Key Takeaways from the Verizon DBIR 2023 | Podcast Ep. 85

Captions
I think one of the things we've seen, of course, is that some of the ransomware gangs would prefer to stay low profile, stay stealthier, and not become a target, because what we're seeing is that the bigger the organizations you target, the more visibility you get from the FBI and governments around the world, and they will come after you.

Hello everyone, welcome back to another episode of the 401 Access Denied podcast. I am the host of this episode, Joe Carson. I'm the Chief Security Scientist and Advisory CISO at Delinea, and it's great to have another returning guest on the show today. It's going to be a fun and hopefully very educational episode. Welcome to the episode, Tony. Tony, do you want to give the audience a bit of a recap of who you are, what you do and some of your background?

Sure, thanks Joe, thanks for having me, pleasure to be here again. So my name is Tony. You can tell from the accent I'm from the UK, born and bred in Wales, educated there, and I've been in the security space for longer than I care to imagine; it's getting on close to 30 years now. But I've been in this particular area of privileged access management for probably 15 or so, so I've been around the block a little bit. I like to think I know what's going on here, but Verizon always comes out to surprise us, doesn't it? So I work at Delinea. I'm technically a cybersecurity evangelist; my day job is with the marketing team, doing technical-related content to help them message to our customers and our prospects. So that's kind of what I get up to.

Fantastic. And today's whole conversation is going to be around the recent Verizon Data Breach Investigations Report for 2023. It's one of those reports that we're all sitting on the edge waiting for. Usually we know it's coming around the May time frame and we're all waiting for that moment, and it usually provides a bit of a scorecard into how well security has done in the past year. I definitely want to credit those at Verizon, and also the friends of Verizon, who make this report happen, because doing reports like this is so intense; it takes a lot of time, there's a lot of data to go through, and it's a huge investment. It takes months, and it's a lot of data and contributions from a lot of different sources. So I just want to make a call-out to David Hylender, Philippe, Alex Pinto and Suzanne, who are really the team behind it and bring it together. For me it's a great resource for the industry, and it really helps us adjust our strategies in order to deal with the threats out there. It's been going on for 16 years, 81 countries participate in the analysis, and as in the past they do have a separation between what's an incident and what's a data breach. So this report looks at, I think it was, just over 16,000 incidents and almost 5,200 data breaches, so quite a significant amount of data gets analyzed. I'm just interested, Tony, what were some of the new things that they introduced, because they're always introducing new elements or new kinds of pattern analysis, and what were some of the key takeaways that you found from the report itself?

Yeah, we can certainly talk about that. I just want to point out, though, that it's interesting: some of the reports that I read are all stats related and they can be very dry, but I like the fact that the Verizon team injects little bits of humor into their reports, so I always get a chuckle out of that. If you haven't read it, you should; it can be quite entertaining as well as a little scary at times. But it's funny, because as I started reading through this, and I was reading stat after stat after stat, I mean, some things just don't change, right? There is a consistency. Credentials are still the criminal's best friend, and consistent with prior years, it's still all about the money. I've got some little notes here with stats: 95 percent are financially driven. So that doesn't necessarily change, but I think we can still think of credentials as the fuel that feeds many different types of attacks. So we're not just looking at a single use of anything, we're looking at a flow. For example, different types of attacks use credentials, maybe at the start, or credentials are used further down the chain, like with ransomware, and in turn that can result in yet more compromised credentials. So you get this cyclical effect; it becomes circular, feeding off itself. But I'm going to harp on about credentials because it's consistent with last year: they're still the most popular entry point for breaches. I did a quick search separately just to get a sense of how many credentials are actually available on the dark web, and obviously there are lots of varying numbers, but one of the big ones that jumped out is over 24 billion. That's a huge number, right? It means multiple credentials for everybody. It's huge. But I think my takeaway from that is that we all have to assume a breach. We have to take this posture of an assume-a-breach approach to security, and so things like zero trust and other best practices are important because they help you build your processes and your security posture assuming that a breach has already happened.

