Takeaways from the 2015 Data Breach Investigation Report

I just got done skimming the 2015 DBIR, and here are a few things that pulled my attention.

• 70 organizations contributed

• 61 countries represented

• ~ 80,000 security incidents

• ~ 2,100 confirmed breaches

• External threat actors remained the bulk the problem

• Memory scraping has grown significantly as an attack vector

• 60% of the time attackers are able to compromise an org in minutes

• Early indicators are that threat intelligence needs much more sharing and use of multiple feeds to be of use

• Sharing speed needs to catch up to attack speed (threat intelligence)

• 23% of recipients open phishing emails, and 11% click on attachments

• 50% respond to phishing campaigns within an hour

• Awareness and training are the best ways to fight phishing

• 99.9% of exploited vulnerabilities were from over a year after the CVE was published

• ~ 50% of CVEs exploited in 2014 went from publish to exploit in less than a month

• A CVE being added to MetaSploit is the best predictor of exploit

• Mobile devices are not a preferred vector in data breaches

• 96% of mobile malware was targeted at Android

• More than 5 billion remotely exploitable Android apps out there

• 70-90% of malware samples are unique to an organization

• We may need to be doing the ISAC thing as a matter of course, rather than as a supplement. Industry-wide standards may not be effective

• Average cost per record was $0.58c, but Verizon built a better model for estimating loss

• Larger breaches tend to be multi-step, with another breach enabling the attack on the POS

• The Chip and PIN regulations go into effect in October 2015. Realize that weak implementations (just like any security system) are still vulnerable to attack

• Malware used to launch DoS attacks rose dramatically in significance

• Command and control remains a massive industry

• Organized Crime became the most commonly seen threat actor for Web Application Attacks

• Most web attacks followed this flow: phish -> get credentials -> abuse web application -> steal money

• 55% of insider threat was insiders abusing access they already had

• 60% of incidents were attributed to errors made by sysadmins, resulting in breaches and losses of records

• You should be logging DNS and web proxy requests, and investing in solutions that help you ingest and analyze this data

Analysis

I particularly love the piece about DNS monitoring. It’s one of the first things I ask about when having a malware/threat conversation.

The 23/11% numbers for phishing opening/clicking is still quite high. Training must be constant on this, with repercussions for doing the wrong thing.

And the whole piece about the 99.9% of exploited vulnerabilities coming from issues over a year old, well…that’s just embarrassing. I’ve been saying for a while now that we don’t have an issue with finding vulnerabilities, we have an issue with remediating them.

On all counts, this continues to be a great report that I recommend every security person makes a permanent part of their yearly reading.

[ The 2015 DBIR Report ]

Related posts:

1. Analysis of the 2021 Verizon Data Breach Report (DBIR)

2. Analysis of the 2020 Verizon Data Breach Report

3. The Difference Between Business Intelligence, Reporting, Metrics, and Analytics