My take on the Verizon DBIR 2019 report
The Verizon Data Breach Investigations Report is the cybersecurity industry’s equivalent of Leo Tolstoy’s novel “War and Peace”: everybody knows it is a must-read, but very few take the time to read it.
Now in its 12th year, the DBIR is the most extensive industry report of its kind, covering a staggering 41,686 security incidents, of which 2,013 were confirmed data breaches. In addition to the impressive breadth, the DBIR also presents some fascinating insights and depth, and it is clear it was written by security professionals for security professionals. One example of this no-BS attitude is the report’s focus on the impact of data breaches rather than on the motivation of hackers or on vague, hard-to-gauge “breach cost” metrics. Instead, it maps the most critical breach vectors and helps decision makers with the most acute question: “what should I invest in next?”
Breach vectors: email is still the (evil) king
As I have already learned, Eyal Benishti is always right. Go check out Ironscales.
We all know it, yet there seems to be minimal improvement in this field. Phishing is involved in 32% of breaches and 78% of cyber-espionage incidents, and 90% of malware arrived via email.
These numbers are surprising given the amount of attention, resources, and technology employed against email-borne threats. The only comfort is that the click rate on malicious links is dropping (at least in phishing exercises).
We can assume that a large share of these successful attacks is due to infected documents (weaponized attachments). Again, this is something that could be addressed by proven technologies such as the ReSec or Votiro CDR (Content Disarm and Reconstruction) file-sanitizing systems, which rebuild every incoming file without its active content instead of trying to decide whether it is malicious. Full disclosure: I am one of ReSec's founders.
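To make concrete what the “disarm” in CDR does, here is an added example (my own illustration, not ReSec’s or Votiro’s code) that rebuilds a macro-enabled Office package without its VBA project, using only the Python standard library. The sample .docm it operates on is constructed inline and is just the package skeleton, not a real document; function names such as disarm_ooxml are my own.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# OOXML package namespaces and the content types that mark a macro-enabled main part.
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_TO_PLAIN_MAIN_PART = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}
# Package parts that carry VBA code, its signature, or its metadata.
MACRO_PART = re.compile(r"(^|/)(vbaProject|vbaProjectSignature|vbaData)\.(bin|xml)$", re.I)


def find_macro_parts(package: bytes) -> list:
    """Names of the zip entries inside an OOXML package that hold VBA."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return [n for n in z.namelist() if MACRO_PART.search(n)]


def read_part(package: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(name).decode("utf-8")


def _clean_content_types(xml: bytes) -> bytes:
    """Drop the vbaProject content type and downgrade a macro-enabled main part to plain."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml)
    for el in list(root):
        ct = el.get("ContentType", "")
        if "vba" in ct.lower():
            root.remove(el)
        elif ct in MACRO_TO_PLAIN_MAIN_PART:
            el.set("ContentType", MACRO_TO_PLAIN_MAIN_PART[ct])
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _clean_relationships(xml: bytes) -> bytes:
    """Remove relationships pointing at the VBA project so Office never looks for it."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml)
    for el in list(root):
        if el.get("Type", "").lower().endswith("/vbaproject"):
            root.remove(el)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def disarm_ooxml(package: bytes):
    """Rebuild the package without VBA parts. Returns (clean_bytes, removed_part_names)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if MACRO_PART.search(name):
                removed.append(name)
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _clean_content_types(data)
            elif name.lower().endswith(".rels"):
                data = _clean_relationships(data)
            dst.writestr(name, data)
    return out.getvalue(), removed


# Constructed sample: the skeleton of a macro-enabled Word package (.docm).
# The VBA part is a dummy blob, not a real OLE stream.
_CONTENT_TYPES = f"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="{CT_NS}">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""
_DOC_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""


def build_sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _CONTENT_TYPES)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/styles.xml", "<w:styles/>")
        z.writestr("word/_rels/document.xml.rels", _DOC_RELS)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 dummy VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    print("macro parts before:", find_macro_parts(sample))
    clean, removed = disarm_ooxml(sample)
    print("removed:", removed, "| macro parts after:", find_macro_parts(clean))
```

Real CDR products go much further: they reconstruct the whole file from a clean template and also handle embedded OLE objects, DDE fields, external links and active content in PDFs. Stripping the VBA parts alone, as above, closes only the most common macro path; the main-part content type is downgraded so that the result is a plain .docx rather than a .docm with a dangling macro reference.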
The report also states that 60% of web application attacks were on cloud-based email servers, which means:
a. Cloud-based email servers are not (!) secure by themselves. In the cases the DBIR counts, the attackers mostly walked in with stolen credentials (phished or reused) rather than by exploiting the platform, so the fix starts with multi-factor authentication on the mailbox, not with the provider.
b. Sophisticated attackers go after these cloud email accounts deliberately. Once compromised, the accounts are used to spread spam or to send authentic-looking emails with malicious links or attachments from a trusted sender, which makes it far easier to persuade recipients to click or download.
One angle the report doesn’t cover, and will have to address at some point, is that infected files today can enter the organization through messaging apps (WhatsApp desktop, Facebook Messenger, etc.) or dedicated collaboration apps like Slack, which in many cases bypass the traditional email security mechanisms.
Malware types - C2 and ransomware
Speaking of malware types, the most commonly found malware was C2 (command-and-control malware, used to communicate between infected machines and their “operators”). Ransomware is the second biggest malware threat and accounted for 24% of malware-related breaches.
This may seem like good news: the ransomware pandemic is losing ground, and organizations are safer as a result. It is the opposite: sophisticated attacks are becoming more common than “simple” ones. I use “simple” and “sophisticated” to distinguish between opportunistic, mostly automated, wide-net attacks whose goal is a quick profit, and more elaborate campaigns that pursue longer-term goals (persistence, access to sensitive information, or even sabotage of IT systems).
Making the attackers’ lives easier
According to the DBIR, roughly a fifth of breaches were attributed to errors, with misconfiguration of cloud platforms (think storage buckets left readable by the whole internet) a growing share of them. Calling these incidents “hacks” or even “breaches” vastly glorifies the attackers’ skill at “hacking” and deflects the blame from the guilty party: the organization’s own IT personnel (or, more accurately, DevOps).
Some of the most outrageous data breaches of recent years occurred due to this type of incident, and their number seems to be rising. This is a testimony that the “cloud” is still uncharted territory for many organizations; even those who have mastered “IT security” seem to struggle with it (maybe because DevOps are not under the direct oversight of the CISO, or because CISOs are less aware of, or less able to address, these threats). In any case, this issue will stay with us for years to come. Security vendors such as Check Point and Palo Alto Networks offer holistic cloud solutions that cater to some of these security needs.
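As an added example (not from the report or from any vendor), here is the kind of check that catches the misconfiguration behind many of these “breaches” before an attacker does: a small Python function that reads an S3 bucket policy and flags statements granting object reads to anonymous principals, with the weak policy beside a corrected one. The bucket name, account ID and role name are placeholders I made up, and the policies are constructed inline; nothing here talks to AWS.

```python
import fnmatch
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone on the internet, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_object_read(actions) -> bool:
    """Does any action pattern in the statement cover s3:GetObject?
    Action names are case-insensitive and may be globs ("s3:Get*", "s3:*", "*")."""
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def public_read_findings(policy: dict) -> list:
    """Return [(sid, verdict)] for Allow statements that expose object reads to anyone.
    verdict is 'public' (no Condition: the bucket is world-readable) or 'review'
    (a Condition scopes it, or NotPrincipal/NotAction is used, which this
    simple check does not evaluate and so hands to a human)."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "NotPrincipal" in st or "NotAction" in st:
            findings.append((sid, "review"))
            continue
        if not _is_anonymous(st.get("Principal")):
            continue
        if not _grants_object_read(st.get("Action", [])):
            continue
        findings.append((sid, "review" if st.get("Condition") else "public"))
    return findings


# Constructed sample: the classic "just make the bucket work" policy that leaks every object.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-app-uploads/*"
  }]
}""")

# Corrected: the same read access, but only for one named role
# (placeholder account ID and role name, not a real account).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppReadGetObject",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-app-uploads/*"
  }]
}""")

# Anonymous principal scoped by a VPC endpoint condition: not world-readable, but worth a look.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VpcOnlyRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-app-uploads/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}""")


if __name__ == "__main__":
    for label, pol in [("weak", WEAK_POLICY), ("fixed", FIXED_POLICY), ("scoped", SCOPED_POLICY)]:
        print(label, "->", public_read_findings(pol))
```

The same idea applies to any resource policy (SQS, SNS, KMS, Lambda): an Allow to Principal "*" without a Condition is public, whatever the intent was. For S3 specifically, the account-level Block Public Access setting is the cheaper control, since it rejects such policies regardless of who writes them, and it is the first thing to verify when a team outside the CISO’s oversight owns the cloud account.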
Counting the minutes and hours
Another critical issue highlighted by the report is the immense gap between the time it takes attackers to compromise an organization (usually minutes from the start of the attack) and the time it takes security teams to detect them, which is counted in months.
This finding is further evidence that the real threat comes from sophisticated, stealthy attacks and not from ransomware (which, quite literally, announces its presence shortly after infecting the organization). The numbers don’t lie: cyber-espionage-related data breaches roughly doubled year over year (from 13% of breaches in 2017 to 25% in 2018), while financially motivated breaches dropped from 76% to 71%. This means organizations now face more capable attackers and should invest and prepare with this new reference adversary in mind.
My humble conclusion
We in the cybersecurity industry (vendors and practitioners alike) like to cling to a “soundbite”: the number of X attacks more than doubled in Y months. The DBIR shows the truth to be simpler and easier to comprehend. If I were to summarize this report for an executive, I would say that organizations face severe threats from serious perpetrators who use more sophisticated tools and are less likely to be detected before they cause harm.
Naturally, the immediate reaction would be to ask for a bigger budget, and that is precisely what the majority of CISOs intend to do.
And to answer in short “what should I invest in next?”: it greatly depends on the organization and justifies a full-length post. (A preview: I would look hard at solutions that offer a “hacker’s point of view” and at supply-chain security.)
Keep Safe!
Dotan
Guy who thrives on deep thought. Mastering the art of marketing, business development, and the grand game of strategy.
2 years ago
Dotan, thanks for sharing!
Seller, strategist and evangelist.
5 years ago
Now I can put off reading it for a few more days. Good summary Dot! I will add that Check Point Threat Extraction, which can be used for on-premise Exchange, Exchange Online or Google Suite, does provide the disarm capabilities to ensure that email is a non-threat-vector. Similarly, our SandBlast Mobile secures attacks aimed at FB Messenger, Skype, WhatsApp on iOS and Android devices, ideally curating them before they are ever clicked on the desktop app for the same.
In MEDITATION
5 years ago
Excellent summary, Dotan Bar Noy. When Verizon takes #DBIR 2019 to town in their various local sessions, I hope they make you one of their keynote speakers or part of the panel discussions. Your inputs can be of immense value to the discussions among #securityprofessionals.