Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.
Joseph Carson:
Okay. And Tony, all set and ready to go? Thumbs up?
Tony Goulding:
Yes.
Joseph Carson:
Okay, fantastic. Excellent. So, okay, so three, two, one. Hello everyone. Welcome back to another episode of the 401 Access Denied Podcast. I am the host of the episode, Joe Carson. I'm Chief Security Scientist and advisory CISO at Delinea. And basically, it's great to have another returning guest on the show today again, and it's going to be absolutely a fun, hopefully very educational episode. And welcome to the episode, Tony. Tony, do you want to give the audience just a recap of who you are, what you do, and some of the background?
Tony Goulding:
Sure. Thanks Joe. Thanks for having me. Pleasure to be here again. Yeah, so my name's Tony. You can tell from the accent, I'm from the UK, born and bred in Wales, educated there, and I've been in the security space for longer than I care to imagine. It's getting on close to 30 years now. Oh, my word. But I've been in this particular area of privileged access management for probably 15 or so. So been around the block a little bit, like to think I know what's going on here, but Verizon always comes out to surprise us, doesn't it? Yeah. So I work at Delinea. I'm technically a cybersecurity evangelist. My day job is with the marketing team doing technical-related content to help them message to our customers and our prospects. So that's kind of what I get up to.
Joseph Carson:
Fantastic. And absolutely today's whole conversation is going to be around the recent Verizon Data Breach Investigations report for 2023.
Tony Goulding:
Yes.
Joseph Carson:
And it's one of those reports that we're all sitting on the edge waiting for, and usually we know it's coming around the May timeframe and we're all waiting for that moment. And it usually provides us a bit of a... It's almost like a scorecard into how well security has done in the past year. And one thing, definitely, I want to credit those at Verizon, and also the friends of Verizon, who make this report happen, because it sucks to do reports like this, it's so intense. It takes a lot of time, it's a lot of data to go through.
Tony Goulding:
It does. Huge investment.
Joseph Carson:
Absolutely. This takes months and it's a lot of data and contributions from a lot of different resources. So I just want to kind of make a call-out to David Hylender, Phillip, Alex Pinto, and Suzanne who really kind of are the team behind it and bring it together. So absolutely for me it's a great resource for the industry and it really helps us adjust our kind of strategies in order to deal with the threats out there. And it's been going on for 16 years. 81 countries participate in the analysis of this. They do have a separation between what's an incident and also a data breach. So this report looks at, I think it was just over 16,000 incidents and also over 5,000, almost 5,200 data breaches. So quite a significant amount of data gets analyzed. I'm just interested, Tony, what were some of the new things that they introduced? Because they're always introducing new elements or new kinds of pattern analysis, and what were some of the key takeaways that you found from the report itself?
Tony Goulding:
Yeah, certainly we can talk about that. I just want to point out though that it's interesting, some of the reports that I read, they're all stats-related and they can be very dry, but I like the fact that the Verizon team injects little bits of humor into their report. So I always get a chuckle out of that. So if you haven't read it, you should read it. It can be quite entertaining as well as a little scary at times. But yeah, so it's funny. As I started reading through this and I was reading kind of stat after stat after stat, some things just don't change. There is a consistency. Credentials are still the criminal's best friend and, consistent with prior years, it's still all about the money. I've got some little notes here with stats, but 95% are being financially driven.
So that doesn't necessarily change, but I think we can still think of credentials as that fuel that kind of feeds many different types of attacks. So we're not just looking at single use of anything, we are looking at a flow. So for example, different types of attacks using credentials maybe at the start or credentials that are being used further down the chain with ransomware and in turn it can result in yet more compromised credentials. So you get this kind of cyclical effect, it becomes circular feeding off itself. But yeah, so I'm going to harp on about stolen credentials because it's consistent with last year and they're still the most popular entry point for breaches. But I did a quick search also separately just to get a sense of how many credentials are actually available on the dark web. And obviously there's lots of varying numbers, but one of the big ones that jumped out is over 24 billion. So that's a huge number. So it's like-
Joseph Carson:
It's multiple, it means there's multiple credentials of everybody.