Absolutely, yeah. One of the things they really highlighted in the report, and Verizon absolutely called out some of the key components of data breaches: up there at number one was stolen credentials. Second came phishing, and what they mentioned that was interesting in phishing and social engineering was that pretexting is also becoming a very popular technique as part of social engineering and phishing campaigns. And then the exploitation of vulnerabilities. Those were the top three techniques that attackers were using. One thing they definitely mentioned is that you have to assume breach; you have to assume that a username and password is not sufficient, and therefore they highlighted and emphasized some of the top best practices and recommendations, and they highlighted that multi-factor authentication goes a long way. Not because it's 100 percent protection, it's not bulletproof, it's not the complete answer, but they did mention that the emphasis on multi-factor authentication does go a long way to protecting organizations.

I think the bar is lowered significantly for MFA. Several years ago it could be pretty hard to get MFA in place, and I think the mentality has changed as well, and maybe that's been partly driven by insurance providers getting on that bandwagon and insisting that MFA be part of your arsenal. But it used to be that MFA was tough, and not just in terms of the technology, but also because you have to think of MFA as being multi-layered in itself. You can't just have MFA in one place and say, it's at the front door and I'm protected. You've got to layer that in at multiple access control points so that you have the opportunity to reassess, or gain additional proof, that the user is who they say they are. So again, going back to ransomware, if you've got a piece of malware that's trying to hop from server to server laterally, you may want to put an MFA challenge in place at one of those servers, or even all of them if they're sensitive, so that you can stop that malware in its tracks. So I think it's definitely a critical element of everybody's arsenal today.

And one of the big advancements that I've seen is how MFA is also trying to deal with MFA fatigue, which is a big problem as well: all of a sudden you simply get this notification on your phone, and if it just gives you a yes or no answer, if you get enough of them, some people will just accept it to get rid of the notification. I like some of the methods that have been appearing, where you must enter the number that's displayed on the screen into the MFA response, and if you're not the person actually making that attempt, you don't have that number. So that's a really good way of reducing MFA fatigue, and it definitely makes it much more difficult for those accidents and mistakes to happen.

One great thing that I did find in the report is more alignment with frameworks; that was a big improvement this year. Of course they aligned with the VERIS framework, which is all about the Vocabulary for Event Recording and Incident Sharing and which really highlights actor, action, asset and attribute. Another great thing I really enjoyed this year was much more alignment to the MITRE ATT&CK framework as well, and in different sections they did go into the details about here are the attack techniques from the MITRE ATT&CK framework, and then they get into the CIS Controls, which are basically the security controls that can apply to mitigate them. Using that vocabulary and bringing those in was a really great attribute that provides much more information about those different techniques. What were your thoughts on bringing in the MITRE ATT&CK framework?

Definitely, I think it's a huge improvement. Everywhere I go I talk to people and they say it's tough getting security expertise to help us out, either in establishing our defensive posture, or doing war gaming, or whatever it happens to be, or responding to threats. So there is definitely a brain drain, I guess, and it can be challenging. So it's great to have a consistent terminology, a consistent naming, a consistent way of sharing information amongst the broader community. That makes perfect sense, kind of like back in the old days when the CVE came around, right? So I think the MITRE ATT&CK chain, I've been seeing that now being referenced in more and more tools that are used in things like incident response, where they hook into that modular framework and reference it, and maybe even suck that data in and actually point to different techniques and tactics that are in the framework. Then we can all talk consistently about the challenges and maybe how we actually respond to those challenges. So I think that's a fantastic thing, and clearly it's going to continue in future Verizon data breach reports, but I think it's a win for everybody.

