Verizon DBIR: Web App Attacks and Security Errors Surge

Threatpost talks to Verizon DBIR co-author Gabriel Bassett about the top takeaways from this year’s Data Breach Investigations Report.

Verizon’s 2020 Data Breach Investigations Report (DBIR), released Tuesday, analyzed 32,002 security incidents and 3,950 data breaches to sniff out the top causes of data breaches over the past year. While cyber-espionage attacks and malware decreased, other trends, such as security “errors” (cloud misconfigurations, etc.), denial-of-service (DoS) campaigns and web application attacks saw startling growth. DBIR co-author Gabe Bassett, who is the senior information security data scientist at Verizon, talked to Threatpost about the biggest takeaways from the report for this year.

Listen to the full podcast below, or download direct here. 

Below find a lightly-edited transcript of the podcast.

Lindsey O’Donnell-Welch: Hello, welcome back to the Threatpost podcast. This is Lindsey O’Donnell Welch with Threatpost and we’re going to talk today about the Verizon data breach investigations report, known as DBIR for short. I’m joined today by Gabriel Bassett, a data scientist and DBIR co-author with Verizon. Gabe, thanks so much for joining us.

Gabriel Bassett: Thank you for having me.

LO: Yeah, so Verizon released its DBIR for 2020. And this report really gives kind of a comprehensive view of data breaches, how they occur, who the victims are, and the attackers and what kind of tools are used, what industries are impacted, and much, much more. So just to start, can you give us kind of a high profile overview about this year’s report, really, how many incidents and breaches were reported and kind of what went into the background report there?

GB: Sure. So the DBIR, the goal is to provide kind of a statistical look at what happens to the normal organization. Right? Rather than the outliers we want to provide data so that an organization can go in and say, what’s most likely to happen to me. And we do that by collecting a lot of incidents and breaches. This year, we collected 32,000 incidents and we analyzed another, almost 4,000 breaches, 3,950, and billions of non-incident records, which are things like malware blocks, vulnerability scans, phishing tests, honeypot data, things like that. The data we get comes from 81 countries around the world, as well as 81 contributors, government organizations, companies, law firms, insurance organizations, both in the U.S. and around the world, who all contribute their data so that we can go together and kind of produce a report that can help organizations understand and plan for their security future.

LO: Right. That’s a lot of data. How long does that take you usually?

GB: The answer is longer than you would expect. So we start collecting data in November. And it takes us really several months just to collect the data, to collect it and aggregate it and normalize it. Normally through February and maybe even a little into March, just to get the data and clean it, especially prior incident and breach data, it all comes in in a schema that we published publicly, because years ago, we realized that you know, when one person said breach, it didn’t mean the same thing as the next person. And so we defined all of our terms so that we can all speak in kind of a common language. And so we get all the breach data into that format, but all the other types of data tend to have kind of their own structure. And so we end up with around 40 contributors or 40 different data sets, that all have to be kind of individually cleaned and analyzed. And you just think, how many days there are a month versus 40 pieces of data. And I mean, it’s an everyday thing for several months just to get the data clean and analyzed and get some of the insights just so we can start writing.

LO: Right. I think that’s a really interesting point about defining the right term, especially in the security industry, where kind of these definitions are so important. And I noticed within the report, just before we get into kind of the further details, that there were a couple of different terms that were being used, including security incidents, data breaches, hacking and things like that. So I just thought that was interesting how you guys kind of clarified that because it is so widespread across the industry in terms of misconfigurations versus actual hacks versus breaches. I think that’s a really good point.

GB: Yeah, it’s really important that we all kind of speak the same language, even if we think we’re speaking the same language that we explain what we’re talking about, so that, if it turns out that we’re wrong, we’re still communicating well, you know, we tend to every year put in some unique charts or such. And, you know, we’ve started taking a page or two to explain some of the unique charts so that people can get the most out of them, because we don’t expect people to come into the report, and just inherently know all of kind of the the specifics about it that, maybe they would know if they read it for the last, you know, 13 years.

LO: Right.

GB:And so we’re glad to be able to provide kind of that commonality to the community.

LO: Right, definitely. Well, so looking at the report that was released this week, I know that every year it really varies in terms of what the different themes are. And for instance, last year, the top rising themes seem to be around cloud misconfigurations, and business email compromise or BEC, and IP theft. So can you talk about three biggest takeaways from the report this year, if you are able to kind of pinpoint those at a very high level?

