EP 119: The 2022 Verizon Data Breach Investigations Report (DBIR) Part 1
Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.
Sign Up Now!
About this episode
November 22, 2022
Have you read the Verizon DBIR report for 2022? Find out what it contains in the first of two episodes on this extremely useful report with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your house are Kip Boyle, virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Jake Bernstein: So Kip, what are we going to talk about today on episode 119 of the Cyber Risk Management podcast?
Kip Boyle: We haven't been serving our audience as well as we'd like. We're finally, although I know we talked about wanting to do this before now, but we're finally going to do our annual Verizon data breach investigation report, episodes DBRI episodes. So we're going to see what we can learn from the 2022 edition of this amazing report. So, hooray. It's back.
Jake Bernstein: Yay, it's back.
Kip Boyle: Okay. And this is going to be a two part miniseries, but we don't encourage anybody to binge. We're not going to drop these episodes at the same time. So we're going to give you a couple of weeks between these two episodes to clear your palette. And so we're just going to have to take it that way. So, sorry, it's been almost 18 months since we did our last DBIR episode, which is shocking to me because it just seems like we just recorded it in my brain. But looking at it from the listener's point of view, we just have to fess up to that. But having said that, it's a big year because it's the 15th annual DBIR, and as usual, it never gets old and crusty. It's always freshly baked and delicious. So we're going to look at the overall findings in this episode. And in the next episode we're going to dive specifically into how various industries are doing. And I think it's a great way to break up the content. There's just so much here.
Jake Bernstein: There really is. And just as a reminder, and I'm not sure we've talked about this before, but I think it's relevant given the time differences when we're actually doing this episode, but the 2022 DBIR actually deals with data collected between November 1st, 2020 and October 31st, 2021. And that makes sense. Obviously, I believe this report comes out, I want to say it's in the spring, usually.
Kip Boyle: It is. And remember, we did an episode with a couple of the people who create the report and they gave us a behind the scenes glimpse at just the Herculean efforts that they go through every year to do the analysis. There's a lot to it. So we got some trailing data from the thick of the pandemic quarantines.
Jake Bernstein: And I think what is particularly interesting here is, we happen to be doing it, so the October... It was just October, so the new data collection is starting now.
Kip Boyle: That's right. For the '23 report.
Jake Bernstein: Yep, for the 2023 report. And I think if anything seems out of date here, it's only proof that things move real fast in the world of cyber security. So moving to the content, I don't want to belabor the definitions because we talked about it last year, but I think we do need to review quickly. And once again, I just wanted to draw special attention to how the DBIR in particular handles breach versus incident. And this is really a key definition, as it always is, not just for the DBIR, but for all cybersecurity discussions.
Kip Boyle: And being an attorney, you love definitions.
Jake Bernstein: Yes, I do. I do. I do love definitions a lot. And the incident under DBIR is a security event that compromises the integrity, confidentiality, or availability of an information asset. And a breach is an incident that results in the confirmed disclosure, as opposed to a potential disclosure, of data to an unauthorized party. And as they say later on, the data breach by definition compromises the confidentiality attribute. If people recall last year, this is the first time they really brought the attributes, the CIA triad into the report, and we will talk about that again.
Kip Boyle: Yeah, that's great. I'm on a tight rope without a net right now when I say that all breaches are incidents, not all incidents are breaches.
Jake Bernstein: No, that's correct.
Kip Boyle: That's another way of thinking about it, right.
Jake Bernstein: No, you're on solid ground.
Kip Boyle: Okay, good. It felt shaky for a moment there. But anyway, so that's a shorthand way of thinking about it. And that's important because where do we get most of our information during the year? Well, it's probably from news articles and headlines. And I don't think the popular media really hues to these definitions so we hear about incidents all the time and getting confused with breaches. So it's a really important distinction here. But one of the things we're learning from this latest report is that there's actually a shift in how we have to think about incidents because many ransomware attacks that historically wouldn't have been considered breaches by these definitions, actually now are starting to result in breaches. That is to say, confidentiality exploits because... Well, I guess we'll get into it, won't we?