It's cool, absolutely. It really aligns with the mindset of the attacker and then what things you can do to make it more difficult. One of the things I was also interested in was the report getting into who was really behind it, who the attackers are and where the attribution goes. Of course we're starting to see much more organized crime, cybercriminals, and they were the number one source of the attacks. Then there's a very few that get into the espionage type of things, where it was nation-state backed. But when they get into the details of all those attacks, it gets into MITRE ATT&CK, which basically says there are multiple techniques used; it's not just one method and that's it. One of the things they actually mentioned was that 74 percent of all breaches included human elements: misconfigurations, privilege misuse, stolen credentials and/or social engineering. Those were some of the most common techniques, and really that's where you can't just depend on reducing the risk of one of those; you have to do multiple, you have to do it equally and balanced. Any thoughts you have around these types of methods used?

No, I agree with that. So I recently did a deeper dive into the MITRE ATT&CK chain for a white paper that we're going to be publishing fairly soon, and I was a little taken aback by how many there are. I think of these defenders in organizations like our own: you can't go through everything, but you've really got to try and focus on your business and the types of sensitive information that you have, and where that might take you in terms of the MITRE ATT&CK chain, and then tease out, when you're trying to put together your own playbook to defend yourself, those techniques and those tactics that are going to be more relevant to your business, and then practice them and then do war gaming and tabletop exercises to make sure that you understand what they may be. So to your point, step in the shoes of the attacker and try to identify what they're likely to be using. But one of the things that you mentioned that I wanted to mention as well: of the 5,200 or so confirmed data breaches, 512, about 10 percent, were mistakes. It may seem like a very small number and fairly innocuous, but you can prevent those with things like privileged account vaulting, taking those off the playing field, taking full-time admin rights away from people that don't need them full time, and also something that's creeping in more and more, which is behavioral analytics. Maybe we want to mention that at some stage, but that can help identify anomalous behavior, whether it's adversarial or whether it's just a mistake, and it can flag these things. But obviously it doesn't avoid the need for training, so training, training, training is still an important thing, the educational side of it, also given the fact that business email compromise has nearly doubled, so how to spot those. But of course with things like ChatGPT, those emails are getting a lot cleaner and a lot harder to spot.

Right, that's one of the things. I recently had some discussions with some government CERTs, and I was interested in what types of attacks they've seen on the rise, and one of the things they did say is that the translation capability of generative AI has made the phishing campaigns look much more authentic. We used to be able to check for mistakes and identify common mistakes in those phishing emails; generative AI is improving them so much, to the point where it's not just one and done. What they're doing with business email compromise and social engineering and phishing is a conversation back and forth. The first couple of attempts may not include the payload; it might be the fourth or fifth or sixth. So what they're doing over time is having a much more, let's say, interactive conversation with you, and it's not with a human, it's basically with a chatbot, which, depending on your response, is evolving its response back to you in order to ultimately gain your trust. The more they gain your trust, the more likely it is that once you get to that fifth or sixth or whatever number, when they eventually deliver the payload, you're going to be more willing to trust that response. And that's where the pretexting comes in as well, where they're taking on roles and different personas and trying to get to somebody you're willing to trust. Ultimately, I think when we look at business email compromise, it was the one that rose the most out of all the different motives and techniques used, and it was also significantly financially impactful to businesses as well.

Right, let's face it, those execs potentially have access to more sensitive information, especially financial, than we do. Hey, I've got a stat that I read, and I wasn't sure how to interpret it, to be honest. This was one of those things that I read and scratched my head and was like, oh, that's interesting, I'm not sure how or why this is potentially what it is. So I'm going to throw a curveball at you.

Sure.

So it said partner-initiated incidents: in the previous report, partner-initiated incidents were 39 percent, but in this year's report they're 4 percent. That's a big drop. I was looking at that and going, are we talking about supply chain, potentially, where you compromise a weaker supply chain partner and maybe you hop in through their VPN or whatever's exposed. But going down from 39 percent to 4 percent in partner-initiated incidents is a major drop, and I was scratching my head and thinking, why would that change be what it is? Because that's trending downward, clearly, but any ideas?

