Technology Context From the Verizon Data Breach Investigations Report (DBIR)

Posted by Admin on April 28, 2014

By Bob Gourley — APRIL 28, 2014

For a decade now the cyber security community has been treated to important strategic context coordinated by Verizon in their Data Breach Investigations Report (DBIR). The information in the report can help drive strategic planning for enterprise technologists and members of the enterprise cyber security team and it is well worth a read by any CTO, CIO, CISO and most other members of enterprise technology teams.


  • The point of this report is to support evidence-based risk management. It is for those that want to inform their strategies with facts.

  • No study of this type is perfect, so to enable you to assess its strengths and weaknesses the DBIR team lay out their methodology and even highlight places where they know there are gaps. This is a good approach. As for me I’m not looking for perfect, I’m looking for actionable insights and this has plenty of those.

  • The community of participants includes some highly regarded investigators and technology champions, including the most highly regarded names in computer security and forensics (like the Carnegie Mellon Software Engineering Institute’s CERT, The US Secret Service, the Department of Homeland Security (and the US CERT), the Council on Cyber Security, and for the first time, Centripetal Networks (I’m very proud to be on the Centripetal Networks Board). Here are my key take-aways from this year’s research:

  • In every measure that matters, in every category, the bad guys are getting faster by automating.

  • 92% of attacks studied in this research can be described and categorized by nine basic attack patterns of:

    • Crimeware

    • Insider Misuse

    • Cyber Espionage

    • Web application attacks

    • DoS attacks

    • Errors and their exploitation

    • Physical Theft

    • Payment card skimmers

    • Point of sale intrusions
  • In each of these attack patterns the threat is characterized in very important ways that can inform your defensive posture. Threat actors, their preferred techniques, and realities about how they operate and are detected are examined. Also, defensive measures keyed to the Critical Controls coordinated by and for the community by the Council on Cyber Security are also provided in each of the attack patterns. This can provide helpful inputs to prioritize strategic efforts to enhance your defensive posture.

  • A ten-year look at attack types proves that attackers are creative, adaptive and capable of adjusting their tactics to accomplish their objectives. They do what it takes to get in, including devising very sophisticated phishing schemes, creating spyware, placing code in RAM, leaving hacker tools, installing rootkits and continually adjusting/re-placing spyware. The exact code will of course vary, but they will implant it in your enterprise. Then it will communicate out.

  • Taking a ten-year look at the data also underscores another chilling observation regarding attack timelines. Statistically, enterprise breaches occur quickly, in a matter of days or even hours. But detecting these breaches takes longer, with periods normally measured in months. Remediating and recovering also takes a long time.

  • So, to underscore the above, attackers get in fast and then are not detected for a long time, and once detected a fight with a thinking adversary begins. This is a key reason why every enterprise incident response team is overworked.

  • Having a plan to respond and well configured response plans are key to success.

  • In almost every attack pattern, the threat is automating. The only way to defend is to automate (detection and removal must be automated).

  • The report does not endorse any one firm or its technology, but it can certainly inform your technology choices. The report builds a strong case for capabilities that can automate the detection and removal of malicious code including spyware, rootkits and crimeware. This calls out for solutions like those provided by Hexis Cyber (especially HawkEye-G), stopping the number one source of initial intrusions for malware (through use of endpoint security and secure environments from Invincea), scanning in-memory threats (see Triumfant), and establishing rules on borders, boundaries and internal flows, as well as operationalizing threat intelligence (via Centripetal Networks). Configuration and data protection of mobile devices are also key (and for this see Fixmo).

  • Security posture, technologies used and threats all vary from enterprise to enterprise, but general conclusions that can inform you defensive posture can be produced by sector. The info-graphic below highlights the key attack patterns for top sectors. The report itself dives deeper, giving a good overview that can help prioritize defensive measures.

Conclusion: The bad guys are just getting faster. You must automate your defense, detection, response and remediation. Automation is your only hope.

  • For more see: Data Breach Investigations Report (DBIR)

  • And also check out: Hexis Cyber (especially HawkEye-G), Invincea, Triumfant, Fixmo and Centripetal Networks (to operationalize threat intelligence). I know these firms because I advise them directly and I know they are making virtuous contributions to enterprise success. Automate with them.