This week on the podcast, we cover the key takeaways from the 2024 Verizon Data Breach Investigations Report. Before that, we discuss what we learned from United Healthcare CEO Andrew Witty's congressional testimony on their ransomware attack in February. We also discuss a research article from JFrog on malicious Docker Hub repositories.
View Transcript
Marc Laliberte 0:00
Hey everyone, welcome back to the 443 security simplify. I'm your host Mark liberty and joining me today is
Corey Nachreiner 0:08
Just good old Corey old guy Nachreiner. I'm old and tired and cynical.
Marc Laliberte 0:16
Someone sent Corey a cup of coffee and like a Snickers bar.
Corey Nachreiner 0:18
Let's talk about the same old security crap that happens over and over again because people don't listen to basic advice and then keeps on happening again and again. And we're all in Groundhog's Day and my alarm is gonna go off and there's another breach and credential leak and no MFA.
Marc Laliberte 0:35
I thought I was the cynical one. On today's episode, we will discuss a recent ransomware attack that Korea is heavily hinting at having a very simple cause and very preventable cause. After that, we'll go over some research into a Docker Hub analysis on a massive amount of malicious Docker Hub repositories.
Corey Nachreiner 1:02
Connect to the International Space Station Docker hubs,
Marc Laliberte 1:05
yes, this episode from space. But after all, that, we will dive headfirst into the Verizon data breach investigations report for 2024. And including some of the key takeaways for this year from data breach and just breach trends that Verizon analyzed from massive amounts of data, including data from WatchGuard. With that, let's go ahead and
Corey Nachreiner 1:28
Dr. Roll on in scroll through 100 pages trying to find the rent one random stat mark is talking about?
Marc Laliberte 1:38
Yes, let's do that. So let's start this week with an update on a story we chatted about. Man, this would have been in February, I believe. And again in March, where if you remember back in February change healthcare, which is owned by UnitedHealth, massive healthcare conglomerate in the US disclosed that they had been the victim of a ransomware attack at the time. And the reason we talked about this twice is I think we talked about the initial incident. And then a few weeks later with the threat actors that did this, or at least the ransomware as a service operator, ALPHV or blackcat kind of dropped off the face of the earth, and we discussed their little exit scam they ran against their customers. But so UnitedHealth CEO Andrew witty, testified in front of Congress last week for about two hours. I imagine he was sweating through everything he was wearing during that because he was getting a firm grilling. About so testified about the change healthcare ransomware attack earlier this year. And the testimony actually gave us a few more interesting details about this incident, and the impact it had. So I'll go through a few of the takeaways, Corey, and I'm curious what your thoughts are on some of these two. So the first one, just starting with a timeline, the attack started actually on February 12, when the attacker used stolen credentials for their initial access to gain access to the organization through a Citrix Remote Access Gateway server. So if you're not familiar with Citrix Remote Access Gateway, it is a server software designed to be exposed to the internet earliest advertise that way to enable remote desktop access into the organization. And, you know, on the face of it, this sounds like a pretty important application to secure and prevent unauthorized access to but then in the case of change healthcare, they were not using multi factor authentication for accounts on the service which allowed the attacker to steal a credential and log straight in pause there for a second Corey, I
Corey Nachreiner 3:44
think everyone knows our feeling on this. I like you. How could you not if you listen to the podcast, remote management interface, put it on the intranet good idea. Probably not use a VPN instead. But Citrix portal Citrix says do VPN if you're going to put a VPN publicly on the internet. What do you do you add MFA. It's like another story does say it is pretty much cybersecurity one on one at this point. We know that bad guys are targeted. I mean, everything's remote. Now. You know, even companies that have gone back to work have a lot of remote access. You have to secure that crap threat actors know we have remote access. They know it's easy to target and they know how to steal credentials and people are still bad with their credentials. So, MFA is absolutely required. And frankly, other than other than tools specifically designed to secure remote access read VPN or zero trust network access or SSL portals. I don't think you should have any other remote management on the internet at all without a VPN ctma or some sort of SSL portal. So Oh, really the only thing you should be exposing is something made to secure remote access. And that thing Dang, well better be using MFA. So I agree, I think there's still a lot of companies that, you know, it's as much as the surveys even down to the SMB say, oh, yeah, we use MFA da. I still think a lot of companies do not have a whole lot of MFA widely deployed for all their employees yet. And it's clear that even the biggest companies seem to forget, seem to not do this. Is it just the friction still, Mark? What do you think?
