Right of Boom
January 30, 2025

Verizon DBIR

In this video, industry experts discuss the latest findings from the Verizon Data Breach Investigation Report (DBIR) and its implications for cybersecurity practices. The conversation delves into the persistent challenges of credential-based attacks, the evolving landscape of ransomware, and the importance of implementing robust security controls like MFA. Viewers will gain insights into the necessity of understanding and mitigating risks, the role of frameworks like CIS Controls, and the impact of these reports in shaping effective security strategies for businesses of all sizes.

- The Verizon Data Breach Investigation Report (DBIR) is considered a gold standard in threat reports, widely used by various organizations including CIS for community defense models.
- The VERIS framework is an open standard that helps describe what an incident is, enabling standardized reporting and understanding of breaches and incidents across organizations.
- Despite advancements in cybersecurity tools, many organizations still fall victim to basic attacks due to a lack of implementation of fundamental security processes like MFA and proper governance.

Guests

Andrew Morgan

Video Transcript

Welcome, welcome to episode 146. We are live here and we've got people. Thanks Gary. We are live, um, with, I, I tell you one of my favorite people and guests and, and topics. This is, you know, big news for the cyber call. Um, we'll introduce our guest momentarily. A few quick announcements. Number one, because we are talking about the Verizon Data Breach Report, in, uh, the notes or in chat, I just put where you can go get it, um, and download it right there.

Um, and uh, the only other announcement I have is, um, in the, uh, green underneath the call to action. Welcome, welcome, everybody there. Good to see you, Bob, Ben and Eric. Um, there is, um, Beau Bullock, uh, from Black Hills. Um, very cool. We are gonna do a three session series with him. Um, and it's the new cloud edition of Backdoors and Breaches. So it's, uh, it's pretty, it's pretty neat that this is out.

So I highly encourage everybody to, uh, attend that and, and learn about the topic of cloud attacks and SaaS attacks, 'cause this is what he does for a living. So he'll show you and emulate exactly what the threat actors are doing. And obviously that leads right into today, uh, as I set the stage because, um, you know, it's been a few years since we've had Philip with us.

Um, and, uh, you know, this is arguably, the DBIR is arguably one of the, it, it, it, it is the gold standard in threat reports out there. Um, it's used by CIS in their Community Defense Model. It's, you know, what a lot of folks refer to often in terms of threat data.

And I, and I would say probably if you look at all the great threat research out there now, reports from, whether it's, you know, the CrowdStrikes, the Microsofts, et cetera, of the world, um, you know, Verizon pretty much set the standard, the bar for that. So, um, it's, uh, very cool to have, um, one of the principal authors for this, but I just wanna quote one thing from the article. Um, and, and this is, uh, pretty interesting, Gary.

I'm gonna kind of just make you comment on this before we introduce Phil. It says, while this, while the state of affairs is already unfortunate enough, it becomes worse still when we don't even require them, meaning the threat actors to evolve their tactics because the old ones still work just fine. And as we're gonna see today, and if as you download the report, and I think Wes goes into it, so I'm not gonna steal Wes' question.

I mean, granted, we need a lot more tools, you know, we're, I'm not suggesting to tool vendors to come out and shoot me, but Gary, the primary mechanisms of the top compromise, uh, you know, as we're gonna see here, it, it's really not needing a lot more tools. No, it's the basics. It's like, you know, Phyllis, you always say what percentage of these things are, if you're truly implementing IG1, right? You're getting such a big percentage. And so what that tells us is at all levels, right?

But certainly our community working with SMBs, MSPs, uh, still buying a lot of tools, doing a lot of things, but many times skipping over the blocking and tackling steps one through five. Yeah, yeah, yeah, yeah. Because It's process and discipline and it, it's governance, it's, it's less about the, you know, the tools. It's the hard part, right? Yeah, Yeah. Um, which is Having defined roles, people dedicated to it, accountability, and then factoring those things into what we charge. Yeah.

It, it really mirrors, you know, when I, when I talk about this, Gary, sales and security have such similarities because if you look at top MSPs, the two disciplines which are very challenging, right, is discipline in sales and discipline in process, you know, in all facets of the company, right? And, and great point Andrew, and I'll throw vCIO into it as well. It's like true vCIO is proactive. Mm-hmm.

Like all of these things that are proactive and are all process and discipline, they're all the same signs, right? Of, of, of mature business leaders and, and maturing your business process. And it's why MSPs, they struggle in security and they struggle in sales and marketing for the same exact reason. And like you said, usually the ones that're good at one are also good at the other. Yeah. Yeah. Yeah. Alright. Really great perspective, Andrew. Well, thanks Carol.

I'll send you, in Fact, I think I'll steal, call up my own. Yeah, there you go. Alright. So, um, Phil, thank you so much for joining us. Let's get on into this. If you could share a little bit about yourself, your background and the wonderful decor in your background there is awesome. As you can see. Yeah. It's, it's Hilton, uh, you know, unique, special Retro, right? Phil Hilton. The, uh, yeah, as mentioned, my name is Phil.

