10 key takeaways from the 2018 Verizon Data Breach Investigations Report (DBIR)

By Tin Zaw, Director of Security Solutions

For more than 10 years, Verizon’s annual Data Breach Investigations Report (DBIR) has offered insight into global cybersecurity trends, based on an analysis of tens of thousands of security incidents and breaches from around the world.

Last year, my colleague Richard Yew and I analyzed the 2017 DBIR from the perspective of the exterior perimeter, where the cyber defenses of our content delivery network (CDN) sit. For this post, we consider what organizations themselves can do to defend their core infrastructure and what strategies they can employ to keep their perimeter safe.

Here are my 10 key takeaways:

  1. 2017 was the year of ransomware.

    As the DBIR’s authors predicted in 2013, ransomware became the tool of choice for cybercriminals in 2017, with more than 40% of malware incidents involving ransomware. That’s the highest that number has been since the report began tracking it in 2012. The reason for the increase is simple: ransomware attacks are easy to pull off with a kit downloaded from the internet, and they are profitable. Because ransomware must pass through the exterior perimeter to communicate with its command-and-control servers, one can defend against it by monitoring DNS lookups for those domains and black-holing (sinkholing) that traffic. Additionally, malicious email attachments can be filtered, and access to suspicious sites can be blocked at the perimeter.
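The DNS-based defense described above, as an added example that is not part of the original post or the DBIR: a small Python script that scans resolver query logs for lookups of known command-and-control domains, answers them with a sinkhole address, and counts blocked lookups per client so the infected hosts stand out. The blocklist, the log format (modelled loosely on BIND query logging) and the log lines are all constructed for illustration.

```python
"""Detect and sinkhole DNS lookups for known command-and-control domains.

Added example, not from the post: the blocklist, log format and log lines are
all constructed for illustration (the domains use the reserved .invalid TLD).
"""
import re
from collections import Counter

# Constructed blocklist standing in for a threat-intel feed of C2 domains.
C2_BLOCKLIST = {"c2-example.invalid", "payload-host.invalid"}

# Address returned for blocked names; 0.0.0.0 simply makes the connection fail.
SINKHOLE_IP = "0.0.0.0"

# Assumed resolver log format, modelled loosely on BIND query logging:
#   "<date> <time> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parent_domains(name):
    """Yield the queried name and each parent domain (excluding the bare TLD),
    so a blocklist entry for example.invalid also covers www.example.invalid."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def is_blocked(name, blocklist=C2_BLOCKLIST):
    """True if the name or any of its parent domains is on the blocklist."""
    return any(d in blocklist for d in parent_domains(name))


def respond(name, blocklist=C2_BLOCKLIST, sinkhole=SINKHOLE_IP):
    """Return the sinkhole address for a blocked name, or None to resolve normally."""
    return sinkhole if is_blocked(name, blocklist) else None


def analyze(lines, blocklist=C2_BLOCKLIST):
    """Scan resolver log lines; return the (client, name) hits and a per-client
    count of blocked lookups, which points at the infected hosts."""
    hits = []
    per_client = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the pipeline
        if is_blocked(m["name"], blocklist):
            hits.append((m["ip"], m["name"].rstrip(".").lower()))
            per_client[m["ip"]] += 1
    return hits, per_client


# Constructed sample log lines.
SAMPLE_LOG = [
    "12-Jun-2018 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A",
    "12-Jun-2018 10:01:03.456 client 10.0.0.5#51235: query: www.c2-example.invalid IN A",
    "12-Jun-2018 10:01:04.789 client 10.0.0.9#40001: query: payload-host.invalid IN TXT",
    "12-Jun-2018 10:01:05.000 client 10.0.0.5#51236: query: c2-example.invalid. IN A",
    "not a query line",
]

if __name__ == "__main__":
    hits, per_client = analyze(SAMPLE_LOG)
    for ip, name in hits:
        print(f"sinkhole {name} -> {respond(name)} (client {ip})")
    for ip, n in per_client.most_common():
        print(f"{ip}: {n} blocked lookups, candidate for isolation")
```

In production the same matching logic is usually expressed as a response policy zone on the resolver rather than in a script; the per-client count is the part worth keeping either way, because a host repeatedly resolving a blocked name is the one that needs to be isolated.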


  2. Cybercriminals do it for the money.

    Unsurprisingly, ransomware attacks are usually accompanied by a ransom note demanding significant sums of money. About three out of four attacks were financially motivated last year, a trend that has been consistent since 2012. With money as the motive, cybercriminals are bound by the same principles of economics as anyone else, such as return on (criminal) investment. Defenses that raise the attacker’s cost relative to the expected payoff therefore work in the defender’s favor.

  3. Denial-of-service (DoS) is the leading cause of security incidents.

    DoS incidents have been a constant for the past several years. About 40% of the incidents analyzed are attributed to a DoS attack. These attacks rarely come from one source but rather from a botnet of thousands of compromised machines. Defending against such distributed attacks often requires a distributed defense in the cloud. Edge cloud services such as a content delivery network (CDN) are a powerful tool against these attacks.

  4. Most network DoS attacks are neither big nor long.

    Though Tbps (terabits per second) DoS attacks make headlines, attacks don’t have to be big or long to do damage. Targeted application-layer attacks, especially against microservices, can cause outages, and they are not expensive to launch. Defenders must take a holistic approach to DoS protection that covers both the network and application layers and accounts for bot traffic.


  5. Most attacks come from the outside.

    In 2017, as in previous years, most troubles came from the outside. Organizations that build a strong perimeter defense will be able to fend off the majority of attacks that could lead to breaches.

  6. Patterns of incidents and breaches vary by industry.

    This is an almost timeless truth. Manufacturing organizations are more likely to see crimeware attacks. Companies in the information industry – classified in NAICS Code 51, which includes newspaper and software publishers as well as television and telecommunication providers – should be on the lookout for web application and DoS attacks. This information can help organizations decide where to focus energy and resources in building cyber defenses.


  7. Four percent of people will click on any given phishing campaign.

    It’s easy to understand the lasting appeal of social engineering as a strategy for attackers. Even though 78% of people are too savvy to click on any phishing campaigns, a small percentage of people inevitably will.

  8. Email is by far the most common malware vector.

    Malware is far more likely to enter a company’s infrastructure through email than by any other route. More than 92% of malware arrived through an email link. By first running employee email through a filter trained to detect the common vectors, companies can shut out the majority of these attacks.
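An added example of the kind of filter the paragraph describes, not code from the post or the DBIR: a Python screen that parses an inbound message with the standard library’s email module and flags the two vectors named here, executable attachments (including double extensions such as invoice.pdf.exe) and links whose visible URL differs from their real target. The extension list, the checks and the sample message are all constructed for illustration.

```python
"""Screen inbound mail for the two most common malware vectors: executable
attachments and deceptive links.

Added example, not from the post or the DBIR; the extension list, the checks
and the sample message are all constructed for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed list of attachment types that have no business arriving by mail.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "jar", "docm"}

HREF_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def attachment_findings(msg):
    """Flag attachments whose final extension is on the blocklist; checking the
    last extension is what catches double extensions like invoice.pdf.exe."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
    return findings


def link_findings(html):
    """Flag links whose visible URL points at a different host than the real
    target, and links whose target is a bare IP address."""
    findings = []
    for m in HREF_RE.finditer(html):
        href_host = urlparse(m["href"]).hostname or ""
        visible = URL_RE.search(TAG_RE.sub("", m["text"]))
        if visible:
            text_host = urlparse(visible.group()).hostname or ""
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but targets {href_host}")
        if IPV4_RE.fullmatch(href_host):
            findings.append(f"link to bare IP address: {href_host}")
    return findings


def scan_message(raw):
    """Parse an RFC 5322 message and return the list of findings (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = attachment_findings(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings += link_findings(body.get_content())
    return findings


def build_sample():
    """Constructed test message: a deceptive link plus a double-extension attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.invalid"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        '<p>Review it at <a href="http://203.0.113.7/login">'
        "https://portal.example.com/login</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg


if __name__ == "__main__":
    for finding in scan_message(build_sample().as_string()):
        print("QUARANTINE:", finding)
```

A real gateway would add sender authentication (SPF, DKIM, DMARC) and detonation of attachments, but even these two static checks stop a large share of commodity campaigns, because the lure depends on the recipient not noticing the mismatch the code makes explicit.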


  9. Stolen credentials are the leading cause of all breaches.

    However, not all credentials are stolen through social engineering. Attackers increasingly use automated programs that try logins with lists of previously stolen credentials (credential stuffing). That’s what happened to one Singapore Airlines customer who had her frequent flyer miles stolen earlier this year. Protecting against account takeover by automated attacks must be part of the perimeter defense.
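An added example of how the automated account-takeover attempts described above can be detected at the perimeter; it is not code from the post or the DBIR. The Python detector below keeps a sliding window of login results per source address and distinguishes credential stuffing (one source failing against many distinct accounts) from brute force (one source failing many times against one account). The log format, the thresholds and the sample lines are constructed for illustration.

```python
"""Flag automated login abuse from per-source login events.

Added example, not from the post or the DBIR: the log format, thresholds and
sample lines are constructed. Two patterns are distinguished:
  - credential stuffing: one source fails against many distinct accounts
  - brute force: one source fails many times against a single account
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per source IP (constructed)
MAX_DISTINCT_USERS = 5          # distinct accounts failed within the window
MAX_FAILURES = 10               # total failures within the window


def parse_line(line):
    """Assumed format: '<iso-timestamp> ip=<ip> user=<name> result=<ok|fail>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["ip"], fields["user"], fields["result"] == "ok"


class LoginAbuseDetector:
    def __init__(self, window=WINDOW, max_users=MAX_DISTINCT_USERS, max_failures=MAX_FAILURES):
        self.window = window
        self.max_users = max_users
        self.max_failures = max_failures
        self.events = defaultdict(deque)  # ip -> deque of (ts, user, ok)

    def observe(self, ts, ip, user, ok):
        """Record one login attempt; return a reason string if the source IP
        now exceeds a threshold within the window, else None."""
        q = self.events[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > self.window:
            q.popleft()  # drop events that have aged out of the window
        failed_users = {u for _, u, was_ok in q if not was_ok}
        failures = sum(1 for _, _, was_ok in q if not was_ok)
        if len(failed_users) >= self.max_users:
            return f"credential stuffing: {len(failed_users)} distinct accounts failed"
        if failures >= self.max_failures:
            return f"brute force: {failures} failures against {', '.join(sorted(failed_users))}"
        return None


def scan(lines, detector=None):
    """Run the detector over log lines; return {ip: first reason it was flagged}."""
    detector = detector or LoginAbuseDetector()
    alerts = {}
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        reason = detector.observe(ts, ip, user, ok)
        if reason and ip not in alerts:
            alerts[ip] = reason
    return alerts


# Constructed sample log: a stuffing source, a brute-force source, and a
# legitimate user who mistyped a password twice.
SAMPLE_LOG = (
    [f"2018-06-12T10:00:{i:02d} ip=10.0.0.5 user=user{i} result=fail" for i in range(6)]
    + ["2018-06-12T10:00:10 ip=10.0.0.5 user=user3 result=ok"]
    + [f"2018-06-12T10:01:{i:02d} ip=198.51.100.4 user=bob result=fail" for i in range(10)]
    + [
        "2018-06-12T10:02:00 ip=192.0.2.10 user=alice result=fail",
        "2018-06-12T10:02:05 ip=192.0.2.10 user=alice result=fail",
        "2018-06-12T10:02:09 ip=192.0.2.10 user=alice result=ok",
    ]
)

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG).items():
        print(f"{ip}: {reason} -> step-up challenge or block")
```

The per-source view is what makes the two patterns separable: a single mistyped password looks nothing like five different accounts failing from one address in seconds. In practice the same counters are also kept per account and per credential pair, since stuffing campaigns rotate through many source addresses.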

  10. Botnets are global.

    It’s a scary world. Botnets are found on every continent, with the only possible exception being Antarctica. A strong perimeter defense is necessary to keep a company’s core infrastructure safe. A capable web application firewall with bot mitigation is the bare minimum defense against today’s increasingly prevalent automated threats. The threats are out there, but with a little foresight and technological diligence, you can defend against them.

Ready to reinforce your company’s approach to digital security? Read the complete 2018 Verizon Data Breach Investigations Report (DBIR) here.