Authored by: Carolyn Crandall, Chief Deception Officer, Attivo Networks

For those in the cybersecurity industry, the Verizon Data Breach Investigations Report (DBIR) is one of the most anticipated publications of the year. The report always includes interesting data and research, helping to shed light on some of the most important issues facing the cybersecurity industry today. The 2020 DBIR is no exception, but it is also not the only interesting report published within the past several months. FireEye Mandiant has also released its M-Trends 2020 report and its 2020 Security Effectiveness report, and—taken together rather than individually—these new reports provide real insight into the state of the industry. Below, you can find our top 10 takeaways.
Top 10 Takeaways
- Criminal groups and APTs are leading the charge. The DBIR indicates that criminal groups, at 55%, remain the leading driver of breaches, well ahead of nation-states (10%), sysadmins (10%), and internal end-users (10%). Mandiant concurs that malicious breaches continue to dominate, noting that the rise in activity from criminal actors, hacktivists, and others reinforces the need to test and validate specific controls and policies continuously.
- Criminals are not necessarily looking to go low and slow anymore. Short attacks seem to do just as well as long ones today, and the DBIR identifies a clear preference for attacks to be carried out in as few steps as possible. Verizon’s research shows a clear drop-off in the number of successful attacks that require more than 2-4 steps. “Attackers prefer short paths and rarely attempt long paths,” Verizon notes. “This means anything you can easily throw in their way to increase the number of actions they have to take is likely to significantly decrease their chance of absconding with the data.”
- Credential theft continues to be a leading cause of breaches. Even as criminals increasingly turn to tools like AI, Verizon notes that a whopping 80% of hacking-related breaches involve brute force or stolen credentials. The cloud has proven particularly vulnerable, and although it only makes up 24% of assets breached (compared to 70% on-premises), stolen credentials drove 77% of those breaches. Overall, 37% of breaches used stolen or compromised credentials according to the DBIR, and Verizon says, “It is apparent that use of credentials has been on a meteoric rise.” Mandiant concurs, noting that the move to the cloud has complicated visibility and defenders’ ability to validate that controls such as network segmentation and credential management are operating as intended. Furthermore, the M-Trends report identifies credential theft as a driver in the recent surge in ransomware attacks.
- Lateral movement detection and reconnaissance detection need to improve. When testing certain security technologies against reconnaissance activity, Mandiant discovered that those controls missed 54% of reconnaissance activity altogether, and although they prevented 37% and detected 26%, just 4% generated an alert for defenders. Their data for detecting lateral movement tactics was precisely the same: 54% missed entirely, and only 4% alerted. These findings are particularly disturbing in light of the M-Trends report noting that Ransomware 2.0 involves attackers moving laterally to get to the most critical data and ensure the largest payout. Given that Verizon asserts that cyber criminals show a clear preference for attacks requiring the fewest possible steps, the addition of lateral movement detection has the potential to derail a significant number of would-be breaches.
- Most breaches still involve external attackers, and better alerting is needed. 70% of breaches are caused by external actors, compared with 30% originating internally, but detection lags. Globally, external compromise notifications were at 53%, compared with 47% internal. According to Verizon, the most common internal method of breach discovery is “reported by employee,” which sits at under 10%, well behind discovery by security researchers, customers, and other third parties. Given that dwell time remains in the two-month range for external breaches, improving detection is a must.
- Mistakes and policy violations are on the rise. Verizon called errors the year’s “best-supporting action,” and noted that misconfigurations and other mistakes are on the rise. In fact, the percentage of error-driven breaches caused by misconfigurations rose from just under 20% last year to just over 40%. Mandiant concurs, pointing out that the move to the cloud has put organizations at higher risk for misconfigurations as multiple systems must interact. Mandiant’s research indicates that misconfigurations constitute a significant factor in organizations’ failure to detect specific attacker actions, and their report noted that 65% of policy evasion activity goes undetected. The M-Trends report also points to misconfigurations as a critical factor in both cloud and ransomware attacks, with attackers exploiting them to steal access keys, conduct recon, and exfiltrate data.
- The need for more reliable alerting is on full display. Mandiant’s research highlights noteworthy shortfalls in alerting across a wide range of attack actions. Just 4% of reconnaissance activity generated an alert according to their tests, along with 7% of infiltration and ransomware activity, 23% of malicious file transfer activity, 3% of command and control activity, 11% of data exfiltration activity, and 4% of lateral movement activity. The research revealed that only 9% of attacks generated alerts across the board, and there remains a disconnect between how effective security teams believe their alerting is and how effective it actually is.
- The need for more robust cloud security is growing. As previously noted, increased adoption of cloud technology has put organizations at higher risk for misconfigurations and gaps in security coverage. Although on-premises attacks are still more numerous than cloud attacks, the cloud’s share of breaches is growing—and the fact that 77% of cloud breaches also involved breached credentials helps illustrate how other cybersecurity trends play into this growth. Compromised credentials, misconfigurations, lack of visibility into the network, and other issues all facilitate cloud attacks, highlighting the need for more effective security.
- Ransomware 2.0 is here, and it’s a growing problem. Much of the M-Trends report highlighted the increasing danger of Ransomware 2.0. A departure from the older, “smash and grab” model of ransomware, these attacks are targeted and human-directed, moving laterally to go after critical data, steal credentials, perform Active Directory (AD) reconnaissance, and more. These attackers delay making ransom demands until they have established a presence in as many systems as possible, with access to critical, valuable data. Verizon notes that ransomware is on the rise, even as malware overall is down, and points to increased use of compromised credentials as a reason for ransomware’s continued effectiveness.
- Dwell time is down, but it’s still too high. According to the M-Trends report, dwell time is down to just 30 days for internal detections—a massive drop from 80 days only four years ago. Dwell time is roughly twice as long for external detection, but this, too, is an improvement. However, the M-Trends report is careful to note that, while dwell time improvements are undeniably positive, attackers are utilizing today’s technology to carry out attacks faster than ever. Some may attribute this reduction to the fact that the sample comes from Mandiant’s customers, who have invested in Mandiant’s services to improve their defenses. Thirty days is still a long time to allow an intruder access to a corporate network, and this further underscores Mandiant’s findings regarding the need for more reliable detection capabilities following the initial compromise. Dwell time improvements are great, but they can always be better.
Reports like the Verizon DBIR are always interesting on their own, but when viewed in the context of other key cybersecurity findings, a clearer picture of industry trends and needs begins to coalesce. Decreases in malware attacks are positive—but industries must address the rise of ransomware. Falling dwell time is desired—but it contextualizes the need for better internal detection. Identifying and remaining ahead of these industry trends has allowed Attivo to make constant improvements to our ThreatDefend platform, which deploys new advanced capabilities to detect lateral movement and disrupt Ransomware 2.0. As our understanding of cyber criminals and their tactics continues to evolve, it will be more vital than ever for defenders to evolve with them.