Jake Bernstein: We will. And I think just real quick on this ransomware point, I love that this is a gem from early in the report. It's important to remember, ransomware by itself is really just a model of monetizing an organization's access. So one could say that, and I think this is true, from a purely technical cybersecurity standpoint, ransomware itself isn't really something that you even can or try to defend against because it's not a useful term. Instead, consider the four paths leading to your estate as the DBIR says, credentials, phishing, exploiting vulnerabilities, and bot nets. These are the things that are actually going to lead to ransomware attacks. And in the summary of findings, DBIR notes, again, no organization is safe without a plan to handle all four of these paths.
Kip Boyle: Yeah, and it reminds me of the MIRT attack framework where you're dissecting what are the sequence of events that culminates in a ransomware detonation? And that's really where defenders have to spend their time if they really want to be effective. But again, I just love how DBIR never gets stale, never gets less useful. It doesn't just rehash what it did last year. It's constantly evolving. And I think it's a great model for how defenders should behave in general. Okay, let's look at some numbers though. So this year we've got 23,896 analyzed security incidents, and there was only a fraction of them that were confirmed data breaches, 5,212. Now the percentage of analyzed security incidents as confirmed breaches is going up. So even though it's only a fraction, still, more of the incidents are being classified as breaches. Last year was only 18%, and this year it's 22%. So that's actually a pretty big jump.
Jake Bernstein: It is.
Kip Boyle: And there's also a huge change this year, which is that when we talked about the quality standards, in other words, they get data from all over the place, but they don't put every data... Every dataset that they get doesn't make it into the dataset that they actually analyze and report on. And so for example, last year, in order to get about 29,000 acceptably complete incidents, sufficient quality to do their work, the DBIR team had to look at 80,000 incidents. So from 80,000 they were able to get 29,000 worth examining. But this year they had a lot more friends come to the party. So they had 87 partners contribute. They contributed almost nine terabytes of data. And last year they looked at 80,000 incidents. Now, this year, 914,574 incidents, almost 1,000,200, and 234,638 breaches, almost a quarter of a million. And of course, only a small percentage of those had data that was good enough to put into the report. But wow, what a boon for the DBIR, and how helpful for us. This is great.
Jake Bernstein: Yeah, it's great. And at the end of the report you can find a listing of all the organizations that contributed. So I think it's pretty interesting to see how really it's a coming together of the cybersecurity community, which, who doesn't love a warm and fuzzy feeling.
Kip Boyle: And it's interesting how trust evolves over time because if you look at organizations that are only now contributing data to the data set 15 years into the report, it's like, "Wow, it took you a long time to warm up to this, didn't it?"
Jake Bernstein: It did. And we don't know the background. Maybe they never even asked. Who knows?
Kip Boyle: Yeah, I don't know. But I just think it's a good thing. So there you go. The report's even more useful because the data set is just so much bigger. So having said that, the report is actually a little shorter, 108 pages instead of 119. And the data visualization is mostly the same last year, but they're constantly trying to figure out how to do a better job of visualizing the data. So they got this pictogram chart, which is kind of new. And it's trying to capture uncertainty. And boy, I got to tell you, I love the fact that they innovate on these graphics, but I don't always take them up very easily. This is not one that I'm taking up too easily.
Jake Bernstein: Yeah.
Kip Boyle: How about you?
Jake Bernstein: I'm don't honestly, either. Some of them are more intuitive than others, what they're trying to show. I really like this slanted bar chart concept and these spaghetti plots, those all make sense to me. But yeah, your mileage may vary. That's why they do it.
Kip Boyle: Yeah.
Jake Bernstein: Okay. Well, let's look at a few more key findings. So in 2021, ransomware increase by 13%, which continues the upward trend started back in 2017. And maybe that doesn't sound like a lot, but keep this in mind. The increase from 2020 to 2021 on its own, this 13%, is the same as the increase in ransomware from the previous five years combined. Now, this intuitively does make sense for anybody who spent any time doing incident response during the pandemic. Things were very, very busy, constantly blowing up, regular ransomware attacks, just an immense quantity of them. So I think that does make sense. Now, what's really interesting to me is going to be what do we see in the 2023 report? Because I feel like since the end of 2021, ransomware does... Well, I should say this. Since Russia has started its war on Ukraine, ransomware attacks seem to have gone down. And I'm curious if the data reflects that.
