Joe Carson and Tony Goulding dive into the Verizon Data Breach Investigations Report (DBIR), revealing key insights on the top threats in cybersecurity. Discover why credential compromise remains the leading attack method and how ransomware, data exfiltration, and extortion are on the rise. Learn about the critical importance of strong authentication, authorization, and continuous monitoring. Don’t miss their expert advice on protecting credentials and staying ahead of evolving security threats.
Connect with Delinea:
Delinea Website: https://delinea.com/
Delinea LinkedIn: https://www.linkedin.com/company/delinea/
Delinea Twitter: https://twitter.com/delineainc
Delinea Facebook: https://www.facebook.com/delineainc
Delinea YouTube: https://www.youtube.com/c/delinea
Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO with Delinea, an organization that really helps protect the identities, authentication and authorization of many organizations around the world. Today, I'm joined by a returning guest who's been on the episode quite a few times before. So, welcome back to the episode. Welcome, Tony. Do you want to give the audience just a reminder who you are, what you do, and any interesting things about yourself?
Tony Goulding:
Yeah, thanks, Joe. Hello, everybody. Nice to be back. My name is Tony. I work for Delinea. I've been in the security industry for many, many years, almost 30, if not more than 30. I lost count over the decades, but privileged access management, identity security, that's my life. Good and bad, sad, but it's really exciting. I mean, we just came back from the RSA Conference and Verizon has just given us their view on the last year in security. So, we're all pumped up, ready to look at those things and talk about them and help our customers understand how they can mitigate risks associated with identity. So, it's a really exciting time for me.
Within Delinea, I wear two hats. I'm in product marketing. So, I work on the technical side of product marketing, and on events like this, I'm a security evangelist. So, it's a really lovely balance for me in my job. I get lots of exciting things to do, such as this podcast.
Joseph Carson:
Fantastic.
Tony Goulding:
So back to you, Joe.
Joseph Carson:
Where's the accent from? Just to remind the audience.
Tony Goulding:
ia. I've been in the US since
Joseph Carson:
Fantastic. Excellent. Moving into today's topic, of course, the Verizon Data Breach Investigations Report, which has come out. It's one of those reports where we give ourselves a bit of a scorecard on how we've been doing in the past years. Have we been getting better? Are we improving our defenses? What techniques are the attackers using? What's been successful? So it's always one of those long-awaited reports. Then we try to analyze and understand the results. Basically, it's amazing. If I look back, it's its 17th year now, so this is an impressive long run of reports.
Tony Goulding:
It is.
Joseph Carson:
It really allows you to go back in the data, the trends, and compare year over year. This report covered 94 countries globally, 30,000+ incidents, and then also over 10,000 data breaches. So, quite a lot of interesting data that's in there. So, Tony, what was some of your key takeaways? What was the thing that really surfaced to the highlight that you were really surprised you or maybe even didn't surprise you? What did you take away from it?
Tony Goulding:
Yeah, as you said, we all look forward to this thing coming out. If we are surprised, it's like, well, we shouldn't be because we're experts in this field. But I think overall, I saw several continuing trends from the past year. So, Verizon, they analyze what they call the ways in, the methods that threat actors used to gain initial access. Of those ways in, the trends were very, very similar to last year. So, that was a little bit surprising. There were a couple of blips that caught my eye. There was an uptick in insider threats. It was fairly significant. It's like 35% from 20%. That caught my eye.
There was also a few references to recommendations like the use of MFA and the non-use of VPNs. Also, there was supply chain attack references that influenced almost 10% of breaches. So, these are areas that we need to keep an eye on. Certainly, when it comes to solutions to prevent those types of threats, Delinea, we have to look at that. We have to focus on those things that are trending, that continue to trend, but also those slight jumps in percentages, we need to focus on those.
Joseph Carson:
Absolutely. So, you covered a lot of those great areas. One thing I really honed in on was that credential compromise continues to be the top way in. Credential compromise was leading. I think it was probably more than two times the next method, which was phishing, and then followed not far behind by exploits and vulnerabilities. Vulnerabilities did significantly increase because we did see a significant number of vulnerabilities and zero days last year that of course attackers jumped on.
