2019 Verizon DBIR Key Findings

Two Trends and Themes Worth Thinking About

Why do we all get so excited about the Verizon Data Breach Investigations Report (DBIR) every year? For me, it’s not just the subject matter. It’s mostly the snarky tone and the pop-culture references. Call it what you will, but the injection of humor into an otherwise serious set of findings of our seemingly collective ineptitude makes it at least palatable to read and thus easier to digest.

Seriously though, while it’s not all bad, the dataset for this year’s analysis was again frightening. “41,686 security incidents and 2,013 data breaches” in the past calendar year? That’s well over 100 events per day!

Whether that scares you or not, here are two trends and themes I think are worth thinking more deeply about in this year’s report.

Verizon Data Breach Investigations Report: An Alarming Trend

Some of the most interesting pieces of information within the DBIR every year are the noticeable trends in comparison with previous years’ statistics. One finding in particular that jumped out at me right out of the gate in the “Results and analysis” section was the following regarding the “Threat actors” involved in the analyzed data “breaches”:

“System administrators are creeping up and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors. These are either by misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers. Please, close those buckets!” (2019 Data Breach Investigations Report, Page 7)

To me, this is a problem that is within our reach and control to solve. It’s not an easy problem per se, but it’s really a blocking and tackling kind of thing. Maybe it’s even more of a stop the bleeding kind of thing too.

Discipline is the primary ingredient missing from this recipe, but I don’t mean laziness when I say that. It’s hard not to make any mistakes, especially when we know system administrators are stretched so thin and worked so hard. It’s also hard to follow process to a “T” when there are deadlines to meet.

VDBIR: What to Do Now?

Configuration management and policy enforcement solutions exist to force us to cross the I’s and dot the T’s. They promote focus on foundation-level security controls, which in turn increases the effectiveness of the fancier solutions you’re relying on to catch the bad guys in the act.

Bottom Line: Self-inflicted wounds are perhaps the ones that hurt the most, and unfortunately, according to this year’s DBIR, we’re doing it more often than in years passed.

Verizon Data Breach Investigations Report: “Stolen Creds” are a Central Theme

Normally I’d be worried about someone calling me out for being biased as we’re always obsessing about “Credentials and Data” here at STEALTHbits, but the facts are the facts. Stolen credentials and the (ab)use of stolen credentials dominated the rankings in this year’s study.

• 52% of breaches featured Hacking
  • Top “threat action” varieties in breaches?
    • Use of stolen credentials was #2 out of 15 categories
  • Top hacking action “variety” in breaches?
    • “Use of stolen creds” was #1 by double that of #2 (Use of backdoor or C2)
  • Top data varieties compromised in breaches?
    • Internal and Credential data are #1 and #2 (statistically even), followed by Personal, Medical, and Payment data

This makes sense though.  After all, it’s kind of hard to obtain access to valuable assets in the digital world without a valid set of credentials – unless it’s just completely wide open, which is also a possibility.

VDBIR: WHAT TO DO?

Verizon says,

“Like all good stories, attackers need somewhere to begin, and whether this starting point is with a list of vulnerable servers, phished emails, or stolen credentials, if the proverbial lever is long enough they will breach your perimeter. Therefore, it is wise to do all that you can to reduce the number of starting points that they are provided. After all, vulns can usually be patched and creds can be better protected with multi-factor authentication.” (2019 Data Breach Investigations Report, Page 27)

I agree. And given Active Directory is where the vast majority of internal users’ credentials are contained for 90% of businesses worldwide, you might want to see how strong your users’ passwords are and the state of other conditions and vulnerabilities attackers exploit to compromise your credentials and data.

Bottom Line: There are two common denominators in every breach scenario – credentials and data. This year’s DBIR very clearly supports this fact.

How Shall We Proceed?

“There’s definitely a feeling in InfoSec that the attackers are outpacing us. They’ve got all the creds, the vulns, and the shells, not to mention the possibility of huge monetary incentives.” (2019 Data Breach Investigations Report, Page 27)

I’ll never say anything relating to cybersecurity is easy. There are just too many moving pieces, too many factors, too many threat vectors. Like anything in life though, it’s got to be one day at a time, one foot in front of the other.

The DBIR is not just a status check on how well we’re doing each year. It’s a call to arms to do something about the problem. The question is not whether you’re going to fight, however. The question is which weapon you’re going to use.

Fortify the foundation? Control the creds? Defend the data? Or pray for an unprecedented advancement in AI that will detect, quarantine, and eradicate all the threats we face by the end of the year?

I think we know what we need to do.

Verizon DBIR Definitions

Definition of a “Threat actor” (Verizon DBIR)“

Definition of a “Threat action” (Verizon DBIR)

Definition of a “Variety” (Verizon DBIR)

Definition of a “Breach” (Verizon DBIR)