It’s that time of year again, when Verizon releases their annual compendium of security incident/breach data derived from commercially-provided forensic investigations and contributions from other organizations via the VERIS framework. This year’s report analyzes more than 2,260 confirmed data breaches and more than 100,000 reported security incidents, the highest since the report’s inception in 2008. Historically, the Data Breach Investigations Report (DBIR) has analyzed 10,000 breaches and nearly 300,000 security incidents over 11 years.
With all that data, what can we say about progress in the discipline of information security, or even its sub-disciplines of software and application security? Well, the report opens with Yogi Berra’s well-known quote about déjà vu, if that tells you anything. Unfortunately, 2016 was not a year for improved InfoSec defenses, and in fact, things slipped a notch or two.
Let’s recount a few quotes highlighting this slip, from the DBIR 2016 itself and the DBIR press release:
“Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85 percent of successful exploits.”
“Sixty-three (63) percent of confirmed data breaches involve using weak, default, or stolen passwords.”
“Basic defenses continue to be sorely lacking in many organizations.”
“Thirty (30) percent of phishing messages were opened—up from 23 percent in the 2015 report—and 13 percent of those clicked to open the malicious attachment or nefarious link.”
“Web application attacks climbed to the #1 spot for data breaches, up 33 percent over prior year, and the vast majority (95 percent) were financially motivated.”
“Actors in breaches are predominantly external. While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house.”
This is all well and (not) good, and I’m sure it’ll produce the usual hand-wringing amongst the chattering classes, some of it even justified. But what does it have to say, if anything, about the state of specific sub-disciplines of information security, including those near and dear to my heart, software and application security?
Well, there are some headline-worthy items in DBIR 2016 related to AppSec:
Web apps were far and away the attack pattern resulting in the most breaches (not incidents): just over 40% of breaches (an increase of 33% over the prior year’s data), with finance, information, and retail organizations as the predominant victims. DBIR 2016 indicates that much of this was due to the well-established compromise pattern of “phish customer > C2 > Drop Keylogger > Export captured data > Use stolen credentials” perpetrated by malware like the Dridex banking Trojan. SQL injection doesn’t appear until the seventh item on the list of threat actions within Web attack breaches (at only 20% of the overall breach count). I’m not sure whether to laugh or cry; less SQLi is good, but it’s still number one after you filter out Dridex?
Net net, the DBIR 2016 Web app data makes me feel like we’re losing ground in a space where organizations should have at least some maturity after all these years.
The other big AppSec-related insight I glean from DBIR is the absence of AppSec in the data. Stolen credentials, insider abuse, physical theft and loss—the bulk of the report doesn’t really expose much in the way of software and/or application root cause (about one percent of “miscellaneous errors” are attributed to “programming error”—does that count?). Of course, this could simply reflect reality—the bulk of incidents and breaches result from successful campaigns that typically scale well through automation. A compromise of, say, one company’s ERP app through one software vulnerability is just one incident/breach, lost in the background noise. That is true only when viewed against the raw count of incidents and breaches, however; the impact of individual compromises could be quite large. In this light, I’d be interested to see DBIR break out the impact of breaches by attack pattern, as they have in years past. There are only a few pages of impact discussion at the end of DBIR 2016, plus an appendix on monetization of stolen data, but I didn’t see anything linking attack patterns to impact. Perhaps in future reports we’ll be able to look through the lens of impact again.
There are other indirect insights into non-AppSec data in DBIR 2016. Let’s take a look at these:
I’ve overheard serious security leaders contemplate eliminating the investment in prevention, focusing solely on detection and response. Their reasoning is that compromise is just a question of when, not if, in this historically mismatched contest between attackers and defenders. The report illustrates (in Figure 8) that time to compromise is getting quicker (84% “days or less”), while time to discover is still lagging (25% “days or less”) and is actually trending downward from 2014 and 2015. Additionally, internal notification (discovery) of breaches is trending down versus external notification (in Figure 9), so all that fancy monitoring gear and IR process improvement does not seem to be paying off. Clearly, prevention can still be effective.
Semi-related, vulnerability management is only keeping us afloat, as new vulnerabilities are coming out much faster than we apply the patches. DBIR unfortunately doesn’t offer any silver bullets—while the top 10 mega vulnerabilities account for 85% of breaches, the other 15% originate from over 900 vulnerabilities. So, being selective about patching still leaves you 15% likely to get compromised. Other data shows patching falls off significantly for vulnerabilities older than two years. This suggests that, where patching proved infeasible, a non-trivial compensating mitigation must be applied instead (gee, who’s ever seen that happen?). An incentive for software companies producing this tidal wave of vulnerabilities might be the only light at the end of the tunnel, and a dim one at that. Customers putting secure software development clauses in contracts and licenses? Commercial liability for breaches? I know these are cans of worms, but it seems like things are getting bad enough to at least discuss options (my personal preference would be options of the commercial market variety versus regulation…).
DBIR tells me that since 2009, breaches of servers and networks have decreased, while breaches of user devices have gone up (illustrated in Figure 6). Of course, human beings are a common denominator for all these categories (as noted in the DBIR press release), so it is probably inaccurate to differentiate between organizationally managed servers and networks versus individually-managed devices and…well, persons. But, I suspect this is at least a partial reflection of the relative security of data centers versus home PCs. Adjust your threat models accordingly, if you haven’t already. And no, those endpoint devices are not mobile. DBIR 2016 claims that the upward trend in user devices is primarily desktops getting infected with malware and POS terminals being “popped.”
More generally, I think this and other data in the DBIR point to a classic hunting technique: frighten the herd and separate the slow and weak. We remain in the glory days of end user/end point/client application hacking, and it will take further efforts to enable stronger authentication via multi-sensor/multi-communication channel mobile devices to reverse this long trend.
To close on a more whimsical note, I was struck by DBIR 2016’s lack of attention regarding cutting-edge technologies that we all read about in the headlines. Although they’re making the front page of the news, they’re not in DBIR 2016 at all: “For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.” Either those items that do make the news (e.g. the VTech toy hack for IoT) haven’t resulted in a serious incident or breach, according to DBIR, or those platforms are harder to break into than perceived (hint: if the FBI is asking for help, we must be doing something right). I’d bet on the former for IoT and the latter for mobile, personally. In any case, as I argue in most of my recent writing, good risk managers will keep their attention on the fundamentals and leave daydreaming about being attacked by Skynet drones to spare time. I’m happy to see that DBIR 2016 supports this notion, despite all the other bad news.