EPISODE 143
The 2023 Verizon Data Breach Investigations Report (DBIR) Part 2



About this episode

October 24, 2023

Let’s conclude our look at the 2023 Verizon DBIR report. Today we’ll review the data by industry and some other tidbits with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 143 of the Cyber Risk Management Podcast?

Kip Boyle: The number 143 is music to my ears, man. Love making podcasts. Okay, if you were with us last time, you know that we started looking at the Verizon Data Breach Investigations Report, the 2023 edition. That was part one. Welcome to part two of the DBIR. Now, last time, we talked through the first two chapters and the report's overall findings as we do. Today, what we're going to do is we're going to discuss attack pattern data, and then we're going to dive into the industry specific numbers. I'm just rubbing my hands together because I love me some DBIR. How about you?

Jake Bernstein: I always do. I think even when some of the data hasn't changed, the DBIR authors find a way to keep it interesting and relevant. Yeah, let's move into it.

Kip Boyle: Great. Okay, now I don't want to repeat anything we said in the last episode. We're just going to pick up where we left off in the report last time. All right. So, the big new thing this year, and you always have to have a big new thing to keep it interesting, is that the DBIR team has completed its breakdown of the attack techniques, right? So A-T-T-&-C-K, right? That's the MITRE framework. So, they've broken that down and included it, as well as the Center for Internet Security Critical Security Controls. God, that's a mouthful. They've mapped all of that against their incident classification patterns. Now, we don't really talk about MITRE ATT&CK. We don't really talk about the CIS Top 18. Why is that, Jake?

Jake Bernstein: Well, I'm actually not sure about why we don't talk about the MITRE ATT&CK. Maybe you can tell us, but I can tell you that we've never been the biggest fans of the CIS CSC for a variety of reasons. It's because of the way people talk about them. I have nothing against the CSC Controls, but I think what gets confusing is people tend to think of them as a framework and they're not. They're a list of controls. As long as you know what they are and what they're for, they're fine. They're controls. So, yeah.

Kip Boyle: My problem with it is it's old and I don't think it's as useful as other choices. So, you're right, it's not a framework. So, if you want a framework, NIST Cybersecurity Framework. I had a conversation with somebody the other day who said, "Yeah, we tried to use NIST CSF to improve our cyber risk management, but we found it weird and difficult to understand. So, we just adopted the CIS Top 18." I'm like, "Well, there's a reason why you had that experience." I took the time to explain it to them. But anyway, listen, it's the Essential Eight. That's what I recommend. So, check that out everybody.

Now, I'm not trying to divert this too much from DBIR, but couldn't help, couldn't resist. Why don't we talk about the MITRE ATT&CK framework? It's really technical and I just don't think our audience really wants to spend time talking at that level of technical detail. So, just thought I would comment on why we don't tend to talk about these things on this project. But having said that, the DBIR has mapped them in and I think that's a good thing. I'm not against it at all. The DBIR continues to use the eight patterns that they established a few years ago. Now you can see those patterns on page 28 of the current report.

Jake Bernstein: Twenty-three.

Kip Boyle: Sorry, page 23. I don't know why I said 28. Thank you for catching me. Page 23 and the frequency of the patterns, while we have the same eight, the frequency has changed. Why? Because cyber is a dynamic risk and it's always changing. Stuff that used to work in the past, cyber criminals abandon when we come up with new defensive tactics and then they shift and move around. That's what makes all this so very interesting. Okay. So, last year, we had system intrusion in first place. So, again, last year, 40% of all breaches that they reported on were attributed to system intrusion. Last year, basic web application attacks and social engineering were both in the 20 to 23% range each. Then way down below that were miscellaneous errors, privilege misuse, and lost and stolen assets.

That's actually held steady at 15%, 5%, and 3% respectively. So, that was last year. Okay. So, now how does that compare to this year? Well, it's difficult for me to do this without showing you a graphical representation, but I'm going to do my best. Again, you can see the full charts on pages 22 and 23, but follow me here. System intrusion remains the top pattern in breaches. However, basic web application attacks and social engineering, they pulled apart a little bit. We've got social engineering down to about 18%, basic web application attacks at 25%.

Jake Bernstein: That's interesting, isn't it, Kip? Because again, this is in breaches, right? Just to remind people, the DBIR always talks about incidents and breaches.

Kip Boyle: They're not the same.

Jake Bernstein: They're not the same, with breaches being confirmed loss of confidentiality. But even though there hasn't been a ton of change in the attack pattern rankings, and it's much easier if you can look at the graph, I will admit that, that separation of basic web application attacks and social engineering is fascinating. I will say that it was a combination of the basic web application attacks increasing and the social engineering decreasing a little bit, but other things also compressed a little bit. It's interesting. Sorry, continue.

Kip Boyle: Yeah, it is interesting. I don't know that I'm [inaudible]. You needed to set that thing on a stand, man. What even was it?

Jake Bernstein: Hopefully, nobody can hear that.

Kip Boyle: Jake's got something making a little twinkle noise in the background. Anyway, look, it is interesting how these two attack patterns have pulled apart from each other, but honestly, I'm not really sure what conclusion to draw from it at this point. But this is the thing that you look at and you wonder about and you keep it in your mind, because your experience with internet attacks might cause you to go, "Aha, that's why I saw that in the DBIR," or maybe not, but anyway. So, these are good things to notice.

Jake Bernstein: They are. One of the things that, of course, we'll talk about is that these two charts on 22 and 23 are overall, right? Once you dig into the industry specific, you can get more granular data for your particular industry. We'll of course talk about that.

Kip Boyle: That's one of the things I love about this report.

Jake Bernstein: It is. One thing that I want to highlight, simply because I forgot to give myself a speaking part early on, was that in the incidents, so in the patterns that we see in incidents, which again are non-confirmed, there was a dramatic increase in the prevalence of lost and stolen assets. It's actually humorous almost. Again, you're looking at the chart and you see this purple line just spike and it was in... What do you call that? I guess fourth from the bottom, fourth up from the bottom. It has bypassed in one year both social engineering and basic web application attacks. We talked about this a little bit last time, but when people leave their homes, they lose stuff.

Kip Boyle: They're leaving their offices and homes more now, aren't they?

Jake Bernstein: They are, yes.

Kip Boyle: The pandemic is largely receded. We don't quarantine, we haven't been. So, people are out and about.

Jake Bernstein: Yup. Just from numbers, it went from 5% all the way up to 12%. That's a big increase.

Kip Boyle: It is. I mean, on a percentage basis, you might think, "Oh, that's not much," but on an absolute basis, it's quite a bit.

Jake Bernstein: More than double. The incidents, not the incidents. That's very hard to parse. More than doubled. All right. Let's continue before we get down rabbit holes.

Kip Boyle: Okay, great. All right. So, that's the summary information on incident classification patterns. Now what we want to do next is we want to talk a little bit about each one of these patterns to the extent that they're worth talking about. If you're following along, we are now on page 24 and we're going to move up through page 47 at a brisk clip. Now, last year, we went into a lot of detail in this area. We're going to do it again. When the new MITRE ATT&CK mappings make some really good insight, we'll mention that as we go. So, Jake, you want to get us going?

Jake Bernstein: Yeah, I'm going to start with system intrusion. Just as a reminder, system intrusion is defined as it captures the complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware. I like how the DBIR puts it as system intrusion is the true hackers, the hands-on keyboards who have actual skills and they dart around your defenses with a large variety of tools. This is working for it in a way, as they say. So, what can we understand here? This year, I think this is new, but the DBIR breaks down the system intrusion into three phases, initial access, breach escalation, and the results.

Kip Boyle: Yes. Can I tell you why I think they're doing this? Because in the cybercriminal world, they are specializing more than ever. So, now you've got an entire industry of initial access brokers. So, these are people who break in and then sell this access to other organizations, other cyber criminals who want them to deploy ransomware or whatever it is that they want to do. So, I'm happy to see this broken out this way.

Jake Bernstein: Yeah, no, I think it's helpful even though there's one little part of this that's confusing to me. We can talk about that and maybe we can break it down and figure it out together, but the way they do this is they look at the three phases, like I said, initial access, breach escalation, and the results. Then they give you details of the action asset combinations and you can immediately see how important servers are obviously in system intrusion, that's going to be the asset that is attacked. It's not the only asset that's attacked.

Across all three phases, you do see users, user devices rather, and actual people attacked. There's also a frightening amount of unknowns in this data and I think that it's also worth understanding. Now, obviously, hacking and malware both play a large role in the initial and escalation phases and in the results. I have to admit, I'm not quite sure what these codes mean, IA, CP, and AU. I can't figure out what those are referring to and maybe a kind listener will let us know somehow.

Kip Boyle: I'll cop to not knowing either, which is strange because the people who write this report are generally meticulous about not using terms that they don't define and using the terms that they do define in very specific ways. So, yeah, I was a little confused as well.

Jake Bernstein: So which reminds me, Kip, we should have a feedback form somehow for this podcast, but we'll figure that out later. This is a good reason as to why. Nonetheless, the number of unknowns here, I think that is concerning. I think what that shows is that we need to do a better job of either investigating or reporting on system intrusion so that all of us can get better at defending against them. Then in terms of the action varieties and the vectors, it's also instructive. So, the varieties are ransomware, that's way out in front, over 80%. Then you drop down to other at like 20%, exploit vulnerability, use of stolen credentials, phishing, and then backdoor or C2.

Keep in mind this is very different from the 2022 patterns because 2022 had SolarWinds and Kaseya. So, backdoor or C2, I believe, was at the top. The vectors themselves are a little bit less spiky. You've got web applications, desktop sharing software, and email all between 35 and 25%. So, that's a pretty tight window there. I think what's interesting here is direct install remote injection, they're still on the list, but they're just way below. So, what we really want to look at here and I highly encourage you to go and look at pages 24 through... What is it? This is a long one, 27.

Kip Boyle: Yeah, 47 is really the end of this entire-

Jake Bernstein: That's the end of it.

Kip Boyle: Page 47. Yeah.

Jake Bernstein: Actually, I take it back. This one truly goes all the way until 30. The system intrusion discussion is the longest.

Kip Boyle: Okay, so just this topic. Yeah.

Jake Bernstein: This is just this topic. This is where the attack details are somewhat interesting. Even if you don't know the codes, if you just look, there's this box on 24. So, the VERIS, which is the Verizon system, it would say exploit vulnerability. Okay. So, that's a big topic though, right? If you break that down into the relevant attack techniques, you see that exploitation for privilege escalation, exploiting a public facing application, exploitation for defense evasion, exploitation for credential access for remote services, and vulnerability scanning all fall under this exploit... What that does is, again, if you're on the technical side, go look at this because I think it gives you a sense of much more specific information than I think we've gotten in past years.

Kip Boyle: Really, MITRE ATT&CK is, among other things, a taxonomy. If you're trying to communicate with somebody about a very specific technique that somebody used or a sequence of techniques that somebody used to break in, this framework is very helpful because it really does split all those hairs and gets you down to, "Well, it's this, not that," right? So it really does a nice job of eliminating confusion when you want to talk at that level of detail. Okay. Now, thank you for the overview and thank you for letting me talk about ransomware, because ransomware, yes, we just can't stop talking about it because why? It works. It continues to be a major threat for all organizations. It doesn't matter what size you are, it doesn't matter what industry you're in.

I mean right now as we record this, we are studying lots of information that's coming out from Caesars in Las Vegas and MGM in Las Vegas, because they were both attacked and had ransomware deployed and caused tremendous disruption to both. I think MGM is suffering more in terms of their customers right now, but the Wall Street Journal's reporting that Caesars paid something like $30 million to the attackers in order to get encryption keys. So, this is all fascinating for you and I, Jake, because we're not getting ransomware attacked. Right now, neither of us are in Las Vegas trying to get into a hotel room.

So, it's academic, but it does make the case that ransomware isn't going away. While the report shows ransomware only increasing slightly in the dataset that they studied from 2022, it's everywhere. 91% of the industry groups have it as one of their top three actions and it ebbs and flows. I think right now, it's flowing. It's flowing tremendously. We've got a nice table showing the action vectors that Victor gave me and specifically for ransomware. Did you catch that, Jake? Did you see what I did there?

Jake Bernstein: I did.

Kip Boyle: All right, fine. You don't need to appreciate it, but I thought it was funny. Okay, so let's break down this table. First, you got email, 35%; then desktop sharing software, 30%; web applications, 25%; the ever popular other category at 18%; direct install and backdoor only at the 5% level. So, yeah, that's what we saw in 2022. Now, the report also talks about this year's big cyber event for the dataset, which was Log4j. Now page 28 of the DBIR, you're going to see a very in-depth... They devote an entire page to this Log4j episode that we all went through. But I think one of the upshots of Log4j is this idea of a software bill of materials or as we call it an SBOM. No, not an F-bomb, you cheeky kids, but it's an SBOM. So, what does this thing do?

Well, the idea here is that if you are wondering, look, I just got this package and it lets me do network administration. Okay, well, what are all the modules in here? How much of this stuff is proprietary code? How much of it's open source? Which projects did it come from? That was one of the problems that people struggled with when they were trying to mitigate Log4j is that that stuff is everywhere, but it's not obvious. So, if you got a software bill of materials, then it would be a much faster and a much more accurate analysis to find out where do I have to patch, because I have to do a lot of patching. So, we're almost done with system intrusion. Okay. So, I'm on page 30 right now. There's a note and it consists of an updated examination of the FBI's IC3 data.

Now, what is IC3? Well, that's the Internet Crime Complaint Center. That's where you can go. That's like the FBI's official place where you can grouse about all the awful things that happened to you while you were trying to use the internet. There are some interesting points in there. Now there are some takeaways, but before I tell you what the takeaways are, I want to caution you, only a very small fraction of all crime is actually reported to the police. It doesn't matter. It could be armed robbery, it could be rape, it could be all kinds of crimes. Historically, they're all under-reported, and that does not break down. When it comes to cybercrime, most cybercrime is wildly under-reported.

So, when you go to the FBI's Internet Crime Complaint Center and you look at the data that they have there, you've got to keep that in mind. Okay? But okay, now holding that, what we're seeing is that the threat of ransomware for smaller organizations is increasing and the cost of recovering from a ransomware incident is increasing, despite the fact that the actual ransom payments have gone down. Why have they gone down, Jake? Did it say?

Jake Bernstein: It did. I mean, they simply said that because they're taking whatever they can get from smaller and smaller organizations.

Kip Boyle: They just don't have as much to pay. They just don't have as much.

Jake Bernstein: Right, you just mentioned the MGM and Caesars. Yeah, Caesars can pay $30 million. That may set some records, but it's like we said in the past, you don't care if you get $10 from 100 companies or $1,000 from one company. If you're the hacker, if you're the criminal, it doesn't matter to you. That's why we're seeing a slight decrease in the overall ransom payments. But I think it's really important that the cost of recovery is getting higher and higher for smaller organizations in part because they are smaller.

As you said, I mean the losses, the data that you get from the FBI IC3 is interesting, but they have this 95% range, which means that 95% of all losses occurred between, get this, $1 and $2.25 million. It's not terribly useful, but it does mean that the upper bound is scary if you're a smaller business.

Kip Boyle: The smaller you are, the more risk there is that the cost of recovering from something like this will go out of reach. If you don't have insurance, if you don't have good backups, it may not be possible for you to afford to reassemble your business quickly. You just may not have the resources to do it. We've seen examples of this out in the real world. We've got dental offices, we've got cloud providers, we've got manufacturers who all have had to shut their doors because they were so thoroughly dismantled from the cyber-attacks that there just was no way for them to reconstitute as they were. I mean, they just really were knocked back to the Stone Age of their organization's history. It's awful. It's wrong and I could get on my soapbox right now, but I'm not going to because-

Jake Bernstein: Because I'm going to talk about social engineering now. So, here it is. The numbers are quite simply up, largely because of the use of pretexting, which is commonly used in BEC, business email compromise. It has nearly doubled over last year, and the median amount stolen from these attacks has also increased to $50,000. Now, I didn't put this in the script, but I'm going to do it anyway. I want to mention the difference between pretexting and phishing because it's actually pretty important. These are the definitions within the DBIR. Phishing is your basic information grab, right? There's a link, maybe a folder.

