Dan Russo (DR): You’re listening to the Verizon Insights Podcast. The thoughts and opinions expressed in this podcast are those of the individual speaker and do not necessarily reflect the views of Verizon or any other entity mentioned in the podcast.
Hi. I’m Dan Russo. Today we’ll be talking with Bryan Sartin, Executive Director, Global Security Services, and John Loveland, Global Head of Cyber Security Strategy & Marketing, at Verizon Enterprise Solutions.
Bryan heads the Enterprise Solutions group, responsible for cyber-intelligence and handling civil and criminal incidents both on and off the Verizon network. It operates in 19 countries and six labs around the world. Bryan is also the founder of the Verizon Investigative Response Team, one of the world’s largest non-military IT investigations groups.
John is a tech veteran and entrepreneur who has been a pioneer in the information risk management disciplines. He’s founded companies in the areas of cyber risk, electronic discovery, regulatory compliance, data privacy, and enterprise information governance. He leads cyber security strategy and marketing for Verizon Enterprise Solutions.
Today, Bryan and John are going to be sharing some key findings from the Data Breach Investigations Report — otherwise known as the DBIR. The DBIR is an annual publication that analyzes details of incidents and confirmed breaches from 65 contributors around the globe. These range from private companies to NGOs and government organizations.
The DBIR is now in its tenth edition. So back in 2008, when it launched, the big finding was that most attacks could have been carried out by criminals with basic hacking skills. In 2012, during a period of social uprising — including the Arab Spring — 58% of incidents were tied to hacktivist groups.
What’s the big story in 2017? Looking at the recent press, you’d expect it to be around cyber-espionage. Does that bear out in your analysis?
JL: It does, Dan. Cyber-espionage is clearly a big issue. At our roundtable discussion at this year’s RSA Conference, it was one of the hot topics. We found that 21% of the breaches in this year’s data set were related to espionage. And cyber-espionage was particularly a threat in manufacturing, where it accounted for 86% of the breaches, and the public sector — at 41%.
BS: Yeah, you know, we did see a rise in espionage this year. No question. And that's in no small degree due to a drop in banking Trojan botnets and point-of-sale intrusions as well. So a drop in the financially motivated attacks, but despite that rise, by far and away the biggest motivation behind cyberattacks still remains money. So 73% or so of breaches, almost ¾ of them, were still financially motivated. The majority of attacks that we're seeing are very much carried out by criminals — both inside and outside of the targeted victim organizations — who are looking for anything they can convert into cash. Of course, though, with the rise in espionage you've got a healthy balance of financially motivated attacks, activism, and espionage all happening at the same time. That's important for understanding how we're diagnosing it and some of the outcomes we've produced this year. Obviously, countermeasure strategies are a bit more complicated these days than they have been in the past.
DR: So if financial gain is the big motive, who’s really most at risk? I guess most of us would expect that financial services would be squarely in the crosshairs, retail certainly being squarely in the crosshairs. Are we right to assume that or are there other folks who are being targeted for this financial gain?
BS: Unlike other cybersecurity reports, as you may know, the DBIR isn't based on a survey. We analyze real breaches to provide what we think is the best possible insight into cybercrime. Even a recipe for success to stay out of the headlines, based upon the analysis of actual breaches that actually occurred. The causal factors, to say: do these things at this time based on our analysis and you can mitigate the risk of a large swath of real-world breaches. Upwards of ¾ or more, and that's smart, compelling security. But, because our data isn't randomized, there's more margin for error when we're asked questions like who's most squarely in the crosshairs. All that said, three industries stand out as the most targeted this year, without question: financial services, retail and accommodation, and healthcare.
JL: Yeah, and to that end, Bryan, financial services accounted for the greatest proportion of confirmed breaches — about a quarter of them. Retail and accommodations combined accounted for another 15%. Healthcare, not surprisingly, was also big for cybercriminals: 15% involved healthcare organizations. And really the focus on healthcare organizations, not surprisingly, is the value of the protected healthcare information (PHI) they hold. But, you know, I would say putting a big emphasis on "industries most at risk" can be unhelpful, because I think it may distract from the idea that every organization is a potential target.
BS: Absolutely. No organization should be resting on its laurels, thinking that the cybercriminals won't be interested in them. That they're not going to be targeted is simply not true. Whether it's design plans, medical records or good, old-fashioned payment card details — somebody, somewhere will see it as their meal ticket and as an opportunity to get a hold of that, exploit vulnerabilities, find that data, get it out, exfiltrate it, try to convert it into cash. And most cybercriminals aren't that fussy about who they steal from. And in many cases we see in our very own investigations that it's quite visible that the perpetrator of a cyberattack may not even have much knowledge about who they're stealing from in the first place.