I'm the, uh, scientist for the DBIR and I've been doing it for about three years. So, and, uh, prior I actually worked with Phyllis on the, so I have a little bit of a bias towards, you know, the one, why you kind of see the CIS Controls being mentioned relatively frequently in the, uh, the report. But, you know, we have a little bit longer than just that, so. Yeah. Very, very cool. Alright, well Wes, um, let's get on into this. As I, I'd like to have as, as possible.

And I'll call out to the audience, please, you know, send in questions, comments, as you guys always do. I know you're always very lively. Uh, go recruit friends, family members, neighbors, uh, 'cause this is gonna be an awesome one. Tell your peers to come on and join us. Alright. So, uh, this is awesome. I'm super pumped for this conversation. So here's Phil where I wanna start, if I could. So I have a background in threat intel and, um, threat.

Intel's awesome because it's a way that you can share information, you know, the, the ideas that machine speed, so organizations can stay abreast of what's happening. One of the things that we've not seen in threat intel for quite some time, and we've talked about this in cyber call, is the absence of incident data, right? Like, it's great to see cyber threat intelligence around us, but like sometimes we really need to know what are the incidents that are happening?

And you look at the national level with, you know, CIRCIA being published and, um, going into law that's sort of standardizing how critical industry reports incidents, but we're missing a framework to share it. And I actually, so I was super involved in threat intel sharing with STIX and TAXII in my financial services days, and even served on the, uh, committee for STIX and TAXII. Um, but I remember missing, like, we're missing incident data. Like that's one of the key things that we need.

We don't have it. And I actually started writing it, and then lo and behold, I started asking around and, and I discovered that there's this thing that's already out there called VERIS and I had not seen it. I wanna publish this so you guys can see it in chat. VERIS is super cool because it's, it's giving us the ability to standardize on a taxonomy or a common language for, for incidents, which I would think is really important for Verizon. Right.

So can you just high level talk to us about the, the VERIS framework, why you guys developed it, how you use it, and, and just expand from there. Yeah, sure thing. So, you know, let's take a quick trip 13 years back, right? So we came out with the first DBIR and we used Verizon data as the majority, right?

So after doing that for a year or two, we started having some partners come in, they wanna share, well now we have data, you know, data sources and some people are calling things, people are calling email, some people are, right. Have all these different names for essentially our same thing coming in. So what we end up having to do, create a standard that helps describe what an incident is, and that's essentially how VERIS was formed, right?

And one of the reasons why we published it is because it's something that we, as, you know, DBIR authors, have created, but it goes beyond our use cases, right? I think it benefits everyone if there's a framework that we can leverage and that others can use. Because then that kind of feeds into, you know, our dataset and our understanding of, you know, breaches and incidents. So, and that's kind of the, the very long history. Ever since then we're evolving, right?

Every year we go through what we call VERIS wars, where we basically go through and identify what are all the enumerations that we don't use, don't make sense, you know, what are types of incidents that we can't cover based off of the current framework. And then we all, so what we've done is, you know, we've noticed there's a big gap discrepancy in terms of how we track, uh, like attacks on a, right.

So we're trying to see these cases where being bypassed or cell phones being compromised or, you know, request people suffer. We didn't have that language in VERIS. So what we've done is we've updated VERIS to include that. So every year we go through this process of adding enumerations and then we publish it on the GitHub. Okay. That, that makes sense.

Is there a day, just a follow up question on this one, is there a day, well, maybe two pieces, are there other organizations or federal government that's working alongside Verizon with VERIS? Like are there other participants to this as well? So it's, you know, it's, it's an open framework, you know, it's available on GitHub and we know other organizations are leveraging it. And then, you know, we do have a lot of our tooling that helps organizations leverage it, really kind of use it as well.

So we have these secondary in which folks can, can consume it or help their own needs. Okay. Got it. That, that makes sense. And so like, is there a future in state where like, just like threat intel sort of went from, we developed a taxonomy to share it, and then we have these repos, like, you know, a threat intel platform that can ingest and store it. I can search for it.

Is there a future state in which, like we have the ability to see incident data that's being shared and published by cyber insurance, by, you know, law enforcement by research org. Like, is that, is that something that could one day happen because we lack that? And I think it'd be something that'd be really, really valuable? Uh, yes, I would like that to, right?

But it's, there's a lot of, um, kind of, you know, privacy concerns and people don't really like to, you know, air dirty laundry to partners. So the way that we mitigated that, we work with 80 plus different partners' data. So what we tell them is we don't want customers' information. We don't wanna, we, is it a small business? What industry are they in, um, the general size. Then we can do these kind of aggregate use of, you know, and such.

So that we found has been very effective because at the end, when we're talking about these, you know, large scale types of analysis, we're really just looking for aggregation. We're looking for trends. We don't wanna point out to a specific victim. We don't wanna, we're not looking at that level of detail. We're looking for the big picture stuff. And I think there's more comfort and shared aggregated data than specific ones. Okay. Yeah.

And the reason I'm just for the audience, the reason I'm asking these questions is, I mean, imagine a day in which you can sit down with clients and you can help them understand we're not just talking about like generic study data where, you know, one company says a breach costs this much, and another says it costs this much.

We're actually pulling this out, and we could even filter really quickly for organizations of certain sizes or industries, and we can really kind of bring it back to the client to say like, I'm not making this up. This is actual real data that shows from a maturity perspective, this is what it takes to do things, right? This is why it's important. So I, I love it. And as soon as I saw VERIS, I just, I, I really jumped into that and I'm like, this is really, really awesome.