Kip Boyle: Yeah, boy. Well, one thing that I feel is reasonable to take away from this is the fact that I don't see an end in sight to cyber criminals and cyber soldiers running a muck on the internet, which is awful. And so it just seems like the more they do it, the more confident they get and they just do it some more. But it's not just outsiders. Errors is a continuing major problem and it's responsible for 13% of all breaches. And even though, as a pattern it's flattened out compared to 2019, we're just shooting ourselves in the foot here. We're just misconfiguring cloud storage systems. And then there's the human element too. 82% of breaches, there's error related to human beings, people trying to get work done.
So they're losing control of their credentials, which are getting stolen. There's phishing is succeeding, misuse, and just our good friend, the error category. And I say this to my customers a lot, "Yes, there's some awful bad characters running around on the internet. You live in a bad neighborhood all of a sudden, but you actually have a lot more control than you realize because it's really your staff that's getting exploited here."
Jake Bernstein: Yep. And that continues to be true. And so as we dive into the results and analysis, which is always my favorite part, first the age old question, how many insiders are involved in data breaches, kip? And I got to say the answer is not that many these days,. 80% of breaches are caused by actors external to the victim organization. And it's hard to say in raw numbers, if the number of internal or insider threats has decreased over time. What's clear though is that the world of cyber attacks is so much bigger that as a percentage insider attacks have decreased significantly, as a percentage of the overall numbers here. But this links up to the second question, which is why are people doing this? And I love how this year's edition of the DBIR really celebrates its 15 year history.
And just as a point of reference, the first DBIR came out one year after the original iPhone made it debut, the original iPhone. The little tiny three and a half inch... Honestly, it was on 2G or Edge, it didn't even have 3G.
Kip Boyle: There were no apps.
Jake Bernstein: There were no apps There was no app store. It really was a very different time.
Kip Boyle: I was clutching my Blackberry.
Jake Bernstein: I bet you were. So these days, really no surprise, there's really two significant motives, financial and espionage. And financial really outweighs espionage. It's 85% to 15%.
Kip Boyle: Yeah.
Jake Bernstein: Again, I want to caution people from, and the DBIR authors do this throughout the document, you can't misunderstand the statistics. Just because financial motives are now far outweighing espionage doesn't necessarily mean that espionage is less of a threat. What it means is that, again, just like insiders versus the external actors, it's really reflective of the overall poor of cyber attacks, which have just gone up and up and up.
Kip Boyle: Now, one distinction that I want to make here, because if anyone's listening carefully, they probably picked up, I know I did, on the fact that the human element I said was a major driver and breaches involved in 82% of breaches. And so I made a comment about just how much insiders are involved in breaches. And then Jake, then you came in and you said, "Well actually 80% of all breaches are caused by actors external to the organization." That can seem a little confusing. But what I think the nuance there is that a lot of insiders get manipulated by outsiders to do things that they shouldn't do. And so even though it's an outsider instigating the breach, there's still an insider aspect. Somebody clicked on a link, they shouldn't have clicked on, somebody fell for a credential steel, or what have you. So I just wanted to clarify that point.
Jake Bernstein: And just to be clear, the statistic of the human element is not the same thing as saying insiders. Phishing, use of stolen credentials, privilege misuse, errors, really I would say the errors and the privilege misuse are more likely to be insiders classified as an insider attack. But all phishing and most use of stolen credentials involves the human element, but it's an external actor. So just to be clear on that.
Kip Boyle: And I just want to make the point again that as a manager, as a senior decision maker, you can influence. You can influence whether somebody wants to initiate an attack against you, somebody who's on your payroll, or you can also influence whether somebody's going to get manipulated by an outsider based on how you train them and encourage them. So you actually have a lot more control than you may think just based on the surface information here. But anyway, let's keep going. We have so much we need to talk about.
Jake Bernstein: Yes, exactly. And let's say you find all of this terribly exciting, and I don't know how you couldn't, but you really just want us to tell you how to use the DBIR to better defend your organization. So I'm glad that you asked. Pages 14 and 15 discuss actions. And actions, if you'll recall, they tell the story of how the security incident or breach played out. This means that you can use the insights about actions to prioritize defenses that may be particularly effective against the most common attack stories.
