Application security, Malware, Ransomware, Risk Assessments/Management

Verizon DBIR 2021: Top takeaways for security pros

Today’s columnist, Louis Evans of Arctic Wolf, says ransomware gets the headlines, but the Verizon DBIR study points out that security teams still need to lookout for business email compromises. A major BEC by the Russian group RedCurl last summer hit 14 companies in six countries, including construction companies, financial firms, retailers, insur...

About the same time as the Colonial Pipeline attack and the new Biden administration cybersecurity executive order, Verizon released its annual 2021 Data Breach Incident Report (DBIR). Insights from the DBIR structure cybersecurity activities for the year to come, helping defenders prioritize threats, enhance security posture, and develop their investment strategies.

Here’s a look at the important trends highlighted in the report and how to best adapt your organization’s cybersecurity practice to handle the threats to come:

  • Business Email Compromises are a leading threat.

Ransomware attacks like the one against Colonial Pipeline continue to dominate the headlines, but the DBIR suggests that businesses should be just as concerned about a Business Email Compromise (BEC). These are attacks in which hackers gain access to a trusted email account (often an organization leader); they typically then deceive a rank-and-file employee or someone in HR or accounting into transferring funds, or sometimes commit other forms of fraud.

Verizon’s impact analysis showed that the median BEC attack cost organizations $30,000, higher than the median impacts of either a data breach ($29K) or ransomware ($11K). An even starker contrast: 58% of BEC attacks imposed losses on their targets, compared to just 24% of data breaches and 10% of ransomware attacks. Since the attacks with no costs aren’t included in the median calculation,  BECs have become the runaway threat in terms of impact.

The FBI recently found similar results. Its complaint database report shows that BECs are about eight times as common and nine times as expensive as ransomware. Most worrying for defenders: BEC attacks, unlike ransomware, don’t typically rely on malware with detectable signatures, and in the age of SaaS emails, BEC attacks may not hit a server or an endpoint at all—requiring more comprehensive defense strategies.

  • Humans are a top risk vector.

In a significant increase from last year, 85% of all incidents involved a human element. Whether that’s falling victim to social engineering (the leading breach pattern, present in about one-third of breaches), privilege misuse, or the opaquely categorized “miscellaneous errors” and “everything else,” humans remain a leading vulnerability to organizations.

The results aren’t surprising because cybersecurity isn’t just a technology challenge, it’s also a human challenge. What does that mean for defenders? Important priorities for every organization should include maintaining, enhancing, and reimagining security awareness and training across the organization that includes modern-day learning techniques such as microlearning, automated phishing simulations, and account takeover monitoring.

  • Legacy vulnerabilities leave businesses exposed.

From the steady drumbeat of Patch Tuesdays to the explosive reveal of EternalBlue, the discovery and publication of new cybersecurity vulnerabilities soaks up all the attention. The 2021 DBIR demonstrates an important truth: vulnerabilities don’t do damage when they are revealed, but when they are exploited by attackers. And attackers aren’t picky. EternalBlue vulnerabilities are four years old, but they dominate the honeypot data, representing nearly 90% of total attacks. Attackers are more likely to exploit vulnerabilities from 2008 than from 2018.

These numbers are a stern rebuke to the defender industry. Organizations need to get their vulnerability management house in order: Prioritizing vulnerabilities exploited by attackers, patching those vulnerabilities diligently, and then verifying their patches. Otherwise, EternalBlue (discovered in 2017) will remain a leading a decade later.

  • Detection and response works.

The DBIR found that organizations are discovering breaches much faster. In the 2016 DBIR, the vast majority of attacks took months to identify. Today, the number of attacks taking months or more to discover has fallen to about 20%. On the other hand, only one-quarter were found in days or less in previous reports. Now more than 60% are located that quickly. It’s not a flash in the pan, either—these good numbers represent a continuous trend over the past half decade.

There’s credit to share for this positive development, but managed detection services have contributor-helped organizations catch attacks they might have missed on their own. Defenders who’ve invested in these solutions should take credit and take heart—and consider what other security areas might benefit from a managed approach.

There are countless valuable insights in this year’s DBIR, and the report continues to offer an important benchmark for cybersecurity professionals. This year’s report points to the growing significance of BECs and the overall human factor in the threat landscape. It validates the growing success of detection and response and reminds industry pros to focus on vulnerability management and patching and not just chasing the latest threat headlines. Focus on the quiet risks, from people to established vulnerabilities, the ones that cut to the core of the business and find a way to spread the load and enhance security posture this year, and every year.

Stay safe and stay smart, and happy defending.

Louis Evans, technical manager, Arctic Wolf

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.