I think, if I understand correctly, they changed some of the terminology in this one. So I think one of the things they did, if I understood correctly going through the webinar and the contents, is that it also gets classified as external as well. So when you look at it, it might be very specific to look at a third party, but it is concerning that it would drop that much in a year. It's also important for the audience, whenever we look at the Verizon Data Breach Investigations Report, that when we're going through it, it is retrospective. It doesn't reflect what is happening right now; it basically goes from October 2021 until November 2022, so that's the period of the data. So whenever we're looking at it, it's always the previous year's analysis, and it's always important to make sure that even though it is 2023, it's a retrospective report that we're looking back on. Also, that was still a period where COVID was highly impactful as well, so you might not have had lots of consultants and third parties being able to make on-site visits. Some of the things reflected there, I think one of the interesting ones, if you look at some of the data stats, was that when COVID hit, I think the privilege abuse went significantly down, because people couldn't get access to privileges; they were working remotely and organizations had locked those down, especially financial organizations, where you would typically have to be on site at terminals to be able to access some things. So there was a significant drop in that abuse as well. I'd be interested to see them analyze that one even further.

For sure. And of course, over the last few years the big elephant in the room has been ransomware, right? So they commented on ransomware, but the numbers seem to show a steady state there. It was like 25 percent in the previous one, and it's still a quarter. A quarter is a big number, but it looks as though it's a steady state. The other stat related to ransomware that they surfaced was that ransom amounts are lower but the costs of recovery are increasing, and they kind of speculated on that. They didn't have a good answer; they speculated on it.

Yes, it's interesting. One of the things I was waiting to see was what their analysis of ransomware itself would be, because if you look at a lot of the reports from 2022, including Chainalysis, who analyzed the ransom payments in cryptocurrencies, one of the things we did see is that a lot of reports showed there was actually a decrease in ransomware throughout that year.

Right, right.

What they did see was an increase in the payments, which meant that more organizations were still paying. In our report we also saw that more organizations are having much better backup solutions and recovery solutions as well, so they don't necessarily have to pay. But this was really interesting: if you look at that spike, I think it was in 2020, the 2022 report, which was the previous year, showed a massive rise in ransomware compared to all previous years together. That was a significant rise in ransomware, but then this year's report basically showed a slight evening off and steadiness.

For sure. So I think a lot of organizations are, one, doing better at ransomware protection, so there's definitely been an investment for many organizations.

Right, right.

They have taken a stance on better backup and recovery. Some organizations of course have gone down the path of cyber insurance in order to offset the financial costs of ransomware. But it was interesting that it is holding steady, and for me, looking at all the kinds of types of incidents, I think business email compromise and ransomware are the two big things organizations need to tackle right now. Ransomware is the most devastating from a business perspective because it can bring the business to a complete stop; business email compromise is much more of a financial implication, because it is financially focused, more business focused. And you get different types of ransomware, whether it's disrupting the service, encrypting the data, stealing the data, disclosing the data; it gets into various different types of stages.

Exactly, and that's the most devastating, I think the most impactful. But those are two things that organizations need to tackle, and I think this is an equal-opportunity devastator; it's not just large organizations, of course. One of the things that Verizon speculated on was that a lot of the attackers are potentially going for smaller entities as well, so while they have less money to hand over in terms of a ransom, there are a lot more of them. But it also may be that the smaller organizations have a lot more technical debt and don't have as much to invest, and that can translate to a greater recovery cost. So perhaps an obvious takeaway from that is: don't think ransomware is only for big companies. It's equal opportunity; everyone's a target when it comes to ransomware.

I think one of the things we've seen, of course, is that some of the ransomware gangs would prefer to stay low profile, stay stealthier, not become a target, because what we're seeing is that the bigger the organizations you target, the more visibility you get from the FBI and governments around the world, and they will come after you. That's what we're seeing with some of the larger ransomware gangs that have impacted universities or hospitals or local municipalities and governments.

Right.