Tony Goulding:
It's huge. But I think my takeaway from that is that we all have to assume a breach. We have to take this posture of, we have to assume a breach approach to security. And so things like zero trust and other best practices are important because they help you build your processes and your security posture assuming that a breach has already happened.
Joseph Carson:
Absolutely. I think one of the things that really highlights-
Tony Goulding:
But yeah, so one of those consistencies are still there.
Joseph Carson:
One of the things they really highlight in the report, and it was absolutely some of the key components of data breaches, was definitely up there: number one was still credentials. Second after it was phishing. And especially what they did mention, which was interesting in phishing and social engineering, was that pretexting is also becoming a very popular technique as part of the social engineering and phishing campaigns, and then the exploitation of vulnerabilities. Those were the top three techniques that attackers were using. And one of the things it did definitely mention is that, you know, you have to assume breach. You have to assume that a username and password is not sufficient enough. And therefore they did highlight and they did emphasize some of the top best practices and recommendations, and they did highlight that multifactor authentication goes a long way. It's not 100% protection, it's not bulletproof, it's not the complete answer. But they did mention the emphasis on multifactor authentication does go a long way into protecting the organizations.
Tony Goulding:
I think the bar has lowered significantly for MFA. Several years ago it could be pretty hard to get MFA in place and I think the mentality has changed as well. And maybe that's been partly driven by insurance providers getting on that bandwagon and insisting that MFA be part of your arsenal. But it used to be that MFA was tough and not just in terms of the technology, but also because you have to think of things like MFA as being multilayered in itself.
You can't just have MFA at one place and say, "It's at the front door and I'm protected." You've got to layer that in at multiple access control points so that you have that opportunity to reassess or gain additional proof that the user is who they say they are. So again, going back to ransomware, if you've got a piece of malware that's trying to hop from server to server laterally, you may want to put an MFA challenge in place on one of those servers, or even all of them if they're sensitive, so that you can stop that malware in its tracks. So I think it's definitely a critical element of everybody's arsenal today, for sure.
Joseph Carson:
Absolutely. Yeah. And one of the big advancements I've seen is how MFA is also trying to deal with MFA fatigue, which is a big problem as well: all of a sudden, if you simply just get this notification on your phone and it just gives you the yes or no answer, if you get it enough times, some people will just accept it just to get rid of the notification. And I like some of the methods that have been happening, where you must enter the number that's basically been displayed on the screen into the actual MFA response, and if you are not the person actually making that attempt, you don't have that number. So that's a really good way of reducing MFA fatigue and definitely makes it much more difficult for accidents and mistakes to happen.
One great thing that I did find in the report is that there was more alignment with frameworks. That was a big, big improvement this year. One of the things, of course, is they aligned with the VERIS framework, which is all about the vocabulary for event recording and incident sharing, which really highlights actor, action, asset and attribute. Another great thing that I really enjoyed this year was much more alignment to the MITRE ATT&CK framework as well. And there's different sections. They did go into the details about, "Here's the attack techniques from the MITRE ATT&CK framework," and then they get into the CIS, which basically is the security controls which can apply to mitigate them. And then using that vocabulary from VERIS. Bringing those in was a really great attribute to really providing much more information in each of those different techniques. What were your thoughts around bringing in the MITRE framework and a much more familiar... No,
Tony Goulding:
Definitely, I think it's a huge improvement. Everywhere I go I talk to people and they say, "It's tough getting security expertise to help us out, either in establishing our defensive posture or doing war gaming or whatever it happens to be, or responding to threats." So there is definitely a brain drain, I guess, and it can be challenging. So it's great to have a consistent terminology, a consistent naming, a consistent way of sharing information amongst the broader community. That makes perfect sense, kind of like back in the old days when the CVE came around.
So I think the MITRE ATT&CK chain, I've been seeing that now being referenced in more and more tools that are being used in things like incident response, where they hook into that MITRE framework and they reference it, and maybe even they suck that data in and they actually point to different techniques and tactics that are in the framework. But then we can all talk consistently about the challenges and maybe how we actually respond to those challenges. So I think that's a fantastic thing and clearly it's going to continue in future Verizon data breach reports, but I think it's a win for everybody. It's cool.
Joseph Carson:
Absolutely. It aligns with the mindset of the attacker, understanding the common techniques that happen in each of those areas and then what things you can do to make it more difficult. One of the things I was also interested in is the report getting into who the attackers are, where the attribution goes to, and it all kind of leverages some of those. And of course we're starting to see much more organized crime, software criminals, and they were the number one source of the attacks.
And then there were very few that actually get into the espionage type of things where it was nation-state backed, but we had to look at, when they get into the details of all those attacks, it gets into the MITRE ATT&CK, which basically says there's multiple techniques used, it's not just one method and that's it. There's multiple techniques. And one of the things that they actually mentioned was that 74% of all breaches included human elements: misconfigurations, privilege misuse, stolen credentials and/or social engineering. Those were some of the most common techniques. And really that's where you have to look at, you can't just depend on reducing the risk of one of those. You have to do multiple, you have to do it equally and balanced. Any thoughts that you have around the types of methods used?
Tony Goulding:
No, I agree with that. So I recently actually did a deeper kind of dive into the MITRE ATT&CK chain for a white paper that we're going to be publishing fairly soon. And I was a little taken aback by how many there are. And I think of these defenders in organizations like our own. You can't go through everything, but you've really got to try and focus on your business and the types of sensitive information that you have and where that might take you in terms of the MITRE ATT&CK chain, and then tease out. So when you are trying to put together your own playbook to defend yourself, you've got to focus on those techniques and those tactics that are going to be more relevant to your business, and then practice them and then do war gaming and tabletop exercises to make sure that you understand what they may... So to your point, step in the shoes of the attacker, try and identify what they're likely to be using.
But one of the things that you mentioned I wanted to mention as well, and that is of the 5,200 or so confirmed data breaches, 512, or 10%, were mistakes. And it may seem like a very small number and sort of fairly innocuous, but you can prevent those with things like privileged account vaulting. So taking those off the playing field, taking full-time admin rights away from people that don't need them full-time. And also something that's creeping in more and more, which is behavioral analytics. So maybe we want to mention that at some stage, but that can help identify anomalous behavior, whether it's adversarial or whether it's just a mistake, and it can flag these things, but obviously it doesn't avoid the need for training. So training, training, training is still an important thing, the educational side of it. And also given the fact that business email compromise has nearly doubled. How to spot those, but of course with things like ChatGPT, those emails are getting a lot cleaner and a lot harder to spot.
Joseph Carson:
Correct. That's one of the things is that... So I recently did some discussions with some government search recently and I was interested what types of attacks have they seen on the rise. And one of the things they did say is that the translation of the generative AI has made the phishing campaigns much more authentic looking. So we're used to be able to check for mistakes and identify common mistakes in those phishing emails that generative AI is making it so much more improved and to the point where it's not just one and done. What they're doing with business email compromise and social engineering and phishing is it's a conversation back and forward. So the first couple of attempts may not include the payload, it might be the fourth or fifth or sixth. So what they're doing is over time is they're having a much more, let's say, interactive conversation with you. And it's not with a human, it's basically with a chatbot.
Tony Goulding:
It's a bot.
Joseph Carson:
It's a bot that's basically determining, based on your response, it's evolving its response back to you in order to ultimately gain your trust, and the more they gain your trust, the more likely it is, once you get to that fifth or sixth or whatever number that they eventually deliver the payload, that you're going to be more willing to trust that response. And that's one of the things, and that's where the pretexting as well, where they're taking on roles and different personas and trying to get to somebody where you are kind of willing to trust. And ultimately, I think when we look at business email compromise, it was the one that rose the most out of all the different motives and techniques used. And it also was significantly financially impactful to businesses as well.
Tony Goulding:
Let's face it, those execs potentially have access to more sensitive information, especially financial, than we do. Hey, I've got a stat that I read. I wasn't sure how to interpret this, to be honest. This was one of those things that I kind of read and I scratched my head and I was like, "Oh, that's interesting. I'm not sure how or why this is potentially what it is." So I'm going to throw a curveball at you. So basically it said partner-initiated incidents in the previous report were 39%, but in this year's report they're 4%. So that's a big drop. I was kind of looking at that and going, "Are we talking about supply chain potentially, where you compromise a weaker supply chain partner and maybe you hop in through their VPN or exposure?" But going down from partner-initiated incidents from 39% to 4% is a major drop. And I was trying to scratch my head and think why would that change be what it is, because that's trending downward clearly. But any ideas?
