As information security professionals, we crave reliable information about our adversaries and their tactics. As you can imagine, this kind of data can be difficult to get (for a variety of reasons), so we take full advantage of any good information we can obtain. One of the great sources of information over the past few years is the annual Verizon Data Breach Investigations Report (DBIR).
The DBIR started out with Verizon Enterprise (the part of the business that was previously known as Cybertrust) publishing anonymized statistics from the breach investigations they had conducted over the previous year. Since they were only called in when it was already known that a security incident resulting in information loss had occurred, they were in a good position to describe the chain of events leading to a data breach and look for patterns there.
Over the years, a number of other groups have added their caseloads to the study. The DBIR team has continued to refine their approach, and keeps looking at the data from new angles to see if patterns emerge. This year the report includes all security incidents, not just cases where data loss was confirmed, which grows the sample size considerably. The annual DBIR is one of the best insights we have into how the bad guys work, and something we always look forward to reading.
There are lots of great pieces in this year’s report, and a lot of it aligns with trends we have seen over the past year as well. In this year’s DBIR, a fresh perspective revealed that 92% of the incidents analyzed can be described by just nine basic patterns. This tells us two things: a) these attack patterns succeed across industry verticals, and b) the vast majority of attacks don’t require an extraordinary level of sophistication. Which is both good and bad news.
One of the more eye-opening data points in the report every year is the gap between how long the initial (successful) attack takes (usually measured in minutes) and how long discovery and containment take (usually measured in months!). This year’s report doesn’t disappoint in this area. To the charts!
The chart above shows that attackers succeed in compromising their target within a week far more often than defenders manage even to find evidence of the attack in that time. And the attackers are getting better. Let’s look at one of the nine attack patterns highlighted in this year’s DBIR to see the gap between compromise and containment:
There were several publicized breaches involving retailers in 2013. As you can see (from the mildly terrifying graph above) the attacker successfully compromises their target and exfiltrates data from the network in minutes. The information security team responsible for defending these systems may not find out that they have a problem for weeks. But how did they find out they had a problem?
It turns out that (for the point-of-sale (POS) intrusion pattern) it’s almost always an external party that makes the discovery, usually because the data the attackers exfiltrated is for sale on the various marketplaces that traffic in such things. While the overall trend isn’t quite that bad, it’s not great either:
As you can see, internal detection accounts for only about 20% of discoveries over the last 10 years.
We’ve got to do better. We can do better. We’ve got two major places to improve: detection and response time.
It’s a (sad) fact of life in the information security field these days, but we know that prevention isn’t enough. We’ve got to be able to detect and correct when our preventative defenses are breached. We’ve got to build better segmentation into our networks, manage the configurations and patch levels of our systems, and ensure we provide our defenders time to look around and find potential problems.
Even with better detection, how do we close the response-time gap? The DBIR notes in a few places that attacker speed is most likely an indication that the attack sequence has been heavily automated. It’s time for blue teams to automate too. And we’re not talking about scripts for specific tasks. We’re talking about digital robots executing the same standard operating procedures your security analysts would use, only faster and at scale.
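To make the detect-and-correct loop and the "SOP as code" idea above concrete, here is an added example (it is not code from the original post or from the DBIR). It encodes a short containment SOP for the POS exfiltration scenario as ordered, idempotent, audited steps, runs a simple detection over constructed flow-log lines, and reports the time from first evidence to containment. The hostnames, IP addresses, asset inventory, allow-list and log lines are all constructed for illustration; a real deployment would call the firewall, switch and ticketing APIs where this example mutates an in-memory model.

```python
"""Added example, not code from the original post or from the DBIR: a toy
blue-team playbook that encodes a written SOP as code so it runs in seconds.
The hostnames, IPs, flow-log lines and asset inventory are all constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed asset inventory (assumption: a real CMDB would supply this).
ASSETS = {
    "pos-lane-07": {"segment": "cardholder", "ip": "10.20.7.17"},
    "hr-laptop-03": {"segment": "corporate", "ip": "10.50.3.21"},
}

# Destinations the cardholder segment may talk to (constructed processor range).
ALLOWED_EGRESS = [ip_network("198.51.100.0/24")]

# Constructed flow-log lines: timestamp, source host, destination IP, bytes out.
# The second line is the one that should fire: a POS lane pushing 5 MB to an
# address that is not on the allow-list.
SAMPLE_FLOWS = """\
2014-05-01T02:14:03Z pos-lane-07 198.51.100.9 812
2014-05-01T02:14:45Z pos-lane-07 203.0.113.44 5242880
2014-05-01T02:15:10Z hr-laptop-03 93.184.216.34 2048
"""


@dataclass
class Alert:
    seen_at: datetime
    host: str
    dst: str
    bytes_out: int


@dataclass
class Environment:
    """In-memory stand-in for the firewall, access switch and ticket queue."""
    egress_blocks: list = field(default_factory=list)
    quarantined: set = field(default_factory=set)
    tickets: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def detect(flow_log: str, min_bytes: int = 1_000_000) -> list:
    """Detection: a cardholder-segment host sending a large volume to a
    destination outside the egress allow-list."""
    alerts = []
    for line in flow_log.splitlines():
        ts, host, dst, nbytes = line.split()
        asset = ASSETS.get(host)
        if asset is None or asset["segment"] != "cardholder":
            continue
        if any(ip_address(dst) in net for net in ALLOWED_EGRESS):
            continue
        if int(nbytes) >= min_bytes:
            seen = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            alerts.append(Alert(seen, host, dst, int(nbytes)))
    return alerts


# SOP steps. Each one is idempotent so the playbook can be re-run safely,
# and run_sop records each step in the audit trail.
def block_egress(alert: Alert, env: Environment) -> None:
    rule = (ASSETS[alert.host]["ip"], alert.dst)
    if rule not in env.egress_blocks:
        env.egress_blocks.append(rule)


def quarantine_host(alert: Alert, env: Environment) -> None:
    env.quarantined.add(alert.host)


def open_ticket(alert: Alert, env: Environment) -> None:
    text = f"Possible exfil: {alert.host} -> {alert.dst} ({alert.bytes_out} bytes)"
    if text not in env.tickets:
        env.tickets.append(text)


SOP = [block_egress, quarantine_host, open_ticket]


def run_sop(alert: Alert, env: Environment, now: datetime) -> dict:
    """Response: run the SOP steps in order and report time to containment."""
    for step in SOP:
        step(alert, env)
        env.audit.append((step.__name__, alert.host))
    return {"host": alert.host, "dst": alert.dst,
            "seconds_to_contain": (now - alert.seen_at).total_seconds()}


def detect_and_respond(flow_log: str, env: Environment, now: datetime) -> list:
    """The whole loop: detect, then contain every alert without waiting on a human."""
    return [run_sop(alert, env, now) for alert in detect(flow_log)]


if __name__ == "__main__":
    env = Environment()
    for result in detect_and_respond(SAMPLE_FLOWS, env, datetime.now(timezone.utc)):
        print(result)
    print(env.audit)
```

The design point is that the steps are the SOP itself, in the order an analyst would follow it, and the audit list is the evidence that it ran; because each step is idempotent, the playbook can be re-run on the same alert (or by a human after the fact) without stacking duplicate firewall rules or tickets.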
Over the next few weeks we’ll be following up with some of our strategies on both detection and automation. Let’s make a dent in these numbers for next year!
Thanks for reading!