
Thank you, everyone, for staying here. I know it's been, that's a couple of days at least for me; there's been a lot of really good knowledge dropped. And also huge thanks to Joe and all the other organizers; I really appreciate them putting in all the hard work it takes to run an event like this. I also appreciate them locking the doors so that none of you can leave. You're here now; it's one way out only, so I hope you enjoy it.

So, as Joe said, I'm going to be talking about the Verizon Data Breach Investigations Report. Real quick disclaimer: that's a Verizon building in New York, where I live. If you know anything about that building, I'd like to talk about it later; I'd be more than happy and interested to talk with you. But I do not work for Verizon. This is not a Verizon talk; this isn't even a vendor talk. I work for RSA, but not today. Today I'm on vacation. I was hoping it would be kind of like this, but it's more like that. I have lived on the West Coast for a long time, I'm quite used to this nine-month rain season, and so I was very excited to come here to see friends, not necessarily to see the city.

The agenda for today: first we're going to be talking about what the Verizon Data Breach Investigations Report is. As you can tell already, I often trip over that word, so I'll be calling it the VDBIR. The report: basically all the facts in the top portion of the talk are going to be directly from the Verizon Data Breach Investigations Report, covering the top trends and the hot industries that have been mentioned in the report. Then I'm going to shed a little bit of light on defensive techniques, and I hope we have discussion. This can be as casual a talk as you guys would like it to be. I encourage people to interrupt if something isn't making sense; if you want to call FUD on something, please do so. I also brought some little trinkets in case there isn't much discussion. We in InfoSec often have very big opinions behind our keyboards, but I know myself, I'm very bashful in person, and so I tried to incentivize you with some little prizes.

So what is the Verizon Data Breach Investigations Report? I believe that's the flag of Portland, but someone correct me if I'm wrong; it was kind of difficult to figure that out. Yeah, I'm getting a head nod, so I guess I did it right. So when we talk about the Verizon Data Breach Investigations Report, as Joe said, this is a yearly report. 2018 focused on 2017's data, and this was the 11th year of the report. When I talk about the report, I talk
about it as a pseudo-random, ah, threat intelligence report, not only to poke a little bit of fun at it, but I think that also gives a good overview of what we're talking about.

Pseudo-random: where does the data come from? In this report there were 67 individual contributors that fed data into the report, coming from 65 different countries, so a pretty broad-reaching sample of our industry. Of those 67 investigators, they fall into three main buckets. The first one is external investigators, well, third-party investigators to the company being investigated. Verizon is very clear that these are not Verizon data breaches; they don't have, you know, 50,000 data breaches in Verizon internally every year. There's Verizon Enterprise Services' IR team; I have a couple of friends that worked there previously, really solid people, really good services. Everyone in our industry has an IR team these days, but the data mostly comes from their investigations. They use the VERIS framework for reporting. I did not know about VERIS previous to this report, and I haven't really seen it being used outside of the report. I think it's very strong. Specifically, VERIS stands for the Vocabulary for Event Reporting and Incident Sharing, and I think it's very useful for us as a community to come together and share what we see going on in the field. As the previous speaker talked about, we're often very reticent to do that, whether it's for privacy reasons or intellectual property or, you know, showing the hand of your corporation. I think we need to get a little bit beyond that, whether it's reducing the data and redacting it or just talking about big trends like they do here. So I talked about that first bucket: Verizon employees, paid investigators that are brought in by third-party corporations to respond to threats that they may have in their environment. The other two buckets are third-party to Verizon themselves. The second is investigators that are doing incident response using the VERIS framework; it's very easy for Verizon to feed that into their report. The third is investigators that Verizon has had a long-time relationship with that do not use VERIS, but Verizon takes their data, translates it into VERIS for this report, and thus it's then usable.

Speaking to the meta portion of this: we're not talking about specific tactics and techniques in an individual incident; we're talking about broader meta trends across the entire industry, and across specific industries, and incidents within those industries from the year. So there are fifty thousand, around fifty-three thousand, incidents that are included in this year's report. An incident is defined by Verizon as a compromising of the CIA triad, so confidentiality, integrity, availability; I think it's a relatively well-accepted definition of an incident. Breach: there were 2,000 breaches or so that were summarized in this report, and a breach, as far as I'm concerned, is data walking out the door. Verizon has a more eloquent definition of it, about data getting compromised and ending up in the hands of unauthorized third parties: data walking out the door. Threat intelligence: it's pretty straightforward when it comes from the report. The report is brought to you by Verizon in the hopes that you can take some tips and tactics from the report, from a defensive standpoint, and apply that to your own environment so that you don't have the same types of incidents cropping up year after year.