Marc Laliberte 5:34
I mean, so I understand not having MFA totally, like 100% deployed across an organization that is actually a pretty difficult challenge, especially when you take into account like shadow IT SaaS applications that other like teams or organizations within your company may have gone out and acquired on their own, like, so I understand not getting 100%. But there is a priority when it comes to deploying multifactor authentication. And I feel like the internet exposed gateway that allows direct remote access to computers on your network is probably right up there as number one, for enabling enabling multi factor authentication on. So, you know, I also understand and healthcare specifically, you know, there's plenty of reports about how strapped for IT resources these organizations are, and how sometimes they do have to prioritize just any work at all. But again, if you're gonna have internet connected remote access into your systems, like putting MFA on that seems like step zero for it. Now, their CEO, Mr. Woody didn't disclose exactly how the credential was stolen, but actually another organization. So Hudson rock, their CTO actually claimed that they have threatened diligence sources that indicate that that credential was stolen from a info steal or malware on February 8, so about four days before the attack started. In this case, they posted a screenshot and like a bleeping computer article I saw of their platform identifying that credential associated with change Health's Citrix web portal now, they only indicate a credential of a employee was stolen, not that this was the specific credential that enabled the breach. But the timelines do at least match up. And that is a plausible explanation for how that credential ended up in the attackers hand because that's a pretty common method. For sure. So the attack started February 12. The ransomware wasn't deployed until nine days later after the initial intrusion. So the attacker had time to go scope out the network, look for sensitive data locations exfiltrate that data, because as we discussed originally, and we'll head again later, they attempted to extort change healthcare with the stolen data to and then after they gathered all they went in and deploy the ransomware attack. The attack impacted around 150 million customers, which, if you do the math is about half the population of the United States, which is a pretty dang big impact, because during this time, so change healthcare, they also own what is like optimum RX, or some very popular Prescription Service. And that entire service was down and pharmacies were unable to operate during the course of this ransomware attack. So it did have a pretty big impact to just random people in the United States. The company estimates the cost was $872 million in damages because of the breach. That was a ton of money. And that isn't just you know, the extortion which itself was only 22 million. But you know, the cost of downtime, loss of revenue, the cost of bringing in companies like Mandiant or whoever that was they brought in for incident response to help investigate all that adds up. I imagine some pretty hefty HIPAA violations are probably slapped in there as well to speaking of the ransom extortion though, they did end up paying $22 million to Alfie and I one thing that stood out to me in the deposition or whatever you want to call it the testimony to Congress was so the CEO goes this was entirely my decision to make and I guess that is him just like falling on his sword for a difficult decision. But it does kind of highlight that paying a ransom is a business decision for an organization and I don't know your thoughts Corey, but it's I still firmly believe should not pay ransom. All it does is fund additional cybercrime and incentivize additional cybercrime. But it's easy for me to say right now in a situation where my company is not impacted by a ransomware attack. So I can sympathize.
