
Highlights From Verizon Data Breach Report 2016

By Anton Chuvakin | May 04, 2016 | 2 Comments


Here are my favorite “data-bits”, quotes and fun items from Verizon’s 2016 Data Breach Investigations Report:

  • “The Actors in breaches are predominantly external. While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house.” <- a useful reminder, outsiders are where the action is, not the insiders [of course, outsiders tend to get inside pretty quickly via phishing and malware – so THREATS INSIDE matter, while INSIDER THREATS may not matter as much] /see page 7 for details/
  • Attackers’ “time to exfiltration” is measured in days, in most cases <- this is the point I’ve been making for years! Years!!! You need to detect fast – but fast often means “the next morning”, not the next micro-second [but also not the next year!] /pg 10/
  • “If you have a system that cannot be patched or receive the latest-and-greatest software update, identify it, and apply other risk mitigations in the form of configuration changes or isolation” and “mitigation is often just as useful as remediation—and sometimes your only option.” <- another very useful reminder: if you cannot remediate [fix, patch, etc], then MITIGATE! We also see this in our research. It is shocking how many organizations only see 2 choices: PATCH or WHINE :–) /pg 16/
  • “Monitor outbound traffic for suspicious connections and potential exfiltration of data to remote hosts” <- yet another useful reminder, in the context of detecting when the phisher has a WIN. [OK, some of you are like “dude, 2003 called and it wants its security control back” and to this I say “….and your point is?”] /pg 19/
  • “63% of confirmed data breaches [across all actors – A.C. ] involved leveraging weak/default/stolen passwords.” <- multi-factor, UBA / UEBA, etc to the rescue. /pg 20/
  • IMHO, POS ownage [and thus payment card theft] is a better criminal business than ransomware, but now we also have this: “This year continued the trend of the criminal sprees in our data being associated with attacks against POS vendors followed by using their access into their customer base” /pg 33/
  • Still, “Ransomware, in the number two spot, realized the biggest jump in our data and this will continue to be an element that we track.” /pg 46/
  • “We found that the incidents that take the longest to discover were these inside jobs [incidents where an internal actor is involved]” <- again, not surprising but useful as a reminder, detection is hard, but insider threat detection is very, very, very hard. /pg 37/
  • “We saw that about 20,000 MD5 hashes existed across multiple organizations out of almost 3.8 million unique hashes.” <- i.e. unique malware does NOT mean advanced and dedicated threat actors nowadays, everybody gets hit by it /pg 47/
  • “<obvious>if you have something someone can use to their advantage, you are a potential target of Cyber-espionage</obvious>.” <- provided with no additional comments :–)
  • “Malicious software was involved in 90% of our Cyber-espionage incidents this year.” <- sure, Powershell and CLI work too, but malware often works better /pg 54/
  • “DoS attacks are either large in magnitude or they are long in duration, but typically not both.” <- logical, if you think about it, but also confirmed by the report data /pg 57/
  • To summarize, a] phishing b] malware c] valid credential abuse [mostly by outsiders] and d] web app hacking covers the majority of problems most organizations face…. but then again, we sort of knew that already :–) Essentially, the most generic pattern of attacks today is: phish –> send malware –> gather and then use valid credentials to get to your goal /in case you have to ask: why send malware if you can phish for credentials? malware can get you MORE and BETTER credentials/
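Two of the reminders above (detect within “days”, and watch outbound traffic for exfiltration) fit naturally into a nightly review of egress logs. The script below is an added illustration, not code from the DBIR or from the original post: the log format, the IPs, the byte counts and the thresholds (100 MiB upload per source/destination pair, 10:1 upload-to-download ratio, five or more connections at near-constant intervals for beaconing) are all assumptions, and the log lines are constructed for the example.

```python
"""Next-morning review of outbound connection logs for bulk exfiltration
and beaconing.

Added example, not from the DBIR or the original post. The log format,
sample addresses and thresholds below are assumptions made for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of an egress firewall/proxy log (assumed format):
# timestamp src_ip dst_ip dst_port bytes_out bytes_in
SAMPLE_LOG = """\
2016-05-03T09:00:00 10.0.1.20 93.184.216.34 443 1800 52000
2016-05-03T09:10:00 10.0.1.20 93.184.216.34 443 1500 48000
2016-05-03T10:00:00 10.0.1.20 93.184.216.34 443 2200 61000
2016-05-03T22:00:00 10.0.1.77 203.0.113.9 443 480000000 9000
2016-05-03T22:05:00 10.0.1.77 203.0.113.9 443 510000000 9500
2016-05-03T22:11:00 10.0.1.77 203.0.113.9 443 470000000 8800
2016-05-03T01:00:00 10.0.1.42 198.51.100.7 8080 300 400
2016-05-03T02:00:00 10.0.1.42 198.51.100.7 8080 310 420
2016-05-03T03:00:00 10.0.1.42 198.51.100.7 8080 290 390
2016-05-03T04:00:00 10.0.1.42 198.51.100.7 8080 305 410
2016-05-03T05:00:00 10.0.1.42 198.51.100.7 8080 295 405
"""

# Assumed thresholds; tune them against your own baseline.
EXFIL_MIN_BYTES_OUT = 100 * 1024 * 1024   # 100 MiB uploaded per pair per day
EXFIL_MIN_OUT_IN_RATIO = 10.0             # upload-heavy traffic looks unlike browsing
BEACON_MIN_CONNECTIONS = 5                # enough samples to judge regularity
BEACON_MAX_CV = 0.1                       # coefficient of variation of the gaps


def parse_log(text):
    """Parse the assumed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, out_b, in_b = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src, "dst": dst, "port": int(port),
            "bytes_out": int(out_b), "bytes_in": int(in_b),
        })
    return records


def find_exfiltration(records):
    """Flag (src, dst) pairs whose daily upload is both large and upload-heavy."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        t = totals[(r["src"], r["dst"])]
        t[0] += r["bytes_out"]
        t[1] += r["bytes_in"]
    alerts = []
    for (src, dst), (out_b, in_b) in sorted(totals.items()):
        if out_b >= EXFIL_MIN_BYTES_OUT and out_b > EXFIL_MIN_OUT_IN_RATIO * max(in_b, 1):
            alerts.append({"rule": "exfil_volume", "src": src, "dst": dst,
                           "bytes_out": out_b, "bytes_in": in_b})
    return alerts


def find_beacons(records):
    """Flag (src, dst) pairs that connect at suspiciously regular intervals."""
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["dst"])].append(r["ts"])
    alerts = []
    for (src, dst), ts_list in sorted(times.items()):
        if len(ts_list) < BEACON_MIN_CONNECTIONS:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # 0.0 means perfectly periodic
        if cv <= BEACON_MAX_CV:
            alerts.append({"rule": "beacon", "src": src, "dst": dst,
                           "connections": len(ts_list), "interval_s": mean,
                           "cv": round(cv, 3)})
    return alerts


def review_day(text):
    """Run both checks over one day of log text; returns a list of alerts."""
    records = parse_log(text)
    return find_exfiltration(records) + find_beacons(records)


if __name__ == "__main__":
    for alert in review_day(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the 1.4 GB night-time upload from 10.0.1.77 trips the volume rule and the hourly check-ins from 10.0.1.42 trip the beacon rule, while the ordinary download-heavy browsing from 10.0.1.20 passes. Running this once a day is exactly the “next morning” detection the report’s time-to-exfiltration numbers call for; whitelisting known backup and cloud destinations is the first tuning step in practice.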

There you have it, now go enjoy the DBIR 2016!

Past DBIR and other Verizon reports blog discussions:



  • Andrew Johnson says:

    I really wish more people paid attention to the time to exfiltration being days.

    It’s the same as focusing on ‘APT’ style attacks when most attacks are based on unpatched or misconfigured systems based on page 15.