But if we look at credentials, if you look not just at last year's report, but if you go back over the last 10 years, it shows that actually more than 30% of the methods of getting access over the last 10 years have been credentials. What are your thoughts around that? Why do you think that continues to be the message?
Tony Goulding:
Well, it does. It's no shock to me because I mean, at the end of the day, if you've got infrastructure, if you've got systems and the way into those systems are using IDs and passwords, or it may be federated, but at the end of the day, it's some credential. That credential ties permissions to an account. So, that is the way that you are going to get access to stuff. It's also compromising more privileged credentials is the natural way that you're going to elevate those permissions to gain access to the things that a normal user wouldn't have access to. So, credential theft, it could be in the form of insider theft or insider elevation as well as the external threat. That's going to be their primary target.
That's the way that they're going to gain access to the most systems and services and resources within your infrastructure, and of course with the cloud. I mean those resources, I mean, they've just ballooned over the last five years. So, even more opportunity, credentials haven't gone away. They're still there. We still use passwords a lot. The promise of passkeys taking over and making our lives a lot more secure, it's still something I believe in. I think it still has a lot of potential, but it's not there, right? We're still using passwords today. So, credential theft has always been and probably will be for the foreseeable future, the main vector of attack in the playbook of threat actors.
Joseph Carson:
Absolutely, because it works and it works successfully all the time.
Tony Goulding:
That human element, which is phishing people. In their psychology, that's something that can be leveraged.
Joseph Carson:
Abusing people's trust. Absolutely.
Tony Goulding:
That contributes to that as well. We'll get to that.
Joseph Carson:
It does indeed, especially when it comes to using phishing campaigns and business email compromise. Those are the areas that I see a lot of really more sophisticated types of attacks.
Tony Goulding:
It is, yeah.
Joseph Carson:
One thing that I took away as well is that organizations, they tend to always still have flat networks and especially more in cloud environments. What that tends to do is that if attackers are able to use that initial access of stolen credentials to get in, what you tend to have is this mixture between low risk accounts and high risk accounts on the same flat network. Attackers are really good at using those low risk accounts to do privilege escalation. They know those paths, they've got the playbooks.
You go to the MITRE ATT&CK framework, and you can look at all of the different methods that they can use to move from low risk accounts to highly privileged accounts. Those techniques they use over and over again. So, I think it's really important. It's important to make sure that not only you're protecting those accounts from that initial access with adding-
Tony Goulding:
That is a very good point.
Joseph Carson:
... other security controls in place, but at the same time, the segmentation is critical.
Tony Goulding:
No, that is a very good point. I mean, for years, for example, Microsoft has published their architecture for Microsoft Networks, and it's a tiered architecture. Well, I can't say this for sure, but I'm sure many people don't take a lot of attention to that tiering because the tiering also, if it was implemented properly, it would achieve what you're talking about, which would be the segregation of different levels of privileges and credentials into tiers where the ingress and the egress from those tiers is very well-defined and it's very well controlled. I mean, there's still going to be the problem of escalation, but it would make that job a lot more difficult for the threat actors if those boundaries were more properly defined and controlled and protected.
Joseph Carson:
Absolutely. That's why a lot of organizations move to things like vaulting in order to do that segregation between accounts and also making sure you're laying security controls that once you're in the door, the path to those focus accounts is a lot more difficult and challenging with the basic security controls and all of the building in place.
Tony Goulding:
I mean, for years, we've proclaimed the idea of least privilege. You may like the term or not, just like zero trust has its advocates and its detractors, but as a concept, it is fundamental. It's fundamental to zero trust. It's fundamental to a lot of other best practices. But in terms of least privilege, in an absolutely perfect world, you would eliminate all of those privileged accounts that these attackers are going after, but you can't.
So, you've got to put them in a vault. You've got to put them in a place where you can protect and govern their access, where you can do just in time access. So, you can get approval for using those in a legitimate fashion as part of a legitimate job function. If you're an administrator that just got a help desk ticket telling you to go and fix a web server problem on a particular device, then you got to have those controls in place.
Joseph Carson:
Absolutely, getting to least standing privilege, or sometimes I refer to it as zero persistent privilege. So, I have a question.
Tony Goulding:
I'll steal that one.
Joseph Carson:
It's one of my favorites. I come from a virtualization background. It was always about getting to non-persistent environments, and that's where I always thought about zero persistent privilege and also getting to zero friction as well. When you think about zero trust, I'll say that you have to make sure that it's usable as well. So, you have to have a zero friction approach.
Tony Goulding:
Yeah, that's an interesting point, because I mean, if you're talking about just in time and you're talking about a workflow where you're kicking in, you're doing a self-service request, there's a workflow, it goes to an approver, it comes back, it gets provisioned. There's going to be some inherent delay in that process, but I think it's absolutely necessary. I think that's just the nature of the beast, but it's interesting, you mentioned the virtualization because obviously in the cloud, we're faced with that a lot, right? There's a lot of ephemeral servers going up and down, spinning up and down, and those credentials are going up and down with it. So, that's an obvious area.
Joseph Carson:
That's where you're getting into temporary credentials, and you're then getting into things like, "Well, you've also got patching faster," which also, that's why virtualization also allows you to get to micro-segmentation. So, I've got a question for you into. One of the things that was really interesting as well was the state of ransomware within the report itself, and we recently did our own ransomware research, which also showed the acceleration of data exfiltration. This report, the Verizon Data Breach Investigations Report, also showed the rise of ransomware, but also the rise of data exfiltration, notably where it's getting to extortionware. What was your thought around that? Yeah
Tony Goulding:
I think they use the term, ramstortion, which it sounds like a German heavy metal band or something, but ramstortion is the fun term that they're using. But yeah, I've got a few notes here, but I think the number for ransomware and so on is around 23%, which was just slightly lower than stolen credentials. But if you do combine that with stealing the data for extortion as well, then that number jumps to like 32%, and it was the top breach pattern in most sectors, scientific, financial, heavy technical services, scientific, et cetera. Yeah, in terms of ransomware, it's the gift that keeps on giving, isn't it? I mean, I think that there's fluidity. I mean the Feds came down on some of the groups and that's leaving a bit of a void, but others are climbing into that void.
So, it's not going away. I guess ransomware groups, they're continuing to be innovative. You mentioned the MOVEit incident, the zero day vulnerability, they're stealing data versus deploying ransomware. So, yeah, I think we're going to see more of that. It's interesting that one of the things that Verizon mentioned about vulnerabilities and zero-days like MOVEit is they actually recommended that organizations try and distinguish between human adversarial behavior versus bots.
Because generally speaking, when you discover something like MOVEit, they're going to automate that. They're going to create bots that will automate the process of using that too, but initially, there seems to be a trend, especially in the bigger groups of doing it manually, just to try and discover if there are zero day paths through an organization. So, the ability to spot manual activity by an adversary, that could be like a precursor or a hint that there may be a zero day attack on the way if they happen to find one, they recommended that you try and distinguish between the two, which is an interesting thing.
Joseph Carson:
Absolutely. It makes it from a weaponized perspective, because also, when you look at ransomware guys, they're very much organized crime. You've got different elements. You've got those who specialize in initial access brokers. You've got those who specialize in creating the ransomware itself. You've got the money launderers. You've got the hands-on keyboard. You've got the service desk. It's this just basically supply chain.
Tony Goulding:
I mean, they are businesses. They've got HR and recruiters.
Joseph Carson:
Yeah, absolutely. They're even on looking for new hires and offering salaries. It's always interesting to see that ecosystem evolving.
Tony Goulding:
I mean, we laugh, but it is a business for sure.
Joseph Carson:
Absolutely. I mean, I recently went to watch Mikko Hyppönen's recent talk, which was fantastic. He's saying that even these ransomware guys are getting into branding, marketing, where they have logos, they've got slogans. It's interesting.
Tony Goulding:
T-shirts.
Joseph Carson:
Yeah, and T-shirts as well. They want to be known for what they do. They want people to know that "Oh, you can get hit by ransomware." Then the second part of it's, "Oh, and we were hit by this guy." Then it's the second shock. One of the things is I think the indications from the report as well show me that we are getting better. Even though ransomware is on the rise, with extortion being the acceleration, it tells me that we're getting much better at data backups, data resiliency. It means organizations, they have a choice of going back to the data. They've got a customer resilient backup.