Kip Boyle: Yeah. So actions in the DBIR are described as the type of action and the vector. So that mean...
Jake Bernstein: It's a variety. You got to use that. The variety.
Kip Boyle: Yes, it's a variety.
Jake Bernstein: The variety is the type of action. And the vector is through what means the action took place. Sorry, these definitions I get excited about.
Kip Boyle: Well, no, and it's good. And it's why we take the time to make sure that we're clear about this because if we muddle the definitions, then it's difficult to understand the data and the conclusions that are being drawn from them. Because if you're going to use the DBIR to affect your cyber risk strategy, and I think you should if you're a defender, you still have to be able to explain this to your senior decision makers. So you've really got to be literate on this and you've got to be very, very clear. Anyway, so thanks, Jake. The report also uses categories of which there's only a few. So let me review. So there's hacking, malware, error, social, misuse, physical and environmental. Those are the categories. Now, we're not going to deep dive define each one of those. If we did, this episode would probably be four hours long by the time we got done. But go to page 14 of the 2022 DBIR and you'll see it all laid out there.
Jake Bernstein: Yeah. And the reason this matters is, what you're going to hear is we're going to be talking about the vectors and the variety of actions. And every time we mention a vector or variety, we'll also mention the categories that particular vector and variety is part of. And again, if you just think about it, what the DBIR is trying to do is impart structure on chaos. And it's simply difficult and challenging. So yes, in order to get useful insights from all this data and all this work, it's just important to really understand the terminology being used here. So I'm going to go ahead and start okay with the action vectors.
Kip Boyle: So you're going to show me what my vector is, Victor?
Jake Bernstein: Yes. And by the way, there's only a handful of those categories, I believe I mentioned this elsewhere in the script somewhere, but I'll try to remember it now, there's about 120 varieties out there in the report recognized. We're only going to share vectors and varieties that occur at least 10% or more of incidents, because otherwise the episode's going to be way too long. And the other thing about that is, keep in mind what we're saying here, a vector or variety, and you need both, you got to pick one of each for things. But this is not necessarily the whole story of any given breach. These percentages are the number of breaches usually, or incidents, we'll be clear to make that distinction, where they are present. So as an example, I'm going to start with the action vectors, way ahead of the pack we have web application In the hacking category as the number one vector present in about 70% of incidents, not breaches.
The next three are all present in about 15% of incidents. So it's hard to tell what order they should be in. It's really close. But the way that they list in the DBIR is email in both social and malware categories. And what does that mean? So a social email is phish, and a malware email would be something that has, it's less of a phish, more of a direct attempt to download or install something via an email attachment.
Kip Boyle: Like a macro in a Word doc?
Jake Bernstein: Exactly. By the way, we'll talk about that possibly next time we do it, but the old Office doc is still one of the most common actual tools. Okay. Sorry. The next one here is partner in the malware category, and software update, also malware. And you'll see why that is the case. It's pretty interesting. But that's just incidents. Okay, so I'm going to switch over to the vectors for breaches. It is a little different. Web application...
Kip Boyle: inaudible clearance, go for it.
Jake Bernstein: Yep. Breaches. Okay breaches. Web application remains number one, but the categories are hacking and social. So that's a little bit different. Email is second, social and malware, but it's a much closer second place. Previously I said it was 70% to about 15%, now it's 45 and 35. And then in a strong third place comes one of my favorite phrases, carelessness, which has got to be the quintessential example of the error category, which it is, at around 18%. And then fourth, at a still significant 14%, is desktop sharing software in the categorizes as hacking. And given the pandemic, I'm not surprised.
Kip Boyle: Yeah, RDP for the win.
Jake Bernstein: And all of this data aligns very well with one of the DBIR's, man, I can't say that, conclusions, which is the main ways in which your business is exposed to the internet are the main ways that your business is exposed to the bad guys. It should be obvious, but I think it's worth pointing out that the data backs that up. So my advice here is that if you have a web application, man, you better be securing that thing and then checking it as often as possible as we'll learn more about throughout this episode and the next one. You still can't let your guard down when it comes to the people and vendors and credentials man, credentials.