JL: I think the other point there is that a lot of times size doesn't matter. It's not just the big multinationals, the name-brand companies, at risk. Nearly two-thirds of the data breach victims this year are businesses with under 1,000 employees.
BS: Yes, you don't need to be big and famous to fall victim to cybercrime. Start-ups are targeted for their breakthrough technology. Some companies simply present themselves as a soft target and act as a stepping stone to access their partners' systems.
DR: So there’s always a market for data, it sounds like. It doesn’t matter whether it’s PHI, or straight dollars from a bank account, there’s a market for all types of secure data that we’re trying to keep within the organization’s walls, right?
BS: Is there a market for the data? Absolutely. There's a massive market, and that market is growing in so many ways. There are more outlets when you do compromise, obtain information through unauthorized access in the course of a data breach or in other physical ways. There are more outlets to buy, sell and trade stolen information these days than there ever have been in the past. And there are easier ways to move currency behind these transactions as well. And naturally, for Verizon, staying close to those pockets in the dark web, the deep web, the places on the internet where the preponderance of stolen data is bought, sold, and traded, gives us really compelling visibility, actionable visibility, into potential victims of cyberattacks and, importantly, visibility into those attacks before the victim finds out themselves. Being the first point of notification, that's an important role for Verizon to play.
DR: So, we've talked about motive and targets. What are you seeing in terms of how cybercriminals carry out attacks? Are they having to use more sophisticated techniques as people wise up? Or are people still falling victim to the same basic phishing e-mails?
BS: There is very sophisticated malware out there that cybercriminals are using to exfiltrate data. But in many ways, the big story this year is around what hasn’t changed. Cybercriminals are still finding that the old tried and trusted methods are getting them results they’re after.
JL: I think that's right, Bryan. What we've seen this year is that the phishing e-mails are getting more and more sophisticated. So with the proliferation of information that's on social media, and a variety of other sources, bad guys are able to customize their phishing e-mails to be that much more precise and convincing, if you will. Organizations really think they've got the basics covered and then realize they haven't: people are still falling for phishing. Around 1 in 14 users were tricked into clicking a link or opening an attachment — and a quarter of those went on to be duped more than once. Phishing opens the door so that the bad guys can then get malware into an organization's systems. 95% of phishing attacks that led to a breach were followed by some sort of software installation.
BS: It's like humans have become easier to exploit, and more opportune to exploit than the classic computer-based vulnerabilities. Which is really shocking. People are still making the crooks' lives far too easy. For many years, we've been encouraging the use of complex passwords and multi-factor, two-factor authentication. But this year's DBIR suggests that people are still relying on single-factor passwords. Something like 80%, to be exact, of hacking-related breaches leveraged either stolen and/or weak or guessable passwords: stolen, weak, default or easily guessable passwords. I can't emphasize enough the importance of setting strong passwords. It's a huge issue that needs addressing — particularly when you start thinking about all the Internet of Things devices out there, which are a whole other attack surface, and these have oftentimes been left with factory-set, factory-default passwords. We still continue to see that so frequently in the course of our field investigations.
JL: That's right, Bryan. Getting the basics right can make a huge difference. But that doesn't mean you can rely on the same defenses from year to year. You really have to keep up with changes in the cybercrime landscape and understand the threats you face today, because they do change. So, for example, ransomware. In the 2014 DBIR, it was the 22nd most common form of malware. This year it's fifth. And it's a very easy-to-execute attack that can be leveled against the largest organizations down to the individual consumer. And for the attacker, holding files for ransom is fast, low risk and easily monetizable — especially with Bitcoin to collect the anonymous payments.
DR: How can organizations identify the threats that they’ll face? And then how do you recommend they mitigate those risks?
BS: They can start by reading the DBIR, of course! That's always a smart place to start. But I think it's something we really want to encourage for readers of the study, and it's always been the case. As we start to analyze breaches, there's a macro-level view, but then we can take that macro view and break it down by industry and see what the compelling preventative countermeasures are that make a difference right now, today, based on that study of real-world data from one sector to the next. In other words, we see uniquely where the smart money lies in terms of security right now vs. a year ago vs. a year before, in one industry vs. the next. And that's an important thing for our readers to remember: to get out of it not just this macro-level view but what really makes a difference in your sector today.
JL: That's a great point, Bryan. The DBIR's faithful readers who've joined us over the past 10 years will be familiar with the nine incident patterns we first introduced in 2014. 88% of the breaches still fall into the nine patterns, but when you look across different industry verticals those numbers change. And you see that in certain industries there's more prevalence of certain types of attacks than in other industries. So Bryan's point of getting a more granular-level look, and you can get this by reading the DBIR, at which attacks you're most likely to face is a great approach to prioritizing where you spend your time and effort.
