I just got done skimming the 2015 DBIR, and here are a few things that pulled my attention.

• 70 organizations contributed
• 61 countries represented
• ~ 80,000 security incidents
• ~ 2,100 confirmed breaches
• External threat actors remained the bulk the problem
• Memory scraping has grown significantly as an attack vector
• 60% of the time attackers are able to compromise an org in minutes
• Early indicators are that threat intelligence needs much more sharing and use of multiple feeds to be of use
• Sharing speed needs to catch up to attack speed (threat intelligence)
• 23% of recipients open phishing emails, and 11% click on attachments
• 50% respond to phishing campaigns within an hour
• Awareness and training are the best ways to fight phishing
• 99.9% of exploited vulnerabilities were from over a year after the CVE was published
• ~ 50% of CVEs exploited in 2014 went from publish to exploit in less than a month
• A CVE being added to MetaSploit is the best predictor of exploit
• Mobile devices are not a preferred vector in data breaches
• 96% of mobile malware was targeted at Android
• More than 5 billion remotely exploitable Android apps out there
• 70-90% of malware samples are unique to an organization
• We may need to be doing the ISAC thing as a matter of course, rather than as a supplement. Industry-wide standards may not be effective
• Average cost per record was $0.58c, but Verizon built a better model for estimating loss
• Larger breaches tend to be multi-step, with another breach enabling the attack on the POS
• The Chip and PIN regulations go into effect in October 2015. Realize that weak implementations (just like any security system) are still vulnerable to attack
• Malware used to launch DoS attacks rose dramatically in significance
• Command and control remains a massive industry
• Organized Crime became the most commonly seen threat actor for Web Application Attacks
• Most web attacks followed this flow: phish -> get credentials -> abuse web application -> steal money
• 55% of insider threat was insiders abusing access they already had
• 60% of incidents were attributed to errors made by sysadmins, resulting in breaches and losses of records
• You should be logging DNS and web proxy requests, and investing in solutions that help you ingest and analyze this data

Analysis

I particularly love the piece about DNS monitoring. It’s one of the first things I ask about when having a malware/threat conversation.

The 23/11% numbers for phishing opening/clicking is still quite high. Training must be constant on this, with repercussions for doing the wrong thing.

And the whole piece about the 99.9% of exploited vulnerabilities coming from issues over a year old, well…that’s just embarrassing. I’ve been saying for a while now that we don’t have an issue with finding vulnerabilities, we have an issue with remediating them.

On all counts, this continues to be a great report that I recommend every security person makes a permanent part of their yearly reading.

[ The 2015 DBIR Report ]