An attack path is a series of threat actions leading to a successful data breach. The Verizon 2019 DBIR (Data Breach Investigations Report) offers insights.
Reading the Verizon Data Breach Investigations Report (DBIR) is a humbling experience for an information security professional. While the gist of the report remains more or less the same every year, it gives a good glimpse of the mechanics, scale, and intractability of security issues that organizations deal with on an ongoing basis.
This year’s Verizon DBIR is built on an analysis of about 42,000 security incidents and 2,000 breaches in 2018 across a wide variety of industries. The report uses the VERIS (Vocabulary for Event Recording and Incident Sharing) framework to collect and present incident and breach data. It spells out popular threat actions and attack paths that have led to successful data breaches. In this blog post, I summarize my takeaways from the 2019 DBIR.
Attackers are after any type of data that they can sell or use to commit fraud. In fact, 71% of breaches are financially motivated. Attackers sell personal data, email addresses, credentials, credit card numbers, and access to compromised resources on the dark web. They also use stolen data to steal identities and commit direct fraud. In many breaches, multiple types of data are compromised (for example, credentials and internal company data together).
A secondary motivation for data breaches is espionage, which is most common in the public administration vertical. These data breaches are carried out primarily by state-affiliated actors.
A threat action is anything a malicious actor does to advance an attack. The series of threat actions that an attacker follows from start to successful data breach is an attack path. According to the 2019 DBIR, hacking, malware, and social are the most common threat actions used to carry out attacks. Social threat actions, involved in only 17% of breaches in 2013, now play a role in 35% of breaches.
The most popular types of threat actions are phishing, use of stolen credentials, and back doors.
It’s interesting to note that the length of the attack path plays a role in data breaches. For obvious reasons, short attack paths are responsible for more successful breaches than long attack paths. The vast majority of breaches involve fewer than five steps. Is it possible that organizations who eliminate short attack paths—thus making it harder for attackers to breach them—are less likely to suffer a breach?
Now let’s look at the steps typically involved in an attack chain:
Attackers need some place to launch their attacks. Typically, they start with a list of vulnerable servers, phished emails, or stolen credentials. Therefore, the 2019 DBIR recommends you minimize those starting points to ensure security. How can you get rid of those footholds?
While the above efforts may not eliminate all vulnerabilities, they will make your data and environment harder to breach. Remember that threat actors go for the shortest attack path. Don’t give them any shortcuts to compromise your data.
Asma Zubair is a seasoned product leader with extensive experience managing and launching products and services in the application security and application protection space. At Synopsys, Asma manages Seeker, the industry’s first IAST solution with active verification and sensitive-data tracking for web-based applications. Prior to Synopsys, Asma led teams at WhiteHat Security, The Find (Facebook), and Yahoo!. Asma holds a degree in electrical engineering from IIT in India and an MBA from UC Berkeley’s Haas School of Business.