Season of sharing…breach investigation data

It’s that time of year when the Verizon Data Breach Investigations Report (DBIR) comes out. FireEye also just released their 2018 M-Trends report, and CrowdStrike released their Global Threat Report in late February of this year. Even though the Verizon report tends to garner the most press, I find it the least useful of the vendor reports. Both FireEye and CrowdStrike rely on their own internal intelligence and investigations teams to create their respective reports, which means they can reliably draw conclusions and observe trends.

However, Verizon gathers data from many partner organizations. In 2018 there were close to 70 contributors, including several different investigations teams such as CrowdStrike’s and Verizon’s own. They also pull data from many security product vendors. This veritable cornucopia of data is then somehow normalized and analyzed. This process leaves me wondering how many assumptions were made, how one can reasonably normalize data from this many teams and trust that the definitions of data fields stay consistent, and how quality control over the data sources can be attained at all. After reviewing this year’s report, I was again left very skeptical of many of the conclusions drawn.

The FireEye and CrowdStrike reports are much more limited in scope, of course. But they focus on the threat actors and tactics they observe, and on the attacks they investigated. For FireEye, the focus has always been on advanced actors, whether financially motivated or state-sponsored. CrowdStrike seems to open the aperture a bit more and discusses other types of actors, including those focused on cryptocurrency-mining malware and hacktivism.

The M-Trends report highlighted new APT groups observed from Vietnam and Iran, which should drive home the notion that the bar is being raised: threat groups are getting more sophisticated, as is some of the state-sponsored activity coming from aspiring countries. Finally, CrowdStrike highlighted the eCrime trends it follows and how those threat actors pursue every opportunity to monetize malware. They also discuss hacktivism and point out that as regional conflicts are on the rise, hacktivist activity tends to follow suit.

While we can’t predict the attacks we will see in 2018, we can review the tactics of the threat actors seen in 2017, assess our own environments against them, and determine how we would fare against some of these advanced attackers.