I just got done skimming the 2015 DBIR, and here are a few things that pulled my attention.
- 70 organizations contributed
- 61 countries represented
- ~80,000 security incidents
- ~2,100 confirmed breaches
- External threat actors remained the bulk of the problem
- Memory scraping has grown significantly as an attack vector
- 60% of the time attackers are able to compromise an org in minutes
- Early indicators are that threat intelligence needs much more sharing and use of multiple feeds to be of use
- Sharing speed needs to catch up to attack speed (threat intelligence)
- 23% of recipients open phishing emails, and 11% click on attachments
- 50% respond to phishing campaigns within an hour
- Awareness and training are the best ways to fight phishing
- 99.9% of exploited vulnerabilities were from over a year after the CVE was published
- ~50% of CVEs exploited in 2014 went from publish to exploit in less than a month
- A CVE being added to Metasploit is the best predictor of exploit
- Mobile devices are not a preferred vector in data breaches
- 96% of mobile malware was targeted at Android
- More than 5 billion remotely exploitable Android apps out there
- 70-90% of malware samples are unique to an organization
- We may need to be doing the ISAC thing as a matter of course, rather than as a supplement. Industry-wide standards may not be effective
- Average cost per record was $0.58, but Verizon built a better model for estimating loss
- Larger breaches tend to be multi-step, with another breach enabling the attack on the POS
- The Chip and PIN regulations go into effect in October 2015. Realize that weak implementations (just like any security system) are still vulnerable to attack
- Malware used to launch DoS attacks rose dramatically in significance
- Command and control remains a massive industry
- Organized Crime became the most commonly seen threat actor for Web Application Attacks
- Most web attacks followed this flow: phish -> get credentials -> abuse web application -> steal money
- 55% of insider threat was insiders abusing access they already had
- 60% of incidents were attributed to errors made by sysadmins, resulting in breaches and losses of records
- You should be logging DNS and web proxy requests, and investing in solutions that help you ingest and analyze this data
I particularly love the piece about DNS monitoring. It’s one of the first things I ask about when having a malware/threat conversation.
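To make the DNS logging point concrete, here is an added example (my own illustration, not code from the DBIR or from Verizon) of the kind of analysis that "ingest and analyze" means in practice: a small Python script that parses a BIND-style query log and scores each client on three signals commonly associated with malware command-and-control and DNS tunneling. The log lines are constructed for the example, the log format and the thresholds are assumptions, and the "registered domain" helper is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
"""Score DNS query-log records for C2/tunneling indicators.

Added example; the sample log lines below are constructed and the
log format is an assumption (loosely modelled on a BIND query log).
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample records: two ordinary clients and one client
# issuing a burst of TXT queries for random-looking subdomains.
SAMPLE_LOG = """\
2015-04-16T09:00:01 client 10.1.2.3 query: www.example.com IN A
2015-04-16T09:00:02 client 10.1.2.3 query: mail.example.com IN A
2015-04-16T09:00:05 client 10.1.2.4 query: x7k2q9v1pz8m3n4b5c6d.evil-tracker.test IN TXT
2015-04-16T09:00:06 client 10.1.2.4 query: 3f9a8b7c6d5e4f3a2b1c.evil-tracker.test IN TXT
2015-04-16T09:00:07 client 10.1.2.4 query: a1b2c3d4e5f6a7b8c9d0.evil-tracker.test IN TXT
2015-04-16T09:00:09 client 10.1.2.5 query: cdn.example.net IN A
"""

# Assumed line layout: "<timestamp> client <ip> query: <qname> IN <qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\d+\.\d+\.\d+\.\d+) "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)$"
)


def parse_log(text):
    """Return a list of dicts (ts, client, qname, qtype); skip unparsable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Simplification: treat the last two labels as the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(records, entropy_threshold=3.5, min_label_len=12, churn_threshold=3):
    """Map client IP -> sorted list of indicator tags.

    Signals (thresholds are assumed defaults, tune to your environment):
      high-entropy-label  a long, random-looking leftmost label
      subdomain-churn     many distinct subdomains under one domain
      txt-heavy           many TXT queries to one domain (tunneling channel)
    """
    findings = defaultdict(set)
    subdomains = defaultdict(set)   # (client, domain) -> distinct qnames
    txt_counts = Counter()          # (client, domain) -> TXT query count
    for r in records:
        qname = r["qname"].rstrip(".")
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and \
                shannon_entropy(first_label) >= entropy_threshold:
            findings[r["client"]].add("high-entropy-label")
        key = (r["client"], registered_domain(qname))
        subdomains[key].add(qname)
        if r["qtype"] == "TXT":
            txt_counts[key] += 1
    for (client, domain), names in subdomains.items():
        if len(names) >= churn_threshold:
            findings[client].add(f"subdomain-churn:{domain}")
        if txt_counts[(client, domain)] >= churn_threshold:
            findings[client].add(f"txt-heavy:{domain}")
    return {client: sorted(tags) for client, tags in findings.items()}


if __name__ == "__main__":
    for client, tags in analyze(parse_log(SAMPLE_LOG)).items():
        print(client, ", ".join(tags))
```

On the constructed sample only 10.1.2.4 is flagged, on all three signals. In a real deployment these per-client tags would feed a SIEM or ticket queue rather than stdout, and the entropy and churn thresholds need baselining against your own resolvers, since CDNs and some cloud services legitimately produce long random labels.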
The 23%/11% numbers for phishing opening/clicking are still quite high. Training must be constant on this, with repercussions for doing the wrong thing.
And the whole piece about the 99.9% of exploited vulnerabilities coming from issues over a year old, well…that’s just embarrassing. I’ve been saying for a while now that we don’t have an issue with finding vulnerabilities, we have an issue with remediating them.
On all counts, this continues to be a great report that I recommend every security person make a permanent part of their yearly reading.