They have put a target on themselves and the governments are going after them now. So I think that's why these criminals want to target the SMBs: there's money to be made for them, and they typically don't have a dedicated security person; they might actually only have a handful of IT resources, if even that. So it gets to the point where they definitely need to make sure that they're doing something, and security shouldn't be a luxury. It should be something that's available to all organizations of all sizes; it should not be something they have to make a decision about whether they should have it or not. So we need to get over that. That's where security, as we've talked about in previous years, I think it was Wendy Nather who talked about the security poverty line: security should not be something that's only affordable by the big organizations.

Right.

They need to bring it down so it's affordable and easy to use for companies of all sizes, and that's something that the report highlights. They did have a whole section on the SMB side of things that really showed some of the best practices, and I think the top three things, if I go down to the top three recommended practices they had for SMBs, which was really interesting, were around making sure that, one, you have a good backup strategy, and security awareness training. So the top one was security awareness training, having employees much better trained. The second highest recommendation was data recovery, and that's not just data recovery but also data segregation and data security, making sure that even if you do become a victim, the attackers don't have the ability to encrypt all your data online. And then the third one was access control management, which is all about making sure you're rotating and managing passwords and you've got multi-factor authentication in place. So those are the top three recommendations that they had for SMBs, and all SMBs should really make sure that they prioritize and take those types of recommendations seriously.

Yeah, and I think a lot of organizations don't have unlimited budgets, right? So they have to make choices when it comes to security controls, but the writing's on the wall here: given the fact that credentials are so predominant in the attack chain, protecting access to those credentials, going to a least-privilege security posture, zero trust, whatever your favorite best practice is, it all suggests that with a limited budget you should prioritize perhaps beefing up your identity-related protections. And actually one of the things that surprised me, a little bit, because usernames and passwords, credentials, are obviously hot commodities, is that elsewhere I've read there's a big increase in the use of stolen session cookies to bypass the need for credentials altogether. So I was a little surprised that didn't factor into the report this year. Maybe with passkeys becoming more prevalent, maybe that will factor in next year. Hopefully credentials will start to disappear, we all hope.

Yeah, digital keys is what we need to get to. The old method is the username and password, which has been the traditional thing, and of course getting into SSH key management is sometimes very difficult to manage and maintain at a large scale, and this is where passkeys have been the big topic. What it means is really about moving much more of the authentication into the background, where it becomes much better and easier to have multiple devices across multiple applications. When you look at it, it's a segregation between authentication and authorization, and this is where you get into things like really good single sign-on, you get into FIDO frameworks and implementations, which then have a strong passkey for authentication, and then you get into having privileged access security in the background, which is then for the authorization side of things. So we're in a world where it's no longer about provisioning and managing devices; it's all about provisioning and managing access.

Right.

That's the new perimeter, especially when organizations are quickly transitioning to cloud environments. You no longer control that traditional, let's say, firewall of the perimeter; you're basically moving into the public internet, and therefore you have to have a much better way of securing, using that network.

Yeah, and the security providers have had to adjust obviously to that, because the whole point of a virtual private cloud where you're standing up Windows and Linux instances to run your business applications is that it needs to remain private. So if you're poking holes in your firewall to allow, sort of, external tooling or security controls that are historically on premises, for example, to try and protect it, you're opening yourself up. So all of the vendors, ourselves included, have had to adjust to that new paradigm and make sure that we can work in a modern, efficient and effective hybrid cloud environment for our customers.

For sure. But yeah, this also gets into one of the things that I didn't see in the report, which was around API security, and also much more emphasis on cloud security, because in previous reports they did heavily talk about how cloud is becoming a bigger target than on-premise. So that was something I was really interested in, but it really didn't go into any of the details about hybrid cloud or API security. So that was what I was missing from the report.

Yeah, that's a good point.

One thing that was highlighted, which was interesting, because the period that this report covered also included the Log4j vulnerability, and of course that was a massive impact for the industry.

It was.

One of the things that was really interesting, when they get into the analysis of Log4j, was that they would have expected to see it being abused all year round, but they highlighted that within the 30 days of the release of that vulnerability, that was actually the top period of exploiting it, and then the mean time organizations took to patch it was around 40 days. So even though there were lots of scanners out there scanning for it, organizations had reacted very quickly to mitigating and patching that vulnerability. So the month, the two months after Log4j was exploited was the high-impact time, and afterwards organizations became much more defensive against it.

