Our Views:
Key Takeaways from the 2023 Data Breach Investigation Report
The annual Verizon Data Breach Investigations Report gives us one of the most reliable and comprehensive insights into the recent cyber incident and data breach landscape. It describes the main challenges and threats organisations have faced over the previous 12 months. It is also a key resource that the Center for Internet Security uses to keep its recommendations current on the most relevant and effective security controls an organisation can implement to combat these threats.
The 2023 report analyses a total of 16,312 security incidents whereby a security event compromised the integrity, confidentiality, or availability of information assets. 5,199 of these incidents were confirmed data breaches. We have included the highlights and what we consider the key learnings from this latest report below:
Threat Actors
- External actors were responsible for most confirmed data breaches (83%). These external actors were overwhelmingly (94.6%) financially motivated, with organised crime groups making up around three-quarters of them.
- Nation-state-sponsored data breaches were not highly represented: internal end users contributed to more data breaches, through either malicious activity or accident, than state-affiliated actors did.
Attacks, Attack Vectors, and Assets
- The Use of Stolen Credentials, followed closely by Ransomware and then Phishing, ranks as the most used attack action when reviewing all confirmed data breaches.
- Denial of Service attacks and Ransomware dominate the statistics when looking at all incidents.
- The top three attack vectors for both confirmed data breaches and incidents, in order of prevalence, were:
  - Web application
  - Carelessness
- Ransomware was involved in almost a quarter of all breaches and still appears to have room to grow further and cause greater harm in the years to come. The latest data suggests that while ransom demand amounts have lowered, the overall cost to recover from a ransomware attack is increasing.
- Social Engineering attacks have increased. Business Email Compromise has almost doubled since the previous year, with pretexting and phishing the primary attack actions. 50% of all Social Engineering incidents in 2022 used pretexting. Pretexting is essentially an invented scenario that tricks someone into handing over information or doing something that may result in a breach.
- Poor creation and protection of passwords drove high rates of Basic Web Application attacks this year. Leveraging stolen credentials and vulnerabilities enabled 25% of data breaches.
- The top attack patterns of System Intrusion, Basic Web Application Attacks, and Social Engineering ensured Servers remained the top asset affected by a breach, particularly Web Application and Email Servers. People take the second spot, reflecting the impact of social engineering.
- Operational Technology impacts still feature extremely low in comparison to impacts on Information Technology, making it hard to derive valuable information on this area yet.
- Denial of Service attacks dominate the overall incident category, where the median bits per second in these attacks grew by 57%, from 1.4 Gbps previously to 2.2 Gbps this year.
Important actions to take in response to this information include:
- New remote and more flexible working models mean devices and data are more likely to be transported and used in multiple locations. This requires businesses to monitor and act to prevent carelessness and loss. Remind employees about their duty of care and set guidelines for the storage and protection of assets.
- Ransomware response plans should be in place and understood by all in the organisation.
- Employee awareness training to address good credential management, general landscape awareness, and phishing identification remains critical to combat social engineering (CIS 14, as below).
- Review your DDoS mitigation service to ensure it can scale appropriately, and ensure DNS infrastructure resiliency.
- Consider implementing or augmenting a Software Bill of Materials (SBOM) process where relevant.
- The following set of critical security controls should be considered as priority actions for your business:
  - CIS 4 Secure Configuration of Enterprise Assets and Software (4.1, 4.2, 4.4, 4.5)
  - CIS 5 Account Management (5.1, 5.3)
  - CIS 6 Access Control Management (6.1, 6.3, 6.4): MFA, MFA, MFA!
  - CIS 7 Continuous Vulnerability Management (7.1, 7.2)
  - CIS 9 Email and Web Browser Protection (9.2)
  - CIS 10 Malware Defences (10.1, 10.2)
  - CIS 11 Data Recovery (including 11.1, 11.2, 11.3, 11.4)
  - CIS 14 Security Training and Awareness
  - CIS 17 Incident Response Management (17.1, 17.2, 17.3)
Regional Differences
Overall, the APAC (Asia Pacific) region generally follows similar patterns to all other regions, with a couple of notable differences. Social Engineering rates as the highest problem in the APAC region, with System Intrusion second. This contrasts with all other regions, where System Intrusion dominates. Additionally, the percentage of espionage attacks, and the resulting compromise of data secrets, is significantly greater in APAC than in other regions.
In summary, the DBIR highlights some key areas of concern for organisations. As a priority we recommend you invest in your people. Security awareness training is crucial, as 74% of breaches involved the human element. You should back up this awareness training with smart policies, processes and automated systems that aid in compliance. Secondly, as threats continue to accelerate, you should assess your organisation against each of the CIS controls outlined above and take steps towards closing any gaps.
Further detail on the full report, including mapping to the MITRE ATT&CK framework, is available on the Verizon website.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and, if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date, from a high-level perspective, with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