And I don't, I don't see enough of us talking about it. So really big fan of it. We, Wes, I mean, you, you're onto something here. It's like, this is the number one issue is that it is so hard for leaders of SMBs to associate the cost of risk. 'cause if they did, we wouldn't have the issues. Like I always say, they wouldn't care whether they spend 5,000 with author us or 6,000, but they don't see it and they aren't able to do it.

And so, you know, we've talked about frameworks, but what you're talking about right now is another way of having data to be able to show them in, in a, in a concise, clear way, right? Yeah. How, how to do that. Absolutely. And when you go look through what VERIS is doing, it, it has so many, like, you know, Phil, you're right. Like, no one wants to know the actual indus-, like the actual business that was hit. I don't care about that.

But man, it's so much value in knowing a threat actor, the damages, the points of entry, the systems attacked, the, the, the, the dwell time of the attacker, tying that back into like attack data, which I'm gonna ask my next que Yeah.

It's like that's crazy valuable that we can use in a lot of great conversations that while that's all technical data, we can distill that down to a client to say, Hey, industry is your size industries in, you know, they're just like you when they go through a a, a breach an incident. Look at what this costs, look at the impact, look at the outage time, Andrew.

Yeah, no, I was gonna say that you kind of led where I was gonna go, Wes, is that again, 'cause business owners don't understand the technical, they don't understand what it really means until we put it in their terms. So it's like, you know, oh, it costs this much, but if we can actually then, hey, you know, this is healthcare.

So EMR was down for this period of time, this was the quality or lack thereof, this was the implications to the patients or, or whatever vertical we may be talking about. Then it starts to resonate, I think, with people, you know? Yep. And it, and it also helps with confirmation bias, right? Because a lot of times I read threat reports and I think Verizon's one of the very few that that is, does not have this issue as much.

But a lot of times these threat reports from different vendors have confirmation bias that just happens to be what they see and what they know. Well, what about everything else that they don't, you know? And so it's like the unknown unknowns or whatever to steal from Rumsfeld. So, so yeah, I, that's why I'm a huge fan of like this where the direction of this is going.

So Phil, another question for you is, we've, we've talked a lot on cyber call around things like MITRE ATT&CK, which we just mentioned, the Center for Threat-Informed Defense. But can you tell us a little bit more how VERIS is tied into kind of that, those ecosystems of research and production as well? Yeah, absolutely. So, you know, the tie-in to VERIS and ATT&CK actually goes back to my days at CIS, which I think I was facing a similar issue as a lot of people, right?

There's a lot of these reports, there's a lot of these standards. And I just wanted to be able to say, you know, Phyllis, Tony or Kurt are doing a presentation, say the healthcare, right? I wanna be able to go and plug and pull out all the reports they're saying in terms of different threats, incidents. And what we kind of quickly realized there wasn't really a standard language, right?

And VERIS, ATT&CK was coming together, you know, MITRE's work over those, you know, kind of early years. So slowly we've kind of evolved to the, you know, language of the technical, technical actions attackers take. However, it's difficult to talk to business folks in terms of ATT&CK, right? It's not necessarily an easy translation. And VERIS has the benefit of being a little more clean English, right? We understand things are, you know, it's malware, ransomware, this is a brute force, right?

It's very simple language. So what we've done is we've worked with the Center for Threat-Informed Defense to create a VERIS and ATT&CK mapping, right? So we can do this translation from the tactical, technical descriptions to the more business friendly language of VERIS, and then vice versa. So the idea is you can go and tailor your, your messaging based on your audience, right? The SOC analyst, the forensic folks, with forensics folks doing, um, red team, they live in ATT&CK, right?

So that's the language that makes sense for them. That doesn't make sense for folks doing risk management, right? It's, it's a further level of abstraction, but we need to be able to pull from the same data source. So having a mapping allows that for organizations to go and translate their language from one format to another. Awesome. Awesome. Um, a-, again, and I love how you said, like it li-, that they, they live in ATT&CK, right?

And, and risk management is saying, well, what should we do about it? Right? Therefore, what does this mean for us? Where should we apply our def defenses and our, our attention and time? Andrew? Yeah. I was just gonna, so to synthesize Phil, in case everybody didn't hear exactly everything, if I could just sum, summarize, and correct me if I'm wrong, it's like, hey, if I'm doing adversarial emulation based on what we see here, what happened in the past, maybe we can inform, right?

This is what would happen to risks in the future. These are the deltas, these are the, these are the gaps we are seeing in our defenses. This is why hypothetically, and Ryan Weeks did a great job on this, is like when Log4j hit, he went through and did all these adversarial emulations when he was CISO at Datto and said, Hey, look, we're good, but I don't like this gap, this gap and this gap. I need this type of investment to shore these things up.

Is that high level what you're pretty much saying there, Phil? Yeah, absolutely. Right. We have to tie between the things we're assessing from red team or configuration elements to large trends, right? To what's happening at a strategic level. Um, and the more we can connect these dots, the more we can prioritize our controls based on what's happening. So next question for you is, I want to jump back to Andrew's opening quote, you know, just around, we're not forcing bad guys to innovate.