Pretexting though, it is really defined by the BEC pattern where there's an extended conversation where somebody tries to get you to switch to a different bank account number or it's multiple communication attempts as opposed to "the simple phish", which is usually a one-time thing. So, that's way up. The use of pretexting is way up, which means that the risk is high there. I'm really curious to see the pretexting numbers for the coming couple of years because I think that generative AI is making pretexting easier and more convincing. So, we'll have to see how that goes in the future. There's no data on that in the 2023 DBIR because the data set was finished-

Kip Boyle: It was before-

Jake Bernstein: It was closed.

Kip Boyle: ... ChatGPT ever really made a-

Jake Bernstein: Yeah, exactly.

Kip Boyle: ... a splash into it.

Jake Bernstein: Exactly. So, what's the takeaway here? It's email, right? It's email. Email is the primary vector for influencing people in ways that will hurt them. It's 98% of the vector for these incidents. Then after you get the email, we do have this divergence. If you're a phisher, then you're probably getting credentials and then you go and leverage them and try to get into the user's inbox. That's 32% of incidents. Otherwise, you're going down that pretexting route, which is trying to get someone to do something clearly against their interest using only email communications. There is some good news here, and I've experienced this. That is that if you can get to law enforcement and your bank fast enough, the odds are getting way better that you're going to get at least some of your money back.

In fact, now I'll tell you the statistic. More than half of all victims were able to recover at least 82% of the stolen funds. This is huge because what's happened here is that law enforcement and banks have gotten much better at stopping the money from moving. Yes, this is focused on wire transfer fraud and the business email compromise, but what I like here is the DBIR's advice to stop focusing on this click rate of phishes.

As they so humorously put it, the phishing exercises will continue until the click rate has decreased. For those that aren't thinking about it, that is a play on the phrase the beatings will continue until morale improves. There's a good point here, which is because time is of the essence, work toward a more collaborative security culture, so that your employees are comfortable to report things right away. Because time in a BEC is everything.

Kip Boyle: Time is money. I mean, let's grab that aphorism as well.

Jake Bernstein: Time is money, but in this case, it's because you have a limited time period to get the law enforcement agencies and the banks to stop the money transfer. So, there you go. Go fast.

Kip Boyle: You were starting to veer into this territory, Jake, I thought was really interesting, which is how can you make a psychologically safe environment for people to report stuff that they think, "Oh, this is weird," or "Oh, my God, I just got scammed, but I'm afraid to say it because I'm afraid that people are going to blame me as the victim or whatever." But we've talked about this before in prior episodes. In fact, it was due to a DBIR review that we did back in 2021 that led us to do two episodes. Both of them were called how to really make sure that cybersecurity is everyone's job. Those were episodes 88 and 89. Guess what? Even though that was back in 2021, still relevant, maybe even more relevant than it ever was.

Jake Bernstein: Yeah, agreed.

Kip Boyle: So okay, social engineering. So, now there's a lot of excellent data in the attack patterns section. We say it every year, but it continues to be true. We're not writing the report. We're just reading it. So, while we're going to move into industry data, we want to encourage you to pay particular attention to the basic web application attack section and that's going to be in pages 35 through 39, because the scope of the threat and the denial of service section, pages 42 and 43, it's just interesting to see this one continue to remain at the top of the list for incidents. So, go check out those.

I'm actually surprised that you haven't tried to pronounce the acronym for basic web application attacks yet, Jake. Maybe that's going to come later. I don't know. I guess that's come later. Okay. Now we also have to mention, and we actually did-

Jake Bernstein: Oh, actually, now that you mentioned it, Kip, I do want to say, so I meant to actually talk a little bit about the MITRE ATT&CK techniques that were relevant to social engineering. I'm also going to do it real quick for-

Kip Boyle: BWAA.

Jake Bernstein: There you go, basic web application attacks. If you look at the little black sidebar, that's where it is.

Kip Boyle: What page?

Jake Bernstein: This one's on page 31 for social engineering. They talk about you can see what you'd expect. The compromise targets are email accounts. They also make email accounts in the social engineering. We often forget about that. It's important to remember that one of the things that an intruder or a threat actor will do is create their own accounts in your email system, presumably after they've gotten credentials. Then of course you see spearphishing attachments, spearphishing links, and spearphishing via a service. All of those are distinct at least in the MITRE framework, and those are worth looking at. I'm just going to zoom down to page 35 on basic web application attacks.