Tony Goulding:
Also, throughout the year, I mean, I've read a lot about the fact that they've been trying to con their victims. In other words, they say that here's some encrypted data you've been done, but several of maybe the mid and smaller sized groups, they don't necessarily have all of the tools to do that en masse encryption. So, they're conning their victims into thinking that they are hoping that they'll get a ransom out of it. I think that several organizations now are pushing back and saying, "No, no, no," as you said, "we're going to beef up our ability to back up and restore, and we're not necessarily going to go down that path." But also in the Verizon report, I mean, they have some stats on the potential average cost.
I also read some FBI stats recently that put the median ransom demand at something like 0.05% of victim revenue, which doesn't sound like much. So, that would be like $4,000 for a $10 million company. But when it comes to the big game hunting, the larger crews, then that percentage drove up to about 25% of revenue for the top 10% of the cases. So, that would be $25 million for a $100 million company. So, that's a big difference. That's just the ransom. It doesn't take into account things like reputational damage and the cost to restore, et cetera, et cetera.
Joseph Carson:
Loss of customers in the future.
Tony Goulding:
Exactly.
Joseph Carson:
All the legal side of things in the background. So, one of the interesting things as well was that around that, when you think about the attackers doing data exfiltration and taking the data out. They know that "Okay, they've got a backup. I can't destroy the backup, so I'm going to just do data exfiltration." What they're really good at is analyzing that data and understanding the financial stability of the organization, what's been going on in the organization, who are the right people. They analyze that.
So, they actually have a really good idea of what type of ransom that organization has the capability of paying without damaging the business. So, they're really getting very creative and very good at understanding from a financial perspective. But I think this is where we see the joining of two criminal parts of the industry, in that one thing that ransomware gangs were never really good at was money laundering. What organized criminals were good at was money laundering.
Tony Goulding:
Good point.
Joseph Carson:
You're seeing those two ecosystems of organized crime and ransomware criminals converging and sharing knowledge and experience in order to really get that end-to-end service.
Tony Goulding:
But again, as we discussed earlier, it comes down to skills for hire, right? They're hiring people with those skills to fill the gaps that they have, but it's interesting. I mean, when you exfiltrate data, you could have terabytes of data. So, we'll come to it, but AI is going to contribute into their ability to sift through that quickly and maybe pull out-
Joseph Carson:
Analyze it.
Tony Goulding:
Yeah, analyze it and pull out relevant information.
Joseph Carson:
Absolutely. One of the other key takeaways was that if you look at the different types of motivations, right up there at the top, financial motivation.
Tony Goulding:
That's financial. Yeah.
Joseph Carson:
It's purely financial; even espionage, which is the nation state, was like 7%, which is very, very small if you look at the entire number of incidents and data breaches. We can get to the financial portion here.
Tony Goulding:
The thing that might contribute to that is supply chains. Because if you are, let's say, a tech provider or a service provider and you've got lots of downstream customers, then somebody on the inside would have much more access to stuff outside of their own initial organizational sphere of control or sphere of information. They could spread downstream to other organizations that are affiliated down that supply chain. Consequently, the opportunity is much bigger. So, they could be subject to more targeted blackmail attacks or whatever. So, there could be collusion involved in those things, and that would also be a financially motivated set of attacks.
Joseph Carson:
Absolutely. One of the things that, Tony, you touched on just a little bit, let's dive into that right now, is the AI piece. One of the big takeaways from the DBIR was that criminals are not using AI because the basic attacks still work. They don't need to go and develop and invest heavily into these massive GPUs to do lots of these really fancy AI capabilities. They're finding compromised credentials still work. They're finding that phishing campaigns still work. They're finding that vulnerabilities are still going to happen, and those will lead into access. They're going to find vulnerabilities in web applications.
So, one of the things that it looked like is that while gen AI and all of the things we're seeing with artificial intelligence seems to be focused heavily on the defense side today, I have seen some uses in, for example, let's say creating better phishing campaigns for things like translations. I've seen it.
Tony Goulding:
Absolutely.
Joseph Carson:
Being more creative in the types of social engineering capabilities. But I would tend to agree is I haven't seen it being used in augmenting the ransomware variant to bypass the defenses in real time. I haven't seen it get to those points where it's a battle of algorithms and battle of AIs.
Tony Goulding:
No, me neither.
Joseph Carson:
I would tend to agree with the analysis of the report when it comes to attackers using AI.
Tony Goulding:
e next year when we're at RSA
Joseph Carson:
Absolutely.
Tony Goulding:
... incorporating it or not. But to your point, the only areas that I've seen AI being used is with those translations of let's say business email compromise attacks, emails. I've also seen reference to it being used to do research on an executive. So, they're going to target somebody pretending to be an executive, and they use AI to research that executive and to cull information. Let's say that the executive's daughter may be in college right now or on a vacation or something, and they incorporate that into there. So, the AI can be used to help-
Joseph Carson:
The recon side, reconnaissance. Really get the blueprint of the organization. This is one of the things I used to do in the past when I was doing penetration testing, creating those blueprints about who's the prime target. Absolutely, if you feed the public information from the organization into generative AI, it would simulate and create that for you.
Tony Goulding:
Yeah, I think we will see more of it. I did read a couple of weeks ago about a situation where security controls are being offered and used to combat BEC, like things like using a verbal authentication request from C-suite execs, but they're being circumvented using AI to clone executive voices. So, it's creeping in there.
Joseph Carson:
It is. I think most of the things we're seeing it though is more in-
Tony Goulding:
It's very lightweight.
Joseph Carson:
Deepfakes would be probably mostly for the celebrity side of things or calling or fake advertisements. That's where the majority of that criminal activity has been, where I've seen it, being based in Estonia. One of the things is that the Estonian language is very complex. So, that has for many years been a barrier for criminals to do phishing and business email compromise and social engineering without having local expertise or proper local translators. But that's what ChatGPT and generative AI have been able to... They've removed that barrier. So, the Estonian language is no longer a barrier to protect here. So, it means that-
Tony Goulding:
It's interesting.
Joseph Carson:
... you have to be more able to detect those types of scams.
Tony Goulding:
It's an interesting tie in that the innovation sandbox at RSA this year, the company that won it was a company that has software to recognize deep fakes because of exactly this potential scenario. So, I mean, they're making a business out of it. So, we must assume that there is an impending demand for that security. So, interesting.
Joseph Carson:
Absolutely. From the report itself, analyzing all of those details, the credentials, the vulnerability side of things, the exploits, getting into ransomware being on the rise with a focus on extortion and the AI pieces, what's your recommendation? What should organizations take away from the report and what types of security controls should we be prioritizing based on the lessons they've learned from this?
Tony Goulding:
Well, I'm jaded. Obviously, I'm in a space where we do help with that, but I don't think it takes much reasoning to follow the puck. I mean, we are still in a situation where IT and IT security has limited budgets, so they've got to focus on where they spend that. Given the fact that credential theft and credential abuse is still the top way in that attackers are exploiting with ransomware and ransomware plus extortion being slightly further behind, then for me, if you don't have a vault, get a vault. That would be the number one.
But because these, especially the ransomware attacks, are very layered, I mean the typical attack chain, the layers of the methodology that they use in order to gain initial foothold, to gain access, to elevate privilege, to move laterally, you've got to spread those controls throughout your infrastructure. So, that means locking down workstations, having workstation protection. It's almost simple blocking and tackling, but it requires technology to make it happen. That is removing just basic users from things like the local administrator group, making sure that they have least privilege and then extending that to servers, where you can do the same thing to prevent lateral movement, which is a very, very common adversarial tactic.
So, you want to prevent that lateral movement and obviously to protect the server from being attacked in the first place, but if they do get a foothold, you want to try and reduce that blast radius, contain them in other words. Put hurdles in their path to prevent them from going to the next step in their playbook. So, those hurdles are all important. Now the focus is on making sure that you can do all of these kinds of things across your entire identity fabric. So, that identity fabric, if you're looking at credential protection, that includes your identity providers.
Whether it's Entra ID, whether it's Ping, whether it's Okta, whether it's on-prem active directory, you've got to have visibility into those IDPs as well as your systems, your workstations, your servers, whether they're on-prem or in the cloud. That visibility, especially if you have an analytics capability to analyze all of that, you can understand the access pathways across your entire identity fabric. With an understanding of those pathways, you can better identify risk at the various points within your infrastructure that's identity specific.
