Gabriel Bassett is the lead data scientist and a contributing author on the Data Breach Investigations Report team at Verizon Enterprise Solutions, specializing in data science and graph theory applications to cyber security (including VERIS and Attack Flow). He supports several information security data science conferences, is game architect for the Pros vs Joes Capture the Flag series, and has previously held cyber security risk management, testing, intelligence, architect, and program management positions at the Missile Defense Agency and Hospital Corporation of America.
What should be the top three security priorities for CISOs and other security practitioners based on the findings in the 2022 Verizon DBIR?
In the DBIR last year, we talked about engineering for the expected and operations for the exceptional. The 2022 DBIR expands on this by discussing the four key access methods to the estate: Credentials, Phishing, Exploiting Vulnerabilities, and Botnets. These represent the expected attacks and places where CISOs can target engineering through two-factor authentication and password managers, mail and web filters, asset management, consistent patch processes, and minimized internet attack surface, and finally anti-virus to catch latent malware. If the expected is priority one, priority two is the human element. We found that 82% of breaches involved the human element. Finding mitigations for it and measuring the effectiveness of those mitigations (something addressed in Appendix C: Changing Behavior) is critical to the human element. The third priority should be operations. As we note on page 15 of the report, “The category of “Other” has stealthily crept into one of the top three spots (of Figure 19) this year as well. This is largely due to the dataset being long “tailed” and diverse. In other words, there are a lot of different things that aren’t in the top 10, but are still “noteworthy.” To address the long tail, an organization needs security operations, no matter its size. Large organizations can have a dedicated Security Operations Center. Medium-sized organizations can have a managed security services provider. And small organizations can buy IT services, like email, payment processing, or desktop management, that have security built in.
Ransomware attacks continue to rise (a 13% increase from 2020 to 2021). Yet the report also states that a large portion of ransomware incidents resulted in little or no profit at all. What motivates attackers to continue to use ransomware?
We had similar questions that resulted in Appendix E to the report this year. In Appendix E, we model ransomware from an attacker’s point of view. It models an attacker who’s more of a business person than a tech savvy type. Our simulated attacker buys access on a criminal forum and then monetizes that access through Ransomware as a Service. What we expected was to see something more like a business. Invest a little money, get a little return. Instead, it looks more like a lottery. It’s very inexpensive to ‘play’ (attempt to access an organization) and while many plays don’t pay out, the ones that do can still make a tidy profit. In our simulation of 500 ransomware actors, each with 300 simulated ransoms, the median profit was $178,465. The maximum was $3.6 million while only 1.4% of simulated actors lost money. It’s like going to a casino where you mostly lose, but when you win, it more than pays for your losses. In that case, the best bet is to play as much as you can. And so as long as there is easy access to be had, attackers will continue to prey on it.
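To make the lottery-like economics concrete, here is an added Monte Carlo sketch, not the Appendix E model or any DBIR code: every play costs an assumed access price, a small fraction of plays pay out a heavy-tailed ransom minus the RaaS operator's cut, and the totals across actors are summarised. Every parameter (access cost, payout rate, ransom distribution, operator cut) is a constructed assumption, so the figures it prints will not match the report's.

```python
import math
import random
import statistics

# All parameters below are constructed assumptions for illustration; they are
# not the inputs or results of the DBIR Appendix E model.
ACCESS_COST = 1_000        # assumed price of one purchased access (the "ticket")
PAYOUT_PROB = 0.04         # assumed share of accesses that end in a paid ransom
MEDIAN_RANSOM = 50_000     # assumed median paid ransom
RANSOM_SIGMA = 1.2         # assumed log-normal spread: long right tail
RAAS_CUT = 0.30            # assumed share of each ransom kept by the RaaS operator


def play_once(rng):
    """Net result of one bought access: the ticket is always paid, the
    ransom only arrives on the rare winning play."""
    net = -ACCESS_COST
    if rng.random() < PAYOUT_PROB:
        ransom = rng.lognormvariate(math.log(MEDIAN_RANSOM), RANSOM_SIGMA)
        net += ransom * (1 - RAAS_CUT)
    return net


def simulate(actors=500, plays=300, seed=2022):
    """Run `actors` independent actors, each making `plays` attempts, and
    summarise the distribution of their total profit."""
    rng = random.Random(seed)
    profits = []
    wins = 0
    for _ in range(actors):
        results = [play_once(rng) for _ in range(plays)]
        wins += sum(1 for r in results if r > -ACCESS_COST)  # a payout happened
        profits.append(sum(results))
    return {
        "actors": actors,
        "play_win_rate": wins / (actors * plays),
        "median_profit": statistics.median(profits),
        "max_profit": max(profits),
        "share_losing_money": sum(1 for p in profits if p < 0) / actors,
    }


if __name__ == "__main__":
    s = simulate()
    print(f"winning plays: {s['play_win_rate']:.1%}")
    print(f"median profit: ${s['median_profit']:,.0f}   max: ${s['max_profit']:,.0f}")
    print(f"actors losing money: {s['share_losing_money']:.1%}")
```

The point to read off is the gap between the per-play win rate (a few percent) and the share of actors who still end up ahead, which is the "casino" structure the answer describes.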
What progress, if any, have organizations had in reducing attacker dwell time?
In the timeline section we note that while detection times of days or less have continued to improve, it’s often driven by “Actor Disclosure”. That often means Ransomware. In other words, even though we’re detecting faster, it’s because the attackers are finishing their attack faster. We’re still behind. On the other hand, I do think that we’re driving most attackers to faster attacks. Attacks with more actions may potentially have bigger payoffs, but, for most attackers, the extra work and risk isn’t worth it. We’re driving attackers to shorter, more repeatable attacks. That’s good news for the organizations that mitigate the subset of actions attackers are taking most often. It’s bad news for organizations who are not making data-driven security decisions.
According to the report, 82% of breaches involved the human element. Based on that finding, what should practitioners – and security vendors – keep in mind as they head to the RSA Conference next week?
The bad news is there is currently no perfect mitigation for the human element. That said, I’m encouraged by the fact that we see many companies trying new mitigations: improvements in training, testing (such as phishing), security quizzes, simulations, and things we’ve never even thought of. The next step is to consistently test what works and what doesn’t. That’s where Appendix C of the DBIR, Changing Behavior, comes in. It lays out what to expect from a test that shows whether human element mitigations are working or not. This can be something organizations run themselves or request from their vendor. It’s our way of helping the process of finding mitigations to the human element.
The report does include some good news such as the dramatic decrease in incidents in the Accommodation and Food Services market. What other progress can you highlight? What are organizations doing right when it comes to security?
I think a big, good news story from the DBIR this year is a second year of improvements in misconfigurations. In 2019, misconfigurations were at their highest point leading to breaches of data from cloud storage services. Since then, the cloud providers have put in a lot of effort to make the security impacts of configuration decisions clear, which gives us hope that the drop is due to folks maintaining cloud systems, better configuring their services and exposing less data.
In general, though, no one should walk away from the DBIR disheartened. It explicitly looks at the areas in which we falter in security without acknowledging the multitude of organizations succeeding. As we say in the DBIR, “nothing is perfect. Not people, not processes, not tools, not systems. (Not DBIR authors.)” But that doesn’t mean we should give up. Security is more like a season than a championship game. There will be mostly wins. A few losses. And almost always, another round on the field.