Verizon 2016 DBIR: Phishing, Known Vulnerabilities & Stolen Credentials
Verizon analyzed a dataset of 64,199 security incidents and 2,260 data breaches, across a variety of industries in over 82 countries in their ninth iteration of their Data Breach Investigations Report (DBIR).
From that data, a number of interesting findings emerged - nothing we didn’t really know before, but it’s still somewhat reassuring that attackers are using the same threat vectors. That just means we have to get better.
The typical attack vector starts with a phish, featuring an attachment that downloads malware onto a user’s computer and steals credentials. The time-to-compromise is almost always days or less, if not minutes, as attackers get even quicker at compromising their victims, according to the report.
A few key points of focus:
It’s continuing its upward trend in frequency, and is one of the most opportunistic attacks. In 2015, 30 percent of phishing messages were opened by the target user, an increase from 23 percent last year.
Another 12 percent clicked on the malicious attachment or link, and only 3 percent alerted management of the phish. Phishing works quickly, with the dropping of malware via malicious attachments occurring within seconds. And what do attackers ultimately steal, as a result? Credentials and trade secrets.
When it comes to recommended security controls to stop the success of a phishing attack, Verizon slams single-factor authentication:
“Passwords are great, kind of like salt…wonderful as an addition to something else, but you wouldn’t consume it on its own.”
This year, Verizon found 63 percent of confirmed data breaches involved weak, default or stolen passwords. Password guessing attacks and prominent malware families like Dyre and Zeus are designed to capture keystrokes from an infected device, and increasing password complexity won’t protect you against these types of attacks.
Web App Attacks
Attacks against web applications have increased significantly, especially for financial services organizations, up from 31 percent last year. Stolen credentials topped the list of top threat actions used to exploit web apps. The typical attack path involves phishing a customer > making a connection to a command & control server (c2) > dropping a keylogger to capture keystrokes > export captured data > use stolen credentials.
While Verizon recognizes that using multi-factor authentication is not a panacea, but, rather, a “bar raise” - it is a bar worth raising.
“The use of stolen, weak or default credentials in breaches is not new, bleeding edge or glamorous, but it works.”
Using multi-factor authentication to secure access to web applications is recommended - in addition to establishing a patch process for web apps (specifically, content management systems) and third-party plugins.
Point-of-sale (POS) intrusions refer to attacks against the POS systems that process credit and debit card data. Keylogging malware plays a significant role in POS attacks, targeting poorly configured, Internet-facing POS devices.
The attack path starts with a POS server visible to the Internet > POS has a default login > bad guy leverages the default login > installs malware > malware grabs payment data as it’s processed.
When it came to large organizations that suffered a POS breach, static, single-factor authentication was leveraged to get access and steal data - once again, making the case for using two-factor authentication to protect access to customer data.
It’s not zero-days that take the cake here - Verizon found that older vulnerabilities are still heavily targeted. An analysis of time-to-exploit after the vulnerability code was published publicly finds that Adobe bugs (read: Flash Player) are exploited much more quickly than others, including ones affecting Microsoft, Apple and Mozilla.
While that gives us information about which software patches to prioritize over others, it also shows that we’re no updating as frequently as we should be.
Tracking device operating system, browser, and plugin versions can help provide insight into risky devices connecting to your corporate network. Access-based policies and controls can also be configured to block outdated devices from entry.
Learn more about two-factor authentication and endpoint solutions in our Two-Factor Authentication Evaluation Guide.