Finally, why does the Verizon Data Breach Investigations Report matter? Well, marketing material; it's quoted, like, everywhere. That's kind of a joke, but it's also not, because this report is a very good way to translate some of the things that we're seeing in the field to non-subject-matter experts. So I'm sure a lot of you folks live and breathe information security, much like me, but when you go to the boardroom, when you talk to managers and executives, you can't talk about, you know, the latest TTPs. You show them MITRE's ATT&CK matrix, which is amazing but does not translate up above that well; something like this does. So you can distill it; you can use, you know, some of the slides and the data that I've pulled out as a way to talk to your management about what you're seeing in the field and why that matters to your defense posture. Legitimately, though, it also is an incredibly unique report in the sense that I think it's one of the only broad, candid reports of a standardized taxonomy that we have in our field. Mandiant has their M-Trends, varying quality from year to year; it was incredibly good when Mandiant was Mandiant, but now, Mandiant as a FireEye company, I think they've marketized it a little bit too much out of value. I think it's worth noting that Verizon doesn't really have, you know, much product in our space. They have their services; they don't sell a SIEM, they don't sell EDR, VPN. So it's a little bit more valuable from
that perspective, at least to me.

So let's talk about some of the top trends from the 2018 report. These are going to be social engineering, ransomware, we'll talk a little bit about outsider versus insider threats, speak about dwell time, and then cryptocurrency mining. We'll talk about that in detail; it was somewhat suspiciously absent from this year's report, and I'll talk a little bit about why I think so.

Social engineering. So, as I'm sure we can all, you know, agree on, Verizon found that email was the most likely avenue for social engineering to take place. But what I found particularly interesting was that 4% of users will click on any link that's presented to them. So even if it's like, "Danger, this will do bad things, please click on me," someone will still click. And while 4% seems pretty low, if you kind of standardize that to an organization, it means that all you need is 25 people in an organization for someone to click on absolutely any link. Verizon also found that repeat offenders are a big thing: once you click on links, once your behavior is to click on links, you're going to do that more often. It's kind of shown that that happens even in the face of training and awareness. Pretty depressing. Speaking of training and awareness, only 17% of phishing campaigns were found to be reported inside an organization. So say what you will about training and awareness, I think we can all agree that when only 17% of people are reporting phishing campaigns, we still need some more work on that front. Also kind of ancillary to social engineering: using stolen credentials was the top cause of data breaches. And so when we work in an industry where it's much easier to hack humans, as opposed to hacking machines, to get someone's password, it's definitely something that needs to be taken into consideration.

Talking about ransomware now. That is the now-infamous photo of WannaCry. If you guys are not familiar with WannaCry, you can talk to any one of these many organizations, and many more. I think Boeing is just up the road a little bit; you can go and knock on their door. I'm sure they'd be more than happy to open their books and talk about what happened. But ransomware topped the list this year as the number one malware-related attack vector or attack technique, moved up from fourth place in last year's report and moved up from 22nd place in 2014. So it's definitely on the rise. I do incident response and forensics in the field, and I've definitely seen it as pretty much the number one thing that's been affecting our customers. There's some debate as to whether that's just because it's so noisy; I mean, when you have a page like that splashed up on your screen, it's very obvious that something's going wrong. But I think nonetheless it is a very common attack vector. What I think is most important within the Verizon data set is that they found that ransomware is increasingly infecting critical business systems as opposed to just desktops. So that affected a lot of these people here, and it's pretty scary, because attackers no longer need to blast out across your entire organization. They can do some targeted reconnaissance, discover what your crown jewels are, and just hit those, because they pretty much know you have to pay. In the case of more commodity ransomware, we see a whole new industry being developed as ransomware-as-a-service. So unlike the targeted attacks, these attacks are asking for very small amounts of money, but due to the commodification of it, it's very easy, and there's a high availability of that in the field. It's kind of like the new tool of script kiddies is to go out and just launch ransomware-as-a-service campaigns. Sometimes you'll see these being advertised as stressers, under less malicious-sounding names, but they're all pretty much the same in practice. Similar to social engineering, over 90% of ransomware was delivered via email. Email is definitely a very prevalent vector for attacks, and I think that's something that needs to stay top of mind. We'll talk about industry-related data shortly; email doesn't discriminate against any industry. Everyone's facing
email attacks.