Corey Nachreiner 9:52
I can definitely sympathize. To be honest, I don't think this changes my thoughts at all only because it falls within the caveat I I think we've always had, or at least if you remember, ransomware has been targeting healthcare, specifically hospitals forever, including one wanna cry. So I've always been very, very strongly against not paying the ransom. I think people who pay the ransom are just going to increase the business case. But my caveat was always specifically with hospitals, but I could see it with the United Healthcare to that. That is a easier decision for a business that has nothing to do with saving lives to make, right if you're a hospital, you can't get your patient record, surgeons are waiting to do surgery. And you don't have a convenient paper backup. People can die. And so there's always a exception to rule. So caveat. And you know, so with health care, it was the kind of thing I still don't like the fact that, you know, people pay in some cases, but I understand how it can become a very personal decision. Like if this were a let's not, don't don't get me wrong, United Healthcare is a for profit business. And I won't even go down the rabbit hole of how for profit us medical care is, but if this were like some business where Yeah, they were being hurt by the ransomware. But it wasn't really hurting anyone, it'd be, it'd be easier for me on my little ivory tower to judge them. But for health, like for health care, I get it as as someone that is an insurance provider, it's like the first freakin thing anyone asks you even going into a clinic. So it can disrupt a lot of things that has to do with human life. So I understand why they might have to make a hard decision that said, I still don't want to normalize it. I still want this to be something people think thrice about every time, thrice or more, quadruple thrice. I don't know why I picked him three instead of two, two years, it's
Marc Laliberte 12:00
not enough to think about it. You were both
Corey Nachreiner 12:03
saying like, I won't overly judge this CEO, you know, is a health care company. And the metrics are not like when the metrics are just money, then it's hard to know whether it's greed or whatever, or even, you know, I guess you could say it's still a business decision, insurers would argue the loss is less by pain than it is by not, but I think long term that's a crappy business decision, because it encourages the market to continue and your losses will continue to rack up over time. But when the loss is measured in human life or suffering, it's a much different metric. Yeah,
Marc Laliberte 12:41
I agree. So if you remember, it was early March, we discussed how ALPHV someone had paid $22 million into a Bitcoin wallet owned by them. And we suspected this was change healthcare paying the ransom extortion demands. And two days after that their public Dark Web website went down with a message saying they'd been seized by the FBI. And as a part of an international effort, and some of those international agencies said, Wait a minute, we did no such thing. So our takeaway at the time was that they had basically pulled the rug and stolen $22 million from their affiliate. Well, so it turns out the the affiliate in this case, actually retained the hospital's data. So after Alfie's exit scam, they kept the data and then partnered with a another ransomware operator called ransom hub, to then go and try and extort the company. And from one of our resident ransomware, experts Ryan on our threat lab team. Yeah, he gave us a bit of a note here saying that ransom hub is a newer group that seems experienced. And his guess is that it's possible they could have some or many the members from Alfie is actual members of this new group, or other forgotten or retired ransom are groups which I thought was an interesting take how this place this organization, Ransom hub just kind of materialized that are nowhere. It and as we've talked about in the past, I have a sneaking suspicion that most of these brands of our operators as they go away, don't permanently go away, and that they most likely come in materializes another one. So, either way, the testimony, it was two hours, it was pretty heated, as I won't say poor CEO, but unfortunate CEO is totally grilled by Congress. And it was interested in getting some of our suspicions confirmed, like the ransom or extortion was paid. And some updates on the timeline and details about the incident. I think if there is one takeaway, it's the one we highlighted at the very beginning of this. Just set up MFA on your important system. So it is that would have protected or at least made it significantly more difficult for this attack to have succeeded.
Corey Nachreiner 14:52
It's not to say breaches can still happen with other ways. But I mean, this seems to be just the common it's the lowest hanging In fruit we've seen over and over open management, open VPN, no MFA, bam, bam, bam, they've knocked down in 10s of big companies this way. Don't Don't be like them.
Marc Laliberte 15:11
Don't be like them do better. So well said. Moving on to the next story. So researchers at J frog published a blog post last week, they had a pretty interesting headline. you giggled, because their name is a bit silly
Corey Nachreiner 15:29
for a good group if we followed their research before, but I still can't help and giggle every time I heard a frog. Yep.