Kip Boyle: Yeah. I like the way the DBIR said it. If you're exposed to the internet, you're exposed to the bad guys, which is just my way of saying, well, another way of saying what I tell my customers, which is, "When you moved in the internet was a nice neighborhood. Now it's not. And you didn't do anything wrong or bad. You're on the internet for great reasons, but unless you're going to move to some other internet, of which there is none, you're stuck. So you've got to deal with the fact that the internet and the bad guys and gals are just one and the same these days." And again, I just don't expect that to change anytime soon. So we've got to figure this out, and I love that we have the DBIR to help us figure it out.
Jake Bernstein: And Kip, I apologize for what you are about to attempt. This is complicated. So good luck to you.
Kip Boyle: Yes. Jake has just handed me the varieties section, and so I get to take us through that now. Now, varieties are the type of action. So here we go. First up is the easy to perform, denial of service attack, which is categorized as a form of hacking. And that appeared in about 46% of incidents. And it's not surprising, but it's also not the most dangerous of the varieties. So the next two require bit of explanation. So you've got backdoor or C2, and that comes...
Jake Bernstein: And by the way, this is important. That's one phrase, backdoor or C2. You're going to hate me for this, but keep going.
Kip Boyle: Yep. And that's 17% of all incidents. And backdoor by itself is slightly less, 14%. And there is a difference. And so Jake has kindly provided me with a quote straight out of the report to help you understand what the difference is. Here we go.
Jake Bernstein: To be honest, to help us understand what the difference is.
Kip Boyle: Yeah. Gosh, there's a lot here.
Jake Bernstein: There's so much.
Kip Boyle: You have to study it. You just have to really study it. Okay, here we go. Back doors provide a direct access point for human operators. C2's, which is shorthand for command and control, right Jake? That's what a C2 is.
Jake Bernstein: Yep. That's what a C2 is.
Kip Boyle: Yep. So command and controls are indirect connections to your computer that are used by malware. So they're both remote access, but they're different. So backdoor or C2 as a variety...
Jake Bernstein: It's a variety.
Kip Boyle: Got to be careful to keep my terminology straight here. Okay. So backdoor or C2 contains both back doors and C2, are provided only by malware, while backdoor covers both backdoor provided by malware and backdoor provided by hacking. Yikes. And why are we doing this? Because neither is a subset of the other, so we have to keep them both. And as a reader, your takeaway should be that remote access established by the attacker is important and that there are a slew of ways of creating that persistent access, that sweet sweet persistent access that they love so much. That was me editorializing there with the sweet, sweet.
Jake Bernstein: Yeah. So I got to say, I think I read this quote four or five times, and I'm still not a hundred percent sure that I understand it, but it is...
Kip Boyle: They're splitting hairs because that's what they do. They love to slice and dice the data. But I appreciate that they said, "Well, look, whether you understood what we just said or not, here's your takeaway."
Jake Bernstein: Yeah, I appreciate that too.
Kip Boyle: I would just say focus on the takeaway unless you have to really get in there for some reason as you operationalize these findings and recommendations. Okay. Now, after those three, you get ransomware, which is at about 13%, and it's another variety. And like the previous two, it's all categorized as malware. Then you get the ever popular other. So other is 10%. And then finally we get phishing at 8%. And the use of stolen credentials at 7%.
Jake Bernstein: And just to be clear, just to clear, phishing is in the social category, and use of stolen creds is in the hacking category. And again, if you want to understand those categories, I think we said that was page 14.
Kip Boyle: Yep. So you got to get in there and read up on this stuff. Yeah, I love this report, but this is where it gets hard. Now, the percentages that I just read off, those are approximations. They have slanted bar charts in the DBIR that give you the nuance and let you see how these numbers actually break out. But anyway, we just wanted to give you the approximate average here, since you're probably not looking at the report as we talk about this. Okay, that's all for incidents. Everything I just said was for incidents, that large data set. Now, let's take a look at the breach figures. So use of stolen credentials, which is a form of hacking, at 42%. That's the top one. Other at 30%, which is unfortunate because other is a lot. Ransomware, which is the malware category at 25%. Phishing, which is the sole category, 18%. And then backdoor or C2 as one variety. And then pre-texting exploit vulnerability misdelivery as a error. Export data as a malware, misconfiguration as an error, and scan network, which is a malware.
