This blog post is part one of a multi-part blog series analyzing the Verizon Data Breach Investigation Report (DBIR) for 2022.
————
Verizon’s yearly DBIR provides many valuable insights into the behavior of hackers and how breaches unfold. As cyber practitioners, we should read the report closely and identify the potential areas we should emphasize to keep hackers out of our network and our data.
Top 4 Cyber Intrusion Paths Identified in the DBIR
This year’s DBIR highlights the top four intrusion paths hackers use to get to the crown jewels – the most critical assets of an organization (be they servers, applications, or people).
- Stolen credentials
- Phishing
- Exploiting a vulnerability
- Botnet
Then, on page 26, Verizon highlights the top vector and varieties for System Intrusion.
Reading these lists from defenders’ perspective, we should ask ourselves, “Are our current security controls adequate?” That is to say, do we have the right controls in place? Are they configured correctly to do their job? Are they placed in the correct locations? Is it possible to circumvent them?
Those are hard questions to answer. Even if your entire security team spends days analyzing the current systems, it would be difficult to know for certain that these questions are completely answered.
Behind these questions lie more: How do you test for phishing? How do you test that your public assets are locked down? How do you test your EDR solution?
Then, of course, you will also ask, “How do I test these controls on an ongoing basis to ensure that our controls are at – and remain at – peak operational efficiency?”
The challenge is that, since answering these questions is difficult, many security teams operate in the dark with no visibility – hoping for the best without really preparing for the worst.
The Solution: Security Control Validation using Breach and Attack Simulation (BAS) tools
The concept behind Breach and Attack Simulation and Security Control Validation are to simulate attackers’ behavior – both from outside and from within your network. If you can behave like the hackers, you can test your controls and see the gaps you may have.
There are multiple ways to do this, with different toolsets and solutions geared toward different experience levels and offensive testing skills. We (Cymulate) offer such a solution, but there are others as well.
The concept behind security control validation is to check each of your controls, individually and in tandem (layers), to ensure they behave in the way you expect. That is – they block the malicious behavior and report it to your SOC, which can react rapidly. Cymulate also provides a solution for this testing methodology.
In short, BAS is the operationalization of an extended array of threat-actor behaviors in a controlled situation to gauge how effectively defensive systems will act. At the same time, Security Control Validation (SCV) solutions take this idea to the next level and string together behaviors into more complex attacks specifically designed to challenge layered defenses in the same way an attacker would – especially in production environments. Both must be done as accurately as possible and as safely as possible at the same time.
What About Verizon’s Top Intrusion Paths?
Back to the four key intrusion paths detailed in Verizon’s DBIR, how do you deal with each of them?
1. Stolen credentials – here are two areas you should look at:
A. How do I avoid credentials from being stolen, to begin with?
Credentials can be stolen from various locations, but they’re often stolen from users’ own machines. A developer, for example, will likely have various important credentials stored on their machine to do their work. The same with an Accounting Specialist who would have access to multiple business-confidential systems.
The developer or accountant may be working from a public wi-fi right now, where a hacker (benignly) or attacker (maliciously) is attempting to get into their computer. Or maybe, that employee’s son or daughter decides to play a new game on their company laptop without their parent’s consent.
Here, it’s important to ensure the endpoint products and VPN you’ve installed will protect the computer on the public wi-fi, as well as ensure whatever the child tries to install is not malicious.
B. How do I know if stolen credentials are misused?
This is where your SIEM tool and SOC team come into the picture. Imagine an attacker with credentials trying to navigate their way around your environment, reach their goal and exfiltrate the data. There are many controls you have put in place, and hopefully, they are all sending their logs to your SIEM, which generates events.
Also, hopefully, your SOC team is monitoring the events the SIEM is generating, so any suspicious behavior is identified and handled.
But, how do you know if this is actually the case? That’s where BAS and SCV come into the picture – by simulating attackers’ behavior in your network without warning your SOC team, you can check whether your SOC team is really on top of everything. In addition, some Security Posture Management solutions (like Cymulate) offer Attack Surface Management, which will give you similar insights from the outside in.
2. Phishing – how do you know none of your employees and contractors will click on an email sent by an attacker? One of the primary attackers’ paths into your network is sending innocent-looking emails to your company employees – many times with real company information taken from LinkedIn or from data troves on the dark net – with the hope that one of them will click on a malicious link or download an infected attachment.
BAS and SCV come into the picture here at two levels:
a. Testing your email security control to ensure malicious links and attachments are being blocked whenever possible (such as when they contain identifiable malicious attachments or links).
b. Testing your colleagues to ensure they won’t interact with a phishing email – by sending them legitimate-looking emails and seeing who clicks.
3. Exploiting a vulnerability – once a patch is issued by a vendor, hackers are quick to implement an exploit. They do it so quickly that it’s often ready long before you’re even aware of the patch. So, what do you do? You use a vulnerability management tool to continuously scan your environment for vulnerabilities. The result? There are thousands of vulnerabilities you now need to patch. But how do you prioritize? Is the CVSS score enough?
Top BAS/SCV solutions include what’s called “Attack Based Vulnerability Management”, or ABVM for short. ABVM looks at the vulnerability management data and complements it with data based on offensive testing of your compensating controls for the various vulnerabilities. It then generates a report showing you which of the vulnerabilities are actually exploitable in your environment, so you can focus on patching those.
4. Botnet – this is simply a method of scaling the hacker’s work. So essentially, it’s a way to do more of the first three paths mentioned above by brute-forcing passwords, sending massive amounts of emails from various IPs, etc. Botnets and similar attacks are blindingly fast, as they do not require human input once they begin running and, therefore, can execute at the same speed as the systems they are infecting can run the botnet code itself.
This is where ensuring your controls are robust is even more critical. Brute-forcing a password from a single IP is hard because most systems will block it easily, but when it’s spread over thousands of IPs, it’s much harder to block. The faster your systems can detect and respond to a botnet-type attack, the less chance the attacker has to gain information and perform additional attacks.
Your SIEM would hopefully be able to connect the dots on this one and figure out that one actor is coming from many different directions. However, even that premise needs to be tested – is the SIEM correctly tuned? Even this, an advanced BAS/SCV solution can confirm that the SIEM is operating effectively and ensure it continues to adapt to new attack techniques over time.
Conclusion
Verizon DBIR is valuable in understanding where we should all be looking, and both Breach and Attack Simulation (BAS) and Security Control Validation (SCV) solutions are highly beneficial in evaluating how well we are protected and what our current Security Posture really is. Breach and Attack Simulation provides better security posture management; you can test your security controls, your people’s awareness of hacking attempts, and your internal incident response processes.
In our next part of this mini-series, we will look at what the DBIR says about the path hackers take once they have a small footprint in the network.