We're, we're letting them continue to operate off, you know, the old, the old wheel, the old horse-drawn, uh, carriage versus, you know, pushing to an automobile, right? In some senses, I actually think that's good for us with, with good cyber mature hygiene and posture because we can leverage that. But what's scary is if we're not forcing an arms race, it's because the vast majority of us have not done what we need, right?

And so we've seen in the report you guys talk about credentials are, is much or more important than ever before. 74% of breaches include the human. It's like, this is not novel new stuff. What's, what's Verizon's take on all of this, like, is, is this just, it is what it is? Do you see this coming to a change? Is are, are we just waiting for some big cataclysmic event because of this? Like, expand on this for us if you would. Yeah, I don't think that's gonna change dramatically, right?

And it's something that, you know, is within every DBIR, right? And the reason why we don't necessarily always draw attention to it is because it's a boring story, right? We talk about you ation bias and like when we wanna report, we wanna report on novel things because that's what gets attention, right? We wanna talk about these weird esoteric attacks that happen once. Um, but at the end of the day, right, it's these normal known types of attacks that continue to claim victims, right?

The, the question being the scale of it, right? How many organizations or the type of organization, you know, we look back at the first time that we talked about ransomware, which is like 2008, nine, around then, you know, they talk about how attackers got access through brute-forced servers or malware that was not repudiated, right? That's the same thing we're seeing today, I guess because it still works. Can, can I say something, Wes, please?

It's like, I hate to say it, but it's like the accident on the road, like Gary, like when we have something happen in our industry, whatever tool, whatever, like, and we have a cyber call on it, like there's that, you know, accident of the day. Our numbers like skyrocket like off the charts if there's some kind of controversy, et cetera.

Meanwhile, as of Friday, Fortinet in this latest remote code execution as an example, still has 330,000 devices showing that you can go scan right now via Shodan, that are completely open and, and to Phil's point, it's just like, that's yesterday's news. What's that? That's yesterday's news. Exactly. Literally, it's yesterday's news, right? Yeah. We moved on, right?

It almost made me also think about, I remember, um, uh, years ago, um, my parents' house was broken into like really traumatic thing when you walk in your house, right? And knowing that people were there and then after that they lived there for 60 years, right? Then after that they started getting alarm stuff and putting things in. I'm like, hmm, lightning might not strike twice y you know?

But I think that's kind of this mentality like you're alluding to of make, you know, Wes, what you were saying about making things real and, and Andrew, you're getting the other side of the psychology, which is something happens, right? But then we get back to our, you know, normal lives and we let our customers get back. Like we don't keep them in, in, in the journey. It's not a journey, it's an incident rather than a journey. Like we see, like, come on Gary.

Now that you're also a Florida resident, you see it here every single year, right? I'm not, you know, no, the hurricane won't hit me. I'm not gonna leave. Right. And the majority of the time, you're right. It, the hurricane doesn't, except when it does. Okay. And you were in Fort Myers last year, right? Right. And your place got absolutely wrecked and you're like, oh, I sh maybe I should have had flood insurance, Right? Yep. It's like that old quote.

I always say, no one, your clients don't care about cybersecurity until they care. You know, like, uh, yeah. Not a, I always say, yeah, cybersecurity is not an issue until it is. Yep. That's right. Um, alright, Phil, last question for you before, um, for Gary is, I, I don't wanna say we're seeing a, um, an evolution in which ransomware is, is dying. I know we saw a bit of an ebb in the amount of ransomware over the past, you know, few past quarter.

It's picking up again, all the carriers are, it's cyber insurance carriers are saying it's picking up again. But are we seeing a shift to where like, ransomware doesn't always have to be the number one actions on objective. Like, are we starting to see a shift away to like a ransomware-less type of, um, uh, set of damages for SMBs that they should care about from the eCrime actors?

Yeah, so ransomware is one of these, you know, super interesting areas that, you know, I, I've read the section of ransomware since I've started working there because I find it interesting, right? You have this way of reliably monetizing the access to an environment that you have, right? And it's reliable, right? It may not be worked every time, but it's easy to scale, right? There's, you know, consistent, it's a lot of news, right?

Because you have your site post, call up the c, add whatever pressure you want, right? To really kind of twist the arm. So it's essentially really kind of created this much larger market that didn't exist before. Uh, before, if you were one of these dedicated pen testing or bad guys, you'd have to find a target that had data value to you, right? You had to look for the target and the Home Depot.

We'd have to go penetrate deep into a network, put out your credit card scanning malware, and then sit back and collect. That's a lot of work. That's a lot of skills. Ransomware, you can purchase credentials, purchase access, you get in the environment, you do what you need to do, which might take an afternoon or a couple days, you deploy your ransomware, you're not even negotiating, right?

Someone else is doing that, you know, because you're so, you're just letting go and then you're gonna sit back, you're gonna collect that 70%. So it allows you to be much more specialized and then also allows you to target a larger range of victims. You don't have to search for the ones that have payment card data. You can it anyone who can show up on your list, right? And, you know, is a little scary though, right? Because people used to say, well, I'm not Target, why would they go after me?