Marc Laliberte 15:36
Anyways, so pretty interesting headline that caught my attention. So they did an analysis of Docker Hub, which if you're not familiar with Docker Hub, it's a repository for Docker images, kind of similar to like other package indexes, like NPM for node packages, or pi pi for Python packages. It's basically a registry, where organizations and developers can post a Docker container image, which is like a fully bundled up micro application. And then maintainers can also post like a short description
Corey Nachreiner 16:09
I am I define it by saying a Docker image is almost like a cloud VM image, like it's not literally a virtual OS image, but it's like, it is an image of a bunch of components tied to something that you can spin up in the cloud. And it can have multiple applications and connections between them that you've set up for whatever thing you're trying to build. Yes, that is a little stripped down
Marc Laliberte 16:36
mini VM, I think is a fair description of it. So on Docker Hub, you can like post your images for other people to go download. For example, you can go download, like the Ubuntu Docker image to get a little mini containerized version of Ubuntu, and so on, so forth. So while analyzing all the public repositories on Docker Hub, J frog found three large scale malware campaigns that planted millions of what they call image list repositories with malicious metadata all over Docker Hub. And when they did the math, this is roughly 20% of all public repositories on Docker Hub hosted some sort of malicious content. And the vast majority of just all image lists, repositories, so ones where they have not actually uploaded a container image yet, were entirely malicious. This is what stood out to me like that is a pretty sizable percentage of a legitimate service to be hosting illegitimate or straight up malicious content. So they went through their analysis steps. They said while analyzing newly added repositories, they noticed a pretty common trend over time, where you would see more repositories created on a daily basis during the week, Monday through Friday, a bit of a dip on the weekends, and then a bit more than next week. It was a pretty flat wave month over month, year over year. But there were these two really big spikes they found in 2021 and 2023, where the number of newly created repositories went up tenfold in Docker Hub. And some of them when they looked at their repositories, they noticed none of them had images actually associated with them. So it was just the kind of entry in the directory itself with some HTML information in there. And when they analyze them further, they found interesting malware and phishing campaigns leveraging these. So for example, some of them are just hosting like a simple phishing site or a phishing link. They give one example, that's advertising oxycontin tablets for sale with a link to a phishing toolkit. But in some of the other ones, they were actually hosting links and automated like dynamic redirect errs to malware downloaders like actual malicious payloads. The malware downloader campaigns came online in two distinct rounds, one in 2021, one and 2023, both of them using the exact same payload called free HTML validator dot exe. This malware, it's a pretty basic downloader image, it beacons back to a command control server to get a configuration that actually checks to see which country it's running in. And it's got a list of four countries which I'll bet you'll never guess what any of those countries are Korea on the face of it, that it makes sure it's not right.
Corey Nachreiner 19:37
It won't be Russia def definitely Russia is definitely not on that list, right. Because Russia and Azerbaijan
Marc Laliberte 19:45
Armenia and Belarus the four amigos, although I guess Azerbaijan and Armenia are not exactly best friends with each other but
Corey Nachreiner 19:53
we only recently Russia makes sense.
Marc Laliberte 19:57
So it checks to make sure that it's not running in one of those countries if it is it stops execution. It also looks for a few specific antivirus engines to things like Avast, or AVG, or even McAfee and it stops running if it sees one of those on the machine too. But assuming all those checks pass that beacons back home, and it goes to download additional malware payloads onto the endpoint. The other campaign, they found is what they were calling an ebook phishing campaign. Were roughly in the middle of 2021. Someone was turning Docker Hub into a pirate ebook library, where they post like big excerpts of a public ebook, and then a link saying you didn't go here to go download the full copy of this ebook. Now that link would send you to a page that ultimately would ask for a credit card information to try and maybe get you to pay $2 for this free ebook, in reality behind the scenes, it was just stealing your credit card info. So J frog worked with Docker, they've been taking down these repositories and putting in additional protections too. But you know, we've talked about especially on like our podcasts, where recovered like internet security reports, how it's increasingly common for threat actors to leverage these legitimate services to host malicious content, like sharehub as a domain where you can go register subdomains and host whatever you want, is a pretty popular target. We've talked about various legitimate Services websites, like especially file hosts that don't have the right, checking for file type for uploads, where attackers will start uploading malware and using them as a command and control or a malware delivery vehicle. It's what stood out to me was seeing Docker hub, a pretty big website being used for a sizable amount of malware to deliver 20% of all repositories versus ciated with these campaigns, because I think in comparison, things like GitHub, there's obviously malicious content on GitHub. There's obviously threat actors using it to deliver content. We just talked last week, the week before, about using GitHub comments as a way to get a legit looking link for malware files. But I'm willing to bet it's not 20% of all GitHub repositories are straight up malicious. So that was interesting. This isn't because they are addressing the issue now they've seen it. But man, yet another way of abusing a legitimate service for hosting stuff. Oriente. What do you think we're gonna see pop up? Next is the avenue for threat actors.
