Written by: Carolyn Crandall, Attivo Networks Chief Deception Officer & CMO
We are at the halfway mark of 2018, and over the past few months several comprehensive, in-depth industry reports have been released by a number of large organizations. Each of these reports, in its own way, is designed to help security professionals better understand the state of the cybersecurity market and the challenges businesses face in securing their networks from hackers and cybercriminals. Information sharing and knowledge for building a stronger defense are critical in slowing down attackers and making it much more difficult for them to complete their attack.
In this blog, we take a look at the annual Verizon Data Breach Investigation Report (DBIR) from Verizon Enterprise Solutions. The 2018 report examined over 53,000 incidents and 2,216 confirmed data breaches. As with past Verizon reports, the findings underscore an increasingly stark reality: cybercrime continues to have a far-reaching impact on businesses across all regions and industries. Some of the biggest takeaways from this year’s data are listed below, along with things an organization can do to be proactive in responding to these challenges.
- Small businesses make up 58 percent of data breach victims, and healthcare organizations account for nearly 25 percent of all data breaches. While hackers still target large organizations, small and mid-market companies are regarded as low-hanging fruit because they generally do not have the resources to purchase and manage the latest security technologies.
  - Accept that smaller organizations will be targeted, and build a security strategy based on prevention, detection, and response.
  - Look at managed services to augment 24x7 response and to handle less critical alerts.
  - Make sure to have an ongoing training program on the importance of patching and of not falling prey to phishing emails.
  - Define a response plan so that, if you are breached, you know what steps to take.
- 73 percent of cyberattacks were caused by outsiders, and 50 percent of cyberattacks were attributed to organized crime. Cybercriminals are becoming increasingly sophisticated, and many are equipped with the tools and resources necessary to bypass traditional security controls.
  - Attack surfaces are rapidly evolving, as are attack methods. Organizations need to outline risk scenarios for each environment, understand where the weakest links are, and take a different approach to security to address today’s threat landscape.
  - With 1 in 4 attacks coming from insiders, companies should also invest in detection systems that surface not only attack activity but also policy violations, which give early warning of undesirable actions.
  - Some would say that there are only two kinds of companies: those that have been breached and those that just don’t know it yet. Running your security under the assumption that threats are already in the network will drive a focus on early detection and the reduction of dwell time, which reduces the likelihood of attacker success.
- A large majority of cybercriminals view malware as a single-use strategy, with at least 37 percent of malware hashes appearing only once. Attackers are getting smarter about how they avoid prevention and signature-based security controls, pointing to a need for solutions that can detect unknown attacks.
  - Relying on signatures for detection, or even attempting pattern matching or database lookups, will leave gaps in detection. Organizations should look for systems that reliably alert on all attack methods and give visibility into in-network threats.
  - Traps or “tripwires” are also useful to deploy in order to quickly detect threats that have bypassed security controls. These pick up the lateral movement, reconnaissance, and credential theft that are often missed.
- Once threat actors have compromised their target, the time it takes them to breach data is much shorter than the time it takes for victims (or third parties) to discover the attack. In fact, 87 percent of compromises took minutes or less, and only 3 percent of compromises were discovered as quickly. Meanwhile, 68 percent of compromises took months or years to be discovered. Clearly, early detection and remediation of threats that have bypassed prevention security controls remains a problem.
  - As noted above, early detection is critical to finding and derailing attacks early. That said, given alert fatigue, critical alerts are often buried in the masses. It is important to have high-fidelity controls whose alerts will not get lost in the sea of noise.
  - Deception technology is recognized not only for its efficiency in detection but also for the fidelity of its alerts. Alerts are raised only when an attacker engages with a decoy or attempts to use deception credentials or other bait. Alerts are also substantiated, making it easy for teams to respond quickly and accurately.
  - Native integrations also allow incident response to be automated and ensure consistency in how incident handling is performed.
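As an added illustration of the high-fidelity alerting described above (example code written for this post, not Attivo’s product or the DBIR’s), here is a minimal detector that flags any use of a planted decoy credential or any connection to a decoy host in constructed authentication logs. The decoy names, the log format and the sample lines are all assumptions; the point is that legitimate activity never touches a decoy, so every hit is actionable and carries the source host a responder needs.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed decoy inventory for this example (assumed names, not real assets).
# Nothing legitimate ever uses these, so any hit is a high-fidelity alert.
DECOY_ACCOUNTS = {"svc_backup_adm", "fin-share-ro"}
DECOY_HOSTS = {"10.0.9.44", "10.0.9.45"}

# Constructed log format: "<ts> <event> user=<u> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

@dataclass
class Alert:
    ts: str
    reason: str  # which kind of decoy was engaged
    user: str
    src: str     # the host to contain; this is what makes the alert actionable
    dst: str

def detect_decoy_engagement(lines: List[str]) -> List[Alert]:
    """Return one Alert per log line that touches a decoy credential or host."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not alerted on
        f = m.groupdict()
        if f["user"] in DECOY_ACCOUNTS:
            # Even a failed logon counts: the credential only exists where it was planted.
            reason = "decoy credential used"
        elif f["dst"] in DECOY_HOSTS:
            # Real users have no reason to reach a decoy host; this is recon or lateral movement.
            reason = "decoy host contacted"
        else:
            continue  # ordinary production activity produces no alert
        alerts.append(Alert(f["ts"], reason, f["user"], f["src"], f["dst"]))
    return alerts

# Constructed sample log: two normal events, then two decoy engagements from one host.
SAMPLE_LOG = [
    "2018-06-01T09:00:01Z logon_ok user=jsmith src=10.0.1.20 dst=10.0.2.10",
    "2018-06-01T09:00:05Z smb_connect user=jsmith src=10.0.1.20 dst=10.0.2.11",
    "2018-06-01T09:03:12Z logon_fail user=svc_backup_adm src=10.0.1.57 dst=10.0.2.10",
    "2018-06-01T09:03:40Z smb_connect user=jsmith src=10.0.1.57 dst=10.0.9.44",
]
```

Both alerts point at the same source host (10.0.1.57), which is the substantiation a responder acts on; the jsmith events against production hosts produce nothing.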
The key takeaway from the DBIR is this: early and accurate detection and remediation of in-network threats is more critical than ever before. As the number of breaches continues to skyrocket and dwell times remain high, it is evident that prevention technologies alone aren’t enough. In many cases, relying on them alone has left businesses working to mend public perception after a costly and disruptive breach. To combat this, organizations, no matter their size or industry, should consider adding deception-based detection technology for early detection, and active defense techniques for improved incident response and proactive countermeasures, to their arsenal of security strategies.
Deception provides an extremely efficient approach for gaining the upper hand against attackers by using decoys, bait, and lures that appear identical to production assets. These dramatically increase the difficulty of executing an attack and inevitably cause an attacker to make mistakes and reveal their presence. Dynamic deception technology also empowers organizations to easily reset the synthetic network “game board” on demand. This form of countermeasure forces the attacker to restart their attack or risk being discovered and quarantined, collectively increasing the cost of an attack.
Budgets are always tight and demands high. It’s time for organizations to start thinking like an attacker and using many of the attacker’s own methods, like deception, to change the asymmetry of the attack and outmaneuver their adversary. Deception is more widely used than most people realize, but because it is deception, most organizations prefer not to tip off the attacker by talking about it.