Paul Pratley, Associate Director, Head of Investigations and Incident Response
The DBIR is seen by many as a fascinating insight into what really goes on in data breaches, but the real value is in using it as a means to direct investment in security controls that have the greatest impact on mitigating real world threats to your business.
Incident patterns, the naturally forming clusters first identified in 2014 when comparing the spread of incident metrics, are key to unlocking this value. This year’s report, more than ever, has an industry-specific focus. As such, there is something for everyone, with valuable insights into the causes of and motivations behind breaches in each industry vertical. For this, figure 9 is your key to getting the most from the report, as it shows which incident patterns are most prominently associated with each industry vertical. Diving into the details of the incident patterns that affect your corner of the security world is the best way to begin using the data effectively.
Over a billion credentials are known to have been stolen in the last year, particularly from web portals and sites that exclude online retail. If you run an online service where users authenticate, it’s time to brace yourselves for the script kiddie account checker scripts and start thinking multi-factor authentication if you haven’t already.
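The "account checker" traffic described above has a recognisable shape in authentication logs: one source tries many different usernames in a short window, unlike a single user mistyping a password. The following is an added example (not code from the DBIR or from F-Secure Consulting) that flags that pattern over a few constructed log lines; the log format, the five-minute window and the distinct-account threshold are assumptions for the example.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example, not from the DBIR or F-Secure. Flags a source IP whose failed
logins span many distinct accounts within a short window, the signature of an
account-checker script replaying a stolen credential list. A source that
hammers one account is reported separately as plain brute force, not stuffing.
Log format and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, outcome, username, source IP.
SAMPLE_LOG = """\
2017-05-02T10:00:01Z login FAIL user=alice src=203.0.113.7
2017-05-02T10:00:02Z login FAIL user=bob src=203.0.113.7
2017-05-02T10:00:02Z login FAIL user=carol src=203.0.113.7
2017-05-02T10:00:03Z login OK   user=dave src=203.0.113.7
2017-05-02T10:00:03Z login FAIL user=erin src=203.0.113.7
2017-05-02T10:00:04Z login FAIL user=frank src=203.0.113.7
2017-05-02T10:00:05Z login FAIL user=grace src=203.0.113.7
2017-05-02T10:00:10Z login FAIL user=heidi src=198.51.100.9
2017-05-02T10:00:11Z login FAIL user=heidi src=198.51.100.9
2017-05-02T10:00:12Z login FAIL user=heidi src=198.51.100.9
2017-05-02T10:00:13Z login OK   user=heidi src=198.51.100.9
2017-05-02T10:30:00Z login FAIL user=ivan src=192.0.2.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect_credential_stuffing(text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: {"distinct_users": n, "successful_logins": [...]}} for each
    source IP whose failures within `window` cover >= min_distinct_users accounts.

    Successful logins from a flagged source are listed too: those are the
    credentials that actually worked and need a reset (and MFA enforced).
    """
    events = sorted(parse_events(text))
    failures = defaultdict(list)   # src -> [(ts, user)] inside the sliding window
    successes = defaultdict(set)   # src -> users that logged in successfully
    peak_distinct = defaultdict(int)

    for ts, result, user, src in events:
        if result == "OK":
            successes[src].add(user)
            continue
        window_fails = failures[src]
        window_fails.append((ts, user))
        # Drop failures that have aged out of the window.
        while window_fails and ts - window_fails[0][0] > window:
            window_fails.pop(0)
        distinct = len({u for _, u in window_fails})
        peak_distinct[src] = max(peak_distinct[src], distinct)

    return {
        src: {"distinct_users": n, "successful_logins": sorted(successes[src])}
        for src, n in peak_distinct.items()
        if n >= min_distinct_users
    }


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} distinct accounts tried, "
              f"successes={info['successful_logins']}")
```

On the sample, 203.0.113.7 is flagged (six distinct accounts in a few seconds, with one success that needs follow-up), while 198.51.100.9, which fails repeatedly against a single account, is not, so the two cases can be routed to different responses.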
Figure 6 – Number of records per data variety over time
Whether associated with economic, political or military advantage, and whether actually carried out by nation states or others, espionage is proportionately trending up in the breach data.
Figure 3 – Threat actor motives over time
Certain industries are bearing the brunt of this threat. With almost half of the data breaches in the public administration vertical linked to state affiliated actors, these are unsurprisingly the playground of intelligence agencies.
If you happen to be in manufacturing and didn’t know it already, industrial espionage is your biggest threat. Remarkably, in this vertical, 91% of data compromised was classed as secrets, 93% of threat actors were classified as external and 94% of breaches were associated with espionage as the threat actor motivation. The good news is that while these attacks are often quite advanced, they are also long running, with over half of them taking years to discover. This means there is a genuine opportunity to apply modern attack detection techniques such as threat hunting to pick up and contain these attacks early.
With social engineering through email phishing still being a key factor to the success of espionage incidents, good user behavior programs and tooling to detect or allow reporting of phishing are key controls to focus on.
Ransomware continues onward and upward in its prevalence and is the fifth most common form of malware in this year’s report. While progress is being made in combating the commodity variants and dealing with the growing “Ransomware as a Service” threat, attackers have moved from single endpoints towards interactive attacks that target organizations. This is reflected in this year’s report and is certainly reflected in F-Secure Consulting’s caseload, which saw a 250% increase in ransomware cases last year compared with 2015.
“Perhaps the most significant change to ransomware in 2016 was the swing away from infecting individual consumer systems toward targeting vulnerable organizations.”
- 2017 Verizon DBIR
In 2016, the US-CERT observed a 300% year-on-year growth in infections, and this trend continues into 2017. How does this stack up with what we are seeing? F-Secure Consulting conducts the majority of its incident response casework across Europe and Africa. As we have seen, the ransomware threat continues to evolve, with organized crime groups targeting corporate networks more and more often because of the profitability of such attacks.
While there has been a rapid expansion in the capability of ransomware to target network shares, encrypting vast amounts of corporate data, attackers soon learned that large organizations were willing and able to pay much more than individual users. This in turn has pushed ransomware capabilities and delivery techniques towards those of espionage-style attacks, resulting in widespread domain compromise, ransoms in the million-dollar range, destruction of online backups and enterprise-wide infection.
With this in mind, F-Secure Consulting has developed an anti-ransomware agent, RansomFlare, which uses a combination of machine learning and behavioral analysis to identify ransomware as soon as it runs on a computer system with rapid remote incident response and containment.
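Behavioral detection of file-encrypting malware rests on signals that are visible regardless of the specific variant: a process writing to many files in a short burst, the written content looking like ciphertext (high byte entropy), and files being renamed to a new extension. The following is an added example, not RansomFlare’s logic or any F-Secure code, that scores processes on those three behaviors over a constructed stream of file events; the event format, the ten-second window, the write count, the entropy cut-off and the equal weighting of the signals are all assumptions chosen for the example.

```python
"""Behavioural ransomware heuristic over a constructed stream of file events.

Added example, not RansomFlare's detection logic or any F-Secure code. Each
process is scored on three behaviours typical of file-encrypting malware:
a burst of writes, encrypted-looking (high-entropy) content, and renames to a
new extension. Event format, thresholds and weights are assumptions.
"""
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random or encrypted data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_processes(events, window_s=10.0, min_writes=20, entropy_threshold=7.0):
    """Score each pid 0..3. `events` are dicts with keys t (seconds), pid,
    op ('write' or 'rename'), path, plus data (bytes) for writes and
    new_path for renames. Returns {pid: score}."""
    writes = defaultdict(list)          # pid -> [(t, entropy)]
    ext_changed = defaultdict(bool)     # pid -> renamed a file to a new extension
    for ev in sorted(events, key=lambda e: e["t"]):
        pid = ev["pid"]
        if ev["op"] == "write":
            writes[pid].append((ev["t"], shannon_entropy(ev["data"])))
        elif ev["op"] == "rename":
            old_ext = ev["path"].rsplit(".", 1)[-1]
            new_ext = ev["new_path"].rsplit(".", 1)[-1]
            if old_ext != new_ext:
                ext_changed[pid] = True

    scores = {}
    for pid in set(writes) | set(ext_changed):
        w = writes[pid]
        score = 0
        # Signal 1: any window_s-second window containing >= min_writes writes.
        start = 0
        for end in range(len(w)):
            while w[end][0] - w[start][0] > window_s:
                start += 1
            if end - start + 1 >= min_writes:
                score += 1
                break
        # Signal 2: at least 80% of written content looks encrypted.
        if w and sum(e > entropy_threshold for _, e in w) / len(w) >= 0.8:
            score += 1
        # Signal 3: files renamed to a different extension.
        if ext_changed[pid]:
            score += 1
        scores[pid] = score
    return scores


def ransomware_like(scores, threshold=3):
    """Return the pids whose score reaches the alert threshold (all three signals)."""
    return sorted(pid for pid, s in scores.items() if s >= threshold)


def build_sample_events():
    """Constructed sample: pid 1337 behaves like ransomware on a share,
    pid 42 behaves like a text editor saving a few notes."""
    rng = random.Random(7)
    events = []
    for i in range(40):
        blob = bytes(rng.getrandbits(8) for _ in range(2048))  # ciphertext stand-in
        events.append({"t": 0.1 * i, "pid": 1337, "op": "write",
                       "path": f"/share/docs/report{i}.docx", "data": blob})
        events.append({"t": 0.1 * i + 0.05, "pid": 1337, "op": "rename",
                       "path": f"/share/docs/report{i}.docx",
                       "new_path": f"/share/docs/report{i}.docx.locked"})
    text = b"Quarterly figures are attached; see the notes below.\n" * 40
    for i in range(3):
        events.append({"t": 5.0 + i, "pid": 42, "op": "write",
                       "path": f"/home/alice/notes{i}.txt", "data": text})
    return events


if __name__ == "__main__":
    scores = score_processes(build_sample_events())
    print("scores:", scores, "alert:", ransomware_like(scores))
```

Requiring all three signals keeps backup agents and archivers (which write high-entropy data in bursts but do not rename to a new extension) and document editors (low-entropy, few writes) below the alert line; in a real agent the weights would be learned rather than fixed, which is where the machine learning component comes in.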
To get your incident readiness where it needs to be, find out more about F-Secure Consulting’s Ransomware Prevention and Incident Response offerings.