Corey Nachreiner 22:41
What else do we share a bunch of stuff. I am interesting. My only hot take was, it's clear that this was a Docker Hub being used, but it wasn't actually images containing malicious malware. I even though that's not the case, I wonder if that I mean, what a great way to image essentially spin something up, that's running code to have a service. But if you trojanized it, you could also have a lot of bad stuff going on. So if you could actually compromise legitimate images, I remember a very old WatchGuard prediction, I can't remember if it was right when you joined my team or a bit before where, you know, when, when it was just using virtual images. And even in new laptops, whether you're virtualizing the server or you have a new laptop, you might have a golden image that you either spin up as a new virtual server, or that you use to build your your default laptop image. And I used to have a prediction that threat actors would purposely go after that, quote, unquote, golden image infected with some Trojan, it would still do whatever its job that it expected. But what a great way to affect every server, they spun up from that point. So this is scary enough just using the repository without actually having images in these different repositories. But if they ever get access to common Docker images that people use to just because it's shared open source, you want to provide this, this service, just spin up this Docker image, that would be even more scary, too. So maybe the next step is to go from these empty or not empty, but you know what I mean, non image repositories to actually hijacking a real repository and start trojanized seeing some common images people use who
Marc Laliberte 24:33
especially because like, so the way Docker containers and images are built, it's entirely visible, like you can see the whole manifest of what's going on inside of it. If you go to look for it. If you just go blindly download a Docker image, like it just using the Docker command line and like, you know, Docker poll and image name. All you get is the little download bar and it's done and it's running. You don't see what's going on inside of it. And so it would be a really easy way to like you said deliver something malicious to an endpoint if folks aren't reviewing it. Now, my hope is that in a enterprise organization or an enterprise deployment, you aren't just blindly downloading and running Docker images you are inspecting the manifest to see or building your
Corey Nachreiner 25:13
own. Of course, you are mark, it's the same way when there's open source packages, you're not blindly downloading open source, you're checking it out before you use it in your critical applications, right, Mark, everyone does that all the time, they don't blindly download things.
Marc Laliberte 25:27
The
Corey Nachreiner 25:31
image is a little easier to check, they're actually reading source so I get what you're going. But but I've seen people install something and have to next stuff. And literally, bam, bam, bam, bam, bam, bam. So I don't even if it's some simple thing of looking at what's in the package, I may or may not be as optimistic as you that people are checking their Docker images. Because that's my point,
Marc Laliberte 25:57
like a 200. Line manifest is a bit different than 3000 lines of a programming language. I don't know, actually. But I that was my other point, though, that people do just blindly install Docker images and containers. So I it is a pretty big concern. I think that you highlighted there. I guess one takeaway from this that J frog had is Docker does have a like Docker official tag, they stick on a Docker Hub repositories that have been vetted. And so you can find
Corey Nachreiner 26:30
them. It's not like a crowdsource review, it's one that they've actually vetted because the CrowdStrike reviews tend to get hacked, too, like threat actors just drum up the results.
Marc Laliberte 26:43
And unlike the Twitter verification badge is not just something you can buy, it is something that is manually done by the Docker team.
Corey Nachreiner 26:51
Throw that shade, have you received it?
