Keeping Verizon’s DBIR Trusted and Relevant
By Amanda McKeon on June 4, 2018
Each year Verizon publishes its Data Breach Investigation Report, or DBIR, the annual survey of the state of cybersecurity using data gathered from tens of thousands of incidents from around the world. It’s earned a reputation as a must-read report, for its thoroughness and approachability.
Marc Spitler is a senior manager of Verizon Security Research, and one of the lead authors of the report. He joins us to share the behind-the-scenes story of what goes into the DBIR, how his team chooses the year’s hot topics, and how they protect their efforts from undue influence.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello, everyone. Thanks for joining us for episode 59 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Each year, Verizon publishes their Data Breach Investigations Report, or DBIR. It’s their annual survey of the state of cybersecurity using data gathered from tens of thousands of incidents from around the world. It’s earned a reputation as a must-read report, for its thoroughness and approachability.
Marc Spitler is a senior manager of Verizon’s security research, and one of the lead authors of the report. He joins us to share the behind-the-scenes story of what goes into the DBIR, how his team chooses this year’s hot topics, and how they protect their efforts from undue influence. Stay with us.
I think with a lot of people around my age, at least, it didn’t start with a computer science degree or majoring in information security in any way, shape, or form. But coming out, that was really where the job market was taking us. That’s where a lot of interesting things were happening — this is in the area of information technology. I started out working my way up through an organization that provided support for firewalls. I’d be on the phone with customers, walking them through configuration issues, connectivity issues, et cetera. From there, even though I was working on firewalls, I wouldn’t really consider myself a security expert because it was really more of a system administration role. I went from there into other network engineering, and then came back to security when the opportunity presented itself.
I started doing security consulting, working with organizations, walking them through activities that would increase their security posture, getting them moving, act as a little bit of a “staff aug” for them, and then eventually, transitioned. I was working for small companies during that time. We were acquired by Verizon, and I’ve been with Verizon now since 2007. I transitioned into this group — the one responsible for security research and notably, the Data Breach Investigations Report — I believe, in about 2010.
As you were making your way up from job to job and taking on those new skills, was it mostly a matter of on-the-job training? Were you going outside for additional training, or were you able to get what you needed at work?
No, it was certainly … I wouldn’t say, a baptism by fire, but it was definitely on-the-job training. It was taking skill sets that you have and applying them to the new area, but at the same time, learning new skills as you go. It was certainly a lot of on-the-job training. I owe a lot to peers that helped me out. Certainly, coming from a non-technical background and learning things like TCP/IP and Unix, things like that — that was all on-the-job training. It was all done from a mentor standpoint, where people would take juniors underneath their wing, train them up, test them, certify them to the next level, and then the cycle could repeat itself. I’m very, very appreciative of the opportunities afforded to me because of those types of relationships.
It’s an interesting story and it makes me wonder, how does that experience inform, as a senior leader now, how you go through the hiring process?
Obviously, you have to take a look at, what are the needs that you have. You try to find someone who either, A, has the ability currently to be able to fit right in, and is almost utopian. More often than not, I think it’s more of B — someone that has a good foundation and can be trained up and can work, especially with my team. I have a very small team, so we have to be very close-knit. We have to be very efficient. We need someone that can work in that team environment, that can learn quickly, that can absorb, and then can also be a self-starter — be able to learn quickly, and then start rolling with it, start applying what they’ve learned extremely fast.
I want to talk about the Verizon Data Breach Investigations Report, the DBIR. It’s certainly one of the most respected reports in the industry. Can you walk us through what the history of that report is and how you approach it today?
Sure. I wasn’t around from the very, very beginning, but I know the history quite well. I was with Verizon at the time. Really, back in 2008, we recognized that there were a lot of opinions in the information security space — a lot of people making names for themselves, not necessarily in a bad way, but also a lot of organizations and companies that were just trying to sell a product. It was a booming industry. A lot of what people were being fed didn’t really have any science behind it. It didn’t have any real-world facts. It wasn’t data driven. It was more dogma driven. It was a, “Oh my goodness, wouldn’t it be awful if this happened to you?” style of reporting, or blogging, if you will — whatever the medium was. We realized that there was a void there.