You see, brute force is a common attack technique, credential stuffing, password cracking, password guessing, password spraying. They're going to be exploiting public facing applications. They're going to be looking at your default accounts and your domain accounts. This one's scary. They will exploit application access tokens. So, again, the reason I like this, every year we say this all the time, but the DBIR, the more detail they provide, the more actionable it becomes. Even though you and I don't live and breathe the MITRE ATT&CK framework, the fact that it's in here is just an amazing, another increase in utility to this report. Okay, now I'm done.

Kip Boyle: I absolutely agree. If I was a defender working in an organization as a W-2 employee and I was just trying to figure out, "How should we be investing our budget next year? How do we need to counter the high frequency attacks?", I mean, I would be all over this looking at the relevant attack techniques because that is what's going to tell you very specifically what countermeasures you need to deploy. So, yeah, it's wonderful and I'm glad that you went back to emphasize that. Okay. Do you want to talk about privilege misuse?

Jake Bernstein: I do, but you've got to mention lost and stolen assets.

Kip Boyle: We already did.

Jake Bernstein: No, but-

Kip Boyle: Did that already, how the pandemic's over, people are now out and about, and we saw that huge spike from 5 to 12%.

Jake Bernstein: We did. I just want to mention the obvious, which is that, look, the devices these days have huge storage capabilities and they're small. They're not big.

Kip Boyle: Yes.

Jake Bernstein: Okay, so privilege misuse, very important. Look, employees are using their access to commit breaches and even initiate fraudulent transactions. One of the things that's frightening this year is that there's a lot more evidence of collusion between multiple actor types. It's still about the money, but with privilege misuse, it's only 85% where financial is the motivation. I think it's interesting that grudge is the second largest motivation in 15% of breaches.

Kip Boyle: Not grunge. We've outlived that era.

Jake Bernstein: Yeah, not grunge, grudge. You can't ignore that. That's an important thing to keep in mind. If an employee has a grudge, make sure they don't have access after you have given them cause to have the grudge usually by terminating their employment. The other thing that's really interesting is that apparently, it is not all that rare for a criminal gang to send in people to get hired by the target organization so they can assist with fraudulent transactions. That's part of this insider threat. Spotting them is hard. The best we can do is really say, well, make sure you have as robust of an onboarding process and conduct your background checks, but that is a challenge. That almost seems like a Hollywoodism, but to find out that the data backs it up, it's inherently fascinating.

Kip Boyle: I'll tell you a quick story. It was 1998. I was in New York City. I was consulting to a large, large, large bank, and I was talking to the CISO. Guess what? He said, "All this hacking's really interesting, but my biggest problem is that I've got people showing up to work, new employees, and it turns out that they are actually part of criminal gangs. Now I've got this massive insider threat and I don't know how to screen with high degrees of accuracy during the hiring process to identify these people because they're mostly younger folks. They don't have existing backgrounds." Anyway, this has been going on for a while. It's interesting to see it show up here in the DBIR.

One thing about privilege misuse that doesn't seem to show up in the DBIR that I want to make a comment about is that here we're looking at privilege misuse where you've got a person on the inside going, "Ha-ha-ha, I'm going to steal money," or "Oh, I'm going to get you guys back." But social engineering is also about privilege misuse, but in that case, you've actually got outsiders tricking insiders into doing things with their privileges that they don't realize what they're doing. The same kinds of internal controls that'll stop or detect an insider who's deliberately trying to rip you off will also help to decrease the impact of somebody who's being manipulated into misusing their privileges.

Jake Bernstein: Agreed. Yup, it's very true.

Kip Boyle: I think it's important as a defender. Okay, now let's take a look at the big picture of industry data. So, the DBIR explains at some length why you shouldn't look at the raw numbers of incidents and breaches and draw conclusions about the state of security in an industry or in a given industry's likelihood of being attacked for a large variety of reasons. So, as you look at this industry data, just keep that in mind. Look, the specific recommendation for any given industry is to check out the top patterns. So, start with the patterns and then go back and check out the pattern section, which we've only skimmed through, and then you'll get useful details there.