Marc Laliberte 26:57
Anyways, so again, main takeaway from this is they have resolved this issue got rid of these malicious libraries. But definitely keep an eye out if you are using Docker containers from Docker Hub, to make sure you're downloading ones from a trusted and vetted source. So the last thing I wanted to cover this week, Verizon just released their data breach investigations report just a couple of days ago at the time of this recording, recording. And if you weren't already aware, WatchGuard is actually a data contributor to the DVIR. So I wanted to go through and take some time and hit a few of the key takeaways and trends they had. And I found like some pretty interesting ones, both big increases that were interesting, and even entirely new trends or statistics that they were looking at that I thought it'd be worth highlighting. So let's go ahead and dive in to just some interesting stats, I think. And the first one was 14% of breaches, involved exploiting vulnerabilities as a initial access step, which was up three times about 180%. From last year. So first, Corey, like, what's your hot take on that one threat actors going after vulnerable systems three times more this year, than in the previous year? Do you think this shows like a lack of patch management from organizations? Are there more vulnerabilities? I don't
Corey Nachreiner 28:23
know if if you're asking about my gut it, I would immediately go to attackers attacking more. I mean, I have no empirical evidence for any of your suggestions. But my feeling is patch management has kind of been generally met. You know, there's been plenty of victims that haven't been patching externally showdown has proven that forever. And so I mean, I haven't gone and looked at all the showdown results. But I I'm assuming that the vulnerable servers out there hasn't really exploded or changed much. And they are available and they're out there. Are there more vulnerabilities this year? You know, there's sources we could go to look, they actually do track that. So maybe that's a possibility. But my general vague memory of 2023 At least, there were some big critical things, but it seemed like, on average the same. So my curiosity is if the threat actors have just gotten more active, I don't really know what's your take mark? They
Marc Laliberte 29:29
did. So in the report itself, they highlighted one critical vulnerability that was pretty big and wide impacting the vulnerabilities impacting the move it file management software, that ended up getting a whole bunch of organizations compromised. I bet that was at least some bit of a contributor, but I feel like your reaction may be correct that there is just more activity in in total going on against organizations. And I don't know by cynical Syed says, as times get tougher, more people turn to crime. And that could be one reason why we're seeing more cybercrime. As you know, the US is doing actually decently well. But as global economies continue to struggle a bit, I agree with
Corey Nachreiner 30:13
that. And by the way, even though the US is is very quantitatively doing well as a whole, that doesn't mean things like inflation haven't, you know, while our economy might be okay, and we may not have unemployment, I think things like inflation, especially in the US, but probably globally, has made the average to low income person's life even harder, even if the country's overall economics are okay. And I hate to say it, but you know, I It doesn't excuse it. But we've found before that threat actors tend to be in countries that if they're, you have a high technical skill, but there's not a ton of opportunity for making a good salary with it legitimately. It's one of the reasons threat actors go that way. So I don't know if either of us can prove that quantifiably. But it feels when the economy drops, I would expect cyber attacks to go up like you say, and even even if the economy's up if the if the lower, I don't want to say lower income folks are feeling stretched because of things like inflation, they might have to do riskier things to try to survive in their head.
Marc Laliberte 31:25
Now heartache for you, Corey. One of the so while the economy in general is doing well, one specific vertical that has been struggling a bit is tech. And there have been a lot of, you know, layoffs and struggles getting hired in the tech world. How many of those engineers do you think are turning to cybercrime now, Corey?
Corey Nachreiner 31:49
Good question. I would hope not. I
Marc Laliberte 31:53
would hope that too. And I'm
Corey Nachreiner 31:56
almost all right. Yeah. I, I if I got laid off, like you and I, well, maybe you would argue I miscript Kitty level seen how basic some of the attacks are out there. You and I could breach companies using the red teaming stuff? We know. I I'm not if I lost my job. I just I wouldn't turn to that. Yeah, maybe that's country is probably geographic, right? Because here in the US, we actually have some pretty, I don't think I would do it for personal ethics. But just let's just say about being punished here in the US, you would be punished pretty quickly. And yes, VPN and things like that can save you but I gotta tell you, in the US things like wiretaps and things like that you're even with VPNs, you can be hunted, hunted down. But I think that's the other reason we see a lot of threat actor crime activity coming from certain countries, because they just don't have the same repercussions in their country. I mean, we use it all the time. But that seems to be clearly why Russia is a haven for ransomware actions. You know, if you're a ransomware threat actor in the United States, and they found out you're United Healthcare, you're going to jail. And if you're in Russia, you may not be able to go to a cool vacation, but you're probably drinking. You might be recruited to start popping the newest VPN filter devices for your government.
