There have been some very interesting findings in the Verizon DBIR Report 2022. The community has been asking many questions and is excited. We requested a community session from our partner FireCompass's research division, which you can join for free and ask any questions you have.
We are hosting a session on "Dissecting Verizon DBIR: What caused 3000+ breaches" by J. Chauhan (IIT Kharagpur Alumnus; Head of Research @FireCompass). Our speaker analyses the report so that we understand the most common attack vectors and patterns. In this webinar, we will look deep into the Verizon DBIR report and find out how attackers navigate to your valuable assets and what you can do about it.
The last year has been notorious for cyber crime, from well-publicized critical infrastructure attacks to massive supply chain breaches. The DBIR report analyses incident data to find the patterns and action types used against enterprises. This year the DBIR team analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. (Reference: Verizon DBIR 2022)
Key Learnings From The Session:
- Learn which top 5 attack vectors contributed to 80% of the breaches
- Learn about the rise of ransomware and the 5 top ways it gets an initial foothold
- Learn how attackers are leveraging web applications in breaches
(This is a free session exclusive to CISO Platform community members.)
As always, we look forward to your feedback and thoughts. Please send us your ideas on how we can make the community a better value add for you and your peers. Email firstname.lastname@example.org
Session Recording (with Q&A)
- Taxonomy of attacks
- Top 5 attack vectors that contributed to (approx.) 80% of the breaches
- Rise of ransomware and a few of the top ways it gets an initial foothold
- How attackers are leveraging web applications in breaches
- What about human errors?
2. What Is The Objective?
The objective is to get insights from the Verizon DBIR 2022 breach analysis report and to reorient the security roadmap, if required.
How can statistics help us?
Statistics based on breaches tell us where we should focus.
We believe that continuous security assessment, performed the way real attackers operate and layered on top of baseline activities such as VA/PT, will help prevent future security incidents and breaches.
3. Taxonomy Of Attack In The DBIR Report
4. Explain The Taxonomy Of The Attack In The DBIR Report
- The taxonomy consists of multiple concepts such as attack patterns, attack vectors and attack varieties.
- Attack patterns are complex forms of attack such as system intrusion. An example of system intrusion is a multi-stage attack from outside to inside the network.
- Attack categories are groups of attack vectors.
- An attack vector consists of multiple attack varieties at the individual level.
5. What Are The Top Attack Patterns (Complex Attacks) That Contribute To More Than 80% Of Breaches?
These are the ones:
- System Intrusion: multi-stage attacks that gain access to systems via one or more attack vectors to install backdoors and ransomware.
- Basic Web App Attacks: such as exploitation of web vulnerabilities and credential stuffing using stolen credentials.
- Social Engineering: phishing to lure users into submitting sensitive information or downloading and installing malicious code.
- Misconfiguration: exposed panels, exposed keys, public cloud buckets etc.
6. How Does Ransomware Get An Initial Foothold?
- Ransomware is on the rise, accounting for more than 20% of all major breaches. Ransomware operators generally intrude and gain access to the network using the following attack vectors:
- Use stolen credentials
  - Desktop sharing software such as RDP, VPN, AnyConnect etc.
- Phishing via email
  - Install ransomware code
- Exploit vulnerabilities
  - Products and frameworks such as log4j
- Errors and misconfigurations
  - Open databases, Kubernetes, Docker instances
7. What Automation Is Being Used By Hackers To Attack Enterprises?
- A typical automated chain, running without any human intervention, is the following:
  - Scan for targets on a mass scale
  - Profile the targets using custom crawlers or fingerprinting techniques
  - Detect CVEs based on technology or banner
  - Attempt exploitation
  - Attempt persistence
8. What Are The Other Ways To Get An Initial Foothold Into An Organization?
- Misuse partner access using stolen credentials or other means such as phishing
- Supply chain attack by compromising the DevOps pipeline or system management tools such as SolarWinds etc.
- Target desktop sharing software
- Use stolen credentials
- Exploit a vulnerability
- Target a web application vulnerability
Once the initial foothold is attained, a backdoor / C2 agent / ransomware is generally installed to carry out pivoting.
9. How Are Attackers Leveraging Web Applications In Breaches?
- Web applications are the most exposed assets on the internet.
- Attackers use stolen credentials to perform attacks such as credential stuffing or brute-force attacks
- Exploiting a vulnerability
- Misconfiguration such as exposed admin panels etc.
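The stolen-credential vector recurs in section 6 (ransomware foothold), in the web application list above and in the "credential stuffing" action item at the end of this page. The following is an added example, not code from the session or the DBIR report, of the detection side: it parses a constructed login log and separates credential stuffing (many accounts tried from one client, almost all failing) from brute force (one account hammered) and from normal use. The log format, the sample lines, the IP addresses and the thresholds are all constructed assumptions; the regex would be adapted to the real authentication log of the application.

```python
"""Detect credential stuffing and brute force in web login logs.

Added example, not code from the session or the DBIR report. The log format,
the sample lines and the thresholds below are constructed for illustration;
adapt the regex to the real access or authentication log of your application.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: "<timestamp> <client_ip> POST /login user=<name> status=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) POST /login "
    r"user=(?P<user>\S+) status=(?P<status>ok|fail)$"
)

# Constructed sample: one IP spraying stolen credentials across many accounts
# (one of them works), one IP hammering a single account, one legitimate user.
SAMPLE_LOG = """\
2022-06-01T10:00:01Z 203.0.113.7 POST /login user=alice status=fail
2022-06-01T10:00:01Z 203.0.113.7 POST /login user=bob status=fail
2022-06-01T10:00:02Z 203.0.113.7 POST /login user=carol status=fail
2022-06-01T10:00:02Z 203.0.113.7 POST /login user=dave status=fail
2022-06-01T10:00:03Z 203.0.113.7 POST /login user=erin status=ok
2022-06-01T10:00:03Z 203.0.113.7 POST /login user=frank status=fail
2022-06-01T10:00:04Z 198.51.100.9 POST /login user=admin status=fail
2022-06-01T10:00:05Z 198.51.100.9 POST /login user=admin status=fail
2022-06-01T10:00:06Z 198.51.100.9 POST /login user=admin status=fail
2022-06-01T10:00:07Z 198.51.100.9 POST /login user=admin status=fail
2022-06-01T10:00:08Z 198.51.100.9 POST /login user=admin status=fail
2022-06-01T10:00:09Z 198.51.100.9 POST /login user=admin status=fail
2022-06-01T10:00:10Z 192.0.2.5 POST /login user=alice status=fail
2022-06-01T10:00:12Z 192.0.2.5 POST /login user=alice status=ok
2022-06-01T10:00:13Z 192.0.2.5 GET /dashboard 200
"""

# Constructed thresholds; tune them against a baseline of normal traffic.
MIN_DISTINCT_USERS = 5   # stuffing: many different accounts tried from one IP
MIN_FAIL_RATIO = 0.8     # stuffing: almost every attempt fails
MIN_FAILURES = 5         # brute force: repeated failures against one or two accounts


@dataclass
class LoginEvent:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Keep only login attempts; other request lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["ip"], m["user"], m["status"] == "ok"))
    return events


def classify(events: list) -> dict:
    """Return one verdict per client IP.

    'succeeded_as' lists accounts that logged in from a suspicious IP: those
    are the stolen credentials that worked and need a reset, not just a block.
    """
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.ip].append(e)

    verdicts = {}
    for ip, evs in per_ip.items():
        users = {e.user for e in evs}
        failures = sum(1 for e in evs if not e.ok)
        fail_ratio = failures / len(evs)
        if len(users) >= MIN_DISTINCT_USERS and fail_ratio >= MIN_FAIL_RATIO:
            label = "credential_stuffing"
        elif failures >= MIN_FAILURES and len(users) <= 2:
            label = "brute_force"
        else:
            label = "normal"
        verdicts[ip] = {
            "label": label,
            "attempts": len(evs),
            "distinct_users": len(users),
            "failures": failures,
            "succeeded_as": sorted(e.user for e in evs if e.ok) if label != "normal" else [],
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The point of the `succeeded_as` field is that a stuffing campaign with one success is a confirmed credential compromise, which is why the DBIR groups stolen credentials with web application breaches: the response is a forced reset and session revocation for that account, not only rate limiting on the source IP.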
10. What Is The Contribution Of Misconfigurations/Errors In Breaches?
The rise of misconfiguration errors began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls.
The data tends to be customer data, and it is also customers who notify the breached organizations in a high number of cases. However, security researchers are still the stars of this discovery show (although their percentage is down from last year).
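The "cloud data store without appropriate access controls" pattern above, and the "exposed databases / public cloud buckets" items in sections 5 and 11, come down to an access policy that grants a wildcard principal read access. The following is an added example, not code from the session or the DBIR report, that puts the weak bucket policy beside a corrected one and flags the exposure offline from the policy JSON. The bucket name, account id and role name are constructed placeholders, and the check is a deliberately simplified reading of the IAM policy grammar (Effect / Principal / Condition), not a full policy evaluator; the public-access-block field names are the real S3 settings, but their interaction is modelled only coarsely here.

```python
"""Flag bucket policies that grant anonymous access to a cloud data store.

Added example, not code from the session or the DBIR report. The two policy
documents are constructed; the bucket name, account id and role name are
placeholders. The check is a deliberately simplified reading of the IAM policy
grammar (Effect / Principal / Condition), not a full policy evaluator, and it
runs offline on policy JSON exported from your own account.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-customer-exports"  # constructed placeholder

# Weak setting: every object is readable and listable by anyone on the internet,
# the pattern behind the "cloud data store without access controls" breaches.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
})

# Corrected setting: one application role may read; a Deny on non-TLS transport
# also names Principal "*", which a naive check must not mistake for exposure.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _principals(principal) -> list:
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]})."""
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def public_allow_statements(policy_json: str) -> list:
    """Return (Sid, has_condition) for every Allow statement open to any principal.

    Conditional statements are reported too: a Condition narrows the grant only
    if it is actually restrictive, which needs a human look.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be written bare
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", f"Statement[{idx}]"), "Condition" in stmt))
    return findings


def assess_bucket(policy_json: str, public_access_block: dict) -> str:
    """Combine the policy findings with the bucket's public-access-block settings."""
    findings = public_allow_statements(policy_json)
    if not findings:
        return "ok"
    if public_access_block.get("BlockPublicPolicy") and public_access_block.get("RestrictPublicBuckets"):
        return "public policy present but neutralised by public access block"
    return "EXPOSED: " + ", ".join(sid for sid, _ in findings)


if __name__ == "__main__":
    print("weak  :", assess_bucket(WEAK_POLICY, {}))
    print("fixed :", assess_bucket(FIXED_POLICY, {}))
```

Two design points carry over to real tooling: a Deny statement with `Principal: "*"` is a hardening measure, not an exposure, so the Effect must be checked before the principal; and a wildcard grant that carries a Condition is still reported, because a condition only helps if it is genuinely restrictive.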
11. Suggested Action Items For Prevention And Mitigation
- Improve Visibility
- Continuous Assessment Of Security Posture
Some Detailed Suggestions:
- Continuously Discover Misconfigurations
  - Admin panels, hidden directories, exposed databases
  - Misconfigured DNS, email servers etc.
- Continuously Assess Your Web Applications
  - Better visibility: APIs, login pages, web app types (VPN, admin panels etc.)
  - Credential stuffing (stolen credentials)
  - SQLi, SSRF and more injection attacks
  - Validate security controls: SSL, CSP, WAF/Cloudflare, Captcha etc.
- Better Visibility
- Perform Social Engineering
  - More depth, including installing malware and backdoors
- Continuously Assess Your Desktop Sharing Applications
  - Continuous credential stuffing attacks
- Malware is the second most common action category in breaches. Perform assumed-breach scenarios
- Build playbooks to emulate supply chain attacks