I think that's a good sign, because it tells me that organizations are being more sensitized to how to react quickly to potential incidents and breaches. It could have taken months or years in the past to react to something like this, but they're starting to really be more efficient in their ability to react and respond. That to me is very positive. It means the dwell time, well, not the dwell time, that's the wrong term, but it means that the opportunity for attackers to compromise with new exploits, especially zero-day exploits, is shrinking.

I think we learned from the likes of Heartbleed and Shellshock; those were very difficult to patch, and then of course we had PrintNightmare as well, which was another major vulnerability for privilege escalation, so you could go easily from a local standard user account up to a local administrator account, and if you can do that on the device, it's only a matter of time before an attacker gains full domain access. So I think we've learned from those previous experiences, and organizations, especially for those public-facing systems, really take them very seriously and try to address them very quickly. One thing that was really interesting, even though we had Log4j, which was a major exploited vulnerability that happened, was the web application attacks. Normally I would typically see much more vulnerability exploits around that time, or other types of attacks, but it was predominantly credential theft and using stolen credentials for web application attacks. For me that was a massive indicator of the importance of making sure that usernames and passwords are not the only security controls on those applications. So that was a kind of major one; it said 86 percent of all web application attacks involved the use of stolen credentials.

Yeah, I mean that's one of the things we've spoken about for several years, and it's funny how you can talk about these things and they make logical sense, but the movement to adopting them just trails behind. It's like credentials used by human users, but then you've got the service accounts that are used by the applications and the services, so we focus on protecting those user accounts but the service accounts are kind of the poor stepchild. I think it's a similar thing here as well. And the same with the APIs you mentioned earlier: protecting your APIs is the poor stepchild, but they are massive attack surfaces, and it's only a matter of time before they're exploited and attackers take advantage of them, and then we've got to scurry around and try to patch those gaps in our defenses. But yeah, it is interesting, for sure.

What about, and they always break it down, not just by the classification pattern, which is always really interesting because that's what I can dive into, but they also broke it down by industries and regions, which they always do, and it's always interesting to see which industries are the most impacted and also which regions, or what type of patterns they see in North America versus India versus APAC. Was there anything in there that you found interesting?

I can't say I looked at that data in any great detail, but in terms of industries, it's historically, for me, been the typical things, because a lot of these are financially oriented, so it's going to be fintech and it's going to be banks, but also healthcare, because historically they haven't been very good at, or they haven't necessarily focused on, their own internal IT, so they outsource a lot of those capabilities. But I don't necessarily, I mean, did you spot any of that?