Marc Laliberte 33:25
Exactly. Yeah, interesting take. So next that I wanted to highlight that because we have to throw out the social engineering stat. 68% of breaches involve either social engineering or human error of those that they analyzed last year, which honestly, that feels lower than I expected. But I guess this is like the initial intrusion vector with social engineering and human error. Not it was the one of the potentially many factors in there. So I guess that makes sense. Yeah, sure. Other key takeaway 62% of financially motivated incidents involved ransomware with a median loss of 46, or $460,000 per breach. Without 460,000 was interesting, because we always hear now the big name ransomware attacks, we just talked about 22 million and extortion from change healthcare. But the reality is the majority of ransomware attacks are significantly less of an extortion demand from ransom, I would
Corey Nachreiner 34:27
assume that's because threat actors are I mean, they're asking a lot for their ransom, but I think there's they're, they know who their target is. So they're asking a lot, but in scale with the target they're going after. So like if you have a Microsoft or something you're going to ask for 10s of millions. But I would suspect that more small to medium businesses would fall prey to ransomware. And that's where you know, if you're a business making only a revenue of 400,000 there They're not going to, or 400 million or 4 million, I should say, they're not going to ask you for 40 million in ransom, they'll probably ask you for 150,000 to 400,000. I wonder what would happen if you're a company that only made four, 4 million in revenue? You lost 52 million. But you were worth a billion on the stock market? What would they ask you for that? Ransom view. I wonder that is, that's very random, or just, I don't know, just some random company.
Marc Laliberte 35:32
Okay, anyways, so on page eight, there was another stat I wanted to go over, which was 15% of breaches involve a third party or supplier. This one was interesting, because it's specifically talking about the attack surface that you expose from, like third party software you use or suppliers to give access to your organization. But the one kind of caveat they put in here was so of those 15% of breaches that involve a third party or supplier that also included software vulnerabilities. And so a tool that you deploy that had a vulnerability that enabled the breach, so like that, move it example. And that was an interesting pencil out, I had because I want to, like when I think of third party, or supplier, I think of you know, like the Target breach where it was the H back vendor that got compromised, they use those credentials to then go after target and steal payment card information. I don't typically think of, you know, I got a license to software XYZ XYZ had had a vulnerability. And that allowed the threat actor and I consider that more of like an internal breach from the software I managed. So that I don't know what's your take on that Corey, I thought it was an interesting bundling software vulnerabilities. And then
Corey Nachreiner 36:43
it was weird, because I kind of you know, we talked about a class of vulnerabilities that I call them digital supply chain breaches. And I kind of can go both ways on them a digital supply chain breach can be a third parties system in your system that had higher privilege that was the door in and to your point, that could be just software, you use that head of vulnerability, aka SolarWinds, Orion. But I also consider a the H fat case at Target kind of a digital supply chain breach to in this case, it was an external partner. But it was a digital tool that that target exposed for accounting purposes for that H fac vendor to use that that gave a third party partner more privileged access and the target systems, very different technical things, very different types of partners. One is just software you use and one is just a partner you have. But but in my high level head, I call both supply chain breaches. And I just add the digital because it has nothing to do with, you know, manufacturing or the people themselves, it has to do with some digital tool that gives that partner more privileged access into your organization. Either way, I wonder if depending on how they define it, like is 20 I feel like the supply chain problem is really bad. So is under 20% Actually as bad as I think or or are they may be late leaving out some types of what I consider a supply chain breach in that that step there for what they are calling the third party breaches. Yeah,
Marc Laliberte 38:27
I think that's fair. And so they actually added an entire category that they're calling supply chain interconnected breaches starting on page, what is it 14, I believe is where the main stats are, where they describe like of breaches involving these third party interconnected supply chains, etc, around 90% of them involved exploiting a vulnerability. So vulnerability in the component from that supplier, around 80% of them resulted in a backdoor or command and control connection to the victim in this case, and only around 10% of them involve stolen credentials. So if you remember 68% of global breaches involves social engineering of some sort or human error when it comes to these like ones initiated from a supplier or third party ranks 10%. Exactly. And they even noted in the section that they recognize it is a bit controversial to include vulnerabilities in this metric. And they argue that software vendors are the developers are victims as almost as much as victims as the organizations that deployed the software, but that there's a bit of a misalignment for incentives between those developers and the consumers that are employing this pulling the software that can result in this breach. So I thought that is
Corey Nachreiner 39:45
why the government wants to change it right. It's the whole idea that if vendors that make the software can push the liability of a breach on to the customer. If you use someone else's software, you become the supplier I chained victim whereas if those vendors are responsible for their software errors that you know, that is why the target is this victim? Not necessarily certainly the software people hopefully that will change ah fact ah back when was stolen credentials though so it kind of shows how rare the target one was if I remember right H fac vendor was fished and they just used his credentials to get to a web application that was inside Target's network. But it's one that he had credentials in order to report his hours or or heat I said he, the owner of that company. So yeah. Interesting that they're usually vulnerabilities. Not surprising. I mean, for most of the ones we've seen a long time for a long time, the past few years have been some vulnerable code from someone that lots of companies use.
