Verizon is not only the largest US telco; its network infrastructure also allows it to draw on data from more than 82 countries and 67 contributors, including the Australian Federal Police. In Australia it has data centres and provides enterprise- and government-level network support.
The 85-page investigations report is here and the digest is online here. A related blog post states that “Data breaches are complex affairs often involving some combination of human factors, hardware devices, exploited configurations or malicious software. As can be expected, data breach response activities — investigation, containment, eradication, notification, and recovery — are proportionately complex.”
These response activities, and the lingering post-breach after-effects, aren’t just an IT security problem; they’re an enterprise problem involving Legal Counsel, Human Resources, Corporate Communications and other Incident Response (IR) stakeholders. Each of these stakeholders brings a slightly different perspective to the breach response effort.
Verizon says its DBIR (Data Breach Investigations Report) is its annual publication on security. The DBD (Data Breach Digest) complements and supplements the DBIR by bringing data breaches to life through narratives told by breach responders. So, use the DBIR to frame your argument for enterprise change; use the DBD to illustrate why such change is needed.
Carrying forward from last year, Verizon has come to realise that these data breach scenarios aren’t so much about threat actors, or even about the vulnerabilities they exploited, but more about the situations in which the victim organisations and their IR stakeholders find themselves.
Knowing which incident patterns affect your industry more often than others provides a building block for allocating cybersecurity resources.
It has identified nine incident patterns:
- Insider and privilege misuse – trusted actors leveraging logical and/or physical access in an inappropriate or malicious manner.
- Cyber-espionage – targeted attacks from external actors hunting for sensitive internal data and trade secrets.
- Web application attacks – web-application-related stolen credentials or vulnerability exploits.
- Crimeware – malware incidents, typically opportunistic and financially motivated in nature (e.g., banking Trojans, ransomware).
- Point-of-sale (POS) intrusions – attacks on POS environments leading to payment card data disclosure.
- Denial-of-service (DoS) attacks – non-breach-related attacks affecting business operations.
- Payment card skimmers – physical tampering of ATMs and fuel pump terminals.
- Physical theft and loss – physical loss or theft of data or IT-related assets.
- Miscellaneous errors – an error directly causing data loss.
But in reality, the digest’s data breach scenarios fall into four “clustered groupings”:
- The human element – four scenarios highlighting human-related threat actors or targeted victims.
- Conduit devices – four scenarios covering device misuse or tampering.
- Configuration exploitation – four scenarios focusing on reconfigured or misconfigured settings.
- Malicious software – four scenarios centering on sophisticated or special-purpose illicit software.
The IR stakeholders are much wider than many think: Verizon has identified at least 16 groups.
The report then goes into most aspects of the incident types and what the stakeholders have learned.