For the past 13 years, Verizon's "Data Breach Investigations Report" (DBIR) has been the industry's definitive resource for documenting and benchmarking the global state of cybersecurity. As always, the Verizon DBIR team does an admirable job of sifting through an impressively large data set to tease out the underlying trends that are driving the market.
But as Miles Davis, the legendary jazz trumpeter, once famously said, "It's not the notes you play, it's the notes you don't play." In other words, it's the silence between the notes that enables the listener to interpret and appreciate the music's deeper meaning and context. When reading a broad industry survey such as the DBIR, it is likewise instructive to look beyond the bolded headlines and ask further questions of the data to best understand the meaning behind these trends.
Here's what I mean.
Headline #1: The Global Malware Threat Is Evaporating
According to DBIR: The Verizon DBIR team documents a precipitous decline of malware-related threats, from 50% in 2016 to just 6%, stating that "we think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence. So while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker's toolbox in simpler attack scenarios."
Beyond the headline: Of course, it's heartening to read that malware threats are waning, and I agree with the interpretation that the broad availability of user credentials has, to a great extent, obviated the need for threat actors to employ malware to maintain persistence. Why bother climbing through a small basement window if you can just open the front door, right?
However, despite this downward trend, few threat researchers I know would take comfort in this pronouncement alone — nor would they presume that malware is a threat they no longer need worry about. Rather, the decline could be attributed to the fact that exploit kits that were once the province of a sophisticated few threat actors are now broadly available to a larger population via easy-to-use subscription services that don't require the use of advanced malware to compromise the network (not to mention the industry as a whole has collectively improved its ability to detect and block malware threats in general).
Another force behind the decline is that threat actors are relying less on malware as a blunt instrument to gain entry and rather leveraging legitimate system utilities and tools for malicious purposes. This is perhaps best exemplified with the rise of "living-off-the-land binaries" (LOLBins). Typically, threat actors will abuse legitimate apps like PowerShell with malicious scripts to avoid detection by conventional antivirus tools.
Headline #2: It's Still All About the Benjamins, but ...
According to DBIR: Financial rewards remain the primary motivator for threat actors. However, DBIR authors acknowledged a "secondary" motivating factor, for which the compromised infrastructure "is not the main target, but a means to an end as part of another attack."
Beyond the headline: What the authors call secondary is a convenient way to group a wide spectrum of disparate motivations under a single umbrella. However, it also hints at another underlying trend, which is that threat actors are being both more selective at deploying malware and increasingly using evasive malware strains to conduct longer-term intelligence-gathering operations.
With respect to droppers and Trojans, the authors note that while they find these particular threats decreasing over time, "their backdoor and remote-control capabilities are still a key functionality for more advanced attackers to operate and achieve their objective." We've seen ample evidence of this in our work at VMRay analyzing a variety of banking Trojans (for example, Trickbot and Ursnif). We have seen firsthand how they are increasingly being leveraged to conduct a wide range of secondary information reconnaissance — from querying the network for configuration settings, to recording what software and services are installed and running, to breaching HR and payroll systems — all of which attackers can leverage for future attacks.
This supports the case that more sophisticated attackers — be they nation-states or criminal organizations — are leveraging known malware strains and repurposing them for extended campaigns whose primary objective is to maintain persistence.
Headline #3: Reverse Survivorship Bias (aka, It's What We Aren't Seeing That Could Really Be Hurting Us)
According to DBIR: "Our incident corpus suffers from the opposite of survivorship bias. Breaches and incidents are records of when the victim didn't survive. … Malware being blocked by your protective controls is an example of survivorship bias where the potential victim didn't get the malware" … and that "it is important to acknowledge that the relative percentage of malware that we see present in breaches and incidents may not correspond to your experiences fighting, cleaning and quarantining malware throughout your own organization."
Beyond the headline: Perhaps the most well-known example of survivorship bias comes from statistician Abraham Wald, who during World War II took this bias into account when considering how to minimize bomber loss to enemy fire. He observed that it was the planes that never came home — rather than the ones that did despite being riddled with bullet holes, especially in their wings — that should inform the decision as to where bombers should be reinforced with additional armor (the fuselage area).
It's good to see the DBIR authors both acknowledge and highlight this particular issue because even the most comprehensive datasets tell only part of the story. In addition to their observation of malware being blocked by protective controls being an example of survivorship bias where the potential victim didn't get the malware, the open question remains as to how many malware threats never made it into the sample population not because they were blocked, but rather because they succeeded in evading detection. It stands to reason that the malware of 2019 is significantly better at hiding its tracks than the malware of 2014.
The Verizon DBIR has become a truly invaluable resource for threat researchers and security analysts who are continuously tasked with planning for every variety of "what-if" scenario. More than anything, though, the report is a showcase of cross-industry collaboration at its finest, with growing participation from an array of diverse security vendors, government agencies, and nonprofit organizations. Regardless of what the data says about the state of the current threat environment, this type of open cooperation among even the fiercest competitors represents our best hope in keeping our future secure.
(Note: VMRay is among the report's contributing organizations.)