Recently, I wrote a series of three blogs covering the current state of security, external attacks, and attack behaviors all based on the Cisco® 2017 Annual Cybersecurity Report. While a very informative report, the definitive standard for information around data breaches is the Verizon® Annual Data Breach Investigations Report (affectionately referred to as the DBIR in the industry). If you haven’t added this report to your annual repertoire of reports to read, the DBIR (now in its 10th year) is the highlight of just about any cybercrime report you’ll get all year.
What Is Verizon’s DBIR
With this year’s reports utilizing data from over 42,000 incidents, nearly 2,000 confirmed breaches, from 65 contributing vendors and companies, the 2017 DBIR represents the most statistically relevant data around data breaches, trends, and cybersecurity. (For you statistics geeks, they cite a 95% confidence level with a margin of error of only 0.4% for incidents, and 1.4% for breaches.)
Now that you know what the DBIR is all about, let’s look at some high-level trends using the top 10 attack classification patterns in descending order of occurrence. (This way, I’m covering them from the standpoint of most to least in frequency of attack methods.) As part of this, I’ll also give a brief overview of what to expect from each attack vector and provide direction on how to help mitigate the threat.
1. Denial of Service
Overwhelming an application, system, or network is one of the easiest ways for attackers to shut you down—even if only temporarily. And, while DDoS attacks themselves aren’t the means by which data is breached, a DDoS attack on, say, an email scanning appliance can cause malicious email to be rerouted directly into an organization, giving attackers an entry point. Proper responses include assessing externally facing assets and determining how an outage of those services would impact the company’s productivity, availability, and security.
2. Insider and Privilege Misuse
This category includes any kind of unapproved or malicious use of organizational resources. It can be the result of both an actual insider (81% of the time), an external attacker utilizing compromised credentials (7% of the time), or a combination of both (8% of the time). With 82% of these incidents taking months or years to be detected, what’s needed is the detection of misuse. Knowing where sensitive data is, monitoring its access, and using analytics to determine when that access is abnormal all help to lessen the risk of this attack vector.
Of the 10 types of crimeware cited in the report, the overwhelming attack vector is ransomware. Representing nearly half the crimeware incidents, this is your biggest malware threat today. Proper responses include a robust malware strategy at the endpoint, at malware gateways, application whitelisting, and attachment sandboxing.
4. Web Application Attacks
Most attacks of this type are done using botnets with the intent normally found to be defacing of sites and repurposing of systems (e.g. for malware command and control (C2) activity)—followed by more expected actions, such as stealing credentials, setting up phishing sites, and theft of personal information within application databases. Proper responses include limiting the storage of personal data or credentials on web application servers, as well as considering the use of two-factor authentication (2FA) that would require additional attack patterns different from those used to compromise a password.
5. Physical Theft and Loss
This isn’t so much a malicious attack vector (as there are some cases of actual theft represented in the report), but more a careless user issue (as most incidents revolve around property loss). Leave your company laptop in the car only to be stolen or lose a USB drive on your way to work—both with company data on them—and there’s your data breach. Proper responses revolve around encrypting devices and data, strict policies around when, where, and how company data can be taken out of the organization’s network, and monitoring for data being transferred to external devices or via web email.
In my next blog, we’ll take a closer look at the remaining five attack classifications—Miscellaneous Errors, Everything Else, Cyber-Espionage, Point of Sale Intrusions, and Payment Card Skimmers.
Nick Cavalancia has over 20 years of enterprise IT experience and is an accomplished executive, consultant, trainer, speaker, and columnist. He has authored, co-authored and contributed to over a dozen books on Windows®, Active Directory®, Exchange™ and other Microsoft® technologies. Nick has also held executive positions at ScriptLogic®, SpectorSoft® and Netwrix® and now focuses on the evangelism of technology solutions.
Follow Nick on Twitter® at @nickcavalancia
Click here to find out more about the SolarWinds Layered Security offering and how it can help you secure your clients’ business.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.