We also had a treasure trove of real-world case reports from our forensics investigators that could be hired on retainer, or on demand, to put boots on the ground and respond to organizations if they’ve had a data breach or if they felt they’ve had a data breach. They can do some of that investigative forensic work for them and provide them with a case report. “Here’s what happened. These are the things that we looked at. These are the things that we found.” We had years of these reports, and that’s exactly the type of information that people needed. What’s really happening to people? In the real world, how are people being breached? What methods are being used? Who’s doing it? Why are they doing it? What could we do about it?
We pitched the ideas, and we finally got people like the lawyers on our side because it’s sensitive information. It’s not something people are just going to greenlight and say, “Yeah, go for it.” We spoke at length about how we were going to sanitize the data, how it was going to be discussed in aggregate, and how we wouldn’t be talking about individual breaches. We didn’t then, and we don’t now. That really built up the first report that came out in 2009. It was four years of data, all from a single source. We did that, and then we started working with the Secret Service. We built a relationship with them. They started to provide us their case notes, pre-sanitized, to where we didn’t know who the victim was, but we knew some of the details that were of interest to us and were actionable to the readers, which would be, again, general demographic information — what were the steps of the attack, what did the attacker do, who was the attacker, what was their motive, what assets were affected. Through the Secret Service, we started expanding a little bit more and found some other law enforcement agencies.
Here we are, in the eleventh year. We have 67 different contributing groups. Many of them are Verizon. We still have our investigative response team that’s providing us data, we have our denial-of-service mitigation team that is providing us data. The majority of them are external in nature, so still a lot of law enforcement, a lot of CERTs, domestic and international, other forensics investigators, cyber insurers — pretty much anybody that can provide us solid data, who we’re certainly willing to have a conversation with. We’ve even extended it beyond what I call the “bread and butter” data breach, or security incident case data. We’ve worked with other security vendors, ones that specialize in security awareness training. That is what underpins any of the statistics that we have.
As far as phishing and click rates, we’ve worked with malware defense vendors. We get a lot of really solid information about malware. We get it, obviously, from what happens in real-world breaches and incidents, but we’re also able to combine that with what’s happening on successful malware detonations. I think it tells a really strong story about what malware looks like, where it’s coming from, what file type it’s coming in as, and truly provides some information that the leadership can actually use. They can take action with it, which is what we’re really trying to do with the report.
It always strikes me, when I read the report, how approachable it is. I’m wondering, can you describe to us, how does your team work together? What’s the collaborative process for coming up with a report every year? How do you decide what makes the cut, and what doesn’t? Do people pitch different ideas? How does it work?
We really let the data tell the story. That, ultimately, will determine where the areas of focus are. In this year’s report, we had a section on social engineering. We’ve had it for two straight years because the data was really showing us that there’s a strong prevalence of using social engineering in the forms of phishing, as well as pretexting, by cybercriminals. It’s an important thing. Ransomware — we’ve had sections on ransomware over the last few years because in our dataset, it had increased in size at such a rate that it really necessitated us talking about it a lot more than just a quick blurb here, or a quick blurb there.
Also, if we have new, interesting data that we bring in that looks at something a different way, this would probably be more in that non-incident data that I was talking about. We’ll certainly try to use that in some form or fashion. We’re always trying to enrich the breach and incident corpus. That, still, is really the main goal of the report, but we do try to look for new ways of discussing it. If we can bring in a different dataset that shines light on an area that we haven’t seen before, we’ll certainly utilize it.
As far as, what are our talking points, that’s really going to be dictated by whatever the data tells us. If it is something similar to the prior year, so be it. We like to make it easy to read, and we like to throw in pop culture references and little Easter eggs here and there. But at the end of the day, it’s all about the data and what’s happening in the real world. If something happened last year and is still occurring this year, that’s still a finding. That’s what we’re going to present out to the readers and to the public.
As the leader of the team and heading up that project within Verizon, how do you protect that process? I can imagine, hypothetically, that the folks from Verizon’s marketing department might wander over from time to time and say, “Hey, wouldn’t it be great if you could include this?” How do you protect yourselves from those internal pressures to turn the report, or channel the report, in directions that would take away from its purity?