GB: Sure, and I think you hit one of them, just there. And that, you know, last year, we saw this big rise in cloud email compromises, as well as cloud storage compromises. And those cloud storage compromises have moved “errors” from the fourth most common action to the third behind the use of stolen credentials and phishing, and have displaced malware in the top three types of actions that caused breaches and for those who may not be familiar with the DBIR, an error is anything that is caused unintentionally. And so it could be something like sending person A’s data to Person B in an email. It could also be configuring cloud storage to be publicly accessible, but then putting private data in it, having that found. There was no intention to cause a breach anywhere along the process. But a breach occurs nevertheless. And then those kinds of accidental breaches have jumped into the third spot, particularly on the backs of cloud storage. Where, what tends to happen, is a security researcher finds data either in a database or in just Cloud Storage that contains personal information, it gets publicly disclosed and then the organization has to explain the breach, and so I don’t think that these are new errors. I think the errors have been happening, there just hasn’t been a good path for their disclosure because we look at industries like healthcare and the public sector, that have mandatory reporting requirements, they’ve always had very high error rates, you know, and it’s only now that we’re starting to get error rates and other industries from this  one type of disclosure.

But the couple of points for industry or for organizations is you need to make error a top tier target for your risk mitigation processes. Look at industries like manufacturing has worked to reduce error for decades and decades. You know, they can help teach us how we can reduce error but the other part is we need to normalize error disclosure. I’m not perfect. None of the people defending networks are perfect and other people using networks, none of the attackers are perfect. No one’s perfect. And so the only way we’re going to become more secure is if we acknowledge that and normalize reporting of errors, fixing them and just moving on rather than making a big issue about them every time they come up. And so that’s maybe number one is errors.

Number two, I think is is drop in malware and it ties into an maybe a bigger chain of “good news stories.” While some types of malware as such as ransomware and password dumpers are increasing – the password dumpers of course goes with the use of stolen credential – Some of the common types of malware we think about, such as Trojans and RAM scrapers have dropped significantly. And to that end, you know, in the DBIR, we collect data on the breaches that succeed. And that means we have a bias, we have a bias toward towards what works for the attackers, which isn’t really a problem because that’s kind of what you want to defend against, right. But there’s the other side, which is what the attacker try and fail at. And it turns out that our nonce incident data has that, things like malware blocks. And so we see the attackers trying things like trojans. There’s a lot of them out there, different types of malware, but we don’t see them occurring in breaches. And so I think that there’s a good news story around our web proxies, our mail proxies, our antivirus. And that, you know, they’re not perfect, but they are stopping malware. That’s good to know.

Along those same lines from a good news story is thinking about exploiting vulnerabilities. You know, I think it’s something that we all kind of feel nervous about. We see new vulnerabilities every day and you know, big vulnerabilities and we see how widely they’re distributed. Now we know kind of in our own organizations like we patch, but man, is it good enough? What we found is that most organizations are not, patching a lot, would be a good way to say it. In the industry section there are some figures that show patching. There’s an overall line in it that says that most organizations are patching 57 percent of their significant vulnerabilities in the first quarter, which is not really what you consider a passing grade. But when we look at the use of exploiting vulnerabilities in our breach data, we see that vulnerabilities are always single digits in exploitation. They’re just not exploited a lot. They’re not the easiest way for attackers to attack. And so that tells me that even though we’re not perfect patching, that patching we’re doing, plus our ability to look for vulnerabilities in our domain. And our ability to filter through things, you know, firewalls and such, is doing a good job of keeping exploiting vulnerabilities a step above what the attackers are willing to do at this point. You know, and that’s a good news story. It means some of our defenses are working. And there’s a couple other good news stories in the report as well. Those are two of the big ones.

Now, in the third key takeaway from the report would be that web applications has doubled year over year in breaches. You know, and this is a kind of a worrying trend, because there are probably a lot of organizations that are prepared for this. They spent the last several years moving to cloud services and the ability to conduct all their security actions whether a system is on prem or off. But for the organizations that haven’t made that transition, the attackers are already there. They’re already attacking those service oriented workflows, particularly using things like credentials, which is 80 percent of the attacks. But there’s also 20 percent exploiting known web app vulnerabilities, stuff that like could easily be patched. And so that jumping web app is a big trend in the report as well and one that I don’t think we can overlook, given how many people are working from home right now.

