The annual Verizon Data Breach Investigation Report (DBIR) has been an invaluable resource for IT security practitioners ever since it was first published in 2008. But what sets the newly released 2020 edition of the DBIR apart is that many of its findings have significant implications not only for IT security—but also for OT security, too.
Here’s our take on the most important findings in the Verizon 2020 DBIR from an OT-security perspective:
For the first time ever, the 2020 DBIR examines the involvement of information technology (IT) versus operational technology (OT) assets in security incidents. 4% of observed security breaches involved OT, compared to 96% percent for IT.
While this percentage may seem relatively insignificant, the report characterizes it as a notable cause for concern for companies with robust OT environments.
To assess the extent to which a single, newly discovered vulnerability can impact the overall vulnerability of the internet as a whole—as well as specific organizations—the authors of the DBIR conducted an experiment.
First, they compared two sets of servers hosted on public IP addresses: one set vulnerable to the 2019 Exim vulnerability, and one randomly chosen set. The authors found that the servers vulnerable to Exim were far more likely to also be vulnerable to 10-year-old SSH vulnerabilities, which can be exploited by adversaries just as easily.
Next, the authors compared the overall security posture of organizations with the headline-grabbing Eternal Blue vulnerability present on their systems to those without. Similar to their previous finding, they found that systems with Eternal Blue tended to be far more likely to also be vulnerable to older vulnerabilities from the past decade or two.
The main takeaway from this investigation is that organizations able to maintain a well-prioritized patch management regime over time are far less likely to fall victim to vulnerability exploits. And since the report also found that patches that don’t get applied within three months of being released are typically never applied at all, consistency and timeliness are especially critical to effective patch management.
The report found an average organization keeps 43% of its internet-facing IPs within one network. However, half of all observed organizations are present on seven or more networks. For more than 90% of organizations, less than 10% of internet-facing hosts had significant vulnerabilities, and for half of all organizations, less than 1% of hosts were vulnerable.
This suggests inadequate asset management—which tends to be uniquely prevalent in OT environments—is often to blame for vulnerabilities, as opposed to consistent but slowly applied vulnerability management. Asset management challenges are especially common in OT environments, but they can be overcome by partnering with a security vendor that offers granular, timely visibility into OT assets.
An analysis of attack paths in observed incidents found the vast majority of breaches involve less than five steps. This indicates attackers preference for seeking out low-hanging fruit that allows them to carry out relatively simple attacks to compromise high-value targets.
As such, efforts to put obstacles in place to make an attack against your environment more complex or time consuming can go a long way in making your organization a less appealing target. For example, while two-factor authentication is an imperfect security mechanism, it does effectively add an additional step to the attack path. As the report notes, the difference between two and three steps, or three and four steps, can be drastic in terms of enhancing your security posture. This applies to IT and OT environments alike.
Among OT-related incidents tracked for the DBIR, most involved companies in two industry verticals: Manufacturing and the consolidated vertical of Mining, Quarrying, and Oil & Gas Extraction + Utilities.
As with all sectors detailed in the DBIR, the most common motivation behind the observed incidents impacting the Manufacturing sector was financial gain (73%). That being said, a substantial portion (27%) were motivated by cyber espionage. Reinforcing the strong need for solutions that monitor for and protect against insider threats, internal threat actors were behind 25% of Manufacturing breaches, and 13% of breaches involved employee privilege abuse or data mishandling.
Nation-state adversaries comprised 38% of external threat actors targeting manufacturers, an indicator that organizations in this vertical should be prepared to defend against sophisticated, well-resourced threat actors keen on stealing intellectual property and other sensitive data. As the report succinctly puts it, “it is cheaper and simpler to steal something than to design it yourself.”
Crimeware and web applications were the two most common attack vectors for targeting manufacturers, comprising a combined 51% of observed breaches. For breaches involving crimeware, the report notes a common pattern of (1) obtaining passwords, (2) infiltrating the network, (3) downloading the software, and (4) capturing data for incidents targeting manufacturers.
According to the report, the targeting of Manufacturing companies’ web applications was dominated by the use of stolen credentials obtained through various means, such as phishing campaigns and desktop sharing.
The DBIR’s top recommendations for the Manufacturing sector are as follows:
For a joint view of the observed incidents and breaches impacting the Mining, Quarrying, and Oil and Gas Extraction (NAICS 21) and Utilities (NAICS 22) sectors, they have been consolidated in the 2020 DBIR. This combined sector faced an even higher proportion of attacks involving internal threat actors (28%).
Threat-actor motives were difficult to pin down for the Mining & Utilities vertical, with an estimated range of 63%–95% of incidents being financially motivated and 8%–43% by espionage. While the remarkably broad estimated range of espionage-motivated incidents may be difficult to interpret in precise terms, the most important takeaway is that the actual percentage is likely much higher than the average of 10% across the DBIR’s entire dataset.
Due to the highly varied and often overlapping attack patterns used against this vertical, the DBIR concludes it was statistically impossible to determine which was most prevalent, limiting the specificity of the report’s recommendations to “Note to all CISOs: Secure all the things!” That being said, the report acknowledges social engineering tactics such as phishing and the exploitation of unpatched vulnerabilities in web application infrastructure as notably common attack patterns.
The DBIR’s top recommendations for Mining & Utilities sector are as follows: