Chief information security officer Earl Duby highlights some key points in the 2024 Verizon Data Breach Investigations Report. In this video, he breaks down key findings, analyzes trends in cybersecurity threats, and provides valuable insights into how these developments might impact our digital security landscape.
Transcript:
(0:06) So what are we going to talk about today?
(0:09) Well, Jackie, we’re going to talk about one of my favorite topics, which is the Verizon Data Breach Investigations report.
(0:17) It just came out last week, and I’m going to run through this report in the next five minutes.
(0:22) Alright, so in the next five minutes, I want to talk about the top ten things that I took out of this year’s DBIR.
(0:29) First thing is, there’s a chart on page 11, which talks about the different attack methods or the different ways that the adversary gets in.
(0:40) The key thing I want to take away from this is the fact that exploit vulnerabilities is on the increase.
(0:47) It’s up 180% from last year.
(0:50) The next thing I want to talk about is the attack actors, like who is actually executing on these attacks.
(1:01) Consistently for many years, we’ve been saying, hey, it’s the external, it’s the external, it’s the outside adversary, and that’s typically run around 80%.
(1:10) Amazingly, this year, Verizon says that the external actor is only responsible for 65% of the attacks.
(1:18) Meanwhile, internal actors are responsible for 35%, which is up pretty significantly over last year’s number, which was only 20% coming from the internal.
(1:29) Now, this needs a little caveat, though, because a lot of that internal actor activity is through mistakes as opposed to malicious activity, so just keep that in mind.
(1:41) You don’t have to go get out the lie detectors just yet.
(1:45) The other interesting thing on page 15 is just the motives in these different breaches.
(1:53) Overwhelmingly, and this is no surprise, but I was just amazed at how much the financial motive is in terms of it’s almost nearly 95% is financially motivated.
(2:08) The remaining is just espionage, so pretty interesting there that the financial motive is so high.
(2:17) One of the most interesting aspects of this report, and anyone who’s ever listened knows that I’m a huge proponent of vulnerability management just because I think you have to understand the attack surface in order to defend the attack surface.
(2:35) This report is just amazing to me in the sense that on page 21 of the report, it talks about the exploitation of known vulnerabilities.
(2:47) There’s a section in here that talks about the CISA, which is the Cybersecurity and Infrastructure Security Agency of the federal government.
(2:57) They have a database called the Known Exploited Vulnerabilities Catalog.
(3:03) These are just amazing statistics in here, and you can look at the chart yourself.
(3:09) These are vulnerabilities that are known to be exploitable.
(3:14) After 30 days of release of that notification, 85% of the vulnerabilities are still unremediated.
(3:21) After 55 days, 50% of the vulnerabilities are still unremediated.
(3:27) These are people that know that there’s a critical vulnerability that has a known exploit, and after 55 days, half of those vulnerabilities are still out there to be exploited.
(3:41) You couple that with zero-day attacks where there isn’t even a known exploit or a known vulnerability, that’s a pretty big attack surface for companies to be dealing with.
(3:54) Hopefully, we can get better at vulnerability management and understanding where our vulnerabilities are, and then putting processes in place to remediate those vulnerabilities.
(4:05) The next thing that I thought was interesting is the server, the assets that are attacked.
(4:15) We kind of all know that people get exploited through phishing emails, and we all think that our people are our weakest link, or at least that’s what people say all the time, and I try to resist that as much as I can.
(4:28) But this report clearly shows that people aren’t the weakest link, servers are the weakest link.
(4:34) Over 80% of the assets that were attacked in the incidents that Verizon investigated last year were servers, and people came in second.
(4:46) But this kind of shows you that with the vulnerabilities, they’re typically impacting servers, so get that vulnerability management in place, understand your server farm, and patch things quickly.
(5:00) The other interesting thing is when you look at the time that a vulnerability is published on the CISA known exploited vulnerability catalog to the point in time where they see scanning for those vulnerabilities happening, if it’s in that KEV database, five days from the time of release until the time that the adversary is starting to scan for those vulnerabilities.
(5:35) Compare that to things that are not critical or don’t have a known exploit, it’s 68 days.
(5:43) So what this is saying is the window of opportunity for patching a critical known exploited vulnerability is less than five days.
(5:55) Most companies don’t have a process in place to handle that type of speed, so we have to adapt, we have to get quicker, because the adversary is getting quicker.
(6:06) The next thing I want to talk about is exactly what servers are being attacked.
(6:13) So mainly it’s web applications and mail servers.
(6:17) Yeah, there’s still people that have on-premise exchange servers, and those are highly targeted, but then it’s also attacking your externally facing web applications.
(6:29) And so if you really want to focus your efforts someplace and prioritize your controls, point them towards web applications and mail servers.
(6:41) And for those of you in the security awareness field that are doing your phishing exercises and getting out those quarterly phishing campaigns, there’s some pretty disturbing statistics in this report for you guys as well.
(7:00) The time between an email being delivered and somebody clicking the link in that email is 21 seconds.
(7:07) So if that email makes it through your email filter and gets into somebody’s inbox, they are rapidly clicking that in 21 seconds.
(7:17) Then even more amazing is the time between clicking the link and going to a harvesting site or some malicious website to the point where the user is going to input data is 28 seconds.
(7:34) So if you add all this stuff up, the time between an email landing in an inbox and a user giving up data is less than one minute.
(7:44) So anybody that isn’t running an email filter, that should be a huge wake up call to you that that’s how quickly an adversary can get into your network within a minute of delivering a phishing email to your organization.
(7:59) There’s also a pretty good chart in the report about just the different industries and how often they are attacked.
(8:06) I think you should download the report, take a look at this chart.
(8:10) Obviously, you have the financial services that are a big target.
(8:15) You have manufacturing companies that are in like third place.
(8:20) But then surprisingly, the number one attacked industry is public administration.
(8:25) So if you’re in public service or, you know, which makes sense if you think about what you read in the newspapers that, you know, small police departments, small government entities are getting hit with ransomware.
(8:37) But these are pretty chilling statistics where you look at the amount of attacks against public administration, which is over 12,000 versus the next one, which is finance at 3,000.
(8:49) So if you’re defending a small municipality, you have your hands full.
(8:55) And then at the end of the report, there’s a year in review, which goes month by month and talks about the big attacks that happened that Verizon responded to.
(9:02) So that’s pretty interesting to read.
(9:04) And then the last thing is in Appendix C, there’s an article in here from the U.S. Secret Service and just how they’re combating cyber crime and just the different things that the Secret Service is doing, which is a pretty good insight into how that organization is working.
(9:20) So well worth the time to read that.
(9:23) So that, in a nutshell, is the 2024 Verizon Data Breach Investigations Report.
(9:30) Pick it up, enjoy it.
(9:31) I always do.
(9:33) So drop me a note if you want to talk about it.
(9:36) Thanks.