The 2016 Verizon Data Breach Investigations Report, or DBIR, is going back to basics. Rather than trying to estimate...
the cost of a breach like last year -- a notoriously difficult thing to do -- this year's Verizon DBIR tries to drill home that IT security needs to focus on issues that have consistently, and historically, been used as attack vectors, including phishing, vulnerabilities and compromised credentials.
The 2016 Verizon DBIR, released today, is Verizon's ninth annual benchmark report, offering an unparalleled analysis of the previous year's data breaches and advice for enterprises on how to avoid future breaches.
As in years past, all incident data in the report is standardized using the VERIS incident-sharing framework -- Verizon's own schema for analyzing security incident data using common categories, including threat actor, incident type, discovery, and mitigation and impact.
This year's report includes breach incident data contributed by 67 organizations -- down slightly from 70 contributors last year -- and includes 17 new contributors. (See the list of contributors below.)
Despite fewer contributors, Verizon saw confirmed data breaches rise 48% year-over-year to 3,141, and security incidents -- defined by Verizon as any event that compromises the confidentiality, integrity or availability of an information asset -- rose more than 25% to over 100,000.
However, Dave Ostertag, global investigations manager for Verizon, admitted the numbers "rely on the partners that contribute, rather than going out and doing an in-depth study," so industries with more strict regulations may have accurate reports, while others could underreport incidents.
Multivector attacks on the rise
Regardless of the numbers, Ostertag said the Yogi Berra quote that opens the 2016 Verizon DBIR, "It's like déjà vu, all over again," highlights that this year's report is about continuing trends in the data, including the continuing rise of multivector attacks.
"There really isn't anything outstanding or brand new this year. We see a continuation of the same trend, which leads to us talking a lot about the playbook and methodology of the bad guys to understand what they do, and use it against them in our detection and prevention," Ostertag told SearchSecurity. "In the playbook and the methodology, we see over and over again in the vast majority of the breach incidents you have a compromise of infrastructure, repurposing it for malicious use -- using it as a command and control point, pivot points, as data aggregators or data exfiltration points."
Christina Richmond, program director for worldwide security services at IDC, agreed and said there are "variations on themes that seem to rotate" in security, but there is one new aspect to the report.
"The thing that is new that I think they do call out well is the combination, and that is over the last few years, we have seen a rise of multivector attacks," Richmond told SearchSecurity. "And so, the attacks are getting more complex. What you start seeing [in the data] is where the greatest percentage of attacks are by industry, and start to see also the pattern of types of attacks and how they're combined."
Richmond pointed to the charts in the report that break down the percentage of incidents by attack vector in each industry, compared with the percentage of confirmed data breaches. She noted that across the board, industries are seeing a large number of denial-of-service (DoS) incidents, but the actual data breaches come from other types of attacks.
For example, the entertainment industry saw 99% of incidents were DoS attacks, but the vast majority of data breaches for that industry were from Web application (50%) and point-of-sale (47%) attacks. Similarly, the manufacturing industry saw the majority of incidents from DoS (33%) and the nebulous "everything else" category (33%), but breaches were from cyberespionage (47%), privilege misuse (24%) and Web app attacks (21%).
"It just sets people's hair on fire, because if you're having a DDoS attack and you see your traffic slow down or come to a grinding halt on your site, you turn all your attention to that. And, meanwhile, someone is walking up the backdoor through malware and taking out your intellectual property or your customer data and they've smoke-screened you," Richmond said. "That's the thing that is so maddening for security personnel, because you can't always tell where the fire is."
This trend can also be seen in the Verizon DBIR chart of the number of breaches per threat action category over the past 10 years, where hacking -- which includes stolen credentials, backdoors, brute-force attacks and DoS -- malware, and social engineering usage has spiked in the past five years; these are now by far the most prevalent threat actions in breaches.
"Any one incident, or in a lot of cases, any of the charts, the metrics could include more than one category," Ostertag said. "A hacker may use malware and hacking and credentials as part of an individual breach."
Richmond said these findings spoke to the rising sophistication of attackers.
"Whether they are nation states or cybercriminals or individuals with capabilities, they have a network and a marketplace of tools that they share, and they have forums where they're educating each other," Richmond said. "And so, probably around 2010 or 2011, the capabilities around them sharing and educating one another came more online, and the awareness that you could use multivectors and that it would be more effective and less detectable became apparent. That's why you see the spike of all three of these things at one time."
Phishing continues to be a problem
Richmond noted that she was surprised social attacks, which include phishing, weren't reported more frequently.
"Social is one of the ways that cyberattackers have been trying to research their targets. There's a lot more recon going on and targeting of attacks," Richmond said. "It's one of those vectors that helps glean credentials, or names, or birthdate or any kind of information that might be useful to then get access."
According to this year's data set, 30% of phishing messages were opened by the target across all campaigns; 12% of targets clicked on the malicious attachment or link, which is "a significant rise from last year's report in the number of folks who opened the email (23%)," but not much of a change in the number who clicked on the attachment (11%).
However, Ostertag confirmed the more important statistic to consider is the number of users who clicked on a malicious attachment or link, because the act of opening a message could have been nothing more than selecting a message to delete it and having it automatically open in a preview pane.
"Continuously, we see the numbers on phishing of the people that will open the email, that will click on the link, that will open the attachment, is pretty consistent no matter how much training we do or how much we write about it. So, more and more, the bad guys are using phishing because it works," Ostertag said. "They don't change it because it works. You hear from them that they're businessmen and they want, just like any other business, to extend the least amount of expenses and resource and time to get the most benefit. Phishing is very efficient; it works well for them, and they don't have to change because it does work."
