The Verizon DBIR and the art of the breach

An attack path is a series of threat actions leading to a successful data breach. The Verizon 2019 DBIR (Data Breach Investigations Report) offers insights.

Attack paths and data breaches in the Verizon 2019 DBIR

Reading the Verizon Data Breach Investigations Report (DBIR) is a humbling experience for an information security professional. While the gist of the report remains more or less the same every year, it gives a good glimpse of the mechanics, scale, and intractability of security issues that organizations deal with on an ongoing basis.

This year’s Verizon DBIR is built on an analysis of about 42,000 security incidents and 2,000 breaches in 2018 across a wide variety of industries. The report uses the VERIS (Vocabulary for Event Recording and Incident Sharing) framework to collect and present incident and breach data. It spells out popular threat actions and attack paths that have led to successful data breaches. In this blog post, I summarize my takeaways from the 2019 DBIR.

What type of data are attackers after?

Attackers are after any type of data that they can sell or use to commit fraud. In fact, 71% of breaches are financially motivated. Attackers sell personal data, email addresses, credentials, credit card numbers, and access to compromised resources on the dark web. They also use stolen data to steal identities and commit direct fraud. In many breaches, multiple types of data are compromised (for example, credentials and internal company data together).

71% of breaches are financially motivated.

A secondary motivation for data breaches is espionage, which is most common in the public administration vertical. These data breaches are carried out primarily by state-affiliated actors.

Which threat actions are most popular?

A threat action is anything a malicious actor does to advance an attack. The series of threat actions that an attacker follows from start to successful data breach is an attack path. According to the 2019 DBIR, hacking, malware, and social are the most common threat actions used to carry out attacks. Social threat actions, involved in only 17% of breaches in 2013, now play a role in 35% of breaches.

Social threat actions, involved in only 17% of breaches in 2013, now play a role in 35% of breaches.

The most popular types of threat actions are phishing, use of stolen credentials, and back doors.

  • Hacking is driven primarily by using stolen credentials, back doors, or vulnerability exploitation. Web applications and back doors are the most common threat vectors (paths of attack) in this category.
  • Malware is used in many ways to establish or advance attacks. Back doors, C2 (command and control), and keyloggers are the action varieties most used in successful breaches. Email, direct install, and web drive-by are the most common vectors using malware.
  • Social attacks are carried out primarily through phishing.

How is attack path length related to data breaches?

It’s interesting to note that the length of the attack path plays a role in data breaches. For obvious reasons, short attack paths are responsible for more successful breaches than long attack paths. The vast majority of breaches involve fewer than five steps. Is it possible that organizations who eliminate short attack paths—thus making it harder for attackers to breach them—are less likely to suffer a breach?

Short attack paths are responsible for more successful breaches than long attack paths.

Where do threat actions happen in attack paths?

Now let’s look at the steps typically involved in an attack chain:

  • First steps. The first action in an incident can be almost anything (hacking, error, social, misuse, physical). Interestingly, malware is the least preferred first step, even behind physical action, which requires the attacker or another actor to be physically present. While malware may be useful for stealing data, it’s not good for starting attacks. After all, you first need some means to get malware installed on the victim’s machine.
  • Middle steps. Malware and hacking are the most preferred actions for continuing and concluding attacks, which typically involve stealing data, hiding one’s tracks, and ending the operation. Physical actions are the least useful in the middle of the attack path.
  • Last steps. Social actions are, understandably, the least preferred last step. While they play an important role in starting and continuing attacks (to acquire the information needed to launch or expand attacks), they bring minimum value in the last stages of an attack.

How can I prevent data breaches?

Attackers need some place to launch their attacks. Typically, they start with a list of vulnerable servers, phished emails, or stolen credentials. Therefore, the 2019 DBIR recommends you minimize those starting points to ensure security. How can you get rid of those footholds?

  • For applications you use, keep them secure by installing the latest and greatest patches.
  • For applications you develop, perform security testing to find and fix application vulnerabilities. Prioritize critical vulnerabilities and have a plan to address those remaining.
  • Use multifactor authentication to ensure authorized access to your data.
  • Provide security awareness training to your employees. Invest in building a security-centric culture.

Threat actors go for the shortest attack path.

While the above efforts may not eliminate all vulnerabilities, they will make your data and environment harder to breach. Remember that threat actors go for the shortest attack path. Don’t give them any shortcuts to compromise your data.

Download our threat modeling eBook

Asma Zubair

Posted by

Asma Zubair

Asma Zubair

Asma Zubair is a seasoned product leader with extensive experience managing and launching products and services in the application security and application protection space. At Synopsys, Asma manages Seeker, the industry’s first IAST solution with active verification and sensitive-data tracking for web-based applications. Prior to Synopsys, Asma led teams at WhiteHat Security, The Find (Facebook), and Yahoo!. Asma holds a degree in electrical engineering from IIT in India and an MBA from UC Berkeley’s Haas School of Business.

More from Security news and research