Verizon 2018 DBIR: Phishing, Stolen Passwords, and Other Cheap Tricks

Like the rest of the IT security world last week, I had to stop everything I was doing to delve into the latest Verizon Data Breach Investigations Report. I spent some quality time with the 2018 DBIR (after drinking a few espresso), and I can sum it all up in one short paragraph.

Last year, companies faced financially driven hackers and insiders, who use malware, stolen credentials, or phishing as attack vectors. They get in quickly and then remove payment card information, PII, and other sensitive data. It often takes IT staff months to even discover there’s been a breach.

I just played a trick on you.

The above paragraph was taken word for word from my analysis of the 2016 DBIR. Depressingly, this same analysis applies to the 2018 DBIR and has been pretty spot on for the law few years of Verizon reports.

Swiss Cheese

The point is that hackers have found a very comfortable gig that’s hard to defend against.  According to this year’s DBIR, stolen credential and phishing take up the first and third slots in the report table of top 20 actions in breaches. (RAM scrapers, by the way, are in the 2^nd position and used heavily in POS attacks.)

How big a problem are stolen credentials, user names and passwords, which were previously hacked from other sites?

In a post late last year, Brian Krebs explored the dark market in hot passwords. A hacker can buy a vanilla user name and password combination for around $15. But the price goes up for active accounts of military personnel to $60, and tops out to $150 for active credentials from an online electronics retailers.

Let’s face it, credential are relatively inexpensive, and, as it turns out, they are also plentiful. A study by Google puts the number of credentials available on the black market at almost two billion.

Obviously, this is very bad news. Until we have wider use of multi-factor authentication, hackers can get around perimeter defenses to harvest even more credentials and other personal data and then sell them back to the blackmarket. In other words, there’s an entire dark economy at work to make it all happen.

And if hacker don’t have the cash to buy credentials in bulk, they can use phishing techniques to get through the digital door. There is a small ray of hope about phishing: the DBIR says that 80% of employee never click. Of course, the bad news is that 20% will.

Dr. Zinaida Benenson, our go-to expert on phishing, reported a similar percentage of clickers in her phishing experiments (which we wrote about last year): anywhere between 20% to 50% clicked, depending on how the messages was framed.

It only takes one employee to take the bait for the hackers to get in. You can run your own Probability-101 calculation, as I did here, to discover that with near certainty a good phish mail campaign will succeed in placing a malware payload on a computer.

In short: standard perimeter security defenses protecting against phishing attacks or hackers using stolen or weak credentials begin to resemble a beloved dairy product from a mountainous European country.

Scripty Malware

According to the DBIR, phish mail is the primary way malware enters an organization: their stats say it carries the hackers’ evil software over 90% of the time. Hackers don’t have to waste time finding openings in websites using injection attacks or other techniques: phishing is very effective and easier to pull off.

This year’s DBIR also has some interesting insights (see below) into the format of the malware that eventually lands inside the organization. The hackers are using scriptware — either JavaScript or VBScript —far more than binaries.

And it makes sense! It’s incredibly simple to write these scripts — this non-technical blogger could do it — and make them appear as, say, clickable PDF files in the case of JS of VBS, or insert a VBA script directly into a Word or Excel doc that will execute on opening.

You can learn about these malware-free techniques by reading my epic series of posts on this topic.

The attackers can also cleverly leverage the built-in script environments found in Microsoft Office. There’s even a completely no-sweat code-free approach that takes advantage of Microsoft Word’s DDE function used in embedded fields — I wrote about it here.

Typically, this initial payload allows the hackers to get a foot in the door, and it’s evil purpose is to then download more sophisticated software. The malware-free series, by the way, has real-world samples that show how this is done. Feel free to study them.

To quickly summarize: the MS Office scriptware involves launching a PowerShell session and then using the WebClient command to download the next stage of the attack over an HTTP channel.

Needless to say, the malware-free techniques – Office scripts, PowerShell, HTTP —are very hard to detect using standard security monitoring tools. The scripts themselves are heavily obfuscated — see the PowerShell obfuscation series to understand the full impact — and are regularly tweaked so defenses that rely on scanning for specific keywords or calculating hashes are useless.

The Verizon 2018 DBIR validates what I’m saying. Their stats indicate that 70-90% of malware samples are unique to an organization. Or as they put it:

… basically boil down to “AV is dead.” Except it’s not really. Various forms of AV, from gateway to host, are still alive and quarantining nasty stuff every day. “Signatures alone are dead” is a much more appropriate mantra that reinforces the need for smarter and adaptive approaches to combating today’s highly varied malware.

Towards a Better 2018

If you’ve been paying attention, then not too much of what the Verizon DBIR is saying should come as a shock. However, I do encourage you to read the introductory summary and then skip down to the industry vertical section to get more specifics relevant to your situation — mileage does vary. For example, ransomware is rampant in healthcare, and Remote Access Trojans (RATS) are more prevalent in banking.

And now for my brief sermon on what to do about the DBIR’s bleak statistics.

Perimeter defense are not effective in keeping hackers out. You need them, just as you need locks on windows and doors, but the hackers have found simple and cheap methods to get around these security measures.

To make 2018 a better security year, your first step is to admit that expensive firewalls and scanner infrastructure won’t solve everything — admit it right now, take a huge weight off your shoulders, and feel better! — and so secondary defenses have to be in place.

This means finding and putting more restrictive access rights on your sensitive data files to limit what the hackers can potentially discover, and then using monitoring techniques that alert your security teams if the attackers access these files.

Want to move beyond perimeter security? Click here to request a free risk assessment today!