It’s that time of year again.
The 2017 Verizon DBIR is out and information security professionals are scouring the pages for insights and best practices to bring to their organizations. This year’s “InfoSec coddiwomple” offers many of the staple features they’ve reported on over the last ten years (Oh yeah, this is the 10th birthday of the report. Only a few more years until the hormones start surging and the DBIR will begin asking to borrow your car. Let’s take a moment to be present in these waning moments of adolescent serenity), including their nine incident classification patterns as well as the usual cheeky speak. But on this noteworthy anniversary the report also gives the world some new and useful insights. Cyber espionage (should this really be two words?) is an emerging trend that data contributors like us identified and provided to the Verizon team; the report also makes some formatting changes and adds industry-specific sections which they believe will make the report more actionable for practitioners. So, let’s dive into the meat grinder and begin to pull out their findings and apply them to what we already know.
Note: All readers of the 2017 Verizon DBIR need to keep in mind that the data merely reflects what the contributors gave Verizon; it is not an all-encompassing record of every data breach that took place in 2016. … we just need to be clear on that.
Breaches were perpetrated by external actors over internal ones by roughly 3 to 1 (75% outsiders, 25% involving insiders), and 18% were conducted by state-affiliated actors. Half (51%) involved organized criminal groups.
Year over year the share of external breaches is falling while the share of internal breaches is rising.
The classics prevail. 62% of breaches featured hacking and 51% included malware. Of the hacking-related breaches, 81% leveraged stolen and/or weak passwords. 43% of breaches involved social attacks (phishing, pretexting and the like), and social engineering worked 100% of the time it was counted.
Year over year these numbers have been on a steady rise with the exception of hacking, which is actually trending down since 2014. Most notable is the consistent rise of social engineering.
The top three sectors are actually four sectors…
- Financial organizations (24%)
- Healthcare (15%)
- Retail and accommodation, counted together (15%)
- Public sector (12%).
Financial gain and espionage are the biggest motives this year. They reflect that monetary gain and competitive intel still compel hackers to get out of bed every day. Even the 700 pounders.
Year over year we see financial motivation trending down but stabilizing in 2015 and 2016. Espionage is on a steady climb that almost parallels the rise of social engineering… go figure (the two go hand in hand).
Page six of the report dives deeper into the methods and vectors connected to each of the motivational factors discussed (espionage, financial, fun/curiosity) and tells us each of their stories:
Espionage is carried out primarily by installing backdoors or establishing command and control (C2), delivered either through hacking or through malware. We can infer from the rest of the data (the report does not state it outright) that the initial foothold comes through traditional social engineering, phishing email being the most prevalent vector.
Those motivated financially prefer a balanced mix of hacking, malware and social engineering. They hack web applications to steal credentials or plant backdoors/C2, and they are firm believers in phishing campaigns that deliver malware to harvest credentials or exfiltrate data directly.
Those motivated by the thrill of doing naughty things (fun/curiosity) show up on our radar through various forms of privilege abuse and general misuse… as expected.
Page 7 of the report points out what all the baddies are after: PII and credentials.
And finally, page 8 reminds us who is helping and how fast they can do it. On the breach timeline front we still see that “compromises are measured in minutes or less 98% of the time”. What’s interesting are the trends in breach discovery methods. Most noteworthy is the huge drop in discoveries credited to law enforcement in 2016 and the resurgence of internal and third-party discovery. While the feds may have been preoccupied with the 2016 Presidential campaign, the report also points out that law enforcement’s outsized success in 2015 was closely tied to the takedown of the Dridex botnet, which really skewed their numbers. If we set that outlier aside, law enforcement remains a constant, middle-of-the-pack contributor. However, the best news of the report can be found on this page as well: in 2016 third parties climb back into relevancy, and internal teams post the strongest discovery numbers the report has ever recorded.
“Hope is the pillar of the world” – Pliny the Elder.
The 2017 Verizon DBIR opens with this quote and sets the reader on the path to seek out the good while sifting through 70 pages of what went wrong. We at GRA Quantum want to echo this call for hope and suggest that despite the persistence of those who would do us all harm, the information security community is tirelessly standing guard and training the next wave of cyber defenders to make the world a safer place. While the headlines around this year’s report will undoubtedly say that cyber espionage is taking American companies by storm and that there are no signs of the adversaries slowing down, we want everyone to know that help is out there and we are proud to lead the pack of next-generation cyber defenders.
In conclusion, we’d like to leave you with the words Pliny used to describe his own work, the Naturalis Historia. He states, “…there is not one of us who has made the same venture, nor yet one among the Greeks who has tackled single-handed all departments of the subject.”
His words ring true: we all have our own experiences and all have something to contribute to the greater good. Or, plainly put,
“We are stronger together” – 2017 Verizon DBIR.
Learn more about our team at GRA Quantum.
Read the full Verizon 2017 DBIR report here.