So let's talk briefly about insider versus outsider attacks. As you can see in this graph, outsider attacks are up here, insider way down here. So despite all the marketing material, all the noise that you hear when you go to RSA Conference and Black Hat, insider attacks really aren't that prevalent. They're only about a quarter of the attacks, and when they are prevalent, it's mostly due to error, carelessness. We'll speak about this a little bit more specifically in healthcare, but I think we can kind of agree that there's an industry overemphasis on insider attacks.

[Audience question.] It's a very good point: they can be more destructive. A privileged insider can obviously have access to a lot of systems and controls that could do more damage. But I'd posit that it's very easy for an outsider to quickly become an insider, so to speak, through such things as credential reuse and social engineering, and so at that point it doesn't really matter who the initial person was; it's more about what they now have access to. But yes, very good point, and I think that's kind of why we focus a lot on it. There's been certainly a lot of media attention, kicking off with Edward Snowden, now more so with Reality Winner; there have been a lot of big media stories since, and sensationalistic stories about the dangers of insiders. It's also kind of sexy, like that rogue insider. As we'll see very quickly, that guy, you don't want him wreaking havoc in your environment; you just leave that red stapler alone and all will be fine. So to your point also, while insiders do definitely have privileged access in our environments, when we do see insider attacks, the majority of them are being caused by things like error, carelessness. So it's not necessarily malice; that rogue system administrator isn't something that's really seen that often. Again, healthcare is the only industry that has more threats by insiders than outsiders, but again, though, carelessness.

So external threats: we see that over 75% of them were financially motivated, and 50% were conducted by organized crime syndicates. I thought that was pretty interesting. It really just shows the transition, from a criminological standpoint, that it's now easier to attack digital systems than it is physical. There's that popular meme of someone holding up a bank and saying, "Dude, you could have made a lot more money through our website." So it is interesting to see the trends kind of follow in the digital space. And when it comes to external attacks, despite our focus on them, only 13% were due to espionage; similarly, around 12% by nation-state attackers. So I think, much like insider attacks, there is some sort of overemphasis, albeit however small, on those kind of APTs, the Bears, the Pandas, all of those good things.

Dwell time. As a defender, quickly, like, you know, who's a defender in this room? Hunter, blue team? Yeah. So this is really embarrassing for us. It's found that 87% of compromises took only minutes, or seconds even, to execute, while we found compromises in only three percent of the time in that same time frame, in minutes or seconds. The vast majority of times, it's two-thirds of the breaches take months or longer to find. The three-month benchmark is often quoted. In my day job I work in a lot of customer SIEMs and packet capture technologies, and it's kind of interesting that most people have a retention of three months. So when you find that breach in your environment, you find a compromise, you only have three months of data to look back on. So it's not to say that the breach or the actors have only been in your environment for three months; it's just that's all you can see. So I'd posit that attackers are actually in our environments much longer, doing reconnaissance, getting kind of a lay of the land, and then living off of it. What's also pretty embarrassing is that in many different incidents and breaches, across all different types of industries, it's not the organization itself that discovers the breach; it's often a third party, a partner, a law enforcement organization, sometimes even your customers. I think we can all agree that it's not an ideal scenario. By the time that the FBI is knocking at your door, it's often far, far
too late to prevent any sort of critical business damage.

So, cryptocurrency mining. Cryptocurrency mining is, again, suspiciously absent in this year's Verizon Data Breach Investigations Report, until you get around 90% through the report. Appendix D is in fact the first time the cryptocurrency mining attacks are even mentioned. Appendix D is Verizon's year in review, so it takes all the months in 2017 and kind of gives a brief summary of the different incidents that affected companies in those months. It's mentioned in 8 out of 12 of the months in 2017, so it's clear that Verizon knows that this is going on; seemingly something was kind of missed here in their report. But I do have one possible explanation; I'd love to hear your folks' guesses as well. My guess is that cryptocurrency mining attacks rose, SOCs then had to respond to them, and finally the industry analysts such as Verizon needed to funnel them up into the report. So my guess is that in next year's report we're going to see this as one of the top trends, likely right behind ransomware, but that it just takes a little bit of lead time for it to make it into the report.