I mean, it really just comes down to there are more useful ways to analyze data and there are less useful ways. The DBIR team knows their data. They just made a recommendation to you about what's the most productive way to use it. Please follow that until you know better because your experience tells you that there's a better way to do that. Look at pages 50 and 51. You know, Jake, we should start telling people that when they tune into this episode, they should open up their DBIR and follow along with us, right?

Jake Bernstein: Yeah, that's a good idea. Too bad we didn't think of that, well, actually two weeks ago.

Kip Boyle: Too bad we didn't think of that four years ago or whenever it was we started doing these episodes, but probably there's lots of smart listeners out there that already figured it out, even though Jake and I just figured it out right now. But if you go to pages 51 and 52, that's where you're going to find the pattern action and assets organized by industry code.

Jake Bernstein: These are the heat map charts. Yeah, these are the heat map tables, which I love.

Kip Boyle: Yeah, they're great because you can instantly see things about your industry that would take you a long time to figure out if you're actually reading the report, right? So you can see, for example, that if you're in real estate, let's see here, you are less likely to have to deal with attacks against people than other industries are. If you're in public administration, you're far more likely to have to deal with user.... What's user dev? Why do I not understand that as I glance at-

Jake Bernstein: That's a user device.

Kip Boyle: User devices. For some reason, I have software in my mind. User devices are going to be far, far, far more likely of a problem area for you. I mean just like way, way, way more than any other industry. So, these are great tables. I could sit here and study them for a long time easily. I would not get bored anytime too soon. What do you think about all this, Jake?

Jake Bernstein: I mean some of the media section, the media's two pages of the entire report, but again, don't read too much into the actual numbers. It's still important to go look at the breakout page for the industry, which is what we're going to do now. So, Kip, why don't you go ahead and start with the financial and insurance, which is NAICS Code 52?

Kip Boyle: All right. So, if I go down to 52, let's see here. Okay, so the top patterns for this industry, 77% of all breaches in fact are basic web application attacks, system intrusion, and miscellaneous error. Where do those attacks come from? Well, the threat actors are 66% external, which is actually down from 73%, and they are 34% internal. The primary motive is not surprising. Financial at 97%, the data compromised is personal at 74%, credentials at 38%, our favorite category of other at 30%, and then bank related data at 21%. Now, there's an interesting quote on page 55. It says, "These attacks are so basic."

Jake Bernstein: No, no, no, you have to read it. These attacks are so basic.

Kip Boyle: Then you do it.

Jake Bernstein: No, if anyone has seen the Finding Anna Netflix series, she calls everything basic.

Kip Boyle: See, I haven't seen that yet. You gave it to me and I don't know what to do.

Jake Bernstein: This is an insult. This is a pop culture insult, but continue because I think you'll like this part.

Kip Boyle: Okay. Okay. These attacks are so basic.

Jake Bernstein: There you go.

Kip Boyle: As the DBIR says on page 55, how often do we hear that we were compromised by a highly sophisticated cyber-attack?

Jake Bernstein: All the time. You always hear that.

Kip Boyle: We hear that all the time. Yup, we do. In fact, I saw another little turn of phrase excoriated on LinkedIn this morning, which was around this little term, out of an abundance of caution.

Jake Bernstein: I hate that phrase.

Kip Boyle: Which is a mask for we don't know what we're doing, so we're going to cover all of our bases in a very broad based way. Look, it may be highly sophisticated for some people who don't really understand this space, but really it's just brute force passwords, credential stuffing attacks. This stuff's not new. These things have been going on for 25+ years. So, anyway, happy to bust that myth with you here now, Jake. Okay, so this is where the breakdown patterns really matters. System intrusion dropped from 27% to 14% this year, and that means we're not doing a great job of making the bad guys work for their breaches.

Jake Bernstein: It's true. I mean, it's actually sad. Both brute force passwords and credential stuffing are attack patterns and vectors where technical controls can make a big difference. That's why I don't think they're all that sophisticated, which makes the whole highly sophisticated cyber-attack just ring hollow.

Kip Boyle: I roll my eyes.

Jake Bernstein: Very good points.

Kip Boyle: I roll my eyes at that phrase.