All of those are between five and 10%. So they'll just cluster around there at the bottom. They're the muck at the bottom of the pond. Now, the other variety. The DBIR recognizes more than 180 different action varieties.
Jake Bernstein: Oh, I was wrong. It's 180. I think I said 120. So yeah, I was wrong. It's 180 different action varieties.
Kip Boyle: 180, but 73% of breach varieties can be found in the top 10, which just tells us that there's a long, long tail of diverse varieties in the data set, which is another way of saying the castle has so many cracks in the walls.
Jake Bernstein: It does say that, yes. So I'm disturbed by the presence of... Well, first of all, I want to point out one thing. The DOS, the denial of service attack. Note, you said it appeared in 46% of incidents. You didn't mention it at all in the breaches, which makes sense. I can't remember if it's even in there, but if it is, it's less than 1%. It's very small. The simple fact is that denial of service sometimes gets overlooked. And the DBIR authors talk about that. That is definitely in next time, our next episode. But just keep that in mind, that DOS hasn't gone away.
Kip Boyle: It hasn't, but it's not really a confidentiality issue.
Jake Bernstein: It's not. And we'll talk about that later. Okay. Anyway, I'm disturbed by the presence of this partner and software update among the top vectors this year. It's also the first time for software update. And I suppose we all can guess about that. And we'll save it for a little bit later to explain. But I'm glad that the only appearance at significant levels in the incident data and not in the breach data. Although partner as a vector considered part of the malware category did show up in the top 10 action vectors and breaches. Look, everything I just said might sound like, "What did he just say?" And I encourage you to hit the back button, rewind by 30 seconds, listen to it again. As the complexity of real life has gone up, so too has the difficulty of explaining the data also increased. And so we do the best we can and it feels like it's getting harder and harder, but we really encourage you to read the report as well.
Kip Boyle: Yeah. So isn't it fair to say partner and software update is a form of third party risk management and also it appears in the supply chain line of thinking too?
Jake Bernstein: Yep.
Kip Boyle: These are all externalities, things you bring in order to do whatever it is your mission is. However you serve your customers or constituents, you've got partners, you bring in software and...
Jake Bernstein: We will talk about that. So at the risk of moving or at the risk of interrupting you, and pushing you, let's go to asset.
Kip Boyle: Yeah, okay. Risk materialized. You've interrupted me and you've pushed me. And I will respond and move on to assets. I don't think much has changed here, so we can move quickly, but I think it's still critical to understand this concept of assets because this is going to tell you what the attackers are targeting. And we're going to be able to move this quickly because you're not surprised to probably hear that the most common asset involved in breaches by far is the server asset, 85% of the time. But after the server things drop off, there's a lot, but it drops off rapidly. A person is involved in about 25% of the breaches and user devices at 16%. And there's a whole, another long tale here. Web apps are 56%. Wait a minute, more specific asset varieties. Okay yeah.
So you got web apps on the servers, 56%. Followed by mail, which is also on a server, 28%. Desktops and laptops come in at 18%. And then we have the ever popular other, database, which is something on a server, finance, which is a person. And of course it just gets smaller from there. So that's all on page 17 of the DBIR That's all page 17. We've hardly opened up this report, we've only made it to page 17, and there's so much.
Jake Bernstein: Here's a side note, which is actually quite important. The data is still sparse, which I think is fortunate. But the DBIR is now seeing more and more OT related incidents, operational technology related incidents. Frankly, I'm just going to say this, we echo the authors. Please protect our critical infrastructure. We like to record these podcasts and we need power and heat, et cetera, and water to do so.
Kip Boyle: And I need to be able to heat my water to have tea.
Jake Bernstein: We got to be able to heat the water. So consider briefly the DOS attack. It seems, I don't know, pedestrian in a way to talk about denial of service like, "Oh, whatever." I think a lot of websites, there's enough big companies out there that provide protection against DOS attacks. Well, let me ask this. It won't be so funny if someone does a DOS attack on the electrical grid. Those OT devices, there doesn't have to be data that you mess with. Sometimes, and I think we forget this too often, something can have an immense impact just if it gets shut down, shut off, interrupted.
Kip Boyle: Yeah.
Jake Bernstein: That's really the point of reminding people about OT. And of course, Kip, you and I, we have clients who very much care about OT. And I think this is true for manufacturing, it's true for public spaces, it's true for obviously power and water.