I'm not Home Depot. But now it's, well, you have data value and that you would be willing to pay for And no security. Virtually no Security, yeah. Against our basic, you know, uh, tactics, our core tactics that are inexpensive. Yeah, absolutely. And if, you know, if they, they find that you're too hard of a target, guess what? They have a list of hundred, right? How much are they really gonna be willing to spend when you have this extremely target rich environment? Love it.

Um, good stuff, Gary. So, uh, Phil, by the way, this is great. Thank you so much, uh, for spending the time and hopefully everyone's gonna read the report and the, the information is our I is our greatest, you know, asset with our customers. So I wanna talk about motives.

Um, I, I saw like 94% of the motives are financial related, but I want, maybe you can comment on who, 'cause we always think when we see that we assume always threat actors, but you know, there's internal as well as external actors. So can you talk a little bit about that in, because we don't really say too much. Yeah. So the internal kind of breaks down into two major groups, right? You have the accidental, right?

The user that either exposed database directly to the internet or sent a spreadsheet to the wrong person that had a bunch of PII in it, right? So that makes up, you know, the majority of our internal actors, right? Folks that are well intended accidentally cause a breach. The other part is the folks that are intentionally malicious and use their access for nefarious purposes, right?

So I think the stereotypical example is, uh, someone working in a hospital looking up a famous patient in a database, right? Or a police officer looking up X in, you know, the criminal justice system. They're using access, they have generally for ill purposes, right? So we call that privilege abuse. And that makes up the majority of kind of, you know, these misuse cases are people that are just reusing their legitimate access for nefarious.

And it's much harder to track because it requires an understanding as to what is the user's business needs, right? What do they actually need to get access to, to do their job? And that's where it gets a little more complicated because we can't just throw in a, you know, technical security control, uh, without having a discussion with the business and say, well, what does this person really need? One is considered, you know, illegitimate versus legitimate use. Yeah.

And I, and I, and I think that people don't, when they think about security, they don't think about it in that way, right? Uh, especially like in the SMB where, you know, maybe the MSPs and the SMBs are a little more immature about, you know, but it's a, it's a major concern. Major concern. Yeah. The, the way we look at it's, you know, it's like 9% of our breaches are caused by errors. Do you dedicate 9% of your security budget to errors? Um, yeah.

And especially if you work with, you know, PII or any type of sensitive information, that's, that's where we see it, right? Because people are handling it through accidentally. Gary, um, can I ask Phil a quick thing? But Phil just kind of like pointing out, you know, CIS Control 5 and account management and the rate, the recent, like really looking at having a, again, a process like what do people really need, right? And are we provisioning correctly, deprovisioning correctly?

And, and again, if we could wave a wand and security budget was completely in a la uh, inelastic, right? Like you had no, no worries in the world, this sets up, you know, concepts like zero trust, where you would literally just kind of lock down somebody to go, this is all you can do, this is all you need.

But is that kind of a, a, the mindset behind, again, a, a control that I would argue most companies in the, at least in the SMB play, uh, you know, are, are probably not that great at, is, is that kind of what that means? Yeah, absolutely. No, and there's also like, you know, so that will help with the error part, right? You're not accidentally accessing data you be, but also compromised. You don't have access to that sensitive information, right?

That added that, that it can also protect against, you know, the intentional external actors. So, you know, it's that extra, extra layer of depth that makes it, you know, more steps for actors to get through between initial access to getting the actual, you know, uh, crown jewels. And Wes, this is why we're seeing cyber insurance really push privileged access management solutions in their questionnaires more and more. Is that a fair statement? Yeah. I'll pay you later for mentioning that, of course.

But no, I mean, but it's a thousand percent. It is a thousand percent. It is, it has to be solved for, because your employees are like water. If they're gonna go the path of least resistance, uh, they have no desire to want to, you know, control their, their identity correctly. This age of cloud and sprawl and SSO and SAML and all this stuff where like credentials are just everywhere. Um, yeah, that's, it's a big deal and it's a big deal in the CIS Controls around Controls 4, 5, and 6.

So, um, yeah, the carriers are a few years behind this, but, but absolutely they're now starting to mandate identity management as part of a, a solve stack. Yep. And there's the two obstacles, like when you're, when MSPs, when you're dealing, well, when you're dealing with business leaders, whether it's an MSP or whether it's internal, it, you know, money is one obstacle attaching a value. So the, you have the budget, but just as big, right? Is change and inconvenience. That's the pushback.

Even as simple things like MFA, right? They're pushing back on things where they can't do their job and, you know, everyone hasn't gotten to the point yet of prioritizing security over efficiency, and sometimes you need to. Yeah. Um, the next question I had, I was looking, uh, at the top actions, right? Threat actors are using and, uh, stolen creds, other than ransomware and phishing. Can you, can you double click on other, other? Yeah.

So when we do these types of charts, right, we say we want the top X, say the top 10, and what it does is it pulls out the top 10 and then grabs everything else and squishes it into "other." So when you see "other" showing up, we call that a long-tail distribution, right? Where you have a lot of things up front and then you just have a whole laundry list of things. So that's a little scary, right?