For me, what I was interested in was that system intrusion was still, from a regional perspective, for North America and EMEA, one of the top methods of getting access, and I think that's predominantly, when you get into system intrusion, that's your typical ransomware technique: you get access, you laterally move, you can access the data. So system intrusion is one of the main areas, then you get into social engineering, which is pretexting, therefore business, financial fraud, business email compromise. Social engineering can be a method for access brokers, who will sell off the access to others who will then come back and do system intrusion and then deploy ransomware. So those are some of the methods. What's interesting, looking at this, is that public administration is still one of the top targeted areas; you also get into information companies, which are basically responsible for information and data, and also the financial industries. Those are some of the top targeted industries. Financial is where the money is, so they're going to go after that; public administration tends to be where you've got the least amount of security in place and therefore they become a target; and definitely healthcare, it's always there, but I find that it's not the main target, because it can get into the ethical side of things, so you find the criminals will try to avoid it. And then information companies, of course, where the data is, right, that's also the target as well.
so for me I think that's where you see the you know dominant you know manufacturing is also up there on the high in the list uh but that's typically what you know the attackers will Target after um so those are some of the interesting things there's also there's also you know if you read some of the stats it's like well you you've also it's a it's an overused term defense in depth but you've still got to focus on defense and depth so one of the stats was that servers accounted for 85 of the Assets in breaches um user devices workstations and so on were 20 so you think oh okay well I mean if you look at a typical ransomware attack chain it is going to be trying to fish or compromise the end user take over their workstation move from the workstation to the server Network and then laterally from server to server but 85 of assets service accounting for 85 of their assets um in breaches is a big number so so I think that it's important to to have that defense in depth where you're protecting both the the edge of your network the workstations that our human users uh uh uh uh are using and that are very easy entry point um largely speaking especially working from home where I'd our home network defenses are maybe not as tolerant or a sense as strong as they would be in the office but then protecting that that lateral movement trying to prevent lateral movement from server to server to server so um you know that was a 85 of Assets in breaches of servers that was a big number so we've got a and again ransomware right it's it's the end of the day ransomware is malware and and you know malware can only do its thing if it gets access to the systems in your network and one of the best ways of of preventing that is to protect those credentials absolutely and what we've tend to find one of the things is that we we tend to protect the front door as much as we possibly can but we don't protect the inner doors and inner walls um so that means that you know one attacker we assume 
that we've got all of the oh we're putting all our defenses on that perimeter on that front door and when the front door fails and the attacker gets inside and then that's where basically we're hoping in many organizations that usernames and passwords and lateral moves I thought you know that they won't get that far but it's going to you know as you mentioned earlier it is a defense in-depth uh you know methodology that organizations you know must adopt and they have to assume that that front door you know Security will feel that what happens when they get inside and that's when it becomes really important to make sure you've got additional levels of protection you know recovery you know Access Control segregation a strong backup and Recovery strategy um this is where you have you know Network segmentation or the principle privilege which is that foundation too strategy as well absolutely yeah yeah no that's a key thing I mean least privilege it's I mean we're all familiar with that principle but the extent to which um you know your your subscribing to something like zero standing privileges or zero trust that has its foundations in that it's it's it's so very important um but um you know even if even if you're taking the first kind of step in terms of of maturity by vaulting away those privileged accounts you've still gotta not just be let adding your administrators routinely check them out on a daily basis you you've got to be kind of leaving them there for emergencies and having them log in as themselves with with minimum rights that's the key to the least privilege getting to zero persistent privilege or you know at least standing privileges where you just have enough to probably do what you need to do and it becomes on demand just in time and that makes it much more difficult for lateral moves or you know for privilege abuse it does it makes organizations much more visibility um in the report itself is there anything that you find missing or anything you would 
like to see uh in much more detail or greater detail in the future but again I I there were two areas that that I always think um you know well at least one area that's a massive attack surface and that's the um that's the service accounts and and the application accounts side of the equation so so great you've got this massive attack surface that that is credentials um split between human used credentials and application use credentials it sprinkled in there but it's not a huge focus and certainly with apis and stuff uh everything that's programmatic with devops and and it's becoming more and more of a problem so some of the things that I I talk to and I see our customers talking about is is you know we're developing applications for the cloud for hybrid Cloud scenarios whatever and you know we want to get away from from using static credentials so so they go okay let's take them out of embedded code and maybe we'll Vault them and then we can reach out programmatically to the Vault to actually get those credentials but then they want to take it further because there's still static credentials so so they're looking to actually have the the Vault create ephemeral tokens so they can use those programmatically and those are ephemeral by Nature they they dissolve after a certain amount of time um you know they have a short time span they're more secure than IDs and passwords I don't really find that represented much in here and as I mentioned earlier the whole you you know stolen cookies and session cookies being used to bypass credential based authentication mechanisms is another area that that I would expect to see maybe more in in you know next year's with passkeys as I said and stuff like that absolutely that's a really interesting point is you know they do not you know do that distinction between the human and the Machine identities you know it's right which is kind of the you know the machine identities for me is is all of those uh which are non-human you know it 