Joseph Carson:
Absolutely. I think one of the things is, if I understand correctly, they did change some of the terminology in this one as well. So I think one of the things that they did classify, if I did understand going through the webinar and the contents, is that it also gets classified as external as well. So when you look at that, it might be very specific looking at a third party, but it is concerning that it would drop that much in a year. And it's also important for the audience that the Verizon Data Breach Investigations Report, when we're going through it, it is retrospective. It doesn't reflect what we're seeing right now. Basically, it goes from October 2021 until November 2022. So that's the period of the data. So when we're always looking at it, it's always the previous year's analysis.
So it's always important to make sure that when we're looking at it, even though it is 2023, it's a retrospective report where we're looking back on things. And also when we're looking at that, that was also still a period where COVID was highly impactful as well. So you might not have got lots of consultants and third parties being able to make onsite visits as well. So some of the things are reflective of that. I think one of the interesting things was, if you look at basically some of the data stats when COVID hit, I think it was that privilege abuse went significantly down because people couldn't get access to privileges because they were working remotely and organizations basically had locked those down to being... Especially for financial organizations, you would typically have to be on site and at terminals to be able to access some things. So there was a significant drop in privilege abuse as well. I'd be interested if they actually go and analyze that one even further, for sure.
Tony Goulding:
And of course, I guess over the last few years the big elephant in the room has been ransomware. So they commented on ransomware, but the numbers seem to show a steady state there. It was like 25% in the previous one. It's still a quarter, a quarter's a big number, but it looks as though it's a steady state. But the other stat related to ransomware that they surfaced was that ransom amounts are lower, but the costs of recovery are increasing. And they didn't have a good answer, they speculated on it, but it's interesting.
Joseph Carson:
One of the things I was waiting to see was basically what was their analysis of ransomware itself? Because if you look at a lot of the reports from 2022, including those who basically analyzed the ransom payments or cryptocurrencies, one of the things we did see is that, if you look at a lot of reports, there was actually a decrease in ransomware throughout that year. And what they did see was an increase in the payments, which meant that basically more organizations were still paying. In our report, we also saw that more organizations are having much better backup solutions and recovery solutions as well. So they don't necessarily have to pay as well. But this was really interesting. If you look at that spike, I think it was in the 2022 report, which was the previous year, it showed a massive rise in ransomware compared to, I think, all previous years together. That was a significant rise in ransomware.
But then that segment showing in the report basically showed a slight evening off, a steadiness for sure. So I think there's a lot of organizations that are, one, doing better at ransomware protection. So there's been definitely an investment for many organizations. They have taken a stance on better backup and recovery. Some organizations of course have gone down the path of cyber insurance in order to offset the financial costs of ransomware, but it was interesting. It is holding steady. I think for me, looking at all of the kind of types of incidents, I think business email compromise and ransomware for me are the two big things that organizations need to tackle right now. Ransomware is the most devastating from a business perspective because it can bring the business to a complete stop. Business email compromise is much more of a financial implication. Because basically it's financially focused, whereas ransomware is actually business focused. And you get different types of ransomware, whether it be basically disrupting the service, encrypting the data, stealing the data, disclosing the data, it gets into various different types of stages. So for me-
Tony Goulding:
Double, triple extortions.
Joseph Carson:
Exactly. And that's the most devastating, I think. The most impactful. But those are two things that organizations need to tackle.
Tony Goulding:
And I think it's an equal opportunity, not just large organizations of course. One of the things that Verizon kind of speculated on was that a lot of the attackers are potentially going for smaller entities as well. So while they have less money to hand over in terms of a ransom, there's a lot more of them. But it also may be that the smaller organizations have a lot more technical debt and they don't have as much to invest. They have a lot more technical debt and that can translate to a greater kind of recovery cost. So perhaps an obvious takeaway from that is that don't think ransomware is only for big companies, right? It's an equal opportunity threat, for sure.
Joseph Carson:
Absolutely. Surely everyone's a target when it comes to ransomware. I think one of the things we've seen, of course, some of the ransomware gangs would prefer to stay low profile, stay stealthier, not get a target. Because what we've seen is the bigger organizations you target, the more visibility you get from the FBI and the governments around the world and they will come after you. And that's what we're seeing with some of the larger ransomware gangs that have impacted whether it being universities or hospitals or local municipalities and governments that they have put a target on themselves and the governments are going after them now. So I think that's why these criminals, they want to target the SMBs, there's money to be made for them. They typically don't have a dedicated security person, they might actually only have a handful of even IT resources if even. So it gets into the point where they definitely need to make sure that they're doing something. And security shouldn't be a luxury, it should be something that's available to all organizations of all sizes.
It should not be something that they have to make a decision whether they should have it or not. That's where our security... We've talked about in previous years, where I think it was Wendy Nather who had talked about the security poverty line, that security should not be something that is only affordable by the big organizations. They need to bring it down so it's affordable and easy to use for companies of all sizes. And that's something that the report highlights; they did have the whole section on the SMB side of things that really showed some of the best practices. And I think that one of the top three things, if I go down to the top three recommended practices they had for SMBs, which was really interesting, it was around making sure that one is a good backup strategy, security awareness training.
So the top one was security awareness training, having employees much better trained. The second highest recommendation was data recovery. And that's not just about data copies, but also data segregation, data security, and making sure that even if you do become a victim, the attackers don't have the ability to encrypt all your data online. And then the third one was access control management, which is all about making sure you're rotating and managing passwords, you've got multifactor authentication in place. So those are the top three recommendations that they had for SMBs. And all SMBs should really make sure that they prioritize and take those types of recommendations seriously.
Tony Goulding:
And I think a lot of organizations, they don't have unlimited budgets, right, so they have to make choices when it comes to security controls. But the writing's on the wall here, given the fact that credentials are so predominant in the attack chain, that protecting access to those credentials, going to a least privilege security posture, zero trust, whatever it is, your favorite best practice. It also suggests that with a limited budget, you should prioritize perhaps beefing up your identity-related protections. And so actually one of the things that surprised me, I guess it surprised me a little bit, because usernames and passwords, credentials, are obviously hot commodities, but elsewhere I've read that there's a big increase in the use of stolen session cookies to bypass the need for credentials altogether. So I was a little surprised that didn't factor into the report this year. Maybe with passkeys becoming more prevalent, maybe that will factor in next year because hopefully credentials will start to disappear. We all hope, but-
Joseph Carson:
They become digital keys. Digital keys is what we need to get to. Basically the old method is the username and password, which has been the traditional thing. And of course getting into SSH key management, it's sometimes very difficult to manage and maintain at a large scale. And this is where passkeys have been the big topic. And what it means really is about moving much more of the authentication into the background, where it becomes much better and easier to have multiple devices across multiple applications. And when you look at it, it's the segregation between authentication and authorization. And this is where you get into things like really good single sign-on, you get to FIDO frameworks and implementations, which then has a strong passkey for authentication.
And then you get into having privileged access security in the background, which is then for the authorization side of things. So absolutely, we're in a world where it's no longer about provisioning and managing devices. It's all about provisioning and managing access. And that's what the new perimeter is, especially when organizations are quickly transitioning to cloud environments. You no longer control that traditional, let's say, firewall or perimeter. You basically are moving into the public internet and therefore you have to have a much better way of securing the use of that network.
Tony Goulding:
And the security providers have had to adjust obviously to that because the whole point of a virtual private cloud where you're standing up Windows and Linux instances to run your business applications is that that needs to remain private. So if you are poking holes in your firewall to allow external tooling or security controls that are historically on premises, for example, to try and protect it, you are opening yourself up. So all of the vendors, ourselves included, have had to adjust to that new paradigm and make sure that we can work in a modern efficient and effective hybrid cloud environment for our customers for sure.
Joseph Carson:
And this also gets into one of the things that was actually I didn't see in the report, which was around API security. And that's also a much more emphasis on cloud security because in the previous reports they did heavily talk about how cloud was becoming a bigger target than on-premise. So that was something I was really interested in, but it really didn't go into any of the details about hybrid cloud or API security. So that was what I was missing from the report.
Tony Goulding:
Yeah, that's a good point.