We'd rather have four things than... But when you start looking at what those other things really represent, it's not the initial access, right? It's, you know, some actor decided cryptocurrencies are still worth mining, right? So we still see miners showing up in our data set, or we still see these ones... That's Wes, by the way. Gotta get that dictator coin, baby. Yeah.

So we're still seeing these small types of attacks that don't really show up often, but they're just there. They aggregate, though. Exactly. Yeah. So it's a lot of those privilege misuse cases, these one-time-use malware. Sometimes we get forensic cases that are very detailed, so we know all the different steps, all the different malware types and types of actions. So that also will go and kind of add those up into that other category.

But I think the biggest part is that we still have so much congregated in the top actions. And the same thing with the patterns, right? The top three patterns account for, normally, 70 to 80% of the breaches for most industries. Yeah. So there's a lot of congregation towards those most common ones.

And the other ones, you know, maybe actors are experimenting with techniques, and maybe it catches on, maybe it doesn't, but it still shows up in the data set when we have access to it. Awesome. I want to talk for a little bit about DDoS.

So we don't see a lot of this in the SMB space, but in the enterprise, for a bunch of reasons, speaking with a number of CISOs, I get the feeling people think that this tactic will become more widely used, and I want to get your opinion on that. Yeah. It's always one of these interesting topics. So we have a fair amount of DDoS data. It's like 45% of our incidents is DDoS, right? So it's numerous, right? And one part of that is because it's cheap to run, right?

You can get access to a stresser or booter or whatever, however they advertise themselves these days, put in your credit card, and then you go take down the site and go on Twitter and talk to all your hacker buddies: "Z tango down," you know, "KillNet's after you," or blah, blah, blah, right? So part of it is performative, right? A lot of these hacktivist groups use it as a very public way of demonstrating capabilities. There's a business part of it, right?

Where we noticed the gaming sector was one of the most targeted sectors for DDoS. It actually ended up being one way to get more business: knock your competitor's site down, right? DDoS their site, make it inaccessible, and then business will come to you. So you have to start thinking about what is my business, how much do I really rely on the internet, how much would it impact the bottom line if my site was inaccessible.

And the good news is there's a lot of different partners out there and organizations and ways to mitigate DDoS. So you're not necessarily left on your own, right? There's a lot of people that you work with day to day, you know, such as your ISPs and stuff, that play a role in mitigating each step of these DDoS-type attacks. Yep. So it's kind of like, Wes, that's doing a BIA, knowing which of your clients, right, would have an impact. Yep. Right.

I had one more question, but it's twenty of. Well, we can maybe circle back, but I want to make sure that Phyllis has time. So I'm gonna send it over to you, Phyllis. Great. Thanks. And it's always great to see Phil; he's done a great job with the Verizon Data Breach Report. Someone said that they like to look at the pictures. We do too, over at CIS, and see what kind of new funky graphs Verizon has come up with every year. What's your favorite, Phil?

Is it the spaghetti plot? Like, what's your... So I do like the spaghetti plot. I think it's the easiest to communicate, but the thing is, it ends up rendering every single line in the PDF. So you end up with these gig-size PDFs, which isn't possible. But yeah, I do like the line charts. It would've been great back in the college days, or back in the... not that I would ever experiment with anything like that, Gary, but maybe in the sixties, to look at one of those, huh? Yeah, exactly.

So anyway, thanks again for being here, Phil. Let's kind of pivot a little bit to data exfil. So can you tell us what kinds of data you all saw being exfiltrated from enterprises, and did you notice anything? What can you tell us about that? Yeah, so in terms of the data, when we're looking at ransomware, which is one of the biggest trends out there, right? Still, it's like 24, 25% of the data.

It's business data, right? It's customer data. It's information that is of value to the business, and they're just taking that. They know it's gonna have an impact on the organization, right? So they're really targeting things of value to the victim, not necessarily things that are of value to them.

Because previously, as I said, we saw this exfil of payment card data. We still see it, but it's really a percentage of what it used to be in, like, 2016 and 2017. And when we do see it, it's a lot of the e-commerce sites getting compromised with a card-skimming type JavaScript file that's going to go and send the credit card data to the attacker as well as to the normal gateway.

That ends up being kind of the way they steal credit cards nowadays versus, you know, scraping it from the card reader's memory. So we see a lot of organizational data and of course, attached to all of that, personal data, especially taking into consideration the type of data you have access to in your inbox, seeing that a lot of organizations have compromised credentials. The first thing they're gonna do is test your credential against your web client for your email.

And then from there they're gonna pull down emails, and they're gonna do what they wanna do with them afterwards, depending on what attack it is. So thanks. I think, again, that drives home the point of really having that discussion with your customer: what data is valuable to your organization? We often point to PII as sensitive data, right? But we still need to be cognizant of what that high-value data is; it could be different for different organizations.

It's easy to point out healthcare, like you said, credit card data, all those kind of standard types of high-value data. But really having, as Gary said earlier, that BIA discussion, know your environment, let's drive it home again. And Phyllis, for the SMBs that tell the MSPs out here, "I don't really have anything a threat actor wants," then you can say, how about your bank statement? Right?

Because, right, these days with BEC, they don't need it. Okay, so let's say you don't have any data. Okay, I agree with you. You have no data that's important. Do you have anything in your bank? Right? Right. And, you know, Phil brings up a point about the email, and you just brought up BEC. A lot of organizations don't look at email, per se, as a place where they store sensitive data.