Luckily, those aren’t battles that I’ve had to have long, drawn-out wars about. I think that everybody realizes exactly what this report is and how useful it can be in its current state. Obviously, 11 years ago, it was outstanding for Verizon to put out a report like this because we were still really trying to make a name for ourselves and say, “Hey, we offer all of these security services. We are a player in this space. We’ve got an enormous amount of talent behind us.” But Verizon was not synonymous with security services. It was certainly the, “Can you hear me now?” guy, still. It was a great way to evangelize our capabilities, our talent, and our services.
I think that because of the way … And this is what I really like about our report, is that it is built upon so many people coming together, so many different organizations coming together to trust me and my team with their data. Granted, it is anonymized when we get it, but still, there’s a high level of trust there. I think anything that we did with the report that would erode that trust would be the end of the report. It would not be received. It would not be well received by our contributors. I think everybody has that understanding, that what makes this report great is that we don’t, inside the report itself, make it all about marketing ourselves or any of our partners’ products.
We’ll certainly recommend technologies and practices within the report — that’s when salespeople from our organization and others can leverage that in order to try to evangelize what they’re doing. If you walk along, you see security presentations. It’s often quoted, and that’s great. You walk around RSA, you’ll see it quoted on booths, and that’s absolutely fine as well. We’re hoping that it is a rising tide that raises all sails, but we’re researchers. Our main goal is to be able to provide something good out to the public that can be used and helps out the security ecosystem.
I want to switch gears a little bit and talk about threat intelligence. I’m curious about what your take is on the role of threat intelligence for companies looking to protect themselves.
Sure. My area is more of the strategic threat intelligence, more trends and what types of actions these adversaries are doing, what paths they are taking, that type of thing. I believe that is very important. On the other side of the coin, you have to start … And I think we are, as an industry as a whole, leveraging tactical threat intelligence and having an understanding of, what are the bad domains. Your egress traffic — where is it going? What types of neighborhoods is it traveling to? What other things are we seeing? Everything from, what’s the latest phishing campaign that is targeting your industry, to what is the latest piece of malware that’s coming out, to what is the known infrastructure of the groups that are targeting your industry. All of that has to come into play, and it all has to be packaged in such a way to where it’s digestible. It’s one thing to be able to collect all of it. It’s another thing to be able to synthesize it, analyze it, and actually be able to make that decision of, what action do I need to take based on this alert or this notification.
As far as what I really like about threat intelligence is how it lends itself to data sharing. Certainly, data sharing is close to our heart because it’s really one of the things that allows us to make our report what it is, and being able to collect data from various sources, being able to aggregate that all together and produce something that’s better than the sum of its parts. I think with threat intelligence, it’s a similar thing as, you’re able to build upon expertise of other organizations that are specializing in this, but also within industry data-sharing groups like ISACs. It’s really becoming not a bleeding-edge security control anymore, but I think it’s just now established itself as another layer, another piece in our defense in depth — to use a security cliché — but it makes sense. It’s just one of those things that can be used to help defend and really detect.
Our data is showing that we are doing a pretty poor job, as far as detecting compromises when they happen. If someone gets hit with a piece of malware and that malware tries to communicate out, because you have that intelligence, however you’ve collected it, and you know that that’s going to a domain or an IP address that is questionable in nature, you can do the investigation. You can determine that something did happen, that you’ve had a security incident, but it wasn’t able to manifest itself, and it wasn’t able to grow into a high-impact data breach. That still needs to be considered a security win for the good guys. That’s certainly one area where threat intelligence does come into play.
I’m curious. With the view that you have on this data, and doing the report and seeing how things evolve year to year, are there any things that leave you scratching your head where you say, “Gosh, if only we did this, we’d have a better handle on this.”
That moment came in 2011. For those that are on this, that are veteran readers of the report, back then, we would put a little bit more focus on number of records lost. We don’t do that as much anymore for several reasons. Back then, the majority of the cases that came in were of the payment card variety, in some form or fashion compromising payment cards for obvious reasons. It’s monetizable. People like money. Bad guys like money. We’d count them in the millions. It’d be 100 and whatever million, and this year, “Oh, okay, it was 70 million.”
