2017 Data Breach Digest: Half Year Anniversary

Published: Aug 23, 2017
Author: John Grim

This month (August 2017) marks half a year since the 2017 Data Breach Digest (DBD) was released, covering data breach scenarios from our investigative response caseload. I thought I'd provide a summary for anyone who hasn’t had a chance to read this rich repository of cybersecurity insights, and revisit the lessons learned from real data breach investigations.

Data breaches are complex affairs

Most cybersecurity professionals would agree that data breaches are complex affairs. They may encompass thousands of servers and endpoints sprawled across the globe, or just one system that happens to hold sensitive or proprietary data. Data breaches may involve human actions, hardware devices, exploited configurations, malicious software — or a combination of all these factors.

Regardless of the size and extent of the data breach, various stakeholders must work closely together for successful response. Data breach responses may involve legal counsel, human resources, corporate communications, and a whole host of other departments. As you can imagine, each of these stakeholders brings a different perspective to the breach response effort, as they all have their own specific roles and responsibilities.

What's the difference between the DBD and the Data Breach Investigations Report (DBIR)?

The DBIR is our annual publication on cybersecurity. It's full of statistics, metrics, charts, graphs, and insights into the "who", "what", "where" and "how" of data breaches and cybersecurity incidents. We break down these breaches into nine incident patterns. This year marks the 10th edition of this venerable and frequently cited cybersecurity publication.

The DBD is the DBIR's younger sibling and in a sense, its alter ego. The DBD complements the DBIR by bringing data breach concepts to life through narratives based on real events. It’s appropriate for all kinds of readers, including those who would find the DBIR’s data daunting.

Perspective is reality for stakeholders

As we point out in the 2017 DBD, incident response stakeholders come in all shapes and sizes. They vary in numbers as well — from one to a dozen, or even more. Stakeholders may be considered technical or non-technical.

A useful way of characterizing stakeholders is by their roles and responsibilities, and in some cases their level of authority.

Stakeholders often include top-level leadership, mid-level managers, and a variety of technical and non-technical experts on cybersecurity and breach response.

In the Data Breach Digest – Perspective is Reality, each scenario is explained from a different stakeholder’s point of view (PoV). There are sixteen different stakeholder PoVs. Of these, ten are victims or internal stakeholders (e.g. CISO, legal counsel, human resources). The remaining six PoVs are external stakeholders (e.g. the endpoint forensics examiner, malware reverse engineer, network forensics specialist). Each PoV covers stakeholder decision points, actions taken, and crucial lessons learned from the cases we've investigated.

The data breach scenarios

For ease of reference, the 2017 DBD groups the scenarios into four categories:

  1. The Human Element: human-related threat actors or targeted victims.
  2. Conduit Devices: device misuse or tampering.
  3. Configuration Exploitation: reconfigured or misconfigured settings.
  4. Malicious Software: sophisticated or special-purpose illicit software.

We have also categorized each scenario as "prevalent" or "lethal" based on our observations within the caseload. There are ten "prevalent" scenarios, which are seen frequently, and six "lethal" scenarios, which are considered more destructive.

For each breach scenario, we include an "Attack-Defend Card" broken down into four quadrants: "breach scenario," "incident pattern," "threat actor," and "targeted victim." These scenarios are inspired by real cybersecurity incidents, but to protect victim anonymity, certain details have been modified.

Leveraging data breach knowledge

The DBIR can be used to frame the argument for enterprise change; the DBD can help to illustrate why such change is needed. The DBD can also help enhance your cybersecurity and incident response program: incorporate its mitigation recommendations into your cyber defenses, and use its response recommendations to develop incident response (IR) playbooks that augment your IR plan.

You can also leverage the DBD's content to create a variety of mock incident exercises and test your incident response capabilities. Use it to provide realistic "it's happened before" examples of data breaches and cybersecurity incidents. This can enhance your IT security awareness program, including its intranet posts, monthly newsletters, break room posters, and ad-hoc reminder emails.

Data Breach Reporting Resources

2017 Data Breach Investigations Report

Get the 2017 DBIR, our foremost publication on cybersecurity, and one of the industry’s most respected sources of information:

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

2017 Data Breach Digest

Read the 2017 DBD for the story of Verizon’s most intriguing cybercrime investigations. Learn about the attacker’s tactics, the victim’s mistakes and the scramble to limit the damage:

http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Vocabulary for Event Recording and Incident Sharing Resources

Check out the VERIS Community Database, as well as these other VERIS related resources:

  - VERIS Framework: veriscommunity.net
  - VERIS Schema: github.com/vz-risk/veris
  - VERIS Community Database: github.com/vz-risk/vcdb

John Grim, the primary author of the Verizon Data Breach Digest, has over fifteen years of experience in conducting digital forensic investigations within the government and civilian security sectors. Currently, John serves as a part of the Verizon Threat Research Advisory Center (VTRAC) and leads a team of highly skilled technical digital investigators. In this capacity, John responds to cyber-security incidents, conducts on-site data breach containment and eradication activities, performs digital forensic examinations, leads pro-active data breach response preparedness training and tabletop exercises, and conducts e-discovery and litigation support for customers worldwide.