But you really need to think about what is an important record. Yeah. "I have no sensitive data." No meaning and no hope. I don't mean to... seriously. Where's your buzzer? And, Phil, just curious, it's not just email, though. I mean, we're seeing things like Slack and Discord and Teams, these tools that people use too. Is that fair as well? Oh yeah, totally.

I mean, wherever organizations are conducting business, attackers are gonna go to it, right? That's just kind of common sense. And I think it was, wasn't it Lapsus$, I could be wrong, that used Slack, right, as a mechanism to compromise massive, like, big enterprises. Yeah.

And it's just using, working in these known tactics, you know, the one which was stolen credentials to get access to Slack, then they contacted the IT help desk to help them re-register their system into the VPN, social engineering via social media, or, you know, whatever. MSN Messenger, right? It was Slack yesterday; it would've been Skype, you know, right, 10 years ago. Right, right. Absolutely right.

So another thing of note was that phishing dropped from number one, with pretexting as the most prominent tactic for social engineering. So can you tell us what pretexting really is, and why did it become more prevalent than phishing?

So this is actually what Andrew was talking about earlier. Pretexting really is the business email compromise type of attack, where they use some existing email chain or communication to then ask for, like, an update to bank account or payroll information. And it's highly effective. That's why we see it rising dramatically. And it was one of those findings where, you know, we've always talked about BEC, and it's always been kind of creeping along. Mm-hmm.

But then we did the analysis and we just saw this giant spike, right? And especially in the incident data, we're not looking at the 4,000, we're looking at the 16,000 incidents, right? The percentage increase in that is dramatic. So we go through, like, okay, is it one partner that's contributing to it, a new partner that's specialized? We removed it, then we looked across insurance, and it's the same thing, right?

So insurers are reporting an increase, the FBI's reporting an increase; there's a genuine increase. It's because it's effective, and the requirements for it are pretty low, right? Do you think there's, like, anything that changed? Like it's easier, better technology on the adversary side? What do you think drives that?

You know, they're chasing the trend, and also maybe it's part of more of a transition toward a distributed workforce, and that maybe there's less face to face and things are just process-based, digital. Maybe that's part of it. The other part is there's access to credentials, and it's just that way of monetizing credentials, right?

I go log into the user's inbox, I take all the emails, I search for "invoice," I find one, spin up a domain that looks alike, and I say, "Hey, about this last update, do you mind updating it?" And that kind of takes off. So it's not really a large investment that you have to make. The hardest part is probably getting the money out, right? The money mules and everything. That's a whole different can of worms. Okay.

So web application attacks made one of the top attacks again this year, not surprisingly. And as we talked about earlier, a lot of it is really about just compromising credentials. Of course, it seems, again, one of the, I guess, more-used ways of getting into or compromising a network, more so than vulnerability exploitation, brute force, et cetera. And now today we know the majority of apps and our infrastructure is moving towards SaaS and the cloud.

So what recommendations would you give to MSPs to discuss with their clients how to help mitigate against these top types of compromises, and maybe mapping them back to CIS Controls? Yeah, absolutely. The way I look at it, advocating it: we have to start thinking of the lack of MFA as being as severe as the lack of a patched system with severe vulnerabilities, right?

I think that's the way we have to drive it home: we've gotten good at communicating vulnerabilities in technology. This has to be considered in the same way, right? This is part of the requirements for a new platform. This is a non-negotiable high finding to not have, right? Because it's still so easy to brute force accounts, to do credential stuffing. I mean, you see even advanced countries do that, right?

With the groups they set up, they just go look if a single user has "Password1" or "Summer2023," right? And they're doing it because it works, right? It doesn't cost them much, and they can just keep spamming. So, you know, with a vulnerability there's a lot of conditions for a vulnerability to be cleared, right? You have to find the system, hope no analyst found it before you, you have to weaponize the exploit, you have to set up a server, right?

There's a lot of steps towards exploiting a vulnerability. Credential stuffing is just one server. You can buy a compromised one for $10, run OpenBullet, just let it rip, right? And then if it doesn't work out, well, you're just out $10; set up a new system and it gets you going. So I think we put a lot of onus on the cloud platforms to say, oh, they must be blocking it. They must be taking preventative measures.

Do you really want to run off hope that they're doing a good enough job? Or do you wanna make sure that you have protections in place to protect your users? I'm curious, like, for MSPs, do you make MFA a minimum requirement when you onboard customers? Are we at that point where that's it? It shouldn't be just password policy. I mean, it's password policy, but it's also "must have MFA," right? I'm just kind of curious if MSPs are at that point.

Because, you know, the cybersecurity insurers are also doing that. We did a survey, didn't we, at one point, Andrew? Yeah. About how many people demand it. A hundred percent. And I think we were surprised. Yeah, I forget the exact amount, but, you know, again, whether it's SaaS Alerts, that has a pretty good view with over a million endpoints now, or CISA with their view through enterprise cloud, we still know it's only in the low thirties. Mm-hmm.