That's absolutely true, but it should have showed up in the incidents, because it's absolutely a violation of the CIA triad, whether you're talking about availability or integrity. That is a very good point, that I think sometimes we overemphasize cryptocurrency mining as a breach type of incident. It's often, at, you know, Dell's, er, our corporate overlords, it is considered a declared incident, but it's not in the report at all, and so, even as one of the top trends, I would have expected it to be there. Looking outside of the report, I think it's only logical that these attacks take place and that they may in fact be on the rise, or at least were. It's very easy to conduct them, in the sense that there's a low barrier for entry; you also get immediate access to the funds as an attacker, and they're relatively non-destructive if you're doing them correctly. So if you have a large set of users, you can do a very slow roll of cryptocurrency mining, very low processing. You can even do them on IoT devices, security cameras, routers, and monetize that very quickly, and not need to wait for someone to pay a ransom in order for you to get results from it. It will also be interesting to see, as the cryptocurrency markets declined in value themselves, if that's going to have a corollary decrease in cryptocurrency mining attacks. I think we can all agree that the cryptocurrency markets were insane for a while; now they've come back to earth a little bit, and so it'll be interesting to see if the incidence of these mining attacks decreases. Well, I have not seen that in the field currently; they still seem to be pretty common, but we'll see if the monetization factor forces the hand of them to decrease. Another potential topic for discussion: I've had a lot of chats with co-workers about whether the ransomware attackers have pivoted to cryptocurrency mining or if it's a new breed of attackers that's coming out. Some debate amongst that, but I'd love to hear if anyone has any opinions on that. Anyone see any decrease in ransomware in your field as cryptocurrency mining has increased? We can get back to that later.

So now the hot industries. I was very surprised to see that Portland has a port. I'm not sure quite how that's possible, but it
does, and that's it. It doesn't look completely that robust, but I'm impressed that for a landlocked city you guys have a port.

So healthcare is one of the biggest industries in terms of the Verizon Data Breach Investigations Report. They pay a lot of stock and time in talking about healthcare, I think mostly because that's where the most valuable data is these days. If you take a look at the darknet, credit card financial data, yeah, that's kind of like a couple of cents these days, but medical records are at least twenty dollars. So there's that. And healthcare, again, is the only industry where insider attacks outnumber threats from the outside, but as I mentioned previously, the vast majority of that is due to error, carelessness. I think we can agree that when we go to the doctor, whether it's doctors or nurses, there are a million different systems that they're all using, whether it's Epic or homebrewed systems. I see my doctor going into, like, eight different terminals, having no idea what he's doing, pretty much every time I go there. So I think it's only natural that some error is introduced just through the human element. These are also not necessarily the most technically savvy folks, nor should they necessarily need to be, so I wish we could do something more in that realm to make it easier to secure our health records, which, at least as far as I'm concerned, is pretty much the most important data about me. In the healthcare vertical, when you see incidents, they are seven times as likely to be due to error, carelessness, so it's a pretty big deal for these folks. Next up, employee abuse of access is the only real malicious insider threat that they see in healthcare, although about 50% of the time that's due to fun or curiosity. So this is something like, if you know a celebrity has recently stayed in one of your hospitals, you can go and look at their medical records, not necessarily to sell it to TMZ and monetize it, just purely out of curiosity. When it comes to external threats, ransomware is a huge problem in healthcare. There have been popular media reports of lots of healthcare institutions getting hit by ransomware. It's not just the big ones; they'll pretty much go after anyone. Though speaking of the big ones, Merck was a huge victim of the NotPetya campaign. Well, not necessarily ransomware; I think one could argue that NotPetya is a great example of human error in terms of the execution of that campaign. So there's that.

Public administration. I kind of pooh-poohed the whole APT, nation-state, espionage vector earlier; this is where it matters. Around 50% of the attacks in public administration were due to nation-state, advanced, sophisticated attacks. That's an incredibly anomalous statistic in the report; only 13% of the rest of the attacks, incidents, and breaches in the report were due to nation-state attackers. It's not just state secrets, though; it's also the data of civilians and employees. In these public administration breaches, breaches of citizen and personal data were double compared to the theft of state secrets. I thought that was pretty interesting, because it's not just kind of the intellectual property of the F-35 that people are coming after; it's, as the Department, or the State of Georgia, can attest to, pretty much everything that they have, and much of what they have is data about us. So I think it's in all of our interest to help defend public administration, not necessarily the whole military complex, but at least the local and state governments that really are necessary for day-to-day life to function. It's not mentioned in the report, but I think critical infrastructure is also going to start coming into play, whether it's traditional critical infrastructure like industrial control systems, water treatment facilities, or new-age types of technologies like connected cities, connected cars. Public administration is behind all of this, for better or worse, and so we need to ensure that those vectors are defended against as well.

