Daniel Miessler

Takeaways from the 2015 Data Breach Investigation Report

April 17, 2015
#business #cybersecurity #technology
2015-dbir

I just got done skimming the 2015 DBIR >, and here are a few things that pulled my attention.

  • 70 organizations contributed

  • 61 countries represented

  • ~ 80,000 security incidents

  • ~ 2,100 confirmed breaches

  • External threat actors remained the bulk the problem

  • Memory scraping has grown significantly as an attack vector

  • 60% of the time attackers are able to compromise an org in minutes

  • Early indicators are that threat intelligence needs much more sharing and use of multiple feeds to be of use

  • Sharing speed needs to catch up to attack speed (threat intelligence)

  • 23% of recipients open phishing emails, and 11% click on attachments

  • 50% respond to phishing campaigns within an hour

  • Awareness and training are the best ways to fight phishing

  • 99.9% of exploited vulnerabilities were from over a year after the CVE was published

  • ~ 50% of CVEs exploited in 2014 went from publish to exploit in less than a month

  • A CVE being added to MetaSploit is the best predictor of exploit

  • Mobile devices are not a preferred vector in data breaches

  • 96% of mobile malware was targeted at Android

  • More than 5 billion remotely exploitable Android apps out there

  • 70-90% of malware samples are unique to an organization

  • We may need to be doing the ISAC thing as a matter of course, rather than as a supplement. Industry-wide standards may not be effective

  • Average cost per record was $0.58c, but Verizon built a better model for estimating loss

  • Larger breaches tend to be multi-step, with another breach enabling the attack on the POS

  • The Chip and PIN regulations go into effect in October 2015. Realize that weak implementations (just like any security system) are still vulnerable to attack

  • Malware used to launch DoS attacks rose dramatically in significance

  • Command and control remains a massive industry

  • Organized Crime became the most commonly seen threat actor for Web Application Attacks

  • Most web attacks followed this flow: phish -> get credentials -> abuse web application -> steal money

  • 55% of insider threat was insiders abusing access they already had

  • 60% of incidents were attributed to errors made by sysadmins, resulting in breaches and losses of records

  • You should be logging DNS and web proxy requests, and investing in solutions that help you ingest and analyze this data

Analysis

I particularly love the piece about DNS monitoring. It’s one of the first things I ask about when having a malware/threat conversation.

The 23/11% numbers for phishing opening/clicking is still quite high. Training must be constant on this, with repercussions for doing the wrong thing.

And the whole piece about the 99.9% of exploited vulnerabilities coming from issues over a year old, well…that’s just embarrassing. I’ve been saying for a while now that we don’t have an issue with finding vulnerabilities, we have an issue with remediating them.

On all counts, this continues to be a great report that I recommend every security person makes a permanent part of their yearly reading.

[ The 2015 DBIR Report > ]

Follow
Follow On X Subscribe On YouTube Follow On LinkedIn

supporting = loving

3,000+ posts over 25 years—security, AI, technology, meaning—all free, no ads, one person. If even one idea here saved you time, changed your thinking, or made you better at your craft, you got a mass of value for free.

A few bucks a month keeps this going. Pick an amount that feels right.

Monthly One-time
Search
HOME·BLOG·ARCHIVES·ABOUT