Which is frightening, right? Right. So the reason why this attack pops up to number one and surpasses vulnerability exploitation is because it's successful. So I'm curious, how many times do we have to beat that drum? How far along are we at making that a minimum requirement? A million times. Yeah. Okay. I think we're only up to about a couple hundred. We've got a ways to go.

And Phyllis, I just wanna point something out that Phil said, as he was describing, he's like, or someone using "Summer2023." Yeah. You know, Beau Bullock talks about this all the time, or John Strand or any of the folks that are doing pen testing, James Carroll, right? They don't have a network they've popped that still doesn't have it.

And Beau, when he looks at describing the other side for helping MSPs from a defensive standpoint, again, I'll ask MSPs, are you putting in specific O365 policies, settings to not allow seasons, sports? Right. And Phil, again, as Gary points out, it's process. And this is the thing, Gary, it's, man, this is not the thing that we can just use a tool for. Fair. Yeah. And you can't do it without dedicated roles and process.

I'll say it every week that we get on here. There's too many people that don't have dedicated roles and process built into their model to do these things. And until they do, they'll only have good intentions. Yeah. Cool. Phyllis, back to you. Yeah. So last but not least, our last question. You know, you've been over at Verizon for three years now. Controls have been mentioned in the Verizon Data Breach Report for the past three years, you know, thank you. Coincidence?

I dunno. But let's talk a little bit about the partnership. Why Controls, and how can MSPs use the report to help them with their clients and really tell that story? Like you said, that's the most important question today. Yeah. I mean, I can't take full credit, right? It was an existing relationship that I think started a few years before the Controls were even at CIS.

So we're looking at almost, not a ten-year, but a seven- or eight-year relationship. But really, at the end of the day, we're researchers, right? We sit in our ivory towers looking down upon the working folks, right? We don't necessarily have the full understanding of the day-to-day battles. We just look at the data. We work with other researchers who really like cool novel stuff, novel controls.

So if we make recommendations, we have our intrinsic biases, right? So to be able to point to something like the CIS Controls that's community-built, supported by great folks like everyone here on this call, it's an easier deal, right? You can say, we don't know everything. We're sitting in our tower looking at data. But these smart folks, they know something about security controls.

Let's leverage the work that they've done. So what we've done is we've mapped our patterns and our actions to the specific safeguards and controls. And then in this report, we actually go and identify what are the controls that are associated with these patterns. So if you're looking at social engineering, what are the controls that you should consider, right? What should we be looking at?

And then that additional context, so you can talk to the more technical folks, or you can talk to the folks that are actually doing the controls. So I think it's a natural relationship, because we don't have the expertise the community does. And we've tried it for years; we do good enough. But I think being able to tie into the framework is super useful, because someone says, "Hey, you guys really like the Controls.

I'm the NIST, you know, shop, what can I do?" I'm like, well, there's another mapping for that. Yeah, right. You don't have to know everything. You're buying into a whole ecosystem of tooling and mappings. It's the same reason you're buying into an ecosystem: it's a standardized place you can go and pull additional resources. Right. Thanks.

I do wanna say one thing, also, another finding in the VDBIR, just for MSPs and small and medium businesses. They're like, we didn't even pull out a section separating these attacks as only for SMBs or SMEs, because the delta between attacks that large enterprises are facing and SMBs is smaller and smaller.

So the report only talks about mitigations for SMBs and SMEs, because of the resource constraints, but the attacks everyone is facing are all the same. Yeah. And so, you know, that "oh, it's not gonna affect me, no one cares about me, I'm not a large enterprise," you really can't say that anymore. The data's pointing to: we're all facing the same attacks. So I think that's a huge takeaway for this community from the Verizon Data Breach Report.

Phyllis, I'm really glad you mentioned that. So again, it's in the latter portion of the report. Mm-hmm. But what Phyllis just said is absolutely awesome and critical as kind of, like, thought leadership.

You know, Gary, when you're selling, like, because, I think a lot of it, Phil, just to clarify, percentage-wise, the systems we're using, because so much has moved to SaaS, the delta between what an enterprise uses from an infrastructure and SaaS perspective to what SMBs use, the gap's narrowed so much now. There's no need to have a report that says one versus the other. Yeah. Yeah. Phil, this was really, really good.

And I hope that everyone listening, and they're gonna share it with their colleagues, is gonna spend some time. Everyone on your team should be reviewing this. You should then be having takeaways that come from this, and then from that, distilling down the messaging to your customers. All three of those steps need to happen.

And the last thing I want to say is, you know, Andrew, somebody mentioned we're seeing the cumulative effect of this community you've built, Andrew, and how it's moving the needle about people looking at things differently. And I see it in my peer members: those that get involved with this community, they have a different perspective and a different culture in their business.

So things like this, and calls like today where we get people like Phil and can have a tool like this report. Awesome. Yeah. Thanks, Gary. Yeah, Phil, thank you for making it what it was today. And thank you to all of you out there for joining us, and I hope you continue to spread the word. We're trying to do our best here to help everybody.

So Phil, again, grateful for you to take a few minutes outta your day, being on vacation, and hope you and your wife enjoy the rest of your time there in New England. Nice. My pleasure. Thank you so much for having me. Thanks. Great seeing you. Thank you. Bye. Thanks, everybody. Take care.