Jake Bernstein: Yes, yes. Next up is healthcare. The headline here is a sector under siege, highly targeted by ransomware gangs, which is very bad. We've talked about this in the distant past. I believe we had a whole episode about killware. The ransomware that targets a hospital is likely to kill people through unavailability of systems, but let's talk about the data here. So, last year, the top issue was basic web application attacks, and that hasn't changed. System intrusion is up because ransomware is becoming increasingly popular and causing an increase in confirmed breaches.

What does that tell us? That tells us that so-called ransomware 2.0 or whatever we're on now, 3.0, where it's not just an encryption, it's also a threat to release as a data breach. That's extra effective against the healthcare industry. Why? Because there are clear penalties for losing healthcare data. There's a reason that this is particularly common in the healthcare industry.

Kip Boyle: What I continue to observe is that I don't know what it is exactly, but healthcare senior decision makers just don't seem to be bothered by this. I continue to hear from my colleagues that work in that industry that yeah, they're not getting what they need to be successful.

Jake Bernstein: Yeah, I really see a variation here. I see a lot of my healthcare clients are doing as best as they can on this, and it's a priority. Others still haven't seemed to figure it out. I will say that errors are still a major problem, as are basic web application attacks. You can't ever discount the risk of internal threat actors in this area. Healthcare has 35% internal actors in breaches. That's a fair amount. So, together with basic web application attacks, system intrusion, and miscellaneous errors, that is 68% of the healthcare industry breaches.

Privilege misuse is still just outside the top three, but there again is increasing evidence of collusion between internal and external actors. The best defense here is swift identification of unusual data access patterns. Look, I'm not going to lie, that is a technical problem that can be solved by technical tools, but it's not easy and it's not cheap.

Kip Boyle: No, no, it's not. The smaller you are, the more difficult that whole idea of even doing that can be. Okay, so this is the part of the episode where I say, Jake, we're 45+ minutes in and there's still a lot to talk about. I suggest that we compress the rest of the things we wanted to talk about so that people don't have to be listening to us for another 30 minutes. What do you think?

Jake Bernstein: I think that's probably a good idea. Here's the summary: if you look at the information, manufacturing, and the professional, scientific, and technical services industries, you're not going to find a great deal of change from last year. There are little details that move around. For example, miscellaneous error gets replaced by social engineering. Espionage motives are decreasing. Pretexting is increasing. These are all things we've said and I think that's helpful to understand. I'm stealing this from you. There is something that's useful here, and it's at page 65. It's from 65 through, I want to say 68. This is a whole section about small and medium business. Kip, why do we care about small and medium business?

Kip Boyle: Because in the United States, it's 99% of all organizations in the market space.

Jake Bernstein: I mean, we serve a lot of medium-sized businesses-

Kip Boyle: We do.

Jake Bernstein: ... as our clients.

Kip Boyle: Yup.

Jake Bernstein: Again, the way that the DBIR breaks this down is a small business is less than 1,000 employees and a large business is more than 1,000 employees. Look, that's a really simplistic mechanism here, but it's useful nonetheless. The takeaway from this is that, and this actually makes intuitive sense. Everybody is moving toward the same infrastructure.

Kip Boyle: Like cloud.

Jake Bernstein: Cloud, right, whether you're large or small. Because of that, small, medium businesses and enterprise are really becoming much more similar in terms of the attack patterns that they face, the vectors. But the difference, Kip, is that SMBs continue to struggle to recover from incidents and breaches compared to their larger cousins simply because they don't have the level of resources-

Kip Boyle: That's right.

Jake Bernstein: ... that is available to a larger business. There is even more detail here. If you are small, they will go through and they provide some recommendations on controls. They are the CIS CSC, so we're not going to talk about them because again, they're not our favorites. But don't let our bias stop you from doing that. It is helpful, and I think it's worthwhile to go and consider that. So, that is the last new thing that we're going to talk about. Otherwise, as always, check out the DBIR for yourself. It's always a great read.

Kip Boyle: That wraps up this episode of the Cyber Risk Management Podcast.

Jake Bernstein: It does. It does indeed.

Kip Boyle: Yeah. We talked about part two of our analysis of the 2023 edition of the DBIR to see what we could learn and to help point you in the right direction. Thanks for being here, and we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.