LO: Right. Yeah, that’s really interesting. In particular, I remember when, you know, I was reading through industry by industry, the financial and insurance industries and then also, accommodation and food services industries, were some of the ones that were really seeing kind of this rise up in web application attack too so it seems like certain industries are really struggling with that.

GB: Absolutely. And I think that some are seeing a very clear transition, like a combination of food services and retail. It used to be that those were driven by attacks on the point of sale systems, malware would be deployed that would read credit card numbers out of system memory. And that just hasn’t been the case in the last year or two instead. What is more common is attacks on their web app infrastructure. We’ve seen breaches both of personal information as well as breaches that are installing malware on the web app, or installing some type of software to capture credit card numbers and other data that’s flowing through the web app for the attackers. And so I think that attackers have somewhat pivoted, and whether it’s because point of sale systems are becoming more secure, or there’s just a larger volume of online retail targets, our data doesn’t tell us that, but either way, if you’re in an industry or if you’re moving to a online sales system, which, I suspect is relatively common right now, for businesses that have traditionally been tied to brick and mortar – It’s important to plan for how you will maintain the security of that system. Now, if you can afford to, or have the skills to secure yourself, do so. But if you don’t as an organization, it’s important to take advantage of economies of scale, right? You can, even if you can’t afford your own security operations center, you can afford potentially managed security or you can afford a platform that you lease like an online retail system that you purchase as a service. And then part of that service is the security that’s built into it. And security operations and that way, you know, you don’t have to bear that burden individually as a smaller medium sized business.

LO: Right, right. Well, you were talking earlier about the positive takeaways from this report, which I always, you know, like to focus on the middle of security stories. And one thing that stuck out to me, at least, and this kind of goes hand in hand with what you’re talking about in terms of patch management earlier, is when you guys were looking at the data breach incident response timelines, and it looked like the number of companies that were discovering incidents, the level of time when it was days or less was increasing. And containment in that same timeframe had, as you guys said, surpassed its historic 2017 peak, so it looked like there were some positive angles there in terms of breach timelines that may have to be taken with a grain of salt. But, you know, what were you guys seeing with that?

GB: Yeah and we really do see that, we’re always kind of hesitant about the timeline trends, because longer breaches tend to be well longer. And so they’re less likely to enter the data set early, particularly things like years or more. If it takes a year for the breach to occur, we won’t find out about it until a year after. So it’s a bit of a lagging indicator. But you know, we’re cautiously optimistic that discovery times are improving. Part of this, as the section indicates, is driven by more breaches associated with detection by managed security services. And those certainly have brought down the number and on the one side, it’s you know, you can potentially think about as a bias in the data set. You can also think about as this is a real trend, potentially that the use of managed security services decreases the time to detect a breach. And that makes sense, right? If you don’t have any security operations, like we just talked about, the way you find out about a breach, particularly something like a credit card breach, is the credit card company calls you and tells you that all the credit cards that were used at your site between time A and time B are being used maliciously, right? It’s a very lagging process. On the other hand, if you have some type of security operations, no matter how you supply it, you potentially have the ability to catch that attack while it’s happening. And that decreases detection significantly. So I’m a big believer that every organization no matter their size, should have some level of security operations, whether directly or indirectly through some type of service.

LO: One other thing I wanted to ask you about, and this was kind of a takeaway from the report that was surprising to me. But you guys found that cyber-espionage attacks actually saw a downward spiral, which was different from what you had found last year. But that was surprising for me just because it seemed as though there were more cyber-espionage campaigns that had been hitting the news over the past year. But as we know, like, you know, what you see in the news is not necessarily what’s being reported in the background. So can you talk a little bit more about kind of what really went into that drop and on the flip side, why financial motivated campaigns seem to  not only be on the rise, but are beating out espionage campaigns by a wide margin.

GB:And this is one that we really try to impress every year because even though espionage tends to be somewhat cyclic, you know, it goes up and down every two years. It never really gets above around 30 percent of breaches. Financial breaches have always been the most common motive in the DBIR. It’s one of the things that I think a lot of times people just don’t realize. But it makes a lot of sense, right? Espionage is valuable in a limited case. Financially motivated braces are valuable in that everyone who is willing to take that route, right? Like, there’s no point at which you’re like, you know what, I don’t need more money.

