Rapid7 Blog

Verizon DBIR  

2017 Verizon Data Breach Report (DBIR): Key Takeaways

The much-anticipated, tenth-anniversary edition of the Verizon DBIR has been released (http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/), once again providing a data-driven snapshot into what topped the cybercrime charts in 2016. There are just under seventy-five information-rich pages to go through, with topics ranging from distributed denial-of-service (DDoS) to ransomware, prompting us to spin a reprise edition of last year's DBIR field guide (/2016/04/29/the-2016-verizon-data-breach-investigations-report-the-defenders-perspective).

Before we bust out this year's breach-ography, let's set a bit of context. The Verizon DBIR is digested by a diverse community, but the lessons found within are generally aimed at defenders in organizations who are faced with the unenviable task of detecting and deterring the daily onslaught of attacks and attackers. This post is also aimed at that audience. As you go through the Verizon DBIR, there should be three guiding principles at work:

• How do I use this information to improve my organization's threat response time?
• How do I use this information to improve my resistance strength (http://www.fairinstitute.org/blog/threat-capability-and-resistance-strength-a-weight-on-a-rope)?
• How do I use this information to increase the time it takes attackers to accomplish their goals?

Time to fire up the jukebox and see what's inside.

The Detection-Deficit is Dead…Long Live the Defender's Differential!

The first chart I always went to in the DBIR was the Detection-Deficit chart. Said chart “compared the percentage of breaches where the time-to-compromise was days or less against the percentage of breaches where the time-to-discovery was days or less” (VZDBIR, pg 8). It's no longer an artifact in the Verizon DBIR. The Verizon Security Research team provided many good reasons for not including the chart in the report, and also noted several caveats about the timings that you should take time to consider.

But you still need to be tracking similar metrics in your own organization to see if things are getting better or worse (things rarely hold steady in infosec land). We've taken a cue from the DBIR and used their data to give you two new metrics to track: the “Exfiltration-Compromise Differential” and the “Containment-Discovery Differential”. The former chart shows a band created by comparing the percentage of breaches where exfiltration (you can substitute or add in other accomplished attacker goals) was in “days or less” (in other words, less than seven days) to the percentage where initial compromise was “days or less”. This band should be empty (all attacker events took days or longer) or as tiny as possible. The latter does the same to compare the defender's ability to detect and contain attacker activity. That band needs to be as YUGE as you can make it (aligned to your organization's risk and defense spending appetites). As noted in the Verizon DBIR, things aren't getting much better (or worse) when looked at in aggregate, but I'm hopeful that organizations can make progress in these areas as tools, education, techniques and processes continue to improve.

Some other key takeaways in the “Breach Trends” section include:

• The balance between External and Internal actors has ebbed and flowed at about the same pace for the past 7 years, meaning Figure 2 does not validate the ever-present crusade by your Internal Audit department to focus solely on defending against rogue sysadmins. There is a cautionary tale here, though: many of the attacks marked as “internal” were actually committed by external attackers who used legitimate credentials to impersonate internal users.
• We have finally reached the Threat Action Trifecta stage, with Social, Malware and Hacking reigning supreme (and likely to do so for some time to come).
• Financial gain and stealing secrets remain primary motives (and defending against those who seek your secrets may become job #1 over the coming years if Figure 3 continues the trend).

Team DBIR also provided a handy punch-card for you in Figure 9: it's your “at-a-glance” key to the 2016 chart-toppers by industry. Keep it handy as you sit in your post-DBIR-launch roadmap adjustment meetings (you do have those, right?).

The Secret Life of Enterprise Vulnerability Management (Guest starring IoT)

Verizon has many partners who provide scads of vulnerability data, and the team took a very interesting look at patching in the intro section preceding the individual industry dives. Verizon gives a solid, technical explanation of this chart, so we'll focus on how you should benchmark your own org against it. Find your industry (NAICS codes are here: https://www.census.gov/eos/www/naics/ but you can also Google™ “COMPANY_NAME NAICS” and usually get a quick result) on the right, then hit up your vulnerability and patch management dashboards to see if you meet or beat expectations. If you're a college, do you patch more than 12% of vulns in 12 weeks' time? If you're in a hospital, do you meet the 77% bar? The chart is based on real data from many organizations. You may have some cognitive dissonance reading it, because we constantly hear how awesome, well-resourced financial institutions are at IT & security and the converse for industries such as Healthcare. One way to validate these findings is to start tracking this data internally, then get your ISAC partners (you are aligned with one — or more — information sharing and analysis centers, right?) to do the same and compare notes a few times a year. You also need to define your own targets and use your hit/miss ratio as a catalyst for process improvement (or funding for better tooling). But wait…there's more!
Keep one finger on page 13 and then flip to Appendix B to get even more information on vulnerability management, including this chart. Network ops folks patching on 90-day cycles shouldn't really surprise anyone (we need to keep those bits and bytes flowing, and error-free high-availability switchover capability is expensive), but take a look at the yellow-ish line. First, do you even track IoT (Internet of Things, i.e. embedded) patching? And, if you do — or when you start to after reading this — will you strive to do better than “take 100 days to not even get half the known vulns patched”? IoT is a blind-spot in many (most) organizations, and this chart is a great reminder that you need to care about, inventory/locate, and track IoT in your environment.

Industrial Development

Unfortunately, digesting the various Industry sections of the Data Breach Investigations Report is an exercise that you must — dear reader — undertake on your own, but they are a good resource to have for planning or security architecture development sessions. Find your industry (see the previous section in this post), note the breach frequency (they'll likely have fixed the bug in the Accommodation section by the time our blog post drops), top patterns, actor information and compromise targets, and compare your 2016 to the overall industry 2016. Note the differences (or similarities) and adjust accordingly. The DBIR team provides unique details and content in each industry section to help you focus on the differentials (the unique incident characteristics that made one industry different from another). As you go through each, do not skip over the caveats.
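The two metric ideas from earlier in this post, the Defender's Differential bands and the patch-latency benchmark (share of vulns patched within a window, per asset class including IoT), both reduce to the same computation: what fraction of timeline values fall within a threshold. The following is an added example, not the DBIR's or Rapid7's own code. All breach timelines and patch records in it are constructed sample data; the asset-class names, the 84-day (12-week) window and the "days or less" meaning of under seven days are assumptions taken from this post rather than from the report's methodology. It also handles one trap the post does not spell out: a vulnerability disclosed less than a full window ago cannot yet be judged against that window and is left out of the rate.

```python
"""Defender's Differential bands and a patch-latency benchmark from timeline data.

Added example: the breach timelines and patch records below are constructed sample
data, not DBIR figures. "Days or less" follows the post: strictly under seven days.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

DAYS_OR_LESS = 7  # the DBIR "days or less" bucket, i.e. strictly under one week


@dataclass
class BreachTimeline:
    """Days from first attacker action to each milestone; None means never observed."""
    case_id: str
    compromise: float
    exfiltration: Optional[float]
    discovery: Optional[float]
    containment: Optional[float]


@dataclass
class PatchRecord:
    """One vulnerability instance: day disclosed and day patched (None if still open)."""
    asset_class: str      # constructed classes: "server", "network", "iot"
    disclosed_day: int
    patched_day: Optional[int]


def fraction_within(values: Iterable[Optional[float]], threshold: float,
                    inclusive: bool = False) -> float:
    """Share of values within threshold; None (event never happened) counts as not within."""
    vals = list(values)
    if not vals:
        return 0.0
    hits = sum(
        1 for v in vals
        if v is not None and (v <= threshold if inclusive else v < threshold)
    )
    return hits / len(vals)


def differentials(cases: List[BreachTimeline]) -> Dict[str, Tuple[float, float, float]]:
    """The two bands the post proposes, each as (share_a, share_b, band width).

    Exfiltration-Compromise: share of breaches with compromise in days or less versus
    exfiltration in days or less; the post wants this band empty or as tiny as possible.
    Containment-Discovery: the defender-side counterpart (discovery versus containment);
    the post wants that one as wide as you can make it.
    """
    comp = fraction_within((c.compromise for c in cases), DAYS_OR_LESS)
    exfil = fraction_within((c.exfiltration for c in cases), DAYS_OR_LESS)
    disc = fraction_within((c.discovery for c in cases), DAYS_OR_LESS)
    cont = fraction_within((c.containment for c in cases), DAYS_OR_LESS)
    return {
        "exfiltration_compromise": (comp, exfil, abs(comp - exfil)),
        "containment_discovery": (disc, cont, abs(disc - cont)),
    }


def patch_rate(records: List[PatchRecord], window_days: int, as_of_day: int) -> Dict[str, float]:
    """Share of vulnerabilities per asset class remediated within window_days of disclosure.

    Findings disclosed less than window_days before as_of_day have not had a full window
    yet and are excluded; counting them would distort the rate in either direction.
    """
    by_class: Dict[str, List[Optional[int]]] = {}
    for r in records:
        if as_of_day - r.disclosed_day < window_days:
            continue  # right-censored: cannot be judged against this window yet
        latency = None if r.patched_day is None else r.patched_day - r.disclosed_day
        by_class.setdefault(r.asset_class, []).append(latency)
    return {k: fraction_within(v, window_days, inclusive=True) for k, v in sorted(by_class.items())}


# Constructed sample data (not from any report).
SAMPLE_BREACHES = [
    BreachTimeline("A", compromise=0.1, exfiltration=2, discovery=40, containment=45),
    BreachTimeline("B", compromise=1, exfiltration=20, discovery=3, containment=5),
    BreachTimeline("C", compromise=30, exfiltration=None, discovery=60, containment=None),
    BreachTimeline("D", compromise=0.5, exfiltration=5, discovery=120, containment=130),
]
SAMPLE_PATCHES = [
    PatchRecord("server", 0, 10), PatchRecord("server", 0, 100),
    PatchRecord("server", 50, None), PatchRecord("server", 150, None),
    PatchRecord("iot", 0, 95), PatchRecord("iot", 10, 60), PatchRecord("iot", 20, None),
    PatchRecord("network", 0, 84), PatchRecord("network", 0, 90),
]

if __name__ == "__main__":
    for name, (a, b, gap) in differentials(SAMPLE_BREACHES).items():
        print(f"{name}: {a:.0%} vs {b:.0%}, band width {gap:.0%}")
    for cls, rate in patch_rate(SAMPLE_PATCHES, window_days=84, as_of_day=200).items():
        print(f"{cls}: {rate:.0%} patched within 12 weeks")
```

Run it once a quarter over your own incident and patch records and keep the per-quarter numbers; the trend line is what tells you whether the bands are moving the way the post asks for.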
The authors of the report spend a great deal of time sifting through details and will often close out a section with important information that may change your perspective on a given area, such as this closing caveat in the Retail section: “This year we do not have any large retailers in the Point of Sale Intrusions pattern, which is hopefully an indicator of improvements and lessons learned. We are interested in finding out if smaller retailers also learned this lesson, or if single small breaches just aren't making it into our dataset.”

The Last Waltz: Dancing Through Incident Classification Patterns

We'll close with an overview of the bread-and-butter (or, perhaps, avocado toast?) of the DBIR: the incident classification patterns. Figures 33 & 34 provide the necessary contextual overview: breaches hurt, but incidents happen with more regularity, so you need to plan for both. First, compare overall prevalence for each category to what your own org saw in 2016 so you understand your own, unique view. Next, make these sections actionable. One of the best ways to get the most out of the data in each of the Patterns sections is to take one or two key details from each that matter to your industry (they align the top ones in each category) and design either tabletop or actual red-team exercise scenarios that your org can run through. For example, design a scenario where attackers have obtained a recent credential dump and have targeted your employee HR records (yes, I took the easy one from Figure 52, page 58). MITRE has a decent “Cyber Exercise Playbook” (https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf) you can riff off of if you don't have one of your own to start with.

Coda

This is the first year Rapid7 has been a part of the DBIR corpus, and we want to end with a shout-out to the entire DBIR team for taking the time to walk through our incident/breach-data contributions with us. We look forward to contributing more — and more diverse — data in reports to come.

Attackers Take Advantage Of The Options You Give Them - Malware vs. Credentials

When InsightIDR was purpose-built to detect compromised credentials in the first months of 2014, we did so because we identified a significant gap in the detection solutions then available to security teams. The 2014 Verizon DBIR just happened to subsequently quantify the size of this gap (and it has repeated in 2015 and 2016). User behavior analytics, as an industry, emerged to cover this gap in SIEM and other solutions. This does not mean that malware is not heavily used in attacks today, but there is a great deal of prevention and detection already in place for malware, and you need to detect more malicious activity than malware alone.

Perfect malware detection can detect less than one-third of attacker actions

Antivirus vendors first started to release consumer software around 1990. In the twenty-four years since that time, a great deal of innovation has occurred in the realm of both (a) malware development and (b) malware detection. Attackers have created full supply chains for malware, the most famous of which was around the Zeus Trojan (which is still around!), and malware detection now ranges from the modern evolution of that original antivirus software to the more innovative solutions of the past few years that leverage sandboxing and kernel-layer software agents. None of these solutions, on its own, can completely stop malware from reaching your organization or claim to detect its operation 100% of the time. However, by layering a few of these solutions and some perimeter defenses, your organization can detect a sizable contingent of malware in the wild. What any red team can tell you is that today's attackers can breach your organization using the "attack tools" that often double as administrator tools, like Windows Credential Editor (WCE) and PsExec.

Just as more usable software has made it possible to receive Facebook updates from our grandparents, improved software has enabled criminals with serviceable technical skills to manually attempt to run exploits and use stolen credentials to compromise your organization. This rise in malicious acts that can be, and are, carried out against networks without any automated malicious software (malware) is what concerned us. Verizon places these acts into the "hacking" bucket, whereas the theft or guessing of your credentials is in the "social" bucket. As you can see from their data, these two categories of actions have comprised more than half of all malicious activities since 2008 and represented over two-thirds of all "threat actions" in 2013. It makes sense when you consider the return on investment that I discussed in my previous post.

Two well-publicized attacks show just how little malware is used in some attacks

It is likely that you remember hearing the news that RSA was attacked in 2011. I have no doubt that you know a great deal about the Target breach in 2013. Even the hack of The Hacking Team in 2015 is a perfect example. If you look at these breaches, of which more details have been made public than almost any in history, you can see just how little malware is sometimes used by attackers. For good reason, a lot of detail is never released to the public, but what we do know is that malware played two very different roles in these breaches:

• Once as the initial entry point into RSA's network via email attachment, before a great deal of lateral movement with scraped credentials and hashes.
• Once as a means to scrape credit card details from memory on point-of-sale systems, after initially entering the Target network and moving laterally to those systems with credentials stolen from Target's HVAC vendor.

In both cases, there were a lot more malicious actions involving stolen credentials than malware, and neither was what led to detection in either attack. Malware was not the only option to enter RSA and it was not the only way to get credit card data out of Target; in both cases, it was just what worked. From the information available on the non-POS portion of the Target breach, the personal information of millions of Americans (including mine) was not stolen with malware, either.

Think like an attacker: they use malware when it suits them

At Rapid7, our research team, services organization, and product teams are constantly challenged to "think like an attacker," whether that means helping you to defend your organization, simulate attacks with exploits, credentials, and social engineering, or to detect attacks as early as possible. If I ask some of our experts how to get in and get data out, their response is always "it depends on what works." As long as attackers are able to stay undetected while they experiment, there is a great deal of iteration in their process:

• Entry: Try using some mass-market malware because you might get lucky. That didn't work? Okay, try phishing a user for their credentials. That didn't work? Okay, use your expensive 0-day.
• Data theft: Install some malware on a processing system. Cannot find anything valuable? Okay, try reading data straight out of a database.

Any one attacker may be partial to initially trying malware or impersonating users at any stage of an attack, but they are willing to use either to find success. If all of your defenses are focused on preventing and detecting malware, they are going to lean on their other tools to compromise your network and move from system to system. If you want to successfully detect the attackers, you need to have solutions for detecting both malware and compromised credentials to maximize your chances. If you want to learn more about how InsightIDR can increase your chances of detecting malicious activity, please contact us to schedule an InsightIDR demo. We think you will appreciate our approach. Not ready for a demo? See how Rapid7 products and services help you detect attacks leveraging compromised credentials here.
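The post argues that lateral movement with stolen credentials (valid logons, administrator tooling, no malware) is what malware-centric defenses miss. As an added illustration, not InsightIDR's or Rapid7's code, here are two of the simplest checks a user behavior approach builds on, run over constructed authentication log lines: an account fanning out to an unusual number of distinct hosts in a short window, and an account succeeding on a host outside its known baseline. The log format, the host names, the 30-minute window and the three-host threshold are all assumptions for the example; a real deployment would tune the threshold per account type.

```python
"""Detecting stolen-credential lateral movement from authentication logs.

Added example, not Rapid7 or InsightIDR code. Two checks a user behavior analytics
approach relies on: (1) one account authenticating successfully to an unusual number
of distinct hosts inside a short window, and (2) a successful logon to a host the
account has never used before. The log format and every event below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_event(line: str) -> Optional[dict]:
    """Return the parsed fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def successful_logons(lines: List[str]) -> Dict[str, List[dict]]:
    """Group successful logons by account, oldest first; failures are not counted here."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    for evs in by_user.values():
        evs.sort(key=lambda e: e["ts"])
    return by_user


def host_fanout_alerts(lines: List[str], window: timedelta = timedelta(minutes=30),
                       max_hosts: int = 3) -> List[Tuple[str, datetime, List[str]]]:
    """Flag accounts reaching more than max_hosts distinct hosts within a sliding window.

    Admin tooling reused by attackers (the post names WCE and PsExec) leaves exactly this
    shape: valid credentials, many hosts, little time. One alert per account is enough.
    """
    alerts = []
    for user, evs in successful_logons(lines).items():
        recent: deque = deque()
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()  # drop logons that fell out of the window
            hosts = {e["dst"] for e in recent}
            if len(hosts) > max_hosts:
                alerts.append((user, ev["ts"], sorted(hosts)))
                break
    return alerts


def new_host_alerts(lines: List[str], baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Flag (user, host) pairs where the account succeeded on a host outside its baseline."""
    seen = set()
    alerts = []
    for user, evs in successful_logons(lines).items():
        for ev in evs:
            key = (user, ev["dst"])
            if ev["dst"] not in baseline.get(user, set()) and key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts


# Constructed sample log: svc_backup normally only touches BACKUP01, yet here it is used
# from jdoe's workstation address against four other hosts in eight minutes.
SAMPLE_LOG = [
    "2016-05-02T09:00:12Z user=jdoe src=10.0.5.21 dst=WS-042 result=success",
    "2016-05-02T09:01:40Z user=svc_backup src=10.0.5.21 dst=FS01 result=success",
    "2016-05-02T09:03:05Z user=svc_backup src=10.0.5.21 dst=FS02 result=success",
    "2016-05-02T09:04:51Z user=svc_backup src=10.0.5.21 dst=DC01 result=failure",
    "2016-05-02T09:05:30Z user=svc_backup src=10.0.5.21 dst=DC01 result=success",
    "2016-05-02T09:09:17Z user=svc_backup src=10.0.5.21 dst=HR-DB01 result=success",
    "2016-05-02T12:30:00Z user=jdoe src=10.0.5.21 dst=WS-042 result=success",
    "garbage line that should be skipped",
]
SAMPLE_BASELINE = {"jdoe": {"WS-042"}, "svc_backup": {"BACKUP01"}}

if __name__ == "__main__":
    for user, when, hosts in host_fanout_alerts(SAMPLE_LOG):
        print(f"fan-out: {user} reached {len(hosts)} hosts by {when:%H:%M}: {', '.join(hosts)}")
    for user, host in new_host_alerts(SAMPLE_LOG, SAMPLE_BASELINE):
        print(f"new host: {user} -> {host}")
```

Neither check needs a malware signature; both need only the logon records you already collect and a notion of what each account normally does, which is the point the post makes about where the detection gap sits.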

Lessons Learned in Web Application Security from the 2016 DBIR

We spent last week hearing from experts around the globe discussing what web application security insights we have gotten from Verizon's 2016 Data Breach Investigations Report. Thank you, Verizon, and all of your partners for giving us a lot to think about! We also polled our robust Rapid7 Community, asking them what they have learned from the 2016 DBIR. We wanted to share some of their comments as well.

Quick Insights from the Rapid7 Community

> "I find that the Verizon Data Breach Investigation Report is a good indication of the current environment when it comes to the threat climate - I use it to prioritize what areas and scenarios I spend the most time focusing resources upon. For my environment, the continued shrinking of time between vulnerability disclosure and exploit is very important. For offices like mine with a small staff, identifying and applying patches in an ever more strategic manner is key. I think vendors who successfully market intelligent heterogeneous automated patching systems will start to see big gains in sales. And those that can tie it to scanning/compliance/reporting/attack suites are going to be even better positioned in the market."
> Scott Meyer, Sr. Systems Engineer at United States Coast Guard

> "The internet is evolving, and greater complexity creates greater risk by introducing new potential attack vectors. Attackers aren't always after data when targeting a web application. Frequently sites are re-purposed to host malware or as a platform for a phishing campaign. Website defacements are still prevalent, accounting for roughly half of the reported incidents."
> Steven Maske, Sr. Security Engineer

> "Train, train, and retrain your users. Use proper coding. Really, we still fall victim to SQLi? Two factor authentication is still king. Limit download to x to prevent complete data exfiltration"
> Jack Voth, Sr. Director of Information Technology at Algenol Biotech

Lessons Learned from the 2016 Verizon Data Breach Report

Each lesson learned from the DBIR is followed by the strategies to implement:

1. Web application attacks are a primary vector.
• Start security testing your applications today.
2. No industry is immune, but some are more affected than others.
• Focus on the attack patterns that your industry is experiencing.
• Know your enemy's motivation.
3. Unvalidated inputs continue to plague our web applications.
• Validate your inputs.
• Train and retrain your developers.
• Keep in mind that software security issues are software defects.
• Conduct regular dynamic application security testing (DAST) assessments to find unvalidated inputs.
4. Web applications are evolving, and so should your application security program.
• Make sure your skills and tools are up to snuff with the latest dynamic and complex applications.
• Ask your vendors if their tools handle dynamic clients, RESTful APIs and Single Page Applications. Learn why this is important and what questions you need to ask vendors in this quick video.
5. Different industries have different enemies.
• Know who and what you are defending against. Grudge or money?
6. There are so many free and fabulous resources. Use them!
• Get involved with OWASP today!

How Rapid7 Can Help

Rapid7's AppSpider, a Dynamic Application Security Testing (DAST) solution, finds real-world vulnerabilities in your applications from the outside in, just as an attacker would. AppSpider goes beyond basic testing by enabling you to build a truly scalable web application security program. You can watch an on-demand demo of AppSpider here if you are interested in learning more.

Deeper application coverage

The AppSpider development team keeps up with evolving web application technologies so that you don't have to. From AJAX and REST APIs to Single Page Applications, we're committed to making sure that AppSpider assesses as much of your applications as is possible, so that you can rely on AppSpider to find unvalidated inputs and a host of other vulnerabilities in your modern web applications. View our quick video to learn how to achieve deeper web application coverage with your web app scanner.

Breadth of web app attack types

From unvalidated inputs to information disclosure, with more than 50 different attack types, we've got you covered. AppSpider goes way beyond the OWASP Top 10 attack types, including SQL Injection and Cross Site Scripting (XSS); we test for every custom attack pattern that can be tested by software. This leaves your team more time and budget to test the attack types that require human-like business logic testing.

Application security program scalability

AppSpider is designed to help you scale your application security testing program so that you can conduct regular testing across hundreds or thousands of applications throughout the software development lifecycle.

Dynamic Application Security Testing (DAST) earlier in the SDLC

AppSpider comes with a host of integrations that enable you to drive application security earlier into the SDLC through Continuous Integration (like Jenkins), issue tracking (like Jira) and browser integration testing (like Selenium). Our customers are successfully collaborating with their developers and building dynamic application security testing earlier into the SDLC.

You may also be interested in these blog posts that also offer perspective on the 2016 Verizon DBIR:
• Social Attacks in Web App Hacking - Investigating Findings of the DBIR
• 3 Web App Sec-ian Takeaways From the 2016 DBIR
• 2016 DBIR & Application Security: Let's Get Back to the Basics Folks
• The 2016 Verizon Data Breach Investigations Report (DBIR) - A Web Application Security Perspective

2016 Verizon Data Breach Report: Vulnerability Management Takeaways

This year's 2016 Verizon Data Breach Investigations Report has plenty of juicy data to pore over, and for the past week we've been providing recommendations for ways to improve your security program and stop attackers. The report didn't provide any huge surprises, except for the fact that everything that was bad just keeps getting worse. Thus, we've had some great posts from my teammates focused on the Verizon Data Breach Investigations Report and how it affects the incident detection and response landscape (from Eric Sun) and the web app security space (from Kim Dinerman). But today it's time to talk vulnerability management.

Vulnerability management has been around for a long time, and if there's one thing we've learned, it's that practically every attack outlined in the Verizon Data Breach Investigations Report or any other industry report still involves an exploited vulnerability at some point. The DBIR provides some key controls to implement to get a handle on the never-ending growth of new vulnerabilities, and wouldn't you know it, they match up perfectly to some of the key reasons our customers love Nexpose.

1. Focus on what the bad guys look for first

The DBIR describes patching vulnerabilities as a “Sisyphean struggle," with more vulnerabilities being released every week. Keeping pace is difficult. To stop endlessly running up that hill (bonus points if you get the 80s Kate Bush reference), they recommend you “establish a process for vulnerability remediation that targets vulnerabilities which attackers are exploiting in the wild, followed by vulnerabilities with known exploits or proof-of-concept code." Basically, prioritize the vulnerabilities and get that stuff done first, but remember that you have to look beyond CVSS.

Here to help: This is what Nexpose is all about! We're still the only solution that automatically factors known exploits into our risk scoring (including how easy the exploit is to use), and with Metasploit Pro, you can validate your vulnerabilities to see which ones an attacker could exploit in real time. Check out this quick video to see how easy it is to scan for vulnerabilities with Nexpose and then validate your vulnerabilities with Metasploit Pro.

2. Identify what can't be fixed, and come up with a plan to mitigate it

Many companies have critical systems running on legacy software that they can't update without impacting their business; that doesn't mean you can ignore the risk. Use a defense-in-depth policy to create mitigating controls for these flaws, so that if you have to leave a hole in the wall open, make damn sure it's fortified (think the wall tunnel in Game of Thrones).

Mag the Mighty, only slightly scarier than attackers

Here to help: Nexpose makes it really easy to create exceptions for these vulnerabilities and remove them from reports, as well as set expiration dates and approval chains to make sure you revisit them when you can. You can also use Metasploit to validate those compensating controls and make sure they're blocking the bad guys the way they should.

3. Use vulnerability management to figure out what's new in your environment

Regular vulnerability scanning is like flossing in between going to the dentist; it's a great way to keep up on security hygiene, and the DBIR suggests you use it to identify unknown assets and deviations from standard configurations.

Here to help: Nexpose has baseline comparison and trending reports to make it easy to see what's new, and with adaptive security you can set up Nexpose to automatically scan and catalog new devices as they enter the network, removing a lot of the legwork that comes with today's rapidly shifting environments. To learn more about adaptive security, check out this on-demand webcast.

We'd love to hear your thoughts on these controls and how you're meeting them now! If you haven't already, be sure to get a trial of Nexpose and/or Metasploit and take them for a spin!
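The first two controls above describe a remediation order (exploited in the wild, then known exploit or proof-of-concept, then the rest, never CVSS alone) and a way to park what cannot be fixed without losing track of it (an exception with an expiry date). The block below is an added example of both, written here and not taken from Nexpose, Metasploit or the DBIR. Every identifier, score and date in it is a constructed placeholder (the "VULN-000n" ids are not CVEs), and the "exploited in the wild" and "public exploit" flags are assumed to come from whatever intelligence feed you already have.

```python
"""Remediation ordering and exception tracking for the DBIR's first two controls.

Added example, not Nexpose or Metasploit code. Control 1: fix what is exploited in the
wild first, then what has a public exploit or proof of concept, then everything else,
so CVSS alone never decides the order. Control 2: a vulnerability that cannot be fixed
gets a documented exception with an expiry date so it is revisited, not forgotten.
All identifiers, scores and dates below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # placeholder id, not a real CVE
    asset: str
    cvss: float
    exploited_in_wild: bool  # observed in attacker use (from your intel feed)
    public_exploit: bool     # exploit module or proof-of-concept code is available
    asset_criticality: int   # 1 (low) to 3 (business critical)


@dataclass(frozen=True)
class RiskException:
    """A finding deliberately left open, with the compensating control and a review date."""
    vuln_id: str
    asset: str
    reason: str
    expires: date


def remediation_tier(v: Vuln) -> int:
    """0 = exploited in the wild, 1 = public exploit/PoC, 2 = nothing known yet."""
    if v.exploited_in_wild:
        return 0
    if v.public_exploit:
        return 1
    return 2


def prioritize(vulns: List[Vuln], exceptions: List[RiskException],
               today: date) -> Tuple[List[Vuln], List[RiskException]]:
    """Return (work queue, expired exceptions to revisit).

    Findings covered by an unexpired exception are left out of the queue; once the
    exception expires the finding comes back into the queue and the exception is
    reported for review. Within a tier, more critical assets and higher CVSS come first.
    """
    active = {(e.vuln_id, e.asset) for e in exceptions if e.expires >= today}
    expired = [e for e in exceptions if e.expires < today]
    queue = [v for v in vulns if (v.vuln_id, v.asset) not in active]
    queue.sort(key=lambda v: (remediation_tier(v), -v.asset_criticality, -v.cvss))
    return queue, expired


# Constructed sample findings and exceptions (placeholders, not real data).
SAMPLE_VULNS = [
    Vuln("VULN-0001", "web01", 9.8, exploited_in_wild=False, public_exploit=False, asset_criticality=2),
    Vuln("VULN-0002", "mail01", 6.5, exploited_in_wild=True, public_exploit=True, asset_criticality=1),
    Vuln("VULN-0003", "db01", 7.5, exploited_in_wild=False, public_exploit=True, asset_criticality=3),
    Vuln("VULN-0004", "db01", 5.0, exploited_in_wild=False, public_exploit=True, asset_criticality=3),
    Vuln("VULN-0005", "scada01", 9.0, exploited_in_wild=False, public_exploit=False, asset_criticality=3),
    Vuln("VULN-0006", "kiosk02", 8.0, exploited_in_wild=False, public_exploit=True, asset_criticality=2),
]
SAMPLE_EXCEPTIONS = [
    RiskException("VULN-0005", "scada01", "vendor OS cannot be patched; segmented and monitored", date(2017, 12, 31)),
    RiskException("VULN-0006", "kiosk02", "awaiting vendor firmware", date(2017, 1, 31)),
]

if __name__ == "__main__":
    queue, expired = prioritize(SAMPLE_VULNS, SAMPLE_EXCEPTIONS, today=date(2017, 6, 1))
    for v in queue:
        print(f"tier {remediation_tier(v)}  {v.vuln_id} on {v.asset}  cvss {v.cvss}")
    for e in expired:
        print(f"revisit: exception for {e.vuln_id} on {e.asset} expired {e.expires}")
```

Note how the CVSS 9.8 finding lands last: with no exploit known it sits in the third tier, behind a CVSS 6.5 issue that is being exploited in the wild, which is exactly the "look beyond CVSS" point.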

Social Attacks in Web App Hacking - Investigating Findings of the DBIR

This is a guest post from Shay Chen, an Information Security Researcher, Analyst, Tool Author and Speaker, the guy behind the TECAPI, WAVSEP and WAFEP benchmarks.

Are social attacks that much easier to use, or is it the technology gap of exploitation engines that makes social attacks more appealing?

While reading through the latest Verizon Data Breach Investigations Report, I naturally took note of the Web App Hacking section, and noticed the diversity of attacks presented under that category. One of the most notable elements was how prominent the use of stolen credentials and social vectors in general turned out to be, in comparison to "traditional" web attacks. Even SQL Injection (SQLi), probably the most widely known (by humans) and supported attack vector (by tools), is far behind, and numerous application-level attack vectors are not even represented in the charts.

Although it's obvious that in 2016 there are many additional attack vectors that can have a dire impact, attacks tied to the social element are still much more prominent, and the “traditional” web attacks being used all seem to be attacks supported out-of-the-box by the various scan engines out there.

It might be interesting to investigate a theory around the subject: are the attackers limited to attacks supported by commonly available tools? Are they further limited by the engines not catching up with the recent technology complexity?

With the recent advancements and changes in web technologies (single page applications, applications referencing multiple domains, exotic and complicated input vectors, scan barriers such as anti-CSRF mechanisms and CAPTCHA variations) even enterprise-scale scanners have a hard time scanning modern applications in a point-and-shoot scenario, and the typical single page application may require scan policy optimization to get it to work properly, let alone get the most out of the scan.

Running phishing campaigns still requires a level of investment/effort from the attacker, at least as much as the configuration and use of capable, automated exploitation tools. Attackers appear to be choosing the former, and that's a signal that presently there is a better ROI for these types of attacks.

If the exploitation engines that attackers are using face the same challenges as vulnerability scanner vendors (catching up with technology) then perhaps the technology complexity for automated exploitation engines is the real barrier that makes the social elements more appealing, and not only the availability of credentials and the success ratio of social attacks.

How about testing it for yourself?

If you have a modern single-page application in your organization (Angular, React, etc.) and some method of monitoring attacks (WAF, logs, etc.), note:
• Which attacks are being executed on your apps?
• Which pages/methods and parameters are getting attacked on a regular basis, and which pages/methods are not?
• Are the pages being exempted technologically complex to crawl, activate or identify?

Maybe complexity isn't the enemy of security after all.

3 Web App Sec-ian Takeaways From the 2016 DBIR

This year's 2016 Verizon Data Breach Report was a great read. As I spend my days exploring web application security, the report provided a lot of great insight into the space that I often frequent. Lately, I have been researching out-of-band and second-order vulnerabilities, as well as how Single Page Applications are affecting application security programs. The following three takeaways are my gut-reaction thoughts on the 2016 DBIR from a web app sec-ian perspective:

1. Assess Your Web Applications Today

Not tomorrow, not next week, today. I don't want to see talented geeks jump on board a hot startup and hear, “Oh, we don't have a security program.” I look at this report and the huge increase in web application attacks wondering how ANYONE could still not be taking their web application security program seriously. Seriously? Let's get serious for a slim second. There has been a dramatic rise in web application attack patterns across all industry verticals, as covered in the research. Three industries, though (entertainment, finance, and information), have seen a larger jump. Web application attacks make up 50% or more of the total breaches, with a notable jump in the finance industry from 31% to 82% in 2016. However, it is suggested that this jump is due to sampling errors introduced from the overwhelming data points linked to Dridex.

2. Fun, Ideology, or Grudge drove most incidents. Money motivated most theft. Few spies were caught.

Although at first eye-numbing stare it appears that all web application hacking motives of 2015 were from grudge-wielding, whistle-blowing people, with no real secret-agent spying going on (though admittedly with a sizable criminal element), when this same data is filtered through ‘confirmed data disclosure,' 95% of the resultant cases appear to be financially motivated, and it becomes much more apparent that data disclosure is all about the money.

3. “I value your input, I just don't trust it.” (p. 30)

Unvalidated input continues to be one of the most fundamental software problems that lead to web application breaches. From the dawn of client/server software to the now modern Single Page Application framework, we have been releasing applications with partially validated inputs, despite the fact that we have known about validating inputs for decades. Unfortunately, this fundamental cultural development flaw will likely not be leaving us anytime soon. Please, if you learn anything from the DBIR, make sure to validate input, folks! In terms of the top 10 threat varieties of 2015, SQL Injection (#7) and Remote File Inclusion (#9) are ever present and are a direct result of trusting input in an unsafe manner. The ‘Recommended Controls' for Web App Attacks section in the DBIR states, "validate inputs, whether it is ensuring that the image upload functionality makes sure that it is actually an image and not a web shell, or that users can't pass commands to the database via the customer name field." This is not to say validation of output is not also of high importance. Rather, it indicates the place where most initial damage can occur, whereby output validation reduces the available information able to be gathered on the target.

That's it for my take on the 2016 Verizon Data Breach Investigations Report. Be sure to check out the Defender's Perspective, written by Bob Rudis.

The 2016 Verizon Data Breach Investigations Report (DBIR) - A Web Application Security Perspective


The 2016 Verizon Data Breach Investigations Report (DBIR) is out and everyone is poring over the report to see what new insights we can take from last year's incidents and breaches. We have not only created this post to look at some primary application security takeaways, but we have also gathered guest posts from industry experts. Keep checking back this week to hear from people living at the front lines of web application security, as well as commentary from several of our customers who provided some quick takeaways that can help you and your team. Let's dive into four key takeaways from this year's DBIR, from an application security point of view.

1. Protect Your Web Applications

Web app attacks remain the most common breach pattern, underscoring what we already know: web applications are a preferred vector for malicious attackers, and they are difficult to protect and secure. The figure below shows that 40% of the breaches analyzed for the 2016 DBIR were web app attacks.

2. Stop Auditing Like It's 1999

We've said this before and we'll say it again. Applications are evolving at a rapid pace and they are becoming more complex and more dynamic with each passing year. From web APIs to Single Page Applications, it's critical that your application security experts not only understand the technologies used in your applications, but also find tools that are able to handle these modern applications. As we pay our respects to the dearly beloved Prince, please, stop testing like it's 1999. Update your application security testing techniques, sharpen your skills, and make sure your tools understand modern applications.

3. No Industry is Immune

No industry is exempt from web app attacks, but some are seeing more breaches than others. For the finance, entertainment, and information industries, web app attacks are the primary attack pattern in reported breaches. For the financial industry, web app attacks are a whopping 82% of their attacks. These industries, in particular, should be assessing and gearing up their web application security programs to ensure optimal investment and attention.

4. Validate Your Inputs

As an industry, we have been talking about unvalidated inputs forever. It feels like we are fighting an uphill battle. We strive to train our developers on secure coding, the importance of input validation, and how to prevent SQL Injection, XSS, buffer overflows, and other attacks that stem from unvalidated and unsanitized inputs. Unfortunately, too many application inputs continue to be vulnerable, and we are swimming against a steady stream of new applications written by developers who continue to repeat the same mistakes.

That's our take on the 2016 Verizon Data Breach Investigations Report. We would love to hear your thoughts in the comments! Please check back throughout the week to hear what some of our favorite web application security experts have to share about their key takeaways and reactions from this year's DBIR. For more perspective on this year's DBIR through an application security lens, check out the rest of the blogs in this series:

- 3 Web App Sec-ian Takeaways From the 2016 DBIR
- Social Attacks in Web App Hacking - Investigating Findings of the DBIR 2016
- DBIR & Application Security: Let's Get Back to the Basics Folks

Be sure to check out The 2016 Data Breach Investigations Report Summary (DBIR) - The Defenders Perspective, by Bob Rudis (aka @hrbrmstr).
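The two input-validation controls quoted from the DBIR in this series (the image upload that must really be an image, and the customer name field that must not reach the database as SQL) are easy to state and easy to get wrong, so here is an added worked example. It is illustration written for this page, not Rapid7's or Verizon's code; the signature allowlist, the in-memory customers table and its two rows are constructed for the demo.

```python
"""Two of the 'validate your inputs' controls quoted from the DBIR, worked as code.
Added example; not Rapid7's or Verizon's code. The signature table, the
customers table and its rows are constructed for the demo."""
import sqlite3

# Leading bytes ("magic numbers") of the image formats this upload endpoint accepts.
# Constructed allowlist; extend it only with formats the application actually renders.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def is_valid_image_upload(filename: str, content: bytes, max_bytes: int = 5_000_000) -> bool:
    """Accept an upload only if the extension is allowlisted, the size is sane and the
    bytes actually start with that format's signature. Checking the content rather than
    the name is what rejects a script saved as 'avatar.jpg'; the extension check rejects
    a real image saved under an executable name like 'avatar.php'."""
    if not content or len(content) > max_bytes:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        return False
    return any(content.startswith(sig) for sig in signatures)


def find_customer_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'customer name field' anti-pattern: the value is spliced into the SQL text,
    so a name containing quote characters changes the query instead of being data."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = '" + name + "'"
    ).fetchall()


def find_customer_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the name as a value, so no content of the
    field can ever be parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def demo_database() -> sqlite3.Connection:
    """In-memory table with two constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    print(is_valid_image_upload("avatar.png", png))  # True
    print(is_valid_image_upload("avatar.png", b"<?php echo 'not an image'; ?>"))  # False
    print(find_customer_safe(demo_database(), "alice"))  # [(1, 'alice')]
```

The upload check validates three independent things (size, extension allowlist, content signature) because each one alone is bypassable; the database pair shows the same lookup with and without parameter binding, and the only difference an attacker can observe is whether a quote character in the name changes the query.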

The 2016 Verizon Data Breach Investigations Report (DBIR) Summary - The Defender's Perspective


Verizon has released the 2016 edition of their annual Data Breach Investigations Report (DBIR). Their crack team of researchers have, once again, produced one of the most respected, data-driven reports in cyber security, sifting through submissions from 67 contributors and taking a deep dive into 64,000 incidents—and nearly 2,300 breaches—to help provide insight on what our adversaries are up to and how successful they've been.

The DBIR is a highly anticipated research project and has valuable information for many groups. Policy makers use it to defend legislation; pundits and media use it to crank out scary articles; other researchers and academics take the insights in the report and identify new avenues to explore; and vendors quickly identify product and services areas that are aligned with the major findings. Yet, the data in the report is of paramount import to defenders. With over 80 pages to wade through, we thought it might be helpful to provide some way-points that you could use to navigate through this year's breach and incident map.

Bigger is…Better?

There are a couple of "gotchas" with data submitted to the DBIR team. The first is that a big chunk of data comes from the U.S. public sector, where there are mandatory reporting laws, regulations, and requirements. The second is the YUGE number of Unknowns. The DBIR acknowledges this, and it's still valuable to look at the data when there are "knowns" even with this grey (okay, ours is green below) blob of uncertainty in the mix.

You can easily find your industry in DBIR Tables 1 & 2 (pages 3 & 4), and if we pivot on that data we can see the distribution of the percentage of incidents that are breaches:

We've removed the "Public (92)" industry from this set to get a better sense of what's happening across general industries. For the DBIR, there were more submissions of incidents with confirmed data disclosure for smaller organizations than large (i.e. be careful out there, SMBs), but there's also a big pile of Unknowns:

We can also take another, discrete view of this by industry:

As defenders, you should be reading the report with an eye for your industry, size, and other characteristics to help build up your threat profiles and help benchmark your security program. Take your incident-to-breach ratio (you are using VERIS to record and track everything from anti-virus hits to full-on breaches, right?) and compare it to the corresponding industry/size.

The Single Most Popular Valuable Chart In The World! (for defenders)

When it comes right down to it, you're usually fighting an economic battle with your adversaries. This year's report, Figure 3 (page 7), shows that the motivations are still primarily financial and that Hacking, Malware and Social are the weapons of choice for attackers. We'll dive into that in a bit, but we need to introduce our take on DBIR Figure 8 (page 10) before continuing:

We smoothed out the rough edges of the figure from the 2016 Verizon Data Breach Report to paint a somewhat clearer picture of the overall trends, and used a complex statistical transformation (i.e. subtraction) to focus on just the smoothed gap:

Remember, the DBIR data is a biased sample from the overall population of cyber security incidents and breaches that occur, and every statistical transformation introduces more uncertainty along the way. That means your takeaway from "Part Deux" should be "we're not getting any better" vs "THE DETECTION DEFICIT TOPPED 75% FOR THE FIRST TIME IN HISTORY!" So, our adversaries are accomplishing their goals in days or less at an ever-quickening success rate while defenders are just not keeping up at all.

Before we can understand what we need to do to reverse these trends, we need to see what the attackers are doing. We took the data from DBIR Figure 6 (page 9) and pulled out the top threat actions for each year, then filtered the result to the areas that match both the major threat action categories and the areas of concern that Rapid7 customers have a keen focus on:

Some key takeaways:

- Malware and hacking events dropping C2s are up
- Key loggers are making a comeback (this may be an artifact of the heavy influence of Dridex in the DBIR data set this year)
- Malware-based exfiltration is back to previously seen levels
- Phishing is pretty much holding steady, which is most likely supporting the use of compromised credentials (which is trending up)

Endpoint monitoring, kicking up your awareness programs, and watching out for wonky user account behavior would be wise things to prioritize based on this data.

Not all Cut-and-Dridex

The Verizon Data Breach Report mentions Dridex 13 times and was very up front about the bias it introduced in the report. So, how can you interpret the data with "DrideRx" prescription lenses? Rapid7's Analytic Response Team notes that Dridex campaigns involve:

- Phishing
- Endpoint malware drops
- Establishment of command and control (C2) on the endpoint
- Harvesting credentials and shipping them back to the C2 servers

This means that—at a minimum—the data behind Data Breach Investigations Report Figures 6-8 & 15-22 impacted the overall findings, and Verizon itself warns about broad interpretations of the Web App Attacks category: "Hundreds of breaches involving social attacks on customers, followed by the Dridex malware and subsequent use of credentials captured by keyloggers, dominate the actions." So, when interpreting the results, keep an eye out for the above components and factor in the Dridex component before tweaking your security program too much in one direction or another.

Who has your back?

When reading any report, one should always check to make sure the data presented doesn't conflict with itself. One way to validate the above detection deficit is to look at DBIR Figure 9 (page 11), which shows (when known) how breaches were discovered over time. We can simplify this view as well:

In the significant majority of cases, defenders have law enforcement agencies (like the FBI in the United States) and other external parties to "thank" for letting them know they've been pwnd. As our figure shows, we stopped being able to watch our own backs half a decade ago and have yet to recover. This should be a wake-up call to defenders to focus on identifying how attackers are getting into their organizations and instrumenting better ways to detect their actions. Are you:

- Identifying critical assets and access points?
- Monitoring the right things (or anything) on your endpoints?
- Getting the right logs into the right places for analysis and action?
- Deploying honeypots to catch activity that should not be happening?

If not, these may be things you need to re-prioritize in order to force the attackers to invest more time and resources to accomplish their goals (remember, this is a battle of economics).

Are You Feeling Vulnerable?

Attackers are continuing to use stolen credentials at an alarming rate, and they obtain these credentials through both social engineering and the exploitation of vulnerabilities. Similarly, lateral movement within an organization also relies—in part—on exploiting vulnerabilities. DBIR Figure 13 (page 16) shows that as a group, defenders are staying on top of current and year-minus-one vulnerabilities fairly well:

We're still having issues patching or mitigating older vulnerabilities, many of which have tried-and-true exploits that will work juuuust fine. Leaving these attack points exposed is not helping your economic battle with your adversaries, as letting them rely on past R&D means they have more time and opportunity. How can you get the upper hand?

- Maintain situational awareness when it comes to vulnerabilities (i.e. scan with a plan)
- Develop a patching strategy with a holistic focus; don't just react to "Patch Tuesday"
- Don't dismiss mitigation. There are legitimate technical and logistic reasons that can make patching difficult. Work on developing a playbook of mitigation strategies you can rely on when these types of vulnerabilities arise.

"Threat intelligence" was a noticeably absent topic in the 2016 DBIR, but we feel that it can play a key role when it comes to defending your organization when vulnerabilities are present. Your vuln management, server/app management, and security operations teams should be working in tandem to know where vulnerabilities still exist and to monitor and block malicious activity that is associated with targets that are still vulnerable. This is one of the best ways to utilize all those threat intel feeds you have gathering dust in your SIEM.

There and Back Again

This post outlined just a few of the interesting markers on your path through the Verizon Data Breach Report. Keep a watchful eye on the Rapid7 Community for more insight into other critical areas of the report and where we can help you address the key issues facing your organization.

(Many thanks to Rapid7's Roy Hodgman and Rebekah Brown for their contributions to this post.)

Related Resources:

- Watch my short take on this year's Verizon Data Breach Investigations Report.
- Join us for a live webcast as we dig deeper into the 2016 Verizon Data Breach Investigations Report findings. Tuesday, May 10 at 2PM ET/11AM PT. Register now!

Getting Started with VERIS


We did a webcast with @hrbrmstr and @gdbassett from the Verizon team last week, discussing how to get started with VERIS, the Vocabulary for Event Recording and Incident Sharing. If you missed that webcast, check it out! If you joined us, thanks for coming out. We've attached an Excel spreadsheet with a couple of examples to help you get started at VERIS level 2, a couple of layouts to consider using... and we will be providing some updates. Special thanks to Judy Nowak for her hard work on the spreadsheet -- be looking for a blog post from her in the near future!

On our webcast, we did a (laughably un-)scientific survey of how folks were tracking incidents in their organization. There's going to be a sample bias, but the questions we asked here would be useful with your own management.... so discuss them with your team and boss!

Here are some additional resources for getting started with VERIS:

- What is VERIS?
- The VERIS Community Website
- The VERIS Encoder, built to migrate from a standard CSV to JSON for more advanced analysis.
- Verizon's Security Blog
- Verizon's DBIR & VERIS team's GitHub page

If you fancy yourself hungering for something a bit more technical and have data you're ready to play with, here are VERIS R resources:

- https://github.com/vz-risk/veris
- https://github.com/vz-risk/veris_scripts
- https://github.com/jayjacobs/verisr/
- https://github.com/vz-risk/VERISAG
- https://securityblog.verizonenterprise.com/?p=7212

UPDATE: 13 November -- Gabe recorded a video on getting started analyzing incidents using VERIS in Microsoft Excel. If you'd like to work through the example, use the VERISMM example file attached below!

If you've got questions, let us know! We'll be posting more content to help you get rolling shortly.

~@treyford

What is VERIS?


If you'd like to understand more of the nuts and bolts about VERIS, join us for a webcast November 5 2015 at 2pm ET: Understanding VERIS: the DBIR's Secret Decoder Ring

Data-driven security is all the rage, and laughably few of us encode and analyze our programs… and for good reason. It isn't easy. This post will talk about VERIS, a framework for describing security incidents in a precise way.

We all have a plan, a security program, compliance regulations, and super busy calendars—but what is working? The answer is hidden in plain sight; it just needs to be analyzed. And this is why we all love the DBIR. If you aren't familiar with Verizon's DBIR (Data Breach Investigations Report), check it out. I (and most of the industry) consider it the seminal report documenting trends in successful attacks and defensive failures.

Sports analogies are unavoidable here, and I won't apologize for them. The "Monday morning quarterback" is a perfect analogy, and it applies to any sport or activity. When you look back at a performance, just like the coaches do with the quarterback on Monday morning, you discuss more than outcomes; you talk about "what happened" and "why it happened." Structured review, a meaningful critique, is based upon objective and accurate data.

Talking about incidents is hard. People take things personally, public statements are carefully tuned by PR, Marketing, and Legal teams, and security professionals provide perspective to the news on very little in the way of facts—and that makes for difficult takeaways for the rest of us. Incidents happening in-house are often treated in a surprisingly similar fashion: carefully filtered facts get documented in writing, post-mortem reports are often only narrative based, and the observations and lessons learned are limited to point-in-time assessments, or correlated only to recent audit findings or pinned to a convenient project. Meaningful analysis across events requires a commitment to pragmatic event recording: this means structured data… which is why I'm excited to discuss VERIS.

VERIS - Vocabulary for Event Recording and Incident Sharing

"VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner." The overall goal "is to lay a foundation from which we can constructively and cooperatively learn from our experiences to better measure and manage risk."

By studying what incidents were stopped (near misses) and what path incidents came from, we can objectively evaluate our program strategies… this, in my opinion, is the magic of VERIS. If our mission, as security professionals, is to inform the business of risk, ultimately stopping "the big one," there is very little appetite to allow an attack to repeat itself.

The A4

So VERIS describes an event using the 4 A's, and it's pretty simple when you think about it: Actors take Actions, Assets have Attributes. Yes. That's a blinding flash of the obvious. Taking the obvious even further:

- Actors often take lots of Actions
- Assets may have multiple Actions taken against them
- Assets may have multiple Attributes affected

So it makes sense that this is more of a nested schema than something Excel-spreadsheet friendly… Got it. Makes sense. Now what?

Get familiar with the A4 structure. We've got some videos here to save you some reading, but you'll want to read up after the overview. First up, here are some videos giving an overview of Actors, Actions, Assets, and Attributes:

- Actors
- Actions
- Assets
- Attributes

Read more from VerisCommunity.net here:

- Threat Actors
- Threat Actions
- Compromised Assets
- Security Attributes
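To show what "more of a nested schema than something Excel-spreadsheet friendly" looks like in practice, and to connect it to the incident-to-breach ratio and detection deficit the Defender's Perspective post above asks you to compute for your own organization, here is an added example. It is not Rapid7's or Verizon's code and not the official VERIS schema: the nesting mirrors the A4 idea (actor, action, asset, attribute) plus victim and timeline sections, but the exact key names are assumptions, and every record is constructed.

```python
"""VERIS-style incident records and two of the defender metrics discussed in
these posts: the incident-to-breach ratio per industry and the detection
deficit. Added example, not Rapid7's or Verizon's code. The nesting follows
the A4 idea (actor, action, asset, attribute) plus victim and timeline; the
exact key names are assumptions and every record below is constructed."""
from collections import defaultdict

# One record written out in full so the nesting is visible: an actor took several
# actions against several assets, and one attribute (confidentiality) was affected.
FULL_RECORD = {
    "victim": {"industry": "Finance", "employee_count": "Small"},
    "actor": {"external": {"motive": ["Financial"]}},
    "action": {
        "social": {"variety": ["Phishing"]},
        "malware": {"variety": ["C2", "Capture stored data"]},
        "hacking": {"variety": ["Use of stolen creds"]},
    },
    "asset": {"assets": [{"variety": "U - Desktop"}, {"variety": "S - Web application"}]},
    "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    "timeline": {"compromise": {"unit": "Minutes"}, "discovery": {"unit": "Months"}},
}


def record(industry, size, disclosure, compromise_unit, discovery_unit, actions):
    """Build a record with the same shape as FULL_RECORD from a short description."""
    return {
        "victim": {"industry": industry, "employee_count": size},
        "actor": {"external": {"motive": ["Financial"]}},
        "action": {cat: {"variety": [var]} for cat, var in actions},
        "asset": {"assets": [{"variety": "S - Web application"}]},
        "attribute": {"confidentiality": {"data_disclosure": disclosure}},
        "timeline": {"compromise": {"unit": compromise_unit}, "discovery": {"unit": discovery_unit}},
    }


INCIDENTS = [  # constructed sample
    FULL_RECORD,
    record("Finance", "Large", "No", "Unknown", "Hours", [("malware", "Backdoor")]),
    record("Finance", "Large", "Yes", "Hours", "Weeks", [("hacking", "SQLi")]),
    record("Healthcare", "Small", "Yes", "Days", "Days", [("misuse", "Privilege abuse")]),
    record("Healthcare", "Small", "Potentially", "Hours", "Weeks", [("error", "Misdelivery")]),
    record("Retail", "Large", "Yes", "Hours", "Unknown", [("malware", "RAM scraper")]),
    record("Retail", "Large", "Yes", "Weeks", "Days", [("hacking", "Brute force")]),
]

DAYS_OR_LESS = {"Seconds", "Minutes", "Hours", "Days"}


def is_breach(incident) -> bool:
    """The DBIR counts an incident as a breach only on confirmed data disclosure."""
    return incident["attribute"]["confidentiality"]["data_disclosure"] == "Yes"


def flatten(incident) -> dict:
    """One flat row per incident for spreadsheet-style work: the nested A4 lists are
    joined into sorted, semicolon-separated strings."""
    actions = sorted(f"{cat}:{var}" for cat, detail in incident["action"].items()
                     for var in detail.get("variety", []))
    return {
        "industry": incident["victim"]["industry"],
        "size": incident["victim"]["employee_count"],
        "actor": ";".join(sorted(incident["actor"])),
        "actions": ";".join(actions),
        "assets": ";".join(sorted(a["variety"] for a in incident["asset"]["assets"])),
        "breach": is_breach(incident),
    }


def breach_ratio_by_industry(incidents) -> dict:
    """Fraction of recorded incidents that were confirmed breaches, per industry; this
    is the number to compare against your industry's row in the DBIR."""
    totals, breaches = defaultdict(int), defaultdict(int)
    for inc in incidents:
        industry = inc["victim"]["industry"]
        totals[industry] += 1
        breaches[industry] += is_breach(inc)
    return {ind: breaches[ind] / totals[ind] for ind in totals}


def detection_deficit(incidents) -> float:
    """Share of breaches compromised in days or less minus the share discovered in days
    or less, over breaches whose two timings are both known (the DBIR's Unknown caveat)."""
    known = [inc for inc in incidents if is_breach(inc)
             and inc["timeline"]["compromise"]["unit"] != "Unknown"
             and inc["timeline"]["discovery"]["unit"] != "Unknown"]
    if not known:
        return 0.0
    fast_compromise = sum(inc["timeline"]["compromise"]["unit"] in DAYS_OR_LESS for inc in known)
    fast_discovery = sum(inc["timeline"]["discovery"]["unit"] in DAYS_OR_LESS for inc in known)
    return (fast_compromise - fast_discovery) / len(known)


if __name__ == "__main__":
    for row in map(flatten, INCIDENTS):
        print(row)
    print(breach_ratio_by_industry(INCIDENTS))  # Finance 2/3, Healthcare 0.5, Retail 1.0
    print(detection_deficit(INCIDENTS))  # 0.25
```

Two design points matter for your own data. First, "Potentially" is not "Yes": only confirmed disclosure counts as a breach, which is why the Healthcare ratio is 0.5 and not 1.0. Second, records with Unknown timings are dropped from both sides of the deficit rather than counted as "slow", so a large pile of Unknowns shrinks the sample instead of silently inflating the gap.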

Key Takeaways from Verizon 2015 Data Breach Investigations Report


It's that time of the year again. No, not the Game of Thrones premiere, but Verizon's latest Data Breach Investigations Report (DBIR). At times, the DBIR can be as hard to read for a security practitioner as GoT is to watch when your favourite character gets killed off, so let's rip off the band-aid and dive right in.

The bad guys are still ahead--but by a little less

Let's start with some good news. We're ever-so-slightly closing the gap between time to compromise and time to discover. This is in line with trends we've seen in other reports; for example, attackers were able to stay undetected on networks for an average of 205 days in 2014, down from 229 days in 2013 (Mandiant). Unfortunately, for 60% of breaches compromise takes only minutes, so detection taking 205 days is simply not good enough. This reinforces the need to re-balance security investments from prevention technologies to improving detection and response capabilities.

We're still failing to secure credentials

Credentials are still the number 1 way attackers get into the network. Looking specifically at attacks on web applications, 95% of incidents involve logging into the application using stolen credentials harvested from end-user devices. This isn't entirely a surprise given how easy it is for cybercriminals to get hold of credentials and how hard it is for security teams to detect their malicious use. In August last year, it came to light that Russian hackers stole 1.2 billion usernames and passwords, and these credentials were subsequently linked to the JP Morgan Chase breach.

Gone phishing

Phishing is on the rise, from being used in less than 5% of breaches in 2011 to more than 20%. And for good reason: it's effective. For a campaign with just 10 emails, there is a greater than 90% chance that at least one person will fall for it. So what can you do about this? Email filtering can't catch every phishing message, particularly the more sophisticated ones (i.e. the ones we're more likely to fall for). SANS recommends security awareness and training for minimizing the phishing threat, as well as improved detection and response capabilities for the inevitable ones that get through.

Keep patching all the things

The DBIR has always emphasized getting the basics right. This year the report looked at vulnerabilities in more detail, with some interesting insights. About half of all exploited vulnerabilities are compromised within a month of being published, meaning the late nights/early mornings you spent patching Heartbleed, POODLE and Sandworm were probably time well spent. But besides these famous vulnerabilities, what else should you be patching? Well, vulnerabilities found in exploit databases such as Metasploit and ExploitDB are "the single most reliable predictor of exploitation in the wild". And don't forget about the older vulnerabilities. 99.9% of vulnerabilities are exploited more than a year after they were published, and in 2014, more than 90 of the CVEs exploited were published back in 2007.

How Rapid7 can help

Rapid7 UserInsight can help you automatically detect the number 1 attack vector, compromised credentials, as well as improve your detection and response capabilities. With Nexpose's advanced scoring algorithm, RealRisk™, you can prioritize critical vulnerabilities for patching, taking into account the availability of public exploits and vulnerability age. And if you're worried about phishing attacks, Rapid7 offers security awareness training to reduce your users' susceptibility. With Metasploit Pro, you can simulate phishing campaigns to test the effectiveness of the training.

Well, that's all from me for now. There's a lot more info in the report than what we've covered here, so I'm sure we'll see much more analysis going forward. Let us know your thoughts on the report and if there are other critical insights that we haven't highlighted. Happy reading!

Join me on Friday April 17th @ 11am E.T. for a live webcast on the Top Takeaways from the Verizon 2015 DBIR and what it means for you. Register here: https://information.rapid7.com/top-takeaways-from-the-2015-verizon-dbir.html
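The "keep patching all the things" advice here and the "scan with a plan / build a mitigation playbook" list in the 2016 Defender's Perspective post both rest on the same two DBIR observations: a public exploit is the most reliable predictor of exploitation in the wild, and an old CVE is still a live risk. The added sketch below turns those two observations into a patch order. It is an illustration written for this page, not Rapid7's or Nexpose's RealRisk scoring; the findings are constructed and the ids are placeholders, not real CVEs.

```python
"""Patch-prioritization sketch built on two observations in these posts: a public
exploit (e.g. in Metasploit or ExploitDB) is the most reliable predictor of
exploitation, and vulnerability age does not retire risk. Added example, not
Rapid7's or Nexpose's scoring; findings are constructed and the ids are placeholders."""
from datetime import date

FINDINGS = [  # constructed scan output; 'critical_asset' comes from your own asset inventory
    {"id": "finding-A", "published": date(2007, 3, 1), "public_exploit": True,
     "patch_available": True, "critical_asset": True, "cvss": 7.5},
    {"id": "finding-B", "published": date(2014, 10, 1), "public_exploit": True,
     "patch_available": False, "critical_asset": False, "cvss": 9.8},
    {"id": "finding-C", "published": date(2014, 6, 1), "public_exploit": False,
     "patch_available": True, "critical_asset": True, "cvss": 9.8},
    {"id": "finding-D", "published": date(2014, 1, 15), "public_exploit": True,
     "patch_available": True, "critical_asset": True, "cvss": 5.0},
]


def rank_key(finding):
    """Public exploit outranks everything, then asset criticality, then CVSS.
    Age is deliberately absent from the key: an old CVE with a working exploit
    stays at the top instead of ageing out of the queue."""
    return (not finding["public_exploit"], not finding["critical_asset"], -finding["cvss"])


def recommended_action(finding) -> str:
    """'patch now' when an exploit exists and a fix ships; 'mitigate' when an exploit
    exists but no patch does (this is where the mitigation playbook applies);
    otherwise 'schedule' into the regular patch cycle."""
    if finding["public_exploit"]:
        return "patch now" if finding["patch_available"] else "mitigate"
    return "schedule"


def triage(findings, today):
    """Return (id, action, age_in_days) tuples in the order the work should be done."""
    ordered = sorted(findings, key=rank_key)
    return [(f["id"], recommended_action(f), (today - f["published"]).days) for f in ordered]


if __name__ == "__main__":
    for row in triage(FINDINGS, date(2015, 4, 17)):
        print(row)
```

Note what the ordering does with finding-C: a CVSS 9.8 issue with no public exploit lands last, behind a CVSS 5.0 issue that does have one, which is exactly the reversal of a pure severity sort that the "single most reliable predictor" finding argues for.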

New guide: 10 tips for detecting malicious & compromised users


Maybe you've heard a few of the key points from this year's oft-cited Verizon Data Breach Investigations Report (VDBIR). (Or maybe you've been meaning to get around to it.)

But if there's only one thing you remember from the report this year, it's this: As of 2014, the most common way an attacker will get into your organization's network is via compromised user credentials.

Attackers aren't trying to bust the door down or even pick the lock (as much), as they're finding it's increasingly easy to simply up and grab the keys.

While the success rate for stolen credentials might sound low compared to other methods—the VDBIR says 9% of phishing attempts are successful, for example—keep in mind that it takes the compromised credentials of just one single user for an attacker to get into your network, poke around, get what they're looking for, and get away with the goods. And all this can happen in a matter of minutes or seconds. Meanwhile, it usually takes weeks or months for the average organization to even realize what just happened.

If you'd like to make it harder for attackers to target users at your organization, we've put together a short-and-sweet guide with 10 tips on how to detect users that have been compromised (as well as users that might be acting with malicious intent). And it just so happens that we call this guide (*drum roll please*): Ten Tips for Detecting Malicious and Compromised Users.

It's a super-quick read, and the 10 tips aren't "Educate your users to stop clicking phishy links!" ten times over, I promise.

You can find our guide, "Ten Tips for Detecting Malicious and Compromised Users," right here.

See how Rapid7 products and services can help you detect attacks leveraging compromised credentials here.

Thanks all!

Maria

P.S. I realize probably no one has used the ol' key-in-the-soap trick since the Hardy Boys.

The Verizon Data Breach Report - 9 Key Takeaways


Last week I hosted a webinar with Nicholas J. Percoco, VP of Strategic Services at Rapid7, where we discussed the latest Verizon DBIR. This year's report, as always, is recommended reading for any security professional, as it's probably the most comprehensive piece of research, covering information gathered about 63,000 incidents and 1,300 confirmed breaches, sourced from 50 contributing organizations from 95 countries. This gives a comprehensive outlook over the years on the changing attack landscape. Here are our nine takeaways from this year's DBIR:

1 - Attackers shift their methodologies: hacking, malware and social engineering are on the rise, physical is decreasing

It's interesting to see that physical attacks are decreasing as attackers can deploy different methodologies to attack remotely with greater success, using techniques like social engineering. We predict that these trends will increase because of the increased amount of data shared and generated by people, which is a fruitful ground for attackers.

2 - Stolen Credentials - the no. 1 attack methodology

Looking over a decade of attacks, 2013 was the year when stolen credentials were booming, as they became the most used attack methodology, rising from 3rd in 2012. We expect this trend to increase, as we already saw the eBay breach last week, in which stolen user credentials enabled the attackers to break into eBay, potentially revealing the passwords of 145 million users, or the recently announced Avast breach, where apparently 400,000 usernames, emails and passwords were leaked. Each of these events exposes millions of passwords and serves as a pivot point for attackers to gain access to other networks and companies, as users re-use passwords across services and systems.

3 - Focus on the attack patterns relevant to YOU

According to the DBIR, 95% of all attacks fall into 9 common patterns. By categorizing these 9 patterns and providing specific recommended actions, the DBIR helps security professionals focus on the attack patterns most relevant to their industry, type of data and threat landscape, and prioritize actions and investments. It is interesting to see in the DBIR that some attack patterns generate more incidents than actual breaches, while others are more "successful" in leading to an actual breach. This is also a helpful way to prioritize our efforts in managing these threat patterns.

4 - POS intrusions - Watch out for brute forcing and stolen vendor credentials

POS intrusions got attention with the 2013 large retailer breaches. Our recommendation: while brute forcing is still the most used methodology for cracking these machines, stolen credentials in general, and vendor credentials in particular, are the ones on the rise. We recommend that every retailer put in place detection capabilities to discover brute forcing and compromised credentials in order to respond to these major industry threats.

5 - In cases of Insider Misuse - look at privileges

88% of attacks done by insiders abuse privileges to get hold of data. This is obviously not exclusive to a malicious insider threat, as many other attack methodologies would escalate and leverage account privileges to be able to move within the network and access critical assets. Make sure you have good visibility into account privileges and get a good feel for when abnormal behavior of administrators is taking place.

6 - Cyber Espionage leverages the most varied toolbox; still, phishing is THE way to break in

In most cases, cyber espionage campaigns break in using phishing emails: 78% via an attachment in a mail, 20% via a mail drive-by. That's not surprising, as phishing just works.

7 - Yes, phishing works...

18% of users receiving phishing emails would click on a drive-by, 9% will fill out a form and 9% will click on an attachment in a phishing email. That means that if an attacker sends emails to a large enough set of users, there is an excellent chance that he'd be able to compromise at least one user.

8 - What can we do to detect things FASTER?

While compromise and data exfiltration take seconds to minutes, detection takes days, and in many cases weeks and months. This is a bad sign for all of us as an industry, showing that we lag behind the attackers, and we are not even improving... There is much to be done to be able to detect FASTER!

9 - How to make the DBIR work for you?

We recommend you use the DBIR for your planning and prioritization. Take your own key learnings and share them with your management. Use it as a tool to direct your budget planning. There is great insight on what threats YOU are facing and what gaps YOU may have that can help you build your own program.

Worried about stolen credentials and user-based attacks? We recommend that you try the free limited-features edition of UserInsight for faster detection and investigation of compromised accounts.
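Takeaway 7 above ("a large enough set of users") and the 2015 post's "10 emails, greater than 90%" figure are the same piece of probability viewed from two sides, and it is useful for a defender to be able to run it for their own headcount and their own awareness-test click rate. The added example below does that; it is written for this page, not taken from Rapid7 or the DBIR. The click rates exercised are the 9% and 18% quoted in these posts, the campaign sizes are constructed, and users are treated as independent (a simplification, since one convincing lure tends to catch colleagues together).

```python
"""The arithmetic behind "10 emails, >90%" and "a large enough set of users".
Added example, not Rapid7's code; click rates are the ones quoted in these
posts, campaign sizes are constructed, and recipients are assumed independent."""


def p_at_least_one(click_rate: float, recipients: int) -> float:
    """Probability that at least one of `recipients` users acts on the message.
    P(nobody clicks) is (1 - rate)^n, so the complement is the exposure."""
    return 1.0 - (1.0 - click_rate) ** recipients


def expected_victims(click_rate: float, recipients: int) -> float:
    """Expected number of users who act on the message."""
    return click_rate * recipients


def max_click_rate_for_exposure(target: float, recipients: int) -> float:
    """Highest per-user click rate that keeps P(at least one) at or below `target`:
    the awareness-programme goal for an organisation of that size. Solving
    1 - (1 - p)^n = target for p. The same formula, fed an observed exposure,
    returns the per-user rate that exposure implies."""
    return 1.0 - (1.0 - target) ** (1.0 / recipients)


if __name__ == "__main__":
    for rate in (0.09, 0.18):  # rates quoted in these posts
        for n in (10, 100, 1000):  # constructed campaign sizes
            print(f"rate={rate:.2f} recipients={n:4d} "
                  f"P(>=1)={p_at_least_one(rate, n):.3f} "
                  f"expected={expected_victims(rate, n):.1f}")
    # Per-user rate needed to keep a 100-person company's exposure to one mail at 50%.
    print(f"target rate for 50% exposure at 100 users: {max_click_rate_for_exposure(0.5, 100):.4f}")
```

The numbers make the "detection, not just prevention" argument of these posts concrete: at a 9% click rate a single ten-message campaign already has better-than-even odds of landing, and holding a 100-person organisation's exposure to one message at 50% would require a per-user click rate under 1%, far below anything an awareness programme realistically sustains.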

Top 3 Takeaways from "9 Top Takeaways from the Verizon Data Breach Investigations Report"

Hi, I'm Kelly Garofalo – you may know me as the voice of the moderator in most of our security webcasts. (You know, the one that tells you about how you can snag CPE credits for joining us and sends you a nice follow-up so that you can access more wonderful webcasts and content.) I'm excited to bring you the top takeaways from our recent webcast, “9 Top Takeaways from the Verizon Data Breach Investigations Report”. (Essentially this is a TL;DR of our TL;DR webinar for this year's report.) If you are interested in learning about data breach trends you should be aware of, keep reading!

In our May 22 webinar we heard from Nicholas J. Percoco (VP of Strategic Services at Rapid7) and Lital Asher-Dotan (Senior Product Marketing Manager at Rapid7) about the most significant findings from the 2014 Verizon Data Breach Investigations Report.

Some key takeaways for attendees from the live broadcast were:

Creds, creds, creds! – As emphasized by the very recent eBay data breach, stolen credentials are a fast-growing trend. When attackers log in using a legitimate username and password, they are very difficult to detect, so it is more important than ever to have visibility into normal user behavior, so that misuse of credentials is easy to home in on as soon as unusual behavior is observed. It's very important to ensure users NEVER re-use passwords, since credentials compromised in one breach could mean their information is compromised anywhere else those credentials are in use.

Attackers are getting more and more sophisticated – Attacker methods are evolving as quickly as security programs and technologies are. Attackers are leaving less of a signature on networks and are creating increasingly tailored and realistic methods of targeting users. When an attacker understands someone's typical conversations and interaction patterns, it becomes very easy to get a click from a user – as their emails and websites look completely legitimate! And this one click can be all they need to infiltrate a network.

Patterns are key – 95% of breaches that have ever happened follow 9 specific patterns, so all organizations must examine these patterns alongside their security programs to find out where gaps might be and immediately fill them.

To learn more about how you should be bolstering your security program to avoid falling prey to common attack methodologies, view the recording of this webcast on demand now! If you want to hear more about security trends and methodologies, take your pick from our webcast library.

Is AV dead? Why Symantec's executive is only half right about the state of anti-virus software

This week, a Symantec executive proclaimed that anti-virus is dead. Given the company's position in the AV market, it may be the most discussed comment coming from Symantec for some time; though in and of itself, I'm not sure the statement would elicit much of an argument from most security professionals. Oh, except for the other AV vendors of course.

For our own part, it's not news that we believe that AV is "limited". In fact, Metasploit specifically offers AV evasion capabilities to represent the way that attackers behave. Anti-virus only works to protect you against threats that are known, and known in enough detail that they can be recognized and blocked on a variety of systems. It's not rocket science to think, then, that a technically skilled attacker with time will either tweak some existing malware, or create something new, so that it won't be recognizable to standard AV packs. Hence all that cynicism about AV, particularly among the pen testing community who face – and defeat – AV on a daily basis. But here's where I have a hard time playing the funeral dirge for AV.

See, whether it's because you're lazy, or a total go-getter that wants to cram as much into your day as possible, either way you're likely to want to be as efficient with your time and effort as you can be. This is why people like automation (yes, that was a Metasploit Pro plug). This is also why there is a pretty decent market for crimeware packs. And why not? There is a lot of malware knocking about on the internet after 30 years or so of people creating it, and others creating flawed software to be exploited by it. And tragically much of it still works.

So if I am an evil genius attacker (cybercriminals are all evil geniuses, no?) and I can get the goodies by using old malware that's been around for ages, why wouldn't I? Why spend time and energy on creating something more elaborate when the old stuff still works, and meanwhile I can divert my time to creating a car that turns into a submarine to reach my secret underwater lair. Or sitting around playing Titanfall in my underwear.

So yeah, I'm not ready to pronounce AV dead, and I still make sure my mom runs it on her computer because at least it affords her a level of basic protection against drive-by attacks. The Verizon Data Breach Investigations Report summarizes this with: "While many proclaim AV is dead, not having it is akin to living without an immune system." I'm not sure I think AV is as effective as an immune system. Rather, I'd compare it to a shower curtain – it protects you from the peripheral spray, but won't stand up to a direct deluge.

This is where I think AV can become problematic, dangerous even. It can give people a false sense of security. You need to remember that it doesn't make you bulletproof, not even close. So whether you're my mom or a Fortune 50 enterprise (and everything in between), you still need to practice good security hygiene and practices beyond deploying AV. Which is where pen testing comes in… (though probably not for my mom). Testing AV evasion techniques is the way to understand the impact of directing the faucet right at the edge of the tub; just how soggy is everything going to get, and what problems does that cause? To find out, why not try our updated AV evasion techniques which help you mimic a real-world attack?

One final comment – if you are running AV, it's crucial that you keep it active and updated on all machines or it really is a pointless exercise – like having a holey shower curtain, or one made of rice paper. This is something Rapid7 ControlsInsight can help you with. Now I'm off to my mom's place to update hers and work on my sub-car-ine.