Information technology. I know probably many of you in the room are from this field. We have Amazon and Microsoft up north, we have Silicon Valley below us,
Intel is either to the east or the west, I'm not entirely sure. But distributed denial of service, DDoSes, are rampant in IT. Over 50% of the attacks that we see are DDoS campaigns, and amplification attacks, whether it's DNS reflection or other types of amplification attacks, are incredibly prevalent: over 75% of the DDoS campaigns used amplification, which is pretty scary when you think, when you have things like Mirai out there that make it very easy to kind of amplify any sort of normal DDoS attack. You don't need the traditional infrastructure that you once did in order to conduct these attacks. An average attack produced around 600 megabits per second of traffic. That kind of surprised me, because we're used to hearing about the gigabit-per-second or terabit-per-second attacks that hit people like Brian Krebs and Dyn. I know that I freaked out when Twitter went down, so that was not cool. But even earlier this year GitHub saw an attack of 1.3 terabits per second, and shortly thereafter Arbor Networks got hit by a 1.7 terabit-per-second attack. So they're definitely ramping up, and it'll be interesting to see how those trends continue to rise. The only saving grace here is that the attacks usually last only a matter of minutes or seconds, but for a lot of these companies, you know, if your web presence is taken down for a couple of minutes, that's millions of dollars that's out the door. The most common attack vector here is probably not surprising to a lot of us: it's servers. Over 90% of the attacks in DDoS campaigns were targeting servers, mostly database servers and web application servers. Not only are these where the crown jewels are in terms of availability necessities, but they're also very rarely well secured. That's for a number of reasons. The previous talk went into depth about, you know, DevNetSecOps, the new kind of hybrid term of overarching, you know, security and development unicorn life. I think we're spreading our talents a bit too thin these days, and so we need to take, you know, a bit more considered approach in securing these types of assets, especially when they're so core to our business. One good thing is there was a significant decline in breaches in IT in 2016 and 2017, so we're not doing a horrible job, at least.

An industry that's doing a pretty good job is the financial industry. They're the only industry to have significant declines and decreases for incidents and breaches, pretty much for the past five years; the past three years have a steep, steep decline. I'm relatively proud of that; I work with a lot of financial folks out in New York. They spend lots of money, though, and so it's a somewhat difficult model to follow, because not everyone has the disposable income that a bank does these days. The current threats are mainly physical, so whether it's ATM skimming, card skimming, or ATM jackpotting. I mean, we've known about these for a long time; this is from Barnaby Jack's presentation at Black Hat 2010, so it's been out there for a while. We have an ATM next door; I think it's hilarious how easy it is to pop it, even just with picks. And so there definitely still needs to be a lot of work done from a physical perspective.

Education. Education is a funny one when it comes to the Verizon Data Breach Investigations Report: over ten percent of the attacks had fun as their primary motive. I just think that's great. I know when I was a student I was doing things I probably shouldn't have, not from a malicious standpoint at all, just because you go to class, you hear some new techniques, you go on the forums at night, and you need somewhere to test your new skills; that's usually your campus's network. So I just want to give a quick shout-out to anyone in academia here: keep up the good fight. Also in education you'll see things like this. Verizon, I think, does a very good job with their graphics, but every once in a while you'll get something like this, and I would love to hear if anyone in the audience can form any sort of, you know, logical trend from this graph. The only trend that I can see, and I think it's actually a valuable thing to note, is that you can't make trends around everything. Not everything can have a baseline, an average, an anomalous vector. You need to kind of take a considered approach and look at your own environment, whether it's your industry or your specific enterprise, and defend accordingly. If you're in education and you're only focusing on crimeware, in 2014 you would have killed it; it would've been like a 90 percent success rate, but these days you're well below 10%. And so you really need to take a look at what's hitting your specific organization and defend accordingly.

That brings us to defensive techniques. I was interested if anyone would boo the Portland Police image, but you guys seem
to be pretty good corporate citizens.

So, visibility. I think visibility is a huge deal these days in enterprises; in my opinion it's pretty much the greatest improvement you can make for a pretty low dollar amount. I work for RSA NetWitness now; we sell a visibility pro-, product. It is incredibly expensive, but you do not need us. You can use Snort; Zeek, I think it's now called, which is, that's where Bro is, Zeek, that's odd for me; Suricata; the Security Onion is an amazing tool. And so if you don't have the budget to buy a fancy commercial tool, there are tons of things out there on the market to do that. When I talk about visibility, I think it's very important to focus on the fact that, you know, many people are saying defense in depth is dead. I don't think it's dead necessarily, but I think it's a starter; it's a beginning step. You need your defense in depth; defense in depth is going to protect against a lot of the low-hanging-fruit attacks, a lot of the commodity types of attacks, but you also need more than that. You need visibility into not only your logs but your endpoint and your network environment as well. Pcaps are great, you know, the "pcap or it didn't happen" type of thing. You really need to have visibility across your environment to understand the full scope of an attack campaign.