Kip Boyle: You can't pack apples without operational technology.
Jake Bernstein: It's true.
Kip Boyle: You cannot palletize apples without operational technology. It's just crazy.
Jake Bernstein: Okay, so that was my side note. It's super important. Still not much data. Again, DBIR mentions why that might be. But okay, attributes, go.
Kip Boyle: Right. Okay, so this is the next topic, attribute. This is the CIA triad. And the attributes over time in incidents graph in the report is really fascinating. So way back in 2017, all three were grouped relatively close together with confidentiality impacted the most often followed by availability, and then integrity. So that's CIA. And it was 60% C, 50% A, and 45% I. And for some reason availability attacks went way down in 2017. But then they rebounded... Sorry, 2018. But then they rebounded and they've been growing ever since. And that's due to ransomware. So as it stands, confidentiality and availability are now just about equal, although that hasn't been the case in the last several years.
Jake Bernstein: That's new this year.
Kip Boyle: Yeah. And it probably proves the notion that ransomware is just a monetization method and not a specific type of attack because now they can steal, encrypt, and then threaten to disclose your data. And what's happening too is that they're actually not always even bothering to encrypt. They just steal the data.
Jake Bernstein: I question whether that will actually be ransom? Oh no, I guess it is still... That's a good point, Kip. It is like ransomware. Oh god, that's so fascinating. I honestly hadn't considered this until I prepared for this episode. But if I just say ransomware, it actually doesn't have a ton of meaning in the technical sense anymore. It used to. It used to mean a specific type of malware that specifically would encrypt your files and then demand a ransom to get it back. But really now it's just any form of... It's like I said, it's a monetization method. Clever.
Kip Boyle: Using whatever method they can use.
Jake Bernstein: So a data breach, as I mentioned toward the start, is basically defined by a compromise of the confidentiality attribute. But Kip, you might be asking what variety of data is involved?
Kip Boyle: How did you know, I was just wondering that?
Jake Bernstein: I know you were, I could tell. Personal data, of course, remains popular, present in 40 to 50% of breaches between 2017 and today. So last five years, give or take. Curiously, PCI, so payment card industry data has fallen from a peak of 20% in 2017 to less than 10% today. There's probably a lot of reasons for that. My guess is that directly there's just more protections in place for credit card numbers and credit cards, and they've gotten better at stopping....
Kip Boyle: You can make a lot more money doing other things too.
Jake Bernstein: Yeah, exactly. Conversely, credentials man, and this is scary, have become incredibly popular. Back in 2017, credential theft was involved in only about 15% of breaches. Now it is just under personal data at about 45% today. So what are they going after? Credentials.
Kip Boyle: Yeah. And that's I think why we see increased emphasis on multifactor authentication as a form of mitigation. Okay, so let's talk about integrity because it's standing in the corner being a bit of a wallflower right now. Okay, listen, compromise of this attribute integrity has steadily occurred in about 40% of all incidents since 2019. And I think that makes sense. Whenever an attacker gains access to a system, any changes are a violation of integrity. So it's really common for attackers to escalate their privileges into the domain admin group when they get on a domain controller, and that's a violation of your group integrity. So it's interesting, we don't really think about that when we talk about how somebody manipulates our configuration, but that is exactly what's happening here. And ransomware and confidentiality, by the way...
Jake Bernstein: I apologize, Kip, I just left this in here as a note. So what the script says, which Kip is trying valiantly to interpret in real time, is that I just said we also have a good number for ransomware and confidentiality: 38%. What I meant by that is the correlation... Well, to me what this says is that 38% of ransomware attacks, the data actually shows that they are also stealing the data and threatening to release it. So anecdotally, people have been saying for, particularly the last couple of years, which again, remember the timeline of this data set that, "Oh, ransomware 2.0 is doing this thing." Well, now we have a number. It's approaching half. That's a huge number.
Kip Boyle: Yeah.
