Marco Rottigni, chief technical security officer, EMEA, Qualys, shares his views on the latest Verizon Data Breach Investigations report and spotlights why having an effective vulenerability prioritisation programme is key to achieving great accuracy in detection in the digital landscape.
The Verizon DBIR is one of the most respected research reports in cybersecurity, providing a very comprehensive analysis, covering over 150,000 incidents and selecting 32,000 by quality standards. I particularly like how they represent the concept that no industry, no region, no market is excluded; using a differently coloured squared page to illustrate how wide, pervasive, and data-driven their 3950 breaches analysis has been.
According to the findings of the report, nearly half (45 percent) of the breaches featured hacking and the large majority of them have been perpetrated by external actors, which reiterates the concept of a value chain presence behind almost each hacking attempts. This is also highlighted by the common denominators section, showing 86 percent of breaches as financially motivated.
Another interesting finding was that half of breaches (43 percent) involved web applications, underscoring the crucial importance of having a solid CI/CD pipeline where security is totally integrated as early as possible in the DevOps lifecycle. This pervasive role of security must include a continuous assessment before and after the production stage, to ensure that vulnerabilities causing the mentioned compromises and breaches are detected early enough and made available to developers in a consumable format to ensure they are fixed with the minimum TTR (Time To Remediate). It is worth pointing out that the high percentage of breaches using web apps as a primary attack vector shows that DevOps security hasn’t reached maturity yet and there is much scope for improvement in this area.
A commonality that needs attention is that 37 percent of breaches stole or used credentials, highlighting that too many attacks don’t need sophisticated malware to weaponise the attacker’s strategy — assets misconfiguration, scarce security awareness, or mistakes in verifying compliance are normally great risk amplifiers for attacks where credential theft is the root cause of a breach. It’s also worth noting that breaches where misconfiguration was leveraged have increased by 4.9 percent from last year and since 2015 there has been a steady growth of this technique.
Looking at the supporting actions section, error — especially misconfiguration — comes immediately after hacking and it has practically the same popularity as social. While misconfiguration and misdelivery don’t rank high in terms of the top threat action varieties in incidents, they warranted a very high spot when the focus was the top threat action variety in breaches.
One curious area in this same section on supporting actions, is the use of weaponised malware — while this category has seen a decrease in overall usage, it also saw a polarisation between advanced attacks and smash-and-grab compromises. These two attack types are both highly impacting on business and aimed to steal valuable data or compromise service continuity. Since malware injection is often part of the vulnerability exploitation process, this polarisation highlights the need of an effective vulnerability management and remediation program in place. Aiming to shorten TTR with a granular and highly efficient prioritisation programme leads to the minimisation of the exposed vulnerable surface, reducing furthermore the likelihood of a malware-rooted breach.
Another interesting section of the report is the Exploiting Vulnerabilities one, because it starts to almost minimise the problem and says that vulnerability exploitation hasn’t played a major role, accounting for a peak 5 percent in 2017. Nonetheless, the chapter also highlights that vulnerability exploitation is in second place in breach Hacking varieties. This is because it is one technique that is part of practically every attack strategy!
This section also stresses the crucial importance of a continuous and effective detection and remediation program, because there are way too many low hanging fruits for attackers to leverage. Organisations need to realise that cyber-attacks are powered by a value chain and easy, widely available vulnerabilities are much cheaper to find and use than sophisticated zero days attacks.
Validating and managing the vast amount of vulnerabilities continuously discovered remains a big challenge, one that can only be solved with a very effective prioritisation program that needs to start with capabilities like total visibility of the entire digital landscape and great accuracy in detection. Building on these capabilities are prioritisation based on detection age, real time threat indicators, and impact of the most dangerous vulnerabilities on your network. Orchestrating these and mapping them to logically tagged perimeters is a very effective way to reduce the overall amount of vulnerabilities while augmenting effectiveness in remediation over time.
The last section I’d like to highlight is the one dedicated to Assets. It greatly advocates the need of an asset management program that must be integrated with security and compliance. The digital biodiversity we have to deal with nowadays includes many digital species, non-digital ones like human users and semi-digital ones like Operational Technology, not to mention the universe of IoT, Cloud instances, and mobile devices. Each of these categories has a variety of attributes that should be organically catalogued, organised and normalised into a global asset inventory where many other IT, security, and compliance processes are grounded.
This approach creates a solid, actionable, single source of truth that is the greatest advantage when vulnerable surfaces become attack surfaces. The scale that such inventory — and the processes that it enables — should reach is potentially very high; but it must also be flexible to grow, to shrink, to expand and contract at the pace imposed by the digital velocity.
Verizon DBIR celebrates its thirteenth year with a level of maturity that is impressive, grounded on data science. The report summarises a huge amount of raw data into meaningful and actionable information, greatly refined by experience. The wrap up on page 101 reiterating the crucial importance of using the CIS Top 20 controls as guidance for the security posture validation is the perfect conclusion for a very formative and informative read.