
Takeaways from the 2019 Data Breach Investigations Report

The 2019 Data Breach Investigations Report was released in December and highlights the many aspects of data breaches and the frequency of their occurrence. Reviewing it gives us a great opportunity to reflect on what security teams should focus on in 2020.

The Attackers

According to the report, about 1/3 of attacks originate from insiders and 2/3 are from outsiders. Over half of the attacks from outsiders were from groups with criminal motivations who were trying to steal intellectual property or access someone’s personal information to sell or hold for ransom. Unsurprisingly, C-Level Executives were 12 times more likely to be the target of an attack.

Proficio Recommendations:

  • Strong perimeter security is essential – without this, you leave your organization vulnerable to outsiders. Security defenses should include cloud, email and web filters.
  • Organizations must understand the business context of their assets. By categorizing valuable assets in your organization, you can provide them a higher level of protection and detection.
  • Don’t forget to monitor internal users, actions across the core, and internal applications; these are common areas where you can catch suspicious behavior.

The Attacks

There was a notable increase in targeting cloud-based email like Office365, which is something many organizations use. Over a fourth of attacks involved malware – 24% were ransomware – which infects endpoints that are vulnerable and accessible to the malware. Errors were the root cause of 1/5 of breaches and 71% were financially motivated.

Proficio Recommendations:

  • Make sure you have a wide range of advanced use cases for detecting attacks and compromises of O365 and other mail servers.
  • More than 70% of attacks come from different attack vectors – don’t forget you need to protect more than just the endpoint.
  • The best prevention for ransomware is to not allow malware on the endpoints:
    • Perform continuous vulnerability monitoring with cloud agents and patch regularly.
    • Monitor and respond to suspicious email or web connections.
    • Deploy next-generation endpoint software with behavioral analysis.
  • Mitigate risk by using Risk-Based Vulnerability Management and by monitoring and evaluating security control configurations mapped to benchmarks like CIS.

The Victims

Companies of all sizes including large and small are getting breached, with over 40% of breaches involving small businesses. Some of the most popular industries to target remain the same: Public Sector, Healthcare, and Financial.

Mobile users are even more susceptible to being attacked, often by email-based spear phishing or social media attacks.

Proficio Recommendations:

  • Regardless of your size or industry, you could be the target of a data breach. Make sure cybersecurity is a priority and you have protections in place.
  • Create and implement security procedures around mobile devices.

The Hacks

The most popular methods used by hackers are often Command and Control or Brute Force Attacks. However, exploiting known vulnerabilities, using stolen credentials, and social attacks on senior-level executives are also frequently used to gain access.

Proficio Recommendations:

  • Have settings in place to detect suspicious behavior of users or devices.
  • Use frameworks like MITRE ATT&CK to detect and respond to tactics, techniques, and procedures.
  • Keep vigilant and maintain strong passwords to avoid credential theft; also monitor admin and system credentials.
  • Test and patch for vulnerabilities often.

The Breaches

More than half the time, breaches took months or longer to discover, reminding us that many organizations still lack visibility into actual breaches themselves. The top threat vector is web applications, but remote desktop and TeamViewer applications are seen as easy targets. Hackers are also still gaining access through VPN.

While cybercriminals are looking for a quick victory, they often go through multiple steps before breaching data. This number is decreasing though, and the time from an attacker’s first action in an event chain to the initial compromise is typically measured in minutes.

Proficio Recommendations:

  • Put in place WAF control and monitoring of WAF and web server logs.
  • Actively monitor and investigate suspicious events 24×7 with advanced tools and SOC staff.
  • Orchestrate and automate containment response to occur within minutes of an attack.
  • Perform discovery of the techniques and tactics used.
  • Collect metrics data on your operations team, including Time to Detect, Contain, and Remediate.

Manage and Understand Risk

It is often said that it is no longer a question of if an organization will experience a data breach, but when. The report underscores this theory, and reminds us that people, platforms, and applications are still vulnerable to attacks; there is no room for complacency.

Given this reality, we recommend IT leaders strive to understand the cyber risk facing their organizations. Proficio provides our clients with cyber business intelligence and comparative risk data that allow them to see trends in attack volume and type, as well as gaps in their security controls, and to compare these to peers in their industry. Having this information is a critical step toward funding a strategic response to cyber risk and a first step towards a comprehensive cybersecurity plan.

 
