An InfoSec baby’s first Verizon DBIR

As many seasoned security professionals around the globe last week dug into Verizon’s 2022 Data Breach Investigations Report (DBIR), I read it -- along with many other newer information security professionals -- for the very first time.

In 2008, Verizon and their Risk team analyzed more than 500 security incidents to exert data points and statistics surrounding the information security spectrum, our current understanding of the day-to-day, and who’s right and wrong about what – publishing the very first DBIR when I was 11-years-old. I was not quite like Dade Murphy at all, who wrote a computer virus that crashed 1,507 computer systems. As a sixth grader at the time, I just wanted to get back to my computer to play Team Fortress 2, having no idea yet what a breach even was.

Fast forward to May 2022. I now have some experience as a security analyst under my belt. This time around, the 2022 report analyzed 23,896 security incidents and of those, 5,212 were considered data breach events.

A lot has changed in the last 15 years, and I’m sure many of the cybersecurity folks (the ones I previously referred to as “seasoned”) appreciated the special flavor of nostalgia in the intro of this year’s DBIR. As a first time reader of the report, I wanted to share what struck me as particularly interesting and particularly concerning for other newer professionals in my shoes.   

A new generation gets a new generation of DBIR

Open cybersecurity positions have increased 350% from 2013 to 2021. It’s clear that re-training generations of sysadmins, network engineers and software engineers has not proven to fill the gap in skills needed to do security right. What inevitably helps fill this gap is the ever-passionate, ever-curious younger generations. Young professionals are entering the information security workforce, but I’m not sure we are being prepared well enough by academics.

These younger generations need proper training and exposure to break into the field. Whether it’s academic courses offered at a younger age, or a training program that gets us hands-on exposure in the field before applying to college, every little bit helps. It will help us reach a higher point of security posture than we have before.

Proper exposure of the field also gives younger generations a career path. Some 23% of younger participants in Kaspersky’s 2016 cybersecurity skills gap report survey indicated they knew somebody who engaged in illegal cyber-related activities. It’s clear that young people are finding their way in to the cyber-madness of this industry with or without the help of experienced professionals.

Some things change and some things stay the same

Verizon suggested much of the community believed insider threat actors are the leading cause of incidents in their original DBIR back in 2008. A stark difference between 2008 and today is the fact that threat actors targeted significantly different industries in attacks. The 2008 report found retail as the most targeted industry with 35% of investigated incidents, while 2022 suggests threat actors have grown confident, much like their defensive counterpart. The most targeted industries include finance, healthcare and public administration.

The word “ransomware” does not even get a mention in the 2008 report. Ransomware, much like hacktivism, has seen a stark rise since we first put our investigative hats on. However, ransomware at its core has not changed much at all. Verizon even indicates this in its 2022 report with a snippet from their 2013 report, which finally included data about ransomware:

“When targeting companies, typically SMBs, the criminals access victim networks via Microsoft’s remote desktop protocol (RDP) either via unpatched vulnerabilities or weak passwords. Once they’ve gained initial access they then proceed to alter the company’s backup so that they continue to run each night but no longer actually backup any data.”

With a particularly harsh tone, the writers suggest they could have saved some time just copying and pasting the same analysis around ransomware from their first mention of it, with the hope that maybe something will change in another nine years. What never changes about ransomware is its strength in ruining most IR plans. If companies have backups, that’s great. If they get encrypted along with everything else, not so much.

The 2022 report stresses to continue bolstering external-facing infrastructure, especially RDP and emails, to strengthen protection from ransomware. Perhaps a “hot take” from a young security professional today might be: What’s stopping organizations from getting rid of email for individuals who don’t “need” it in their day-to-day, or for the organization altogether? Many may see this idea as impractical, as most entities an organization would engage with would still expect email for the primary means of communication, because when has it not been?

We need to reform our foundation for how organizations should engage with each other. If security teams eliminate as many external entry points as possible, this will inevitably make an attack lifespan longer, making most attackers in it for a quick score to turn the other way.

DBIR “newbie” no more

Security pros spend a lot of time being proven wrong the next day about what they thought was right the whole time. In the scheme of things, it’s still such a new field – and ever-changing. Relax for one minute and get too comfortable and something or someone will come along and rip the rug out from under you. However, there’s one point the 2008 and 2022 reports still agree on: humans are the weakest aspect of our security posture. As expected! Young professionals are entering the security work force more than they ever have before, and it’s time we strutted in with a feeling of confidence.

Ryan Cribelar, vulnerability research engineer, Nucleus Security