Joseph Carson:
One thing that was highlighted, which was interesting because the period that happened that this report was in also included the Log4j vulnerability, and of course that was a massive impact for the industry.
Tony Goulding:
It was.
Joseph Carson:
And one of the things that was really interesting was that when they get into the analysis of Log4j, they would've expected to see it being abused all year round, but they highlighted that within the 30 days of the release, basically the 30 days after that vulnerability, that was actually the top period of exploiting that vulnerability. And then basically the mean time organizations took to patch it was around 40 days. And even though there were lots of scanners out there scanning for it, basically organizations had reacted very quickly to mitigating and patching that vulnerability. So basically it was the month to two months after Log4j was exploited that was the high-impact time, and then afterwards organizations became much more defensive against it.
Tony Goulding:
I think that's a good sign because it tells me that organizations are being more sensitized to how to react quickly to potential breaches, to incidents and to breaches. It could have taken months or years in the past to react to something like this, but they're starting to really be more efficient in their ability to react and respond. That to me is very positive. It means the dwell time or, well, not the dwell time, that's the wrong term, but it means that the opportunity for attackers to compromise with new exploits, especially zero day exploits, that opportunity is shrinking.
Joseph Carson:
Absolutely. I think we learned from the likes of Heartbleed and Shellshock, and they were very difficult to patch. And then of course we had PrintNightmare as well, which was another major vulnerability for privilege escalation. So you can go easily from a local standard user account up to a local administrator account, and if you can do that on a device, it's only a matter of time before an attacker can then elevate to full domain. So I think we've learned from those previous experiences in the past, and organizations, especially those that are public facing, really took it very seriously and they tried to address it very quickly.
One thing that was really interesting, even though we had Log4j, which was a major exploited vulnerability that happened, one thing that was surprising for me was the web application attacks. Normally I would typically see much more vulnerability exploits around that time, or basically other types of attacks. In that, it was predominantly credential theft and using stolen credentials for web application attacks. For me, that was a massive kind of indicator about the importance of making sure that usernames and passwords are not the only security controls on those applications. So that was a kind of major... It said 86% of all web application attacks involved the use of stolen credentials. And that's-
Tony Goulding:
Yeah, one of the things that we've spoken about for several years, and it's funny how you can talk about these things and they make logical sense, but the movement to adopting them just trails behind. It's like credentials used by human users, but then you've got the service accounts that are used by the applications and the services. So we focus on protecting those user accounts, but the service accounts are kind of the poor stepchild. And I think it's kind of a similar thing here as well. And the same with the API, you mentioned earlier about protecting your APIs. It's the poor stepchild. But they are massive attack surfaces and it's only a matter of time before they're exploited and they take advantage of them, then we've got to scurry around and try and patch those gaps in our defenses. But yeah, it is interesting for sure.
Joseph Carson:
They always break it down, not just by the classification patterns, which is always really interesting because that's what I like to dive into, but they also broke it down by industries and regions, which they always do. And it was always interesting to see which industries are the highest impacted and also which regions, or what type of patterns did they see in North America versus EMEA versus APAC. Was there anything in there that you found interesting?
Tony Goulding:
I can't say I looked at that data in any great detail, but in terms of industries, it's historically for me being the typical things because a lot of these are financially oriented, so it's going to be the FinTech and it's going to be banks and it's good. But also healthcare because historically they haven't been very good at, or they haven't necessarily focused on their own internal IT, so they outsource a lot of those capabilities. But yeah, I don't necessarily... Did you spot any of that?
Joseph Carson:
For me, what I was definitely interested in was that system intrusion was still, from a regional perspective for North America and EMEA, one of the top methods of getting access. So when you get into system intrusion, that's our typical ransomware technique. You get access, you laterally move, you get access to data. So system intrusion is always one of the main areas. Then you get into social engineering, that's a pretext, therefore business financial fraud, business email compromise, or that social engineering can be a method for those access brokers, and they'll sell off the access to others who will then come back and do system intrusion and then basically deploy ransomware. So those are some of the methods. What's interesting looking at this, public administration is still one of the top targeted areas.
