Plaintext: What DBIR Tells Us About Security Patterns

Welcome to Dark Reading in Plaintext, brought to your inbox this week by Deloitte . In this issue of Plaintext, we dig deep into the Data Breach Investigations Report. The 100 page report, as always, is full of charts, patterns, and trends. What jumped out at you? How do you use the report? If you enjoy Plaintext, please share with friends and colleagues !

Key DBIR Takeaways. Verizon Business releases its highly-anticipated Data Breach Investigations Report around this time of the year (although this year felt really early) so that we can pore over the 100 pages of charts and insights. The team behind this year’s DBIR analyzed 30,548 security incidents, out of which 10,626 were confirmed data breaches. The data spanned 94 countries and includes incidents the Verizon Business team investigated as well as data contributed by dozens of global partners, including law enforcement agencies, security vendors, platform providers, and incident response firms.

One significant number from the report: DBIR investigators identified 1,567 individual breaches connected to the exploitation of the flaw in MOVEit File Transfer utility (based on breach description and the timing of the breach). "This was the sort of result we were expecting in the 2023 DBIR when we analyzed the impact of the Log4j vulnerabilities,” the report said. The vulnerability in MOVEit resulted in a worst case scenario despite being lesser known because the product was so widely deployed .

Fastly's Kelly Shortridge outlined three theories as to why MOVEit dwarfed Log4shell in terms of impact. One theory was that MOVEit was the responsibility of the IT department while Log4Shell was the province of software engineering. It makes sense that software designed for end users will be easier to update than software designed as a library to use in other systems,” Shortridge noted.

“With MOVEit, you can download all the data and documents within and hope that some will contain sensitive stuff that the victim does not want exposed. Thus, 0day in MOVEit checks the boxes on both scalability and ease of use in a way Log4Shell did not.” — Kelly Shortridge , Fastly

Dark Reading in Plaintext is brought to you by Deloitte

Deloitte launches CyberSphere platform

Cybersecurity just got simpler. CyberSphere, a vendor-neutral integrated platform, brings Deloitte specialists and technology together to help operate your cyber solutions from a single platform. Check it out .

Making DBIR Actionable. DBIR notes that human error is still a major problem in security, as human error played a role in 68% of breaches. Part of the reason is that users are falling for phishing attacks. The median time for users to click on a phishing simulation link was just 21 seconds. The median time to submit sensitive data to the simulated phishing site was just 28 seconds. More than 40% of social engineering attacks involved pretexting, a tactic generally associated with business email compromise .

DBIR maps incident classification patterns to the Center for Internet Security’s Critical Security Controls. VulnCheck ’s Patrick Garrity ?????? posted a one-pager outlining which CIS Critical Security Controls to prioritize to address issues most frequently involved in breaches. Garrity also mapped all the techniques to incident classifications, and then back to tactics in MITRE’s ATT&CK framework . It’s striking how frequently social engineering appears across the phases: Reconnaissance, Resource Development, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Lateral Movement, and Discovery.

There was a silver lining in the phishing cloud: 20% of users reported the simulated phishing email without clicking on the link. Even among those who clicked on the simulated phishing link, 11% still reported the email. Phishing awareness training seems to be sticking somewhat, and changing some behaviors.

What We Are Reading

• [Deloitte ] Explore a first-of-its-kind cybersecurity platform.
• 5 hard truths about the state of cloud security in 2024.
• Manage your own email? Why haven’t you set up DMARC yet?
• Ouch. Dropbox Sign credentials and authentication data exposed
• Some countries are mandating cybersecurity firms to be licensed and certified .

What We Heard On-Air

Tune in to our on-demand webinar?“DevSecOps: The Smart Way to Shift Left ” to learn about how organizations can shift left for better security.

"The smart way to shift left is to make it a team sport, where cross organization buy-in is a must." — Tom Parker , CEO, Hubble Technology

From Our Library

Check out some of the latest reports from our?Dark Reading Library .

• [Deloitte ] Experience CyberSphere at RSA Conference 2024
• Tech Insight: Outsourcing Security Without Inviting Risk and Wasting Money
• Dark Reading Research: How Enterprises Secure Their Applications
• Tech Insight: How Supply Chain Attacks Work — and How to Secure Against Them
• Dark Reading Research: The State of Incident Response

On That Note

Psst, have you heard about Dark Reading Confidential? Dark Reading is launching a brand-new podcast this month. Dark Reading Confidential will bring you firsthand stories from cybersecurity practitioners in the trenches. We will be on all the major platforms: Spotify , Apple Podcasts (any day now), Amazon Music , Pocket Cast (coming soon!), and Deezer . Follow and subscribe so that you don’t miss Episode 1!

Dark Reading in Plaintext is brought to you by?Deloitte