And so, if there are targets – and  there are always are targets – financially motivated attacks are going to continue to grow. And it’s really only constrained by the number of attackers and their ability to automate their attack, which is one of the reasons that throughout the report, we kind of hit on the importance of the simple attacks, right, because for the attackers, the simpler, the more automated they can make their attack, the more money they’re gonna make. And so it’s defenders, our job for protecting our organization isn’t to be perfect. It’s to be strong enough that we don’t look like a valuable target, like it will take too much time to attack us. Because even if my organization is imperfect, and I know it’s imperfect, I know there are ways to break into my organization. But if I built my defenses such that, maybe I take twice as long as the average company that the attackers are targeting, there’s absolutely no reason for them to go after us ever because there’s an infinite number of targets, who are twice as easy and they can compromise two of those in the time that would take to attack me. And so as defenders, you know, it’s okay to be imperfect. It’s okay to have those things where you’ve got that system that you just can’t quite do everything you want about it to secure it. Do what you can, bring yourself up, add those extra controls even if they’re not perfect. Because they make a big difference.

LO: Right? Yeah. Gabe, before we wrap up, I wanted to ask one other thing, I know that you touched on errors. And part of this is the DBIR had talked a little bit about internal actors versus external actors and how those can trigger breaches. Can you talk a little bit more about what you guys found when it comes to insider actors? I know that the majority of breaches were actually coming from external actors. But, you know, with insider threat being such a big topic seemed it seemed like DBIR was pointing to the fact that, you know, insider threats don’t seem to be as big of a threat, as they may have been reflected on in the past.

GB:Yeah, this is another one where we see a big discrepancy between what a lot of people kind of intrinsically feel and what the data shows. The data shows external actors have always been more common than internal actors in our data set. And this makes sense. Because given what we just talked about, on the financial side, if most breaches are financially motivated, more than likely, you’re already paying the insider guys. And so there’s not quite as much incentive for them to want to attack you, on the other hand there’s a huge number, there’s billions of people outside your organization who have a financial incentive to attack you. And so really, the external attacker is the driver, even when the breach is attributed to the inside, the majority of time it’s attributed due to a mistake, right? It’s an error. It’s unintentional, the person was not acting with malice inside your organization. It’s important to remember that, because we don’t want to spend our time hunting ghosts within an organization and looking for malice where it doesn’t occur. Now and there is some misuse within orgs. But even that, a lot of it tends to be around accidental – or not accidental – but non-malicious misuse, things like sending my work files to my personal email because it’s a little bit easier to do my work that way. Things like that. Now, and there are insider breaches, there are places where people take information from within their organization, and then sell it outside to make a little extra money on the side. But you know, more than likely as an organization, if you’re going to turn to look to your inside of users, to help decrease your breaches, look to what you can do to improve processes and set your inside employees up for success so that they are less likely to make mistakes. And when they do make mistakes, they don’t have a big impact.

LO: Right. And I think that’s really important to highlight in terms of insider actors as opposed to kind of insider threats or malicious actors, so I appreciated you guys highlighting that in the report. Gabe anything else you want to mention, any other kind of big takeaways or anything that caught you by surprise when you guys were kind of crunching all these numbers?

GB:I think that a lot of people so far have told us that they like path section. Figure 40 in the report is still kind of mystifying to people. But we’ve done a better job of explaining this year, there’s a black call out on, I think it’s page 39. But I’m not absolutely sure. Oh, excuse me, page 32. That helps explain it. But in general, I think that this is another good story because it gives defenders a new way to think about security, instead of thinking about breaches as something that either hasn’t started or has ended and now I’m responding after the fact if you think about breaches as a path, that takes time to accomplish, you can think about different ways of defending it. You can think about where do I want to meet the attacker in that path? What can I do to lengthen the attack path so the attacker just doesn’t want to accomplish it. Or even, you know, what have I not seen this attack path based off of what I have seen. We cover all those in the path section. And so I think people will enjoy that.

LO: Right. Well, that’s great. And, Gabe, thank you again for coming on to talk about the Verizon DBIR.

GB: It’s been my pleasure. Thank you for having me.

LO: Great. And once again, this is Lindsey O’Donnell Welch with Gabe bessette. And catch us next week on the Threatpost podcast.

Also, check out our podcast microsite, where we go beyond the headlines on the latest news.

 

Suggested articles