Verizon Enterprise’s 2015 Data Breach Investigations Report (DBIR) was recently released, and SecureState is here to give you some of the big takeaways from this massive report. Verizon works with thousands of partner companies to correlate information on the past year’s worth of data breaches and security incidents, identifying trends and information that can guide security efforts in the year to come. They combine all of their efforts into this massive report, which we have read over and pulled out some of the key issues highlighted.
Due to the length and amount of detail in this report, we will be bringing you a two part breakdown of the contents. This first blog focuses on some of the early sections of the report, where Verizon calls attention to some of the interesting observations and conclusions they could draw from studying the breaches. Section two will cover the Incident Classification Patterns that Verizon introduced in the 2014 DBIR.
2014 saw a significant drop in the number of companies affected by data breaches, down to 61 from 93 in 2013. Of the 79,790 security incidents examined, 2,122 were confirmed breaches. The top industries affected were the Public sector, Information companies, and the Financial Sector, which was similar to 2013.
For the breaches that occurred, approximately 85% of them originated with external threat actors. Approximately 14% were internal threat actors, and nearly 1% were from partner organizations. In 70% of the attacks where a specific motive could be determined, a secondary (or collateral) target was included. In these attacks, Verizon noted a significant increase in the use of RAM scraping attacks, and a significant decrease in the use of keyloggers.
In a bit of potentially positive news, Verizon also noted that the number of attackers who compromise a target fully within one day is decreasing. Similarly, the number of detections of an attack within the first day is increasing. However, there is a significant gap (45%) between these, and as long as that gap exists, there is cause for concern.
Takeaways: The targets for breaches remain largely the same, but no industry is completely safe. Though companies are increasingly focusing on early detection, the gap between compromise and detection still needs to be closed.
A big topic among security companies and IT professionals is the use of threat intelligence feeds, and the DBIR has a few interesting observations on this front. In examining open source threat intelligence feeds, Verizon found that inbound feeds (information on sources of scans and phishing attempts) had a lot of overlap between different feeds. However, outbound feeds (information on destinations sending traffic out of a target system, for example to command and control servers) had only a 3% overlap between various feeds, meaning that each feed tends to contain information that is vastly different from other feeds. In light of this, Verizon (and any Threat Intel expert) recommends using multiple feeds to provide the best protection.
Verizon also focuses on the need for increased speed in sharing threat intel data between companies. In the attacks Verizon investigated, 75% of them spread from the first victim to the second in under 24 hours. Despite this, it often takes more than 24 hours to share threat data, making it less useful for protection against early attacks. Closing this gap is key to improve the viability of threat intelligence.
Takeaways: Using multiple threat intelligence feeds is always better than relying on a single feed. Information sharing needs to be quick and reliable to be effective.
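To make the overlap figures above concrete, here is an added example (not code from Verizon, SecureState, or the DBIR) that measures how much a set of indicator feeds overlap and how many new indicators each additional feed contributes. The feed contents are constructed sample data using documentation IP ranges and `.example` hostnames, not real indicators; the inbound set is built to overlap heavily and the outbound set to overlap very little, mirroring the pattern the report describes.

```python
"""Measure overlap between threat-intelligence feeds and the coverage gained by
combining them. Constructed sample data; Python standard library only."""
from collections import Counter
from itertools import combinations
from statistics import mean

# Constructed inbound feeds (scan / phishing sources). Documentation ranges only.
INBOUND_FEEDS = {
    "feed_a": {"198.51.100.10", "198.51.100.11", "198.51.100.12", "203.0.113.5"},
    "feed_b": {"198.51.100.10", "198.51.100.11", "198.51.100.12", "203.0.113.6"},
    "feed_c": {"198.51.100.10", "198.51.100.11", "203.0.113.5", "203.0.113.6"},
}

# Constructed outbound feeds (command-and-control destinations). Placeholder names.
OUTBOUND_FEEDS = {
    "feed_a": {"c2-one.example", "c2-two.example", "c2-three.example"},
    "feed_b": {"c2-four.example", "c2-five.example", "c2-six.example"},
    "feed_c": {"c2-seven.example", "C2-Two.example.", "c2-eight.example"},
}


def normalize(indicator):
    """Canonicalize an indicator so the same host compares equal across feeds
    (case, surrounding whitespace, trailing dot on FQDNs)."""
    return indicator.strip().lower().rstrip(".")


def load_feeds(feeds):
    """Return {feed_name: set of normalized indicators}."""
    return {name: {normalize(i) for i in items} for name, items in feeds.items()}


def jaccard(a, b):
    """Jaccard similarity: shared indicators over all distinct indicators."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(feeds):
    """Jaccard similarity for every pair of feeds, keyed by (name, name)."""
    norm = load_feeds(feeds)
    return {(x, y): jaccard(norm[x], norm[y]) for x, y in combinations(sorted(norm), 2)}


def mean_overlap(feeds):
    """Average pairwise overlap; low values mean the feeds mostly disagree."""
    return mean(pairwise_overlap(feeds).values())


def single_source_fraction(feeds):
    """Fraction of distinct indicators that appear in exactly one feed.
    A high value means dropping any one feed loses unique coverage."""
    counts = Counter(i for items in load_feeds(feeds).values() for i in items)
    return sum(1 for c in counts.values() if c == 1) / len(counts)


def coverage_gain(feeds):
    """Add feeds in the given order; report (name, new indicators, cumulative total)."""
    seen, steps = set(), []
    for name, items in load_feeds(feeds).items():
        new = items - seen
        seen |= items
        steps.append((name, len(new), len(seen)))
    return steps


def report(label, feeds):
    print(f"{label}: mean pairwise overlap {mean_overlap(feeds):.2f}, "
          f"{single_source_fraction(feeds):.0%} of indicators seen in only one feed")
    for name, new, total in coverage_gain(feeds):
        print(f"  + {name}: {new} new, {total} total")


if __name__ == "__main__":
    report("inbound", INBOUND_FEEDS)
    report("outbound", OUTBOUND_FEEDS)
```

Run against real feeds, the same three numbers tell you whether a feed is redundant (high pairwise overlap, few single-source indicators) or unique (low overlap, many single-source indicators, large coverage gain); the outbound sample here shows why dropping any one C2 feed would silently lose most of its entries. Normalizing before comparing matters in practice, since the same hostname written with different case or a trailing dot would otherwise be counted as two distinct indicators.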
Verizon observed a slight increase in the effectiveness of phishing attacks, which went from between 10-20% effective in 2013 to 23% effective in 2014. Most responses to phishing attacks still occur within the first hour after the attack is sent out. In fact, the median time to the first click response to a phishing attempt was found to be just 1 minute, 22 seconds.
Takeaways: Phishing still works, and companies need to focus on training their employees to spot attempts and properly avoid them.
Verizon determined that 99.9% of the vulnerabilities exploited in data breaches were compromised more than a year after the CVE had been released. A significant number of these had CVEs released more than ten years ago. 97% of the vulnerabilities exploited in 2014 were tied to 10 CVEs. Additionally, most exploitation of any single CVE occurs within the first four weeks after the release of the CVE.
Takeaways: Patch your devices. The vulnerabilities being exploited are, largely, well known and addressed, and are only exploited due to a lack of proper patching and configuration.
Based on Verizon’s research and the information provided by their partners, mobile devices and applications are still not a preferred vector for data breaches. Out of all mobile devices the researchers had access to, the number infected with truly malicious exploits is 0.03%. Of the malware found, 95% of mobile malware types showed up for less than a month.
Takeaways: Mobile still is not a primary attack vector for data breaches, but companies should remain vigilant and careful concerning mobile applications.
Verizon determined that, on average, five malware events occur every second, though this isn’t evenly spread across all systems, as some are targeted more than others. Different industries have different numbers of average malware events, with the education sector leading in the sheer number of events. 70-90% of malware samples are unique, but this could be due to attackers making minor modifications to avoid hash-based detection efforts.
Takeaways: Focusing on stricter security helps prevent malware intrusions, as the education sector is widely believed to have somewhat loose standards given the number of students and teachers and the wide variety of hardware being used. Early detection is improving, though attackers are finding new ways to prevent detection as a whole.
Verizon found that incidents in many industry sectors share similar characteristics, including threat actors, threat actions, which assets were compromised, and so on. Interestingly, wildly unrelated industries often had similar incident profiles, suggesting that methodologies and asset targets do not significantly change specifically based on the industry of the victim.
Takeaways: Focusing on specific industries might not be the most effective approach in analyzing attack patterns.
The Impact of Data Breaches
Despite their best efforts, Verizon has found that quantifying the losses to an organization due to a data breach is difficult if not impossible. Based on their analysis, the average cost of a breach is $0.58 per record, though smaller breaches have higher per record cost. Similarly, larger breaches have a much lower per record cost. Due to this, estimating any cost related to a breach is often an exercise in futility.
Verizon attempted to develop a new model for cost estimations, but even with this improved model, there is still a variance of more than 50% that can’t be accounted for in the model. Additionally, higher record counts make the predictions generated by this model even less accurate.
Takeaways: Estimating the impact of data breaches is an inexact science at best. More research needs to be done to determine all of the factors that affect the cost before reliable estimates can be made.
For more takeaways from this report, be sure to see our next blog on the Verizon DBIR.