You also get into information. Companies that are basically responsible for information and data, and then also the financial industries. Those are some of the top targeted industries. So financial, it's where the money is. They are going to go after that. Public administration tends to be where basically you've got the least amount of security in place and therefore they become a target. Definitely healthcare, it's always basically there, but I find that it's not the main target because it can get into the ethical side of things. So you find criminals will try to avoid them. And then information companies, but of course where the data is, that's also the target as well. So for me, I think that's where you see the predominant... Manufacturing is also up there on the high end of the list, but that's typically what the attackers will go after. So those are some of the interesting things.
Tony Goulding:
There's also, if you read some of the stats, it's an overused term defense in depth, but you still got to focus on defense in depth. So one of the stats was that servers accounted for 85% of the assets in breaches, user devices, workstations, and so on were 20%. So you think, "Oh, okay." Well, if you look at a typical ransomware attack chain, it is going to be trying to phish or compromise the end user, take over their workstation, move from the workstation to the server network and then laterally from server to server.
But servers accounting for 85% of the assets in breaches is a big number. So I think that it's important to have that defense in depth where you're protecting both the edge of your network, the workstations that our human users are using, which are a very easy entry point, largely speaking, especially working from home where our home network defenses are maybe not as tolerant or as strong as they would be in the office. But then protecting against that lateral movement, trying to prevent lateral movement from server to server to server. So 85% of assets in breaches were servers. That was a big number. And again, ransomware, at the end of the day ransomware is malware and malware can only do its thing if it gets access to the systems in your network. And one of the best ways of preventing that is to protect those credentials.
Joseph Carson:
Absolutely. And what we tend to find, one of the things is that we tend to protect the front door as much as we possibly can, but we don't protect the inner doors and inner walls. So that means that with an attacker, we assume that we're putting all our defenses on that perimeter, on that front door, and when the front door fails and the attacker gets inside, then that's where basically we are hoping, in many organizations, that usernames and passwords and lateral moves won't get that far. But as you mentioned earlier, it is a defense in depth methodology that organizations must adopt, and they have to assume that that front door security will fail, and ask what happens when they get inside. And that's when it becomes really important to make sure you've got additional levels of protection, recovery, access controls, segregation, a strong backup and recovery strategy. This is where you have network segmentation or the principle of least privilege, which is that foundation to a zero trust strategy as well.
Tony Goulding:
Absolutely. Yeah. No, that's a key thing. Least privilege, we are all familiar with that principle, but the extent to which you are subscribing to something like zero standing privileges or zero trust, which has its foundations in that, is so very important. But even if you're taking the first step in terms of maturity by vaulting away those privileged accounts, you've still got to not just be letting your administrators routinely check them out on a daily basis. You've got to be leaving them there for emergencies and having them log in as themselves with minimum rights. That's the key to least privilege.
Joseph Carson:
Absolutely. Just getting to zero persistent privilege or least standing privileges, where you just have enough privilege to do what you need to do, and it becomes on demand, just in time. And that makes it much more difficult for lateral moves or for privilege abuse.
Tony Goulding:
It does.
Joseph Carson:
It gives organizations much more visibility. In the report itself, is there anything that you find missing or anything you would like to see in more detail or greater detail in the future?
Tony Goulding:
But again, there were two areas that I always think of, well, at least one area that's a massive attack surface, and that's the service accounts and the application accounts side of the equation. So great, you've got this massive attack surface that is credentials, split between human-used credentials and application-used credentials. It's sprinkled in there, but it's not a huge focus. And certainly with APIs and stuff, everything that's programmatic with DevOps, it's becoming more and more of a problem. So some of the things that I talk to and I see our customers talking about is, we're developing applications for the cloud, for hybrid cloud scenarios, whatever, and we want to get away from using static credentials. So they go, "Okay, let's take them out of embedded code and maybe we'll vault them, and then we can reach out programmatically to the vault to actually get those credentials."
But then they want to take it further because they're still static credentials. So they're looking to actually have the vault create ephemeral tokens so they can use those programmatically. And those are ephemeral by nature. They dissolve after a certain amount of time, they have a short time span. They're more secure than IDs and passwords. I don't really find that represented much in here. And as I mentioned earlier, the whole stolen cookies and session cookies being used to bypass credential based authentication mechanisms is another area that I would expect to see, maybe more in next years with passkey, as I said, stuff like that.
