Jay Roxe

Breaches Of Unusual Size

Blog Post created by Jay Roxe (Employee) on Apr 22, 2014

The Verizon Data Breach Investigation Report always arrives with a whoosh as one of the most interesting – and entertaining – pieces of research to test my memory of quotes from Star Wars and The Princess Bride (I particularly enjoyed the subtle reference to Iocane Powder).


In all seriousness, this year’s DBIR reinforces some key trends and areas of focus. First off, the bad news: attackers get in fast, steal data very quickly, and can hang out and stay a while. In close to 100% of attacks, attackers get in within “days”, but less than a quarter of attacks are detected during that time (Figure 13). Once attackers are in, they have the time to embed themselves and compromise more assets. The intrusion data for POS systems throws this into sharp relief: 87% of breaches were completed within minutes, 88% of the data was exfiltrated within minutes, but 85% of the breaches weren’t reported for weeks. The hang time within the network remains equally bad in other areas: most cyber-espionage breaches weren’t caught for months (62%) or years (5%).


Those of us at Rapid7 are unsurprised to see that Stolen Credentials – which was in the middle of the pack as an attack vector in 2009 – is now the most common way for people to get into the network. With the number of recent mega breaches from compromised credentials and the continued rise of phishing, you could tell this was coming.


In fact, compromised credentials trail only the more easily-monetizable bank and payment information as the most commonly poached items. The report cites one instance where a retailer was breached through stolen vendor credentials that were the same across all organizations managed by the vendor. (Is it permissible to say, “C’mon, people?!?”)


Way back in the 2013 report (which seems like a different epoch after everything that happened in 2013!), Verizon called out that 77% of breaches used unsophisticated techniques for the initial compromise. While the 2014 version doesn’t break things out the same way, the general trend appears to hold. With unpatched systems, basic controls not in place, poorly segmented networks and insufficient monitoring of credentials, it’s too easy for people to get in. While the report doesn’t cite it explicitly, the challenge gets worse when you consider the number of user-supplied devices and cloud services being brought into the environment.


After you’ve had a chance to read through the report – and maybe knock back a stiff scotch thinking about the results – there are a few things that I’d invite you to consider.


Look at Your Users and Password Hygiene

This report underscores why good password hygiene is so essential, and it might be worth reminding people once again that, post-Heartbleed, it’s a good idea to change their passwords on any site that has any sensitive information stored. And don’t reuse passwords across multiple sites!


Consider how you detect when somebody’s password may have been compromised and becomes a point of entry for your network. Looking at your users may also help you to determine when a user’s behavior has changed and help reduce the time to contain an intrusion. With Rapid7 UserInsight, we help teams to detect incidents based on compromised or stolen credentials across on-premise, cloud and mobile environments. But detecting compromised users doesn’t stop with just detecting stolen credentials. We’ve also followed some attacks through the network to identify and alert on patterns of suspicious behavior such as privilege escalation to help you spot – and stop – lateral movement within the network. In fact, the report explicitly calls out the need to “Watch for user behavior anomalies stemming from compromised accounts.”


Nail The Basics

Reading the list of advice for how to address cyber-espionage (page 42) provides a good overview of some of the best practices that every security team should look at: Patch All The Things, Update Anti-Virus, Train Users, Segment the Network and Keep Good Logs. All of these are security best practices but teams are going to get overwhelmed with the number of requests coming in…particularly in light of this report.

Prioritizing what actions you can take to improve security is one area where Rapid7 has really focused. With Nexpose, the recently-introduced RealContext gives you visibility into which assets (and which vulnerabilities) are most critical to your business and automatically prioritizes those fixes. The integration of Nexpose and Metasploit through closed-loop vulnerability validation enables you to detect a vulnerability in Nexpose, automatically test whether it can be exploited in Metasploit, and then prioritize the associated fix(es).


For those who are looking to roll out a more complete solution for securing endpoints, I’d invite you to take a look at ControlsInsight, which identifies and prioritizes all of the key best practices and controls you can put in place with your endpoints. ControlsInsight helps you put the right tools in place to “Break the delivery-exploitation-installation chain” that the report calls out as a part of responding to cyber-espionage.


The Data Breach Investigations Report is one of the most influential pieces of research that comes out every year and I’m sure that we’ll see much more analysis – and many more stats – going forward. However, I’d invite your feedback on the pieces that I’ve highlighted. Are there other things which you consider vital?