Jake Bernstein: Okay. You really have to look at the script for this next part, Kip. Now it's time to check in on the timeline. See what I did there? There we go, Kip laughed. So there's a graph and it continues to be deceptive. So what are we talking about? We're talking about the discovery time. It has continued to drop and we are far more likely to detect breaches within days rather than months. Sounds great, but things aren't that simple and here's why. It turns out that the top, and yeah I'm doing air quotes, discovery method, which makes me laugh, for breaches at more than 50% is actor disclosure, which just means that the bad guy said, "Hey, we did this bad thing to you." That is not a good reason to have, quote, discovered a breach in days rather than months.
Kip Boyle: This hasn't changed in a long time.
Jake Bernstein: No.
Kip Boyle: This has not changed in a long time. Having been told that you've been breached by an outside party has been the top form of discovery for years. It's just in the past, either a customer would come and tell you, "Hey, why are you abusing my personal information?" Or a partner would or something like that. But now we just have the bad folks just coming right out and telling say, "Hey, we just compromised you."
Jake Bernstein: And that is a change. Just to be clear, that part is a change. I'd say, in some ways it's probably more disheartening that it's coming from the bad guys themselves.
Kip Boyle: Definitely because that just tells you how bold. They're feeling so emboldened that they can just out you on Twitter and on social media and just commence with the public relations manipulation. Just how bold do you have to be? How impervious to being held accountable to your actions must you feel that you can actually start doing this? It's crazy. It's just crazy. Okay, now I don't know for sure, so check me on this, but it seems like event chain, like a chain that you used to lock something up with, an event chain, there's a statistic, and I think it's new this year, is that right?
Jake Bernstein: I'm not sure.
Kip Boyle: Okay. Well, it's fascinating because it shows the number of steps, which means the number of separate actions of a given attack. So it's like the MITR attack framework. And we find that the vast majority of breaches only include a handful of steps, which means less than five. And the most common actions here are phishing, downloader, and ransomware. And this isn't great news. As a defender, we want attacks to take as many steps as possible. Why? Because each step is an opportunity for our defense in depth strategy to work, to actually trip up an attacker to keep them from achieving their desired end game. But yeah, it's just getting easier and simpler for them and more difficult for us.
Jake Bernstein: So before we wrap up part one of the 2022 DBIR episodes, there is another new piece of information that I find fascinating called the Value Chain, and it's linked to the event chains. And I'm reasonably convinced these are both new. And this new section, which you can find at page 21, concludes something that we always knew. It takes money to make money. In other words, we need to remember that there is an attacker ecosystem out there with important events occurring both before and after any particular attack. Kip has been pounding this drum for years now, the dynamic threat, the fire doesn't innovate, there's people who go to an office building and their nine to five job is to research and develop malware and things like that.
But why does this matter? And it's because we got to think about attack... Sorry. We should remember not to think about attacks solely in terms of starting or ending, but instead think of them more like, and this is a new metaphor, a sports team during its season. They are either on the field or they're preparing to be. There isn't like this time where they're doing nothing other the off season.
Kip Boyle: Or military campaigns, right?.
Jake Bernstein: Right.
Kip Boyle: That's another possible way of thinking about this.
Jake Bernstein: So while the DBIR doesn't explain yet what exactly we can do with this information, they do suggest the ultimate goal, which is if we can understand the circle of breach, and yes, they do make a circle of life joke here, and the transactions that make up that cycle, maybe we can find ways to make those transactions more difficult, more expensive, or less sustainable for attackers. And this is me just going off on my own thinking. Maybe if we could find ways to limit the value of stolen credentials by increasing adoption of breach detection software that forces immediate credential reset. I have no idea if that's a thing or if it would even be a good idea, but it illustrates the point, which is a data breach that snags a whole bunch of credentials leads to attacks that use those credentials. So if we were able to make those credentials less valuable, ideally we would do it almost instantaneously, but we can assume that those credentials get used over the course of not just days, but probably weeks or even months. So there you are.
Kip Boyle: Okay. So that brings us to the end of the first episode in our DBIR 2022 series, and we only got to page what, 21 in this 108 page report? There's so much. Okay, so that wraps it up. And today we did part one of our analysis and so we're going to next time dig into the industry data. And we hope that you'll join us in a couple of weeks to do that. Thank you for being here. We'll see you next time
Jake Bernstein: See you next time
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity huddle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
Sign up to receive email updates
Enter your name and email address below and I'll send you periodic updates about the podcast.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.