So, my recommendation would be to visit or revisit the tools that enable you to have that visibility, to detect these types of anomalous activities that go on, whether it's the human or the bot as we discussed earlier, and then to be able to very, very quickly react to those to try and shut it down or remediate it if it's actually something in progress.
Joseph Carson:
Absolutely. So, from that, since the credentials are still the top initial access factor, getting control of that, and if I summarize into that is from the authentication side of things, it's really get good at authenticating your users. So, going and validating Tony that you really are Tony. Then the next side of that is the authorization side is really, okay, what can Tony do in the environment?
Tony Goulding:
Exactly.
Joseph Carson:
Getting to that zero persistent privilege or at least standing privileges so that it's elevation on demand and using also that segregation of duties. So, we're thinking about not just MFA at the front door, but also MFA at different intersections within the organization. Then with that is the entitlement side of things where you're thinking about, "Okay, now that I know who Tony is and I can make sure that he's only doing the things he's entitled to do, what has he done in the environment?" So getting that visibility and the entitlements is the audit trail into where have you been, what have you changed, and does that align with things like regulatory side of things as well, because there's always compliance as well.
Tony Goulding:
Of course, you've got to wrap something like an IGA function around that. So, having routine regular identity recertification and permission recertification projects, so that you can constantly adjust. Does Tony need the same rights next quarter as he had this quarter? Has his role changed? Has his function changed? So that way, you're constantly adjusting the permissions and the access that's appropriate to the job function over time.
Joseph Carson:
It's absolutely getting to dynamic or adaptive entitlement. So, it's not manually done from day one and never revisited, which many organizations unfortunately do.
Tony Goulding:
There's a lot of stale.
Joseph Carson:
to give a summary, I mean the
It's really important to make sure that we have strong authentication and authorization, educate employees, learn about what the report tells us, continually monitor for threats and really work together as a community, sharing the knowledge to make the world a safer place.
Tony Goulding:
Well, the community is interesting because certainly in the US, the FBI and the various three-letter agencies are way more out there now, willing to help and coordinate and collaborate on issues of security than they ever were before. Their presence, I keep mentioning RSA, but their presence at RSA, they were everywhere. You're not on your own anymore if you do get hacked. There are lots of resources there to help you out. But my read of the DBIR is that they summarized the takeaways as being a continued need for security awareness. There always will be because of that human element.
So, continual education, MFA, which as you mentioned, is a critical identity assurance control that can really detect bots and prevent them from moving further, secure coding, which we didn't touch, but I think that's important as well. There's a lot of emphasis on that and insider threat monitoring. So, that's part of that, being able to detect, monitor, analyze, have the visibility, and monitor activity for potential anomalous activity. That's where AI can actually help with that.
Joseph Carson:
Absolutely. I think what reminds me is two things it wasn't heavily focused on in the report this year, which is around API security and cloud security. It was in there, but not heavily focused, I guess, that organizations are in the hybrid world where they've got criminals.
Tony Goulding:
Interesting.
Joseph Carson:
So Tony, it's been awesome having you on the show as always.
Tony Goulding:
Thank you. Thank you.
Joseph Carson:
Your knowledge and insights of the report is very valuable for the listeners and those out there. Any final thoughts you would like to leave the audience with before we close the episode?
Tony Goulding:
Be safe out there. There's no silver bullet. We all know that. So, follow the puck, and again, as I said, with your limited budget, your limited time, your limited resources, try and focus on the high bar. I would focus on credential protection for sure. That would be my...
Joseph Carson:
Absolutely. Absolutely. The 31% over the last 10 years being credential compromises-
Tony Goulding:
It's a big chunk. It's a big chunk.
Joseph Carson:
So definitely, we need to prioritize the thing that criminals are being successful at. Tony, it's been awesome having you on. Many thanks as always.
Tony Goulding:
Thank you. Thank you.
Joseph Carson:
Great chatting with you. For the audience out there, every two weeks, tune in to the 401 Access Denied Podcast. We're here to bring you thought leaders, exciting topics, trends, and really leave you with the knowledge in order to take back to your organizations and hopefully make your organization, your family, your community, your society and the world a safer place online. Take care. Thank you. Stay safe.
Tony Goulding:
Thanks. Bye-bye.