Then, I’m pretty sure it was the 2011 report, it was four million, and we were like, “Okay, wait, what?” We started looking back again, looking at it. This is back when we had fewer sources of data, so it was a little easier to do. We started looking back, and we were just scratching our heads. We asked other people, scoured open source intelligence. We did discern that there really wasn’t, to our knowledge, one of those mega breaches that would really inflate these numbers. I think we’re okay here. That was just one of those things that really threw us for a loop. Did we miss something? That was the one time we really felt like we’ve just completely overlooked a major event or a couple of sizable events that have really brought this down. Ultimately, we were confident in the data that we had. Still are.
Coming back to today, what is interesting to me, one of the things that I beat my head against a wall about is that I still am getting cases that are being reported as confirmed data breaches that involve things like lost laptops, specifically within the healthcare industry where they have such stringent disclosure requirements. I talked about threat intelligence as not being so bleeding edge anymore, and really something that everybody should start to embrace. Certainly, full disk encryption is not a bleeding-edge security control anymore and is something that should be implemented now. It’s one of those things where, this is a very easy fix. It’s a direct control that would solve that problem, that problem being that you have to disclose a lost device if it’s not encrypted. Implement it, be able to prove evidence of implementation, and you won’t have to disclose. I won’t know about it if you do that.
Right, and no difference to the user either.
Yeah, none. Then, I guess lastly, talking a little bit about payment cards again — industries. We certainly have had our fair share of what we call point-of-sale intrusions over the years. These are adversaries that are typically using stolen or guessable passwords to get remote access into point-of-sale environments. From there, they will install malware that will collect payment card information while still in running memory. Then, we know the story from there. They’re cashing out. They’re committing fraud on that. We are continuing to see that with extreme prevalence in the accommodation industry, hotels, and food service restaurants, but we’re not seeing it as much in our dataset with retailers — brick and mortar retailers. I don’t know why.
I am hoping that the retailers have done the right things, that they’ve strengthened authentication, they’ve worked with third-party point-of-sale vendors, they’ve done the right things to make themselves not be one of the slower gazelles out there. It was one of those things where I still would’ve expected to see some of the smaller ones end up in our corpus, but we haven’t for whatever reason. That’s one that I’m scratching my head on. I’m hoping it’s because they’re doing the right thing. At the same time, our data is, I think, well diversified, but it’s still a sample, so it’s not every single thing that happened to every single person in the prior year. I’m hoping it’s not just, for whatever reason … That it’s being underreported.
I want to wrap up with you, and I want to get your take on advice for that person who’s coming up and is hoping to find their place in the industry. Maybe they’re coming up through school or thinking about switching careers. With everything that you’ve seen, what would your advice be for that person?
Wow. I think if they’re just coming out of school, just come out with the understanding that you’re still going to essentially be in school. A lot of your time in the workforce, especially in those early years, is going to be learning. Have that mindset that you are still a student, albeit hopefully a paid one as a junior member in the information security space. One of the things is, you want to try to learn from as many people as you can, but have an understanding that you’re never going to know it all. One of the things that people talk about a lot in our industry is the imposter syndrome where, “Oh my goodness, that person’s so much smarter than me because they know this.” That’s something I think everybody struggles with. I’m not a pen tester, I’m not a hacker, so even I will be intimidated a lot by the folks that are the red teamers, that have done the things, that are writing these scripts and reverse engineering malware.
At the end of the day, you need to have an understanding of, you’ll find your place, you’ll find what it is. There’s a lot of different things that you can do within information security with various levels of technicality required, various levels of business acumen required. It’s all about finding your place, finding a good team to work with, finding a place where you can learn, where you can grow. If there’s something that you don’t know about and it isn’t necessarily pertinent to where you’re going, it’s okay to not know. That’s where you’ve got to rely on someone else that has that area of expertise, because it’s never this one security person doing something alone or knowing everything that’s going to solve everybody’s problems. It’s going to be working with people that specialize in different areas, combining and providing value, doing the right things, and defending your organization, or whatever it is, within the information security that you’re doing.
Our thanks to Marc Spitler from Verizon for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.