It's that time of the year again. No, not the Game of Thrones premiere, but Verizon's latest Data Breach Investigations Report (DBIR). At times, the DBIR can be as hard to read for a security practitioner as GoT is to watch when your favourite character gets killed off, so let's rip off the band aid and dive right in.
The bad guys are still ahead--but by a little less
Let's start with some good news. We're ever-so-slightly closing the gap between time to compromise and time to discover. This is in line with trends we've seen in other reports, for example attackers were able to stay undetected on networks for an average of 205 days in 2014, down from 229 days in 2013 (Mandiant). Unfortunately, for 60% of breaches compromise takes only minutes, so detection taking 205 days is simply not good enough. This reinforces the need to re-balance security investments from prevention technologies to improving detection and response capabilities.
We're still failing to secure credentials
Credentials are still the number 1 way attackers get into the network. Looking specifically at attacks on web applications, 95% of incidents involve logging into the application with stolen credentials harvested from end user devices. This isn't entirely a surprise given how easy it is for cybercriminals to get hold of credentials and how hard it is for security teams to detect their malicious use: a login with a valid username and password looks, on its own, exactly like the legitimate user. In August last year, it came to light that Russian hackers had stolen 1.2 billion usernames and passwords, and those credentials were subsequently linked to the JP Morgan Chase breach.
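Since a stolen credential produces a successful login rather than an alert, detection has to come from the pattern of logins around it. The script below is an added example (not code from the post or from Rapid7's products) showing two cheap detections run over a constructed authentication log: one source IP trying many different accounts in a short window (credential stuffing with a harvested list), and one account succeeding from two countries too close together to be the same person. The log format, field names and thresholds are assumptions for the example.

```python
"""Added example: spotting stolen-credential use in authentication logs.
Not part of the original post; log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp user src_ip country result
SAMPLE_LOG = """\
2015-04-13T08:00:01 alice 203.0.113.5 US success
2015-04-13T08:02:10 bob 203.0.113.5 US failure
2015-04-13T08:02:11 carol 203.0.113.5 US failure
2015-04-13T08:02:12 dave 203.0.113.5 US failure
2015-04-13T08:02:13 erin 203.0.113.5 US failure
2015-04-13T08:02:14 frank 203.0.113.5 US success
2015-04-13T09:15:00 alice 198.51.100.7 DE success
2015-04-13T12:00:00 grace 192.0.2.9 US success
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "result": result})
    return events


def credential_stuffing_sources(events, window=timedelta(minutes=5), min_users=4):
    """Source IPs that attempt logins for >= min_users distinct accounts within `window`.

    A real user rarely types several different usernames from one address in a
    few minutes; an attacker replaying a harvested credential list does.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):            # sliding window over this IP's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                flagged.add(ip)
                break
    return sorted(flagged)


def impossible_travel(events, max_gap=timedelta(hours=2)):
    """Users with two successful logins from different countries within max_gap.

    Only successes matter here: the stolen credential is valid, so the login
    works, and the anomaly is where it came from, not whether it was accepted.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= max_gap:
                flagged.append((user, prev["country"], cur["country"]))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", credential_stuffing_sources(evs))
    print("impossible travel:", impossible_travel(evs))
```

Both checks are deliberately simple; the point is that neither needs the password to be wrong. In practice you would feed them from your VPN, SSO or web server logs and tune the window and country logic to your user base (a sales team that flies a lot will need a larger gap or a velocity calculation).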
Phishing is on the rise, from being used in less than 5% of breaches in 2011 to more than 20%. And for good reason: it's effective. For a campaign with just 10 emails, there is a greater than 90% chance that at least one person will fall for it. So what can you do about this? Email filtering can't catch every phishing message, particularly the more sophisticated ones (i.e. the ones we're more likely to fall for). SANS recommends security awareness and training for minimizing the phishing threat, as well as improved detection and response capabilities for the inevitable ones that get through.
Keep patching all the things
The DBIR has always emphasized getting the basics right. This year the report looked at vulnerabilities in more detail, with some interesting insights. About half of the vulnerabilities exploited in 2014 were compromised within a month of their CVE being published, meaning the late nights/early mornings you spent patching Heartbleed, POODLE and Sandworm were probably time well spent. But besides these famous vulnerabilities, what else should you be patching? Well, the presence of a vulnerability in exploit databases such as Metasploit and ExploitDB is 'the single most reliable predictor of exploitation in the wild'. And don't forget about the older vulnerabilities: 99.9% of exploited vulnerabilities were compromised more than a year after their CVE was published, and of the CVEs exploited in 2014, more than 90 were published back in 2007.
How Rapid7 can help
Rapid7 UserInsight can help you automatically detect the number 1 attack vector, compromised credentials, as well as improve your detection and response capabilities. With Nexpose's advanced scoring algorithm, RealRisk™, you can prioritize critical vulnerabilities for patching, taking into account the availability of public exploits and vulnerability age. And if you're worried about phishing attacks, Rapid7 offers security awareness training to reduce your users' susceptibility. With Metasploit Pro, you can simulate phishing campaigns to test the effectiveness of the training.
Well that's all from me for now. There's a lot more info in the report than what we've covered here, so I'm sure we'll see much more analysis going forward. Let us know your thoughts on the report and if there are other critical insights that we haven't highlighted. Happy reading!
Join me on Friday April 17th @ 11am E.T. for a live webcast on the Top Takeaways from the Verizon 2015 DBIR and what it means for you. Register here: https://information.rapid7.com/top-takeaways-from-the-2015-verizon-dbir.html