In the third edition of CyberInsights LongReads, we look at the Verizon DBIR and analyse it to get actionable insights for cybersecurity professionals.
It’s the 15th edition of the Verizon Data Breach Investigations Report (DBIR). You can download the PDF from here.
Having followed the report for a long time, I have come to realise its usefulness for cybersecurity professionals. The report gives us the following:
An overview of incidents and breaches in the year
A trend of incidents and breaches
Types of incidents and where they occurred
Industries and geographies being targeted in cyber breaches
The DBIR still draws on a relatively small sample, but the data volume is increasing each year.
Incidents turning to breaches
In 2022, the DBIR analysed 23,896 incidents, of which 5,212 were confirmed breaches.
This is immediate gold for the cybersecurity professional. We can now answer the question: How many incidents turn into breaches?
How do we do that?
We can start with a simple percentage - 21.8% of incidents turn into breaches! We can be happy and do a little dance about this. Or we can analyse a bit more.
(Ignore this if you are not very keen on Cyber Risk Quantification (CRQ))
We can take these two numbers as hits and misses on a beta distribution and plot its probability density function. Here is how that would look:
Doing a little more analysis, we can see that our 90% confidence interval for this is between 21.37% to 22.25%.
For the quants: please note that you have to factor in the Bayesian priors for your organisation to get a real taste.
This means that we can be 90% confident that 21.37% to 22.25% of incidents will turn into breaches.
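The beta-distribution calculation described above, worked through as an added example that is not part of the original post: it takes the DBIR’s 23,896 incidents and 5,212 breaches as hits and misses on a flat Beta(1,1) prior, and the `prior` argument is where an organisation’s own pseudo-counts would go (an assumption about how you would encode your priors; the report supplies none).

```python
import math

# Figures from the 2022 DBIR as quoted in the post
INCIDENTS = 23896
BREACHES = 5212


def breach_rate(hits, misses):
    """Plain point estimate: share of incidents that became breaches."""
    return hits / (hits + misses)


def beta_logpdf(x, a, b):
    """Log density of Beta(a, b) at x, via lgamma so large counts do not overflow."""
    return (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
            + (a - 1) * math.log(x) + (b - 1) * math.log1p(-x))


def beta_credible_interval(hits, misses, prior=(1.0, 1.0), level=0.90, steps=200_000):
    """Central credible interval of the posterior Beta(prior_a + hits, prior_b + misses).

    The posterior is integrated numerically on a fine grid so that only the
    standard library is needed. `prior` holds (a, b) pseudo-counts: (1, 1) is
    the flat prior; an organisation's own incident history would go here.
    """
    a = prior[0] + hits
    b = prior[1] + misses
    xs = [(i + 0.5) / steps for i in range(steps)]          # grid midpoints in (0, 1)
    weights = [math.exp(beta_logpdf(x, a, b)) for x in xs]  # unnormalised posterior
    total = sum(weights)
    lo_target = (1.0 - level) / 2.0
    hi_target = 1.0 - lo_target
    lo = hi = None
    cum = 0.0
    for x, w in zip(xs, weights):
        cum += w / total                 # running CDF
        if lo is None and cum >= lo_target:
            lo = x
        if cum >= hi_target:
            hi = x
            break
    return lo, hi


if __name__ == "__main__":
    misses = INCIDENTS - BREACHES
    print(f"point estimate: {100 * breach_rate(BREACHES, misses):.1f}%")
    lo, hi = beta_credible_interval(BREACHES, misses)
    print(f"90% credible interval: {100 * lo:.2f}% to {100 * hi:.2f}%")
```

With the flat prior the interval reproduces the 21.37% to 22.25% quoted above; passing your own counts as `prior` shows how much the DBIR sample should move your organisation-specific estimate.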
We are still on the ‘Introduction’ section of the DBIR and we have so much data already! 😀
Paths to breaches
The DBIR has narrowed down four paths that lead to data breaches:
Credential theft - approximately 45-50% of cases
Phishing - approximately 15-20% of cases
Exploitation of vulnerabilities - around 5-10% of cases
Botnets - a minuscule percentage
Breaches due to error and misuse are not a part of this.
As cybersecurity professionals, we might be tempted to focus on protecting our organisations against credential theft and phishing. That would not be very wise.
The low percentage of vulnerability exploitation could be because of our focus on VA/PT, AppSec, DevSecOps, SAST, patching, threat hunting, 24/7 monitoring and so on. Plus, these are easy to measure, hence easy to monitor and act upon.
You might have noticed a bit of an overlap - doesn’t phishing lead to credential stealing? It seems logical. I have no way to tell that from the report.
So, is there an overlap? Maybe. The report is not clear on this.
Who is responsible for breaches?
Nearly 80% of actors are external, meaning they come from outside the organisation. Put another way, 4 in 5 breaches are caused by outsiders.
Ever since the first DBIR report in 2008, reported breaches have been dominated by ‘external’ actors. As infosec professionals, our radar tells us that ‘internal’ actors are more probable and have far greater access than an external actor ever could. However, the data tells us otherwise.
How do we then reconcile our internal radar with the consistent data?
One explanation that comes to mind is that organisations “report” breaches only if they are external. Internal breaches might be going unreported. We might not be sure of this, but an infosec professional’s radar should not be ignored.
This gets confirmed when you read the next part of the report. The number of records breached is much higher when it comes to insiders.
While external actors are responsible for more breaches, the internal actors get more bang for the buck. They compromise more records per breach.
This means we cannot ignore internal actors, in spite of their numbers being much lower.
Why was the data breached?
The motivation of actors gives the professional a direction for the controls to be implemented to prevent breaches. The DBIR says that most actors are motivated by financial gain. In other words, the actors are mostly professional cyber criminals (who depend on cyber crime to put food on their plate).
The second motivator, however, is different from the past. It is espionage. We must consider corporate or nation state espionage when we build our controls.
What did the attackers do?
The top four attack vectors for incidents were:
Web Application (Hacking)
Email (Social and Malware)
Partner (Malware)!!
Software Update (Malware)!!
Partner is a new addition. The supply chain risk that most CISOs were concerned about seems to be corroborated by reported incident data.
Software update malware also makes a grand entry in 2022!
The top three attack vectors for breaches were:
Web Application (Hacking)
Email (Social and Malware)
Carelessness (Error)
So, more incidents through partners, but more breaches through carelessness!
As infosec professionals, this gives us a clear direction of areas to strengthen.
What assets were breached?
Servers.
Web application servers and mail servers accounted for more than 70% of compromised assets, with desktops and laptops coming in a distant second at under 20%.
What kind of data was compromised?
Personal information and Credentials. Payment data, however, seems to be slowly getting more secure.
Clusters of incidents
The DBIR clusters ‘like’ incidents together to give us a better understanding of patterns.
As you can see, Basic Web Application Attacks seem to increase.
From the attack vectors and the incident patterns, it is quite evident that the security industry should focus on improving the quality of web application security.
The ‘Shift Left’ strategy, where security is baked earlier and earlier in the DevSecOps process is essential!
The patterns in breaches follow a slightly different trajectory, where ‘system intrusion’ takes the top spot. Well, a confirmed breach would have some form of system being intruded into, I guess.
Ransomware increased phenomenally this year, as expected.
Social Engineering
82% of breaches involved the human element.
Let me repeat that. 82% of breaches involved people.
This is worth digging into.
The data shows that 2.9% of people click on links. This is much lower than what we have observed in our phishing exercises at Risk Quotient.
Given the size of the data set, we should definitely trust the data from the DBIR. As our own data set grows, we will be able to make a more direct comparison.
Also, the DBIR covers reported phishes, while RQ’s data comes from phishing simulations. This could also mean that more people fall prey to simulation exercises than to actual phishing.
Incidents and Breaches by Industry Type
This piece of data is always very useful to the infosec professional. We decide whether we are in a risky industry by analysing the data here. If more incidents are observed in our industry in this report, we can conclude that we are a targeted industry and should consider more controls.
It could serve as a pointer to the CISO to get more budget from the board!
Professional services, Public Administration & Finance seem to be the top 3.
Healthcare breaches seem to be lower than other industries, including manufacturing. This could be due to more stringent regulations in the industry.
Conclusion
For those of you who want to dig further and do more data analysis, there is a lot of data available in the report. You can slice and dice the data in each industry type and even by region.
Here, I have just highlighted the top things that I felt you should consider. Again, you can download the PDF from here.
NOTE: This is my personal analysis from the Verizon DBIR. Please do your own review and analysis before you take action. My views do not represent the views of any organisation.
CyberInsights LongReads is a part of CyberInsights and delves into one topic in detail each month.