This is also an incredibly important graph from the Verizon Data Breach Investigations Report. I know it's probably very difficult to see right now; it's available not only in the full report but also in the executive summary, and I've kind of zoomed in on the four different areas that I've talked about today, the four different verticals. I think it's incredibly important that you tailor your defenses to your environment. I spoke about this previously, but I'll go into a little bit more detail. First, I'd focus on your industry. So here you can see there are some pretty, you know, big trends that you can determine: if you're in education, crimeware isn't a big deal for you; denial of service is, because your students and faculty need to access your assets on pretty much a daily basis. And so you need to take that kind of self-inventory and ensure that you have the necessary security controls in place to defend against the trends that you guys are seeing the most in whatever industry you work in. You then need to take that down to a granular level and take a look at your own enterprise. This requires a look at the people, process, and technologies that you have available and implemented. And so, you know, it sounds silly, but I've seen a lot of folks try to implement a hunt team with, like, a single junior level-one analyst. It's probably not where your efforts are best spent. Likewise, you probably shouldn't, you know, be hunting for APTs in your environment if you don't even know what devices are on your network. You also shouldn't be instituting and purchasing AI, machine learning, you know, whatever deep-dreaming technologies that are being sold these days without having a competence in... There are a lot of forces out there, from marketing, from the different conferences; your executives will come back and say, you know, "Here's a couple hundred thousand dollars, get this AI technology, get this automation technology, and it will save all of your problems." And you really need to have data points such as this report to really push back on that and say, you know, "These are the threats that we're facing in our environment; these are the tools that I think can help defend against them; let's go that way instead."

A big thing that I'm a huge proponent of, for a lot of the customers that I work with, is creating a data breach investigations report for your own environment. It by no means needs to be public and as robust as Verizon's, but I think there are two main things that can accomplish. First is that you can get an amazing baseline for your environment: you take that report year on year, compare it to previous years,
and see exactly what's trending in your own ecosystem. Additionally, it's a great way to get visibility at the executive level without getting dragged up to the, you know, top-floor conference room when something bad is going on. I know I've had a lot of SOC experience in my past, and it's very often that you only talk to those important people at the company when you're kind of under attack, and they're looking to you as, like, "You guys have failed; why didn't you do your job?" Doing a report like this, a yearly report, and briefing your executives on it gets you immense visibility, kind of a seat at that table, without anything to be pushed on you.

Another big thing is hardware tokens. Hardware tokens, I think, are an incredible step that you can make to defend against phishing and other credential-reuse types of attacks. Here I had to kind of give an homage to the old SecurID tokens of the day, but what we're really talking about these days is YubiKeys. Google had an amazing case study; it was released by Brian Krebs on his blog. Since they rolled out hardware tokens in place of one-time passwords and other types of authentication methods in early 2017, they haven't had a single incidence of phishing amongst their 85,000-plus employees. That was really impressive to me. I had been using, you know, Google Authenticator, and try not to do SMS whenever I can, but I completely switched over to YubiKey after that, with a pretty low, er, learning curve. It's pretty easy to use these days; they're relatively cheap; they have mobile models, desktop models. There's really no excuse to have an environment without some sort of hardware-based authentication.