"That's one of the key messages this year -- that in order for phishing to work, a person needs to take an action. So, you have an internal person falling for the phishing email and opening the attachment or clicking on the link," Ostertag said. "There are two people involved there in order for the breach to happen. The first is the attacker, the threat actor, and then the second is the insider falling for the attack ruse."
In the Verizon DBIR, the recommended actions to reduce phishing are to be more vigilant with email filtering, provide more training, and in the worst case scenario, where both of those precautions fail, make it more difficult for attackers to pivot "by segmenting the network and implementing strong authentication between the user networks and anything of importance."
Verizon DBIR list of contributors
The following organizations contributed to the 2016 Verizon DBIR (* indicates new contributor):
Anti-Phishing Working Group Inc. (APWG)
Arbor Networks Inc.
Australian Federal Police (AFP)
Center for Internet Security
CERT Insider Threat Center
Champlain College's Senator Patrick Leahy Center for Digital Investigation
Cisco Security Services*
Computer Incident Response Center Luxembourg (CIRCL), Luxembourg
Council on CyberSecurity
CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI)
Daylight Security Group*
Deloitte and Touche LLP
European Cybercrime Center (EC3)*
G-C Partners LLC
Guidance Software Inc.
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Interset Software Inc.
Irish Reporting and Information Security Service (IRISS-CERT)
Japan Computer Emergency Response (JPCERT/CC)
Juniper Networks Inc.*
Law and Forensics*
Mishcon de Reya LLP
National Cybersecurity and Communications Integration Center (NCCIC)
Palo Alto Networks Inc.
Policia Metropolitana Ciudad de Buenos Aires, Argentina
Recorded Future Inc.
SANS Securing the Human
Tenable Network Security*
United Kingdom Computer Emergency Response Team (CERT-UK)
U.S. Secret Service
US Computer Emergency Readiness Team (US-CERT)
Verizon Cyber Intelligence Center
Verizon DoS Defense
Verizon RISK Team
Winston & Strawn LLP
Wombat Security Technologies
Credentials lost, stolen and easy to guess
The report noted the vast majority of phishing schemes were designed to steal credentials, and "63% of confirmed data breaches involved leveraging weak, default or stolen passwords." Verizon clarified to SearchSecurity that 41% of breaches included credentials being stolen, 48% included breaches using stolen credentials and 13% used default or brute-forced credentials; these total more than 63%, because a single breach may involve multiple enumerations.
Ostertag said his team has seen time and time again that organizations know that it is better to use multifactor authentication and to change default passwords, but fail to do so.
"Multifactor would kill it completely; you wouldn't have to worry about the password change because of that random characteristic. I can't tell you how many companies we go in and have the username and password [both set] as the name of the application, name of the company or 'administrator,'" Ostertag said. He noted organizations have even said they continue using defaults because it's "hard to keep track of multiple passwords."
"Well, your customers are coming in and spending millions of dollars on the cost of a breach," Ostertag said. "[Changing passwords] is the least you could do. I've been fighting that battle for 20 years, and in the end, we're still having the same problem."
As with last year's report, the 2016 Verizon DBIR showed just 10 vulnerabilities accounted for 85% of all successful exploit traffic. Worse, six of those 10 vulnerabilities were disclosed between 1999 and 2003, including a Universal Plug and Play vulnerability that affected Windows 98, 98SE, ME and XP. Of the newer vulnerabilities in that top 10, one vulnerability in Windows Secure Channel and one vulnerability in OpenSSL were both related to FREAK.
"And the fact that there's only 10 of them that count for such a high number of these exploits -- if nothing else, pay attention to those 10, right?" Ostertag said. "Microsoft is the easiest one of all [to patch]. Run your patches every month. Do it once a month, or do it every six months. I mean, if you do it every six months, you wouldn't be in that statistic."
Wolfgang Kandek, CTO at Qualys Inc., based in Redwood City, Calif., said traditional methods of vulnerability disclosure may be to blame.
"For vulnerability management, we have to make it more accessible and enable the defenders to accurately know this inventory and pinpoint the most critical vulnerabilities," Kandek said. "Our traditional methods are not restrictive enough and yield a huge number of vulnerabilities, all tagged as critical -- in essence, overwhelming all but the most structured and mature organizations."
"This gets at a core and often ignored vulnerability management constraint -- sometimes, you just can't fix a vulnerability -- be it because of a business process, a lack of a patch or incompatibilities," the report said. "At that point, for whatever reason, you may have to live with those residual vulnerabilities. It's important to realize that mitigation is often just as useful as remediation -- and sometimes, it's your only option."
Richmond said the ultimate message of this year's Verizon DBIR is "you really have to do the basics, and people still are not doing the basics."
"Someone was saying at RSA [Conference], there's still not enough reason for companies of certain sizes and certain industries to focus on security, because the cost-to-risk ratio is not tipping in favor of spending more money. It's tipping in favor of allowing more risk," Richmond said. "When you, as an entrepreneur, need to turn your lights on every day, your cost-to-risk ratio is going to heavily favor incurring more risk so that you can reduce your cost, because you've got to keep your business open. If you're not highly regulated and forced into the governance risk and compliance assessments because of possible penalties, which immediately impact your bottom line, you may not want to look at security, because you need to look at how you keep your costs down and keep your business functioning, until and if you face a breach that is really challenging to you."
Compare the top vulnerability management tools.
Learn how to avoid phishing emails spoofing TLDs.
Find out how to deal with the aftermath of a data breach.