I just got done skimming the 2015 DBIR, and here are a few things that pulled my attention.
- 70 organizations contributed
- 61 countries represented
- ~ 80,000 security incidents
- ~ 2,100 confirmed breaches
- External threat actors remained the bulk the problem
- Memory scraping has grown significantly as an attack vector
- 60% of the time attackers are able to compromise an org in minutes
- Early indicators are that threat intelligence needs much more sharing and use of multiple feeds to be of use
- Sharing speed needs to catch up to attack speed (threat intelligence)
- 23% of recipients open phishing emails, and 11% click on attachments
- 50% respond to phishing campaigns within an hour
- Awareness and training are the best ways to fight phishing
- 99.9% of exploited vulnerabilities were from over a year after the CVE was published
- ~ 50% of CVEs exploited in 2014 went from publish to exploit in less than a month
- A CVE being added to MetaSploit is the best predictor of exploit
- Mobile devices are not a preferred vector in data breaches
- 96% of mobile malware was targeted at Android
- More than 5 billion remotely exploitable Android apps out there
- 70-90% of malware samples are unique to an organization
- We may need to be doing the ISAC thing as a matter of course, rather than as a supplement. Industry-wide standards may not be effective
- Average cost per record was $0.58c, but Verizon built a better model for estimating loss
- Larger breaches tend to be multi-step, with another breach enabling the attack on the POS
- The Chip and PIN regulations go into effect in October 2015. Realize that weak implementations (just like any security system) are still vulnerable to attack
- Malware used to launch DoS attacks rose dramatically in significance
- Command and control remains a massive industry
- Organized Crime became the most commonly seen threat actor for Web Application Attacks
- Most web attacks followed this flow: phish -> get credentials -> abuse web application -> steal money
- 55% of insider threat was insiders abusing access they already had
- 60% of incidents were attributed to errors made by sysadmins, resulting in breaches and losses of records
- You should be logging DNS and web proxy requests, and investing in solutions that help you ingest and analyze this data
I particularly love the piece about DNS monitoring. It’s one of the first things I ask about when having a malware/threat conversation.
The 23/11% numbers for phishing opening/clicking is still quite high. Training must be constant on this, with repercussions for doing the wrong thing.
And the whole piece about the 99.9% of exploited vulnerabilities coming from issues over a year old, well…that’s just embarrassing. I’ve been saying for a while now that we don’t have an issue with finding vulnerabilities, we have an issue with remediating them.
On all counts, this continues to be a great report that I recommend every security person makes a permanent part of their yearly reading.