Finally, you really need to focus on the basic building blocks before you do anything else. You don't need to build that kind of Starship Enterprise Trooper without focusing on, you know, the 101s. When I talk about the 101s, first you can even start with sysadmin: patching and backups. Backups are pretty straightforward; I haven't heard of an organization giving much pushback on backups. Usually it's just determining the amount of time and the method that you use. Patching is a bit more difficult; there are some systems that, unfortunately, you just can't patch. I know that's a reality, so patch where you can, and where you can't, segment those systems, increase the monitoring on them so that you have as much visibility as possible to determine if something is going wrong. After you kind of check off the sysadmin 101 checklist, move to the CISSP. I know we all joke about it, but there's some valuable information in there, whether it's, you know, keeping need-to-know privileges, privileges of least access. You really need to know who in your environment has access to what, determine what the criticality is of those assets, and ensure you're doing roving audits of
that Netflix has an amazing program the name escapes me right now but I believe it's open source where they have a protocol that will kind of do random reduction of privileges chaos monkey thank you so if someone complains they say hey I need that it's part of my daily job you can either automatically reenroll it or you can do a manual review and ensure that they actually do need it if no one complains probably shouldn't have a dad had access to that in first place so I think systems like that incredibly useful relatively low friction I know you're Deb's are always fighting against you to have you know pseudo rude and more and and so things like that can be
easily implemented in your environment so that is all I had I did not want to spend the 50 minutes kind of distilling every single statistic in the Verizon data breach investigation report I'll take some questions now if there are any and then we can move to a discussion I do not want to take these pins home so you guys need to participate and get some some goodies any questions first I expected that and I have some topics for you so do the trends that you saw here match what you guys see in your environments why do you think we as an industry may overemphasize such things like insider tax nation-state attacks how can we come more tailored and less
effective in our defenses and what you guys use what defensive techniques do you use that you'd like to share with others I'm a huge advocate of sharing in our community I think it's great and so you know this is a forum now for you guys to do so yes
Yep, yep. So the comment was focused on end-user training: what in your organization do you guys use, have you seen effective? And I know I personally cringe when I hear about end-user training, but a speaker yesterday talked about having an escape room method for their user training that seemed to be incredibly effective. It sounded cool to me, I like escape rooms; if I had to, you know, do that as part of any user training I'd be pretty stoked. Anything that you guys have done in your organization that you have not... Yeah, that's the unfortunate truth of it. I agree that we need to get a little bit more agile with our user training and more applicable to the threats that we're facing on a daily basis. Nice little Trevor Forget pin. Anything else, anyone?
Yeah, no, I appreciate that. I did have only one of the customers that I work with kind of take me up on that, and last year they were able to get two additional headcounts as a result of that, and this year they were able to get a vast increase in budget. So it is, you know, valuable, and it's very little work as well. A lot of times you'll have these metrics just kind of sitting in your different products; it's just a matter of pulling them, making them pretty, dumbing them down perhaps for executives, and then kind of getting that seat at the table. Yes, I would venture to say many, but yeah, if Verizon didn't know that it existed there's no way to put a metric behind that, so I think it's really hard to say.
I would make sure that they're not able to keep it out of the media, as they are one of the most highly regulated industries. I know personally New York State just put in a new regulation that's very kind of GDPR-esque in terms of mandating disclosures of breaches. My guess is that they have been so fortified for so long now that they're just not the target that attackers are going to take. There will always be the concerted attackers that hit the SWIFT system, you know, you still hear about these things happening, but in terms of a single institution getting breached, it's few and far between. Yes, Aardvark is the one that I was thinking about, yeah.
Yeah, that is not in the scope of this report as far as I know, but it is a personal question of mine. Those numbers and metrics are incredibly far-ranging; it's as low as, you know, two hundred thousand dollars for someone like Target, and in my mind I'm like, well, that's pretty cheap compared to a security tool, so I hope we don't take the trend of just considering these things as like shrinkage and shoplifting, where it's cheaper to get breached than it is to, you know, put the security tools in place to detect them. But you also hear estimates going all the way up to like two hundred million dollars. I'd venture it's somewhere in between, but a lot of the more destructive campaigns that we've seen, the WannaCry and the NotPetyas of recent, there was definitely significant and major disruption to business that must have exceeded even the 200 million dollar mark. Just from personal knowledge of those attacks, some of those companies were very heavily affected; I know Maersk is still, you know, cleaning up from that. Yep. Yeah, it's probably not good to use a bug bounty as a facade of paying extortion to an attacker. I think that was the Uber scenario, definitely not a good look, especially when Uber has so much other things going on; you'd think they'd behave well when, you know, they're outed in an instance like that. Yes.
Yeah, that reason is specifically why I solely kind of used Verizon. I do check it, especially in preparation for this talk; the trends that they report on pretty much match the other ones in other reports. Mandiant M-Trends was a huge thing for me a while back; it's become a little diluted in my opinion, but I would love, you know, other suggestions if people use other metrics and other reports. Gartner is Gartner, and so not gonna say much more about that, but there definitely are a lot of reports out there. But I think of the Verizon data breach investigation report as being kind of the crème de la crème.
