2017 Verizon DBIR Highlights: Analyzing the Latest Breach Data in 10 Years of Incident Trends


10 years and counting! Such is the milestone of Verizon’s 2017 Materials Breach Investigations Report (DBIR). Like in years past, the 10th variant of Verizon’s research initiative highlights new patterns, evolving trends, and captivating findings in the information security field. It does so by synthesizing reports that Verizon net of discovered security incidents and breaches, or incidents with confirmed matter disclosure. All these events occurred in 2016 and fit at least one threat manner category in the Vocabulary for Event Recording and Incident Sharing framework.Here are some evidence points that stood out in Verizon’s latest report.Big Picture Stats

Verizon 2017 DBIR verso 3 As you can see, external actors were responsible for three-quarters of the breaches reported to Verizon, whereas internal actors accounted for the other division. Some of these data disclosure events involved multiple groups and/or business partners. However, those instances were less common at 3 percent and 2 percent, respectively.Overall, Verizon saw a downtick in the percentage of cracks involving external actors and an increase with respect to internal actors. One justification for this development is the decline of two external attack types in 2016: password-stealing botnets and point-of-sale (POS) intrusions. Regardless, breaches driven by internal partners remained relatively constant in faultless terms.It’s not surprising to learn that attackers’ motivations shape their systems and targets. For instance, most organized criminal groups or actors with a monetary motivation use stolen credentials, a C2, or a keylogger to hack a web application, gain backdoor network access, or root malware on a victim’s computer using an infected email attachment. The done can be said for state (affiliated) groups or actors wishing to commit espionage, although sexually transmitted engineering attacks such as phishing are more common in their type. Taken together, financial motivations and espionage accounted for 93 percent of the fissures analyzed by Verizon.

Verizon 2017 DBIR page 6The decline of password-stealing botnets and POS intrusions didn’t only reduce the percentage of external breaches. It also diminished the number of alienations whose time-to-compromise registered in the seconds or minutes. Their reduction notwithstanding, these events quiet accounted for 98 percent of all compromises.As for breach disclosure, Verizon contemplated a correction away from the spike that law enforcement exhibited in its 2016 describe. That rise, which was driven by the Dridex botnet, settled down because of upped card skimming and POS crime. In the meantime, employee notifications remained the scad common means of internal discovery. Rates of detection and disclosure thoroughly internal audits and third-parties also went up.Social Attacks

Verizon 2017 DBIR send for 33There were 1,616 social attacks in 2016, approximately half (828) of which with verified data disclosure. Those events accounted for 43 percent of all alienations in the 2017 DBIR’s dataset. Nearly all the social incidents (99 percent) tortuous an external actor.In 95 percent of cases, attackers followed up a thriving phish with software installation. That’s to be expected given ton social attackers’ motivations and targets. Two-thirds of these actors pursuit after financial gain, whereas another third is in it for conducting espionage. Both these motivations comprise the theft of credentials, personal information, and trade secrets.Across the visitors that contributed data to Verizon’s report, 7.3 percent of their operators fell for a phish. Fifteen percent of that grouping took the bait a B time, with one percent of users clicking on a suspicious link or email devotion more than three times. Acknowledging the persistence of these individuals’ behavior, federations shouldn’t just focus on phishing prevention. They should also idle on emphasizing detection and encouraging employees to report when they’ve clicked.RansomwareA standard payload of phishing attacks is ransomware, which became the fifth most shared malware in Verizon’s report. Part of this growth in popularity resulted from new ransomware technology and extortion methods. Some ransomware, for as it happens, lock the Master Boot Record instead of encrypting individual files. Others use systems like unexpected command-line arguments to avoid detection or rely on attainment kits like RIG to spread them around the web. Others still leverage ransomware-as-a-service (RaaS) party lines to increase their exposure among less tech-savvy criminals, who can then customize a toss ones hat in the ring to infect individual systems as well as target vulnerable organizations.In 2016, ransomware spread in the first two quarters. It then dropped slightly in Q3 2016 before employ drop back by 70 percent in the subsequent quarter. This decline is due to the reduction of non-specialized ransomware detections and a decrease in the variants for Locky and CryptoWall, two of the top ransomware genera in 2016.

Verizon 2017 DBIR page 35Companies aren’t letting ransomware propagate unchecked, however. The security industry is addressing the threat by equipping devices with the ability to enable earlier detection as well as promoting collaboration with law enforcement and Damoclean sword intelligence sharing. Some of its members are also launching initiatives breed No More Ransom that are designed to help ransomware victims regain access to their arranges without paying the ransom.Introducing IndustriesFor the first time in its gunfire series, Verizon introduced an “Industries” section that focuses in on industry-specific declarations. Table 1 in the report encapsulates this new effort.

