed via malicious email attachments
  • 73% of breaches were financially motivated
  • 27% of breaches were discovered by third parties
  • 93% of breaches involved either financial or espionage-related motivations

How to get the most from the report?

The DBIR is seen by many as a fascinating insight into what really goes on in data breaches, but the real value is in using it as a means to direct investment in security controls that have the greatest impact on mitigating real world threats to your business.

Incident patterns, the naturally forming clusters identified first in 2014 when comparing the spread of incident metrics, are key to unlocking this value. This year’s report, more than ever, has an industry specific focus. As such, there is something for everyone and valuable insights into what the causes of and motivations are for breaches in each industry vertical. For this, figure 9 is your key to getting the most from the report, showing which incident patterns are associated most prominently within each industry vertical. Diving into the details of incident patterns that affect your corner of the security world is the best way to begin using the data most effectively.

The big threats

All the passwords

Over a billion credentials are known to have been stolen in the last year, particularly from web portals and sites outside online retail. If you run an online service where users authenticate, it’s time to brace yourself for the script-kiddie account checker scripts that replay those credentials against your login page, and to start thinking about multi-factor authentication if you haven’t already.
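The account checker traffic described above has a recognisable shape in authentication logs: one source tries many distinct usernames in quick succession, almost all of them failing. The following is an added example (not MWR's or Verizon's code) that flags such sources in a constructed, space-separated login log and lists the accounts that did succeed, since those are the ones that need a forced reset and MFA; the log format and the thresholds are assumptions.

```python
"""Flag account-checker (credential replay) traffic in web login logs.

Added example, not MWR's or Verizon's code. The log format is an
assumption: one line per attempt, "timestamp src_ip username OK|FAIL".
"""
from collections import defaultdict

# Constructed sample: a legitimate user retrying once, and one source
# cycling through leaked credentials for many different accounts.
SAMPLE_LOG = """\
2017-04-27T10:00:01 203.0.113.5 alice FAIL
2017-04-27T10:00:04 203.0.113.5 alice OK
2017-04-27T10:00:10 198.51.100.9 bob FAIL
2017-04-27T10:00:11 198.51.100.9 carol FAIL
2017-04-27T10:00:11 198.51.100.9 dave FAIL
2017-04-27T10:00:12 198.51.100.9 erin FAIL
2017-04-27T10:00:12 198.51.100.9 frank OK
2017-04-27T10:00:13 198.51.100.9 grace FAIL
"""


def parse_log(text):
    """Yield (src_ip, username, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def find_account_checkers(text, min_users=5, max_success_rate=0.5):
    """Return {src_ip: stats} for sources that look like checker scripts:
    many distinct usernames from one IP, mostly failing. A human who
    mistypes a password hits one account, not five or more."""
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "n": 0})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["n"] += 1
        if ok:
            s["ok_users"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["ok_users"]) / s["n"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["n"],
                           "success_rate": round(rate, 2),
                           "compromised": sorted(s["ok_users"])}
    return flagged


if __name__ == "__main__":
    for ip, s in find_account_checkers(SAMPLE_LOG).items():
        print(ip, s)
```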

Figure 6 – Number of records per data variety over time

Espionage

Whether associated with economic, political or military advantage, and whether actually carried out by nation states or others, espionage is proportionately trending up in the breach data. 

Figure 3 – Threat actor motives over time

Certain industries are bearing the brunt of this threat. With almost half of the data breaches in the public administration vertical linked to state affiliated actors, these are unsurprisingly the playground of intelligence agencies.

If you happen to be in Manufacturing and didn’t know it already, industrial espionage is your biggest threat. Remarkably, in this vertical 91% of data compromised was classed as secrets, 93% of threat actors were classified as external and 94% of breaches were associated with espionage as the threat actor motivation.

The good news is that, while these attacks are often quite advanced, they are also long running with over half of these taking years to discover. This means there is genuinely an opportunity to apply modern attack detection techniques such as threat hunting to pick up and contain these attacks early.

With social engineering through email phishing still being a key factor to the success of espionage incidents, good user behavior programs and tooling to detect or allow reporting of phishing are key controls to focus on.

Ransomware

Ransomware continues onward and upward in its prevalence and is the fifth most common form of malware in this year’s report. While progress is being made combating the commodity variants and dealing with the growing “Ransomware as a Service” threat, attackers have moved from single endpoints towards interactive attacks that target organizations. This is reflected in this year’s report and is certainly reflected in MWR’s caseload, which saw a 250% increase in ransomware cases last year compared with 2015.

“Perhaps the most significant change to ransomware in 2016 was the swing away from infecting individual consumer systems toward targeting vulnerable organizations.” - 2017 Verizon DBIR

In 2016, US-CERT observed 300% year-on-year growth in infections, and this trend continues into 2017. How does this stack up with what we are seeing? MWR conducts the majority of its incident response casework across Europe and Africa. As we have seen, the ransomware threat continues to evolve, with organized crime groups targeting corporate networks more and more frequently because of the profitability of such attacks.

While there has been a rapid expansion in the capability of ransomware to target network shares, encrypting vast amounts of corporate data, attackers soon learned that large organizations were willing and able to pay much more than individual users. This in turn has pushed ransomware capabilities and delivery techniques towards those of espionage-type attacks, resulting in widespread domain compromise, ransoms in the million-dollar range, destruction of online backups and enterprise-wide infection.

With this in mind, MWR has developed an anti-ransomware agent, RansomFlare, which uses a combination of machine learning and behavioral analysis to identify ransomware as soon as it runs on a computer system, and which supports rapid remote incident response and containment.

To get your incident readiness where it needs to be, find out more about MWR’s Ransomware Prevention and Incident Response offerings.