So that is something that's been seen, and people try and draw corollaries between that and the increase in cryptocurrency mining. I'm not confident that that's an accurate correlation to make, but I think we need a little bit more time on that. Ransomware is still certainly very prevalent, and the reduction in those quarterly time spaces also curiously matched a general reduction in attacks. I'm not quite sure what that's about, whether people kind of get lazy at the end of the year, they go on holiday, they've reaped all of the, you know, Bitcoin that they need for the year and they're good, and then they kind of wake back up in Q2. But that is definitely a trend throughout all industries that see that type of behavior. The only kind of outliers are the commercial industries that get hit very heavily during, you know, the holiday seasons. But most other folks, it's odd, because if I put an attacker hat on, I think that most of the defenders are going on vacation, so what better time to hit them than at the end of the year. But I think there are also a lot of freezes put into effect where systems are taken off for maintenance or whatnot that make it a little bit more difficult for attackers to execute on their objectives. Any other questions or comments?
It's a very good question. Aiki has had success over the past two years, I think. I'm particularly cynical, I think many of us are, and so I'd look to the internal threat actors and the non-malicious attacks that they take, that they follow, as kind of a success of humanity, so to speak, in that even when people are behind these attacks and have very privileged positions in our environment, they're generally not doing it out of malice; it's more human nature of curiosity, the folks in education just doing it for the lulz. I agree that we have very pessimistic views of kind of the state of our industry; oftentimes this report does not do a great job of reversing that, but I think there are small wins that you can take in each of the industries in terms of the reduction of attack surface and the corollary result of incidents.
Yeah, that very well could be the case. It's not necessarily reflected in the report, but I do believe that it's obviously easier to patch a desktop machine in most cases than it is a critical server, especially one running, let's say, some sort of operational technology that literally cannot work if that patch were put into place. Exactly. That is, well, though, from that perspective, if your servers are more important to your business function, the availability should have a higher priority, in the sense that you can patch it and ensure the availability with minimal downtime, as opposed to leaving it unpatched and having the risk that someone destroys your availability and your, you know, five nines, bye-bye, you know, facing an attack. Although unfortunately we are forced to often be reactive in our field as opposed to proactive, and so I hope that reports like this, and using the statistics to show the benefits of being proactive, can give a little bit more fire and more weight to our pleas to be able to, you know, take a twenty-four-hour downtime period to potentially reduce an immense amount of business impact.
No, they don't get that granular.
That's true. I don't think we've gotten there now where there's such granularity amongst the defensive postures within certain industries. I think it could potentially be true, you know, a major large healthcare provider should at least have better security than, let's say, like a mom-and-pop dentist, but that large healthcare provider would arguably also have much more valuable data, and so it's hard to make that kind of distinction as of now. I'm also not sure that Verizon is brought in to incidents of much smaller corporations; their services, much like everyone's services in this field, are not cheap, and so it does take a certain barrier of entry. Yeah, yeah, it's kind of the cruel reality of it right now. A lot of folks in the small-medium business areas don't even have the visibility to understand if something like this is happening, and that's where I think we really need to get better in terms of enabling folks, building secure-by-design systems so that you don't need to have, you know, a core security background or even a security employee on staff to have a decent chance of surviving some sort of attack.
I'm not one to necessarily preach regulation, but I do think it has helped. Things like, we saw a huge influx in chatter amongst our customers when GDPR was coming out, much like the New York State Frey, our financial regulations, so it's definitely moving the ball; unfortunately it's still far too slow in my opinion. I had an interesting conversation along this point with a colleague. His estimation was that it's really going to take insurance companies to start offering cyber insurance, and then some sort of valuation of when does a breach exceed the capabilities of that insurance provider, where it's no longer in their interest to provide that insurance service, and then the government will really step in and increase the regulations because the private sector will no longer be able to do it for themselves. But that I think is many years out, and with the advent of IoT and embedded devices and ICS becoming more and more connected, I think we need it much sooner than that.
Yep, yeah, that's where we see it the most; that's kind of what spurred my conversation. Another, not speaking to financial, but another interesting data point: Bruce Schneier has a really good book out that talks about kind of like we're all burning, the world is coming to an end, not the most optimistic of all books, but he speaks as someone who's also not traditionally a fan of regulation. He speaks very candidly about how his experiences in the past have led him to the point where he really sees regulation as the only thing that can do it at this point. So I'd advocate for everyone, you know, to not only become involved in the political process but make kind of your passion of security, your day job of security, whatever it is that caused you to be here today, a driving force in the political process as well. We've seen that before; we've seen great strides come as a result of political movement. So if we could do that for our industry, not only would it be great job security for us, if we don't have that already, but I think it could make great strides in our kind of defensive posture as a society. The election and tampering and all of that, I think I was very optimistic that that would help, but that seems to have done very little, if nothing. Do you have another?
Absolutely, absolutely, and I'm a huge advocate of embedding with the political process. You know, you don't necessarily need to, you know, run for office or whatnot, but spending an hour a week, an hour a month, in volunteering with a political office or a political party or whomever you associate with to just advise them on security posture. If you're a network person, help them shore up their network security; if you're an application person, help them with their apps; even just from an operational security standpoint, bringing awareness to patching and really basic kind of computer hygiene type of opportunities. I think those are rife within the public sector right now. I think that is all of our time, but I'm more than happy to continue any conversation off the stage, and thank you all for your attendance and your participation. You're welcome to come up; I think I have three more little Trevor pins left, so come on up and grab them. [Applause]