Verizon 2017 DBIR servant 9The researchers at Verizon made a special point of putting their matter into context:“The totals within Table 1 provide information on the representation size for this year’s study and are not indicative of one industry being sundry or less secure than another. It is more of an indication of how well an commerce is represented by our data contributors…. Think of Table 1 as opening up the fridge to see due what ingredients you have to cook with, and if you have enough of an labour to ‘make the bread rise.’” — Verizon 2017 DBIR time 9Taken together, Information, Retail, Finance, and Education all featured turbulent numbers of distributed denial of service (DDoS) attacks. These efforts, which rely on a web presence to do business and to communicate with customers, also saw the largest median DDoS seize sizes. But just because other industries didn’t see as many or as ample of attacks doesn’t mean they’re secure against DDoS efforts.Only six contributors sent Verizon vulnerability-scanning data. But that communication did reveal some important insights regarding industry patch circles. For example, Information, Manufacturing, Healthcare, Accommodation, and Retail all fixed between 25 percent and 50 percent of vulnerabilities within the commencement week, whereas Public, Finance, and Education took a bit longer to bailiwick sometimes a lesser percentage of flaws.

Verizon 2017 DBIR announce 13Verizon shared its thoughts on this observation:“In your environment, you may from longer or shorter patch cycles that are dependent on the particular vulnerabilities learned as well as the assets on which the findings are triggered. The vulnerabilities are treated as ‘brothers’ in the chart below—organizations will need to factor in threat evaluation in any cases as well as potential impact to establish their own time-to-patch duration to over again [completed-on-time] COT.” — Verizon 2017 DBIR page 13The report then elements industry-specific findings. For instance, Accommodation and Food Services primarily clashed financially motivated actors who targeted their POS terminals. Meanwhile, Monetary and Insurance experienced lots of Denial of Service attacks.A Look at Event Classification PatternsVerizon finished off its report by returning to its nine occasion classification patterns. It dedicated an entire section to these attack typefaces because 88 percent of all the breaches it analyzed fell into one of the nine divisions. Here are three categories worth examining.Web Application AttacksThe ton prevalent category in 2017 DBIR was Web Application Attacks. This regularity saw 6,502 confirmed incidents, 3,583 with secondary motivations and 571 with encouraged data disclosure. Driven by the information gathered by contributors involved in the Dridex botnet takedown, these abuses targeted Finance, Public, and Information companies with social mugs. They then leveraged Dridex malware to steal customers’ credentials and rule over their actions.Compared to 2015, there was a higher number of Web Industry incidents. But there were fewer breaches this time enveloping. In fact, most were website defacements and used stolen credentials, phishing, and C2/backdoors.Recantation of ServiceVerizon found that Denial of Service attacks dethroned various errors, the number one incident classification pattern in the 2016 DBIR. This ranking saw 11,246 incidents, five with confirmed data disclosure. Relaxation, Professional Services, Public, Information, and Finance saw the most instances of this listing, with large organizations the targets in 98 percent of attacks.Across the provisions, the median size of DoS attacks decreased. Most attacks also didn’t last for numberless than a few days. But the security industry still witnessed some singular attacks driven by IoT botnets, including Mirai’s DDoS attack manoeuvres against Dyn on 21 October 2016.POS IntrusionsAccommodation and Food Services as splendidly as Retail suffered the greatest from POS intrusions. In total, there were lawful 212 incidents, 207 with confirmed data disclosure. Assorted of these attacks involved RAM scraping. However, keylogging/spyware also played a mainly.ConclusionIt might be easy for readers of the 2017 DBIR to despair and keen a persistently insecure world. But Verizon hopes this doesn’t upon:“…[W]e are aware that there are numerous success stories out there—it is not all bad front-page news for the good guys. Our hope comes from the fact that we be suffering with been able to present these findings to the public for 10 years continual. Our hope comes from how we have grown this publication from sole one organization to include contributions from 65 sources, providing a incontestable corpus sample of security incidents and data breaches from which to learn.” — Verizon 2017 DBIR page 2All readers can use the reveal to better protect their organization’s security. At the same time, assorted companies should consider contributing data in the coming years to stop Verizon present a more comprehensive overview of the digital threat aspect.To join the discussion, download your copy of Verizon’s report here.

Leave a Reply

Your email address will not be published. Required fields are marked *