Joseph Carson:
Absolutely. Yeah, that's a really interesting point, is that they do not make that distinction between the human and the machine identities. The machine identities for me are all of those which are non-human. It can be the service accounts, application accounts, the API keys, and it doesn't get into that in detail. And it would actually be interesting to see, is this abuse of human interactive credentials, or was it abuse of service accounts or session keys or session tokens? What was the distinguishing factor? It is interesting that there's a human element, yes, but what was the next step in the attack chain that they used? So absolutely, that's an interesting... For me, APIs were definitely missing, because that's a big area of the automation behind the scenes type of security, as well as between on-premise and cloud. But yeah, the machine identities are a key important part and it's definitely becoming a massive attack surface for many organizations.
Tony Goulding:
For sure, without a doubt. And MFA can play a role here as well, because if you've got a situation where a service account or a machine identity is being used in an interactive fashion, if it's available, if it's not disabled for use by interactive login, then MFA can kick in and block that in its tracks. It's a little bit harder to manage that. Of course, you don't want to try and do MFA for a legitimate service to service or app to app authentication, absolutely.
Joseph Carson:
In those cases, for me, absolutely they shouldn't be interactive logon. First, that's one of the primary things. If it is interactive logon, that's a misconfiguration for me in many cases. Then you get into, no one should know the credential of that. It should be vaulted away and protected and rotated when it's needed. And then you get into the next phase, which is, should it be time-based? Is there a window of opportunity that it should only be used for? Is it a backup job? Is it an automated task? Is it a discovery? When should that run? Is it running once a day? And should you limit the time? So this is really getting into how to make sure we reduce that threat surface for those types of machine accounts.
Tony Goulding:
You've got to have some good intelligence behind that, the lifecycle management of service accounts, because very often you find that a single service account may be leveraged by multiple applications, multiple machines. So if you arbitrarily go and rotate that password, you could break those other services and then your availability goes to hell in a handbasket. So you've got to have some intelligence behind that, knowing how and when to rotate a shared sort of machine account. But once you've got that sorted out, then you can really reduce that attack surface. You can make it very, very much harder for a threat actor to leverage a credential that has probably expired, hopefully, by the time they come to try and compromise and use it.
Joseph Carson:
Absolutely. Yeah, the dependency mapping across services is critical to making sure that you don't break something, but also that you make it as secure as you possibly can. Tony, it's been fantastic having you on and delving into-
Tony Goulding:
Thank you.
Joseph Carson:
... the details and the analysis of the latest Verizon Data Breach Investigations Report. It definitely is one of the main top reports that we analyze. And it's also, what's the great thing is, it is an indicator that we are doing better. And I'll say that when we get these reports and they show progression, it shows that organizations are taking the right steps. It is time that we should celebrate. Everyone should pat ourselves on the back and say, "We are doing something good," because in many cases it is... Sometimes we feel you're not getting better, you're not seeing the improvements, but this is a report that actually is showing that we are doing better and we should keep the momentum.
We shouldn't become complacent. We should make sure that we're analyzing the report, taking the key findings out of it that actually make the difference. And all organizations should really look to implement some of those good protections that the report does highlight. So absolutely. Tony, it's been fantastic having you on. And again, back-
Tony Goulding:
Thank you.
Joseph Carson:
... to the Verizon DBR team. David, Philip, Alex, and Suzanne. Keep up the great work and definitely make sure that we're getting the analysis and we're showing the progression and what works and what doesn't work.
Tony Goulding:
Only 11 more months to wait for the next one, eh?
Joseph Carson:
Absolutely. But we still have a lot of data to go through in this one. When you get into the details, there is a lot of still information to analyze.
Tony Goulding:
There is.
Joseph Carson:
We'll definitely make sure that, for the audience, we get a link to the actual DBR report in the show notes. Tony, it's been a pleasure having you on as always, and for the audience-
Tony Goulding:
Thanks Joe.
Joseph Carson:
Absolutely. And for the audience, tune in every two weeks. The 401 Access Tonight Podcast is here to really bring you highlights, trends, leadership, ideas on what's happening, and bring some fantastic guests on the show to really share their experiences and ideas with you. So stay safe, take care, and we'll see you again soon. Thank you.
Tony Goulding:
Thanks a lot. Bye-Bye.