Here is my collection of favorites and highlights from the Verizon 2013 Data Breach Investigations Report [PDF]:
- “If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go” <- a REALLY key point!
- “State-affiliated actors tied to China are the biggest mover in 2012. Their efforts to steal IP comprise about one-fifth of all breaches in this dataset.” <- 1/5 is HUGE!!! I expected a lot, but not that much, to be honest.
- “Collect, analyze, and share tactical threat intelligence, especially Indicators of Compromise (IOCs), that can greatly aid defense and detection.” <- a great recommendation indeed!
- “In a streak that remains unbroken, direct installation of malware by an attacker who has gained access to a system is again the most common vector.” <- however, this does NOT mean that “threat = malware”!
- “State-affiliated actors often use the same formula and pieces of multifunctional malware during their campaigns, and this is reflected in the statistics throughout this report.” <- this means that even when specific signatures fail, detecting higher level patterns of activity will work well!
- “more than 95% of all attacks of this genre [= espionage] employed phishing as a means of establishing a foothold in their intended victims’ systems.” <- sure, why change if this works well for them?
- “With respect to mobile devices, obviously mobile malware is a legitimate concern. Nevertheless, data breaches involving mobile devices in the breach event chain are still uncommon.” <- keep this in mind before freaking out over “MOBILE THREATS!!!”
- “Some interpret attack difficulty as synonymous with the skill of the attacker, and while there’s some truth to that, it almost certainly reveals much more about the skill and readiness of the defender.” <- NO COMMENT
- “Approximately 70% of breaches were discovered by external parties who then notified the victim. This is admittedly better than the 92% observed in our last report” <- I am pretty sure that a token optimist on the team inserted this statement in the report …
- “Matching this [collected from various sources] IOC library with victim-side evidence kick starts an investigation and allows for much quicker and more effective progress.” <- please print this and post in your cube
- “As history has shown, focusing on finding specific vulnerabilities and blocking specific exploits is a losing battle.” <- planning to buy a new/better scanner? Are you sure? CAN you patch as fast as the scanner can scan? NO!
Finally, at the risk of quoting too much, my favorite table from the report is shown on the right.