can be the service accounts application accounts the API keys and it doesn't get into that in in detail and it'll be actually interesting to see um is this abuse of human interactive credentials or was it abuse of um you know service accounts or session you know keys or session tokens what was what was the distinguishing you know Factor um you know it is interesting that there's a human element yes but what was the next step what was the next attack chain that they used um so absolutely that's an interesting yeah for me it was you know definitely the API was missing because that's a big area of the automation the behind the scenes type of of security uh as well as moving between you know the on-premise and Cloud um but yeah the the machine identities is is a key important part and it's becoming definitely a massive attack surface for many organizations oh for sure without a doubt and um you know MFA can play a role here as well because if if if you've got a situation where a service account or a machine identity is being used in an interactive fashion if it's available it's not disabled for use by by interactive login you know then MFA can can can kick in and block that in its tracks a little bit harder to to manage that of course you don't want to do try and do an MFA for a legitimate service Services service or app to app uh authentication but yeah in those cases you know for me absolutely you know this is they they shouldn't be interactive log on first you know one of the primary things if it is interactive login that's that's a misconfiguration for me um you know in many cases then you get into um no one should know the credential of that it's involted away when it's needed um and then to get into the next phase which is it should be time based you know is there a window of opportunity that that should only be used for is it is it a backup job it's an automated task is it a discovery you know um when should that run is it running once a day um limited time um 
so this is really kind of getting into is is how to make sure we reduce that threat surface for those types of machine accounts you've got to have some some good intelligence behind that the life cycle management of service accounts because very often you find that a single service account may be leveraged by multiple applications multiple machines so if you arbitrarily go and rotate that password you could break those other services and then your availabilities Goes to Hell in the handbasket so so you've got to have some intelligence behind that knowing how and when to rotate a shared um sort of machine account but once you've got that sorted out then you can really reduce that attack surface you can make it very very much harder for a threat actor to leverage a credential that's probably expired hopefully by the time they come to try and and compromise and use it so absolutely yeah the dependency mapping across Services is critical to to making sure you'll be honest you don't break something but also you make it as secure as it possibly can uh Tony it's been fantastic having you on and and you know delving into the details and the analysis of the latest Verizon data breeds investigation report um it definitely is one of the you know the main uh you know top reports that we analyze and it's also you know what's the great thing is it is an indicator that we are doing better and I will say that you know when that's when we get these reports and it shows progress and it shows that organizations are taking the right step it is time that we should celebrate we should you know you know everyone should Pat ourselves in the back and say that we are doing something good um because many many cases it is you know it sometimes it sometimes you know we feel is you know this you're not getting better you're not seeing the Impressions um but this is this is a report that actually is showing that we are doing better um and we should keep the momentum we shouldn't become 
complacent um we should make sure that we're you know analyzing the report taking the key findings out of it that actually is making a difference and all the organizations should really you know look to implement some of those good protections uh that the report does highlight um so absolutely Tony's been fantastic having you on and again back you know the Verizon uh dbr Team um uh you know David Phillip Alex and Suzanne you know keep up the great work um and in depth definitely make sure that you know we're getting the analysis and we're showing the progression and what works and what doesn't work so um only 11 more months to wait for the next one eh absolutely but we still have a lot of the data to go through in this one uh what do you get into the details uh there is a lot of still information to analyze so all right we'll definitely make sure that for the audience uh we'll make sure that we get a link to the actually uh dbr report um in the show notes uh Tony it's been a pleasure having you on as always and for the audience absolutely and for the audience you know tune in every two weeks the 401 access tonight podcast is here to really bring you you know highlights Trends leadership um you know ideas and on what's Happening and and bring some fantastic guests on the show to really show their experiences and ideas with you so stay safe take care and we'll see you again soon thank you thanks a lot bye-bye
Info
Channel: Delinea
Views: 257
Keywords: tony goulding, joseph carson, DBIR, Verizon DBIR, DBIR 2023, DBIR insights, DBIR takeaways, cybersecurity podcast
Id: SbvYN6hazkE
Length: 45min 23sec (2723 seconds)
Published: Sat Jul 29 2023