Verizon DBIR 2016 – Back to Basics with Phishing Lessons

The Verizon 2016 Data Breach Investigations Report released last week is an extremely comprehensive body of research, quoting over 70 sources worldwide. Yet, despite the fact that it covers multiple business sectors and geographies, one thing is certain: Phishing, an age-old method used by cybercriminals and spies for over two decades is here to stay. In fact, the industry has seen a major increase in the volume and significance of attacks this year. Unlike the phishing campaigns of the past, the majority of phishing attempts are used as a means to install persistent malware.

It’s not surprising that ransomware attacks, the number one form of malware, increased by 16 percent over Verizon’s 2015 findings. And how are most types of ransomware delivered? Yep, through phishing.

Highly targeted attacks, such as these perpetrated for the sake of espionage, leverage phishing as a method to deliver a damaging payload. As the report says: “Phishing, as a leading action, provides a number of advantages over many other exploit approaches. The time to compromise can be extremely quick and it provides a mechanism for attackers to target specific people in an organization. And by using a service that is necessary for business communication to the internet, it allows an attacker to bypass many security devices and gain a foothold on an endpoint in the organization from a remote attack.”

In fact, phishing is a common payload-delivering mechanism in 7 out of the 9 leading incident patterns (the 2 patterns from which phishing is absent are insiders and the dreaded “miscellaneous”).

Phishing is very effective for several reasons. For one, it’s cheap to execute, so criminals can send thousands of emails. Two, it relies on a human’s inability to identify and filter the malicious content. Third, it’s a very quick method. The median time for the first user of a phishing campaign to open the malicious email was 1 minute, 40 seconds. The median time to first click on the attachment was 3 minutes, 45 seconds. And finally, regardless of awareness training, tests conducted throughout various industries showed that, alarmingly, 30 percent of phishing messages were opened – up from 23 percent in the 2015 report – and 13 percent of those clicked to open the malicious attachment or nefarious link.

Phishing is also agnostic to the end motivation, whether it is encrypting files, obtaining credentials or mere reconnaissance. It will get in by email, and the payload will do the rest, as depicted below:

Verizon 2016 Data Breach Investigations Report

Is there no hope?

Well, the report does offer one very solid recommendation for organizations:  It calls to filter your incoming emails and flag suspicious content. All other recommendations (awareness training, etc.) are secondary. And we at ReSec can only applaud the authors of the DBIR report and join them in their call for better security that could only be achieved by disrupting the delivery mechanism.


About the Author:

Michelle Handelman is Head of Marketing at ReSec.