DR: Can you give an example of what that might look like?
JL: Sure. If you look across all the verticals that we gather information on, we see some real highlights in terms of types of attacks by vertical. So, for example, point-of-sale attacks are far and away the most common attacks for the accommodation and retail industry. In the education industry, the largest type of attack is denial of service, which is interesting. Clearly from a financial services perspective we're seeing everything from DDoS attacks to web attacks, and then in manufacturing we're seeing an awful lot of crimeware-type attacks. So you can see that as you look at different industry verticals, the types of attacks can vary. While, again, these nine incident patterns comprise the majority of the types of attacks, as you drill down a bit more into verticals you can see which are more prevalent.
BS: These are great examples, I think, and that's again something we really encourage the readers to check out: what the movers and shakers are right now, today, based on our dissecting and studying real-world breaches. What are those five or six preventative countermeasures that have the greatest impact uniquely in their sector? So that kind of a recipe to keep your organization, your brand and your enterprise out of the headlines as the next victim, that's precisely what the DBIR is all about.
DR: How do you encourage somebody to get the most from the data from the DBIR? What’s the best way to use the DBIR as a tool?
BS: Well, although our authors might not agree 100% with me, I would approach the DBIR not as a book to be read but as a reference. There's a great key in the study this year that breaks out the nine incident patterns. Our analysis shows that upwards of 90% of all real-world incidents fall into just nine basic patterns when you slice through all the fear, uncertainty and doubt that's so common in the cybersecurity narrative. So we've got this great key that says, by industry and by sector, which ones of those nine incident patterns affect you the most. So that way you can find out, say, for example, you're in retail, you're in the public sector, you're in financial services: you open it up and, for example, denial of service or physical attacks or crimeware might affect you the most, and you can zero in on those parts of the study and find out what countermeasures speak to those patterns most squarely. Again, find where the smart money lies uniquely for you, your enterprise, your part of the world, and your sector. Use it like a reference.
JL: Yeah, I think that's well said, Bryan. Where we're moving to from a cybersecurity perspective is more focused spending on the areas that are going to generate the most bang for the buck, right? And that starts with understanding the nature of the threats you're likely to face and understanding the repercussions of the exposure of certain asset classes. So if you can use the DBIR to focus that spending, at least initially, then that gives you a higher likelihood that you're going to focus on the right types of threats to the organization, thereby gaining higher ROI on your security spending.
DR: Thank you, Bryan and John, for your insight into this year's DBIR and this year's cybersecurity trends that we're seeing. So, I just wanted to ask you about the attention the DBIR gets. It's the flagship report that comes out of Verizon. So over the past few years, it seems the coverage has increased as our awareness of cybersecurity and breaches in the public eye has perhaps increased, simply as individuals. So how do you feel about all this coverage your baby is now getting?
JL: We’re of course delighted. It seems the coverage gets broader and broader every year. Look, it’s really important that cybersecurity professionals can come together as a community and share their opinions and best practices, learnings and intel. Again, the goal here ought to be a collective defense against cybercrime and we think the DBIR provides a foundation for that, so we’re very pleased.
BS: It's also helping to raise awareness of the importance of cybersecurity outside of that community. That's really important, because cybercrime isn't just an issue for security professionals and practitioners. As organizations become more and more reliant on digital technologies, it's clearly become an issue for the whole business. Security is an issue for the whole business. It affects the brand of the business as well, and more and more they're recognizing that security is a center-stage concern. It's part of what they do and what they bring to market, rather than a back-burner item. So understanding the risks and acting to mitigate those risks, based on some of the steps and suggestions that we make systematically through the DBIR, I think will help organizations accelerate that digital transformation.
DR: Great. So how do people find you? Twitter? LinkedIn?
JL: Yeah, so of course, all of the above. I'm reachable on LinkedIn, and my Twitter handle is john_vzcyber.
BS: And Bryan Sartin here. I'm also available on all of the above. I'm on LinkedIn and I'm on Twitter @bsartin.
DR: That’s about all we have time for. Thanks to our guests, Bryan Sartin, Executive Director of the Global Security Services and John Loveland, Global Head of CyberSecurity Strategy & Marketing. And thanks to our listeners for joining us today.
To get your copy of the 2017 Data Breach Investigations Report, visit: Verizonenterprise.com/dbir2017. As always, you can find us on Twitter @VZEnterprise and on LinkedIn.
Thanks so much. Have a great day.