Marc Laliberte 40:55
Yep. So on page, this would be 16. They go into a few details about the category of threat actor going after organizations that they analyzed for this report, they found that organized crime such as cyber criminals generically for 65% of breaches, end users. So this would be employees or contractors were doubled from 11% to around 26%. And state sponsored threat actors were about 5% of all breaches report a definition
Corey Nachreiner 41:25
does the end user also mean a inside attacker? Or could it just EPA, someone that's mad at the company on the outside but not organized criminal?
Marc Laliberte 41:37
That so end user is by their definition and employee or contractor. So Insider. So X, like an external singular threat actor would still be crime in this case? Or potentially other actually, I'm not sure but not end user further definition. But so nation state or threat actor I, I'm on the fence on this one, like part of me is like, well, it's only 5%. Like kind of makes sense. The other part is, while 5% is actually a decent chunk of overall breaches, when you consider globally like the victim space to have
Corey Nachreiner 42:12
feels like 5% shouldn't be the right number, in my opinion, like it's what you would hope and it could even be a lot. But with the I think the thing is, is that 5% state actor breaches is among the most impactful, huge situations that make the news and affect a lot of companies. You know, we mentioned VPN filter, what was the nude Cyclops Blink is one What was the name of the one we just talked about that was Cisco boarded aqua, but what the
Marc Laliberte 42:43
heck is an arcane door arcane
Corey Nachreiner 42:45
door, like I could see logically why maybe that's only 5% of the breaches out there. But they're such humongous breaches that I feel like state sponsored should be right up there with organized criminal, just because of the whole impact the amount of money costs in the big deal of them. But for technically, how many actual attacks are occurring? You would you would assume it was mostly organized crime. If anything surprised me, it's a that there's that over 20% Insider, maybe, maybe it's my head, but I do know insider attacks happen, but they feel maybe it's just my hope as a CIO so that we don't have to deal with one mark, but they feel rare. To me. It always feels like external for the big hacks and breaches. Yeah,
Marc Laliberte 43:35
that's also just because WatchGuard only hires trusted individuals. And so
Corey Nachreiner 43:40
to say that I feel like I mean, we have a great process. We actually do hire trusted people, and we do trust our people. As soon as you say anything definitive, my Oh, crap meter goes off.
Marc Laliberte 43:53
Fair. Yeah. I agree, though. I am. It does feel like yeah, anyways. So the last that I wanted to highlight, again, there's this report like 80 pages long, it's pretty crazy. But on page 37, they dive into specific social engineering methods. So have the what are the top action action vectors and social engineering based breaches and email, as you may or may not have guessed was like 99.9% of all social engineering related breaches, web applications, phone, instant messages, text messages, were like sub 1% each. And the reason I want to talk about this though, is because we've talked a lot about you know, the rise in text message based phishing and vishing and you know, leveraging AI to do video based phishing, but the reality is, like even though it exactly they're super miniscule compared to just basic email,
Corey Nachreiner 44:53
although I wish I could see the version you might be able to tell me if they have it later. That is, I am in s admis is growth compared to itself, meaning get email off the scale so that you can see the growth or lack of growth in those other areas. And honestly, I could care less about how SMS relates to web application or phone. I more want to see year over a year, SMS IMS. And what I'm getting at is they could be growing, we may be actually entirely correct SMS phishing could have doubled or tripled in the last year. The point is, email is the first way and so commonly that the rest don't really matter.
Marc Laliberte 45:36
I have not seen that stat, or I don't think they actually display that in here. But that is an interesting thing curious.
Corey Nachreiner 45:42
I also wonder if a web application gets like if we I would never expect the web application be the first thing but I would say that I bet you in at least 30, if not 40% of the time, the first email lower connects to a website. So I don't want people to think websites. I think there's a lot of malicious web categories out there, you have to block the thing is it's always what will get you to a website, people aren't just not going to go to a random website. So of course, every sort of malicious web thing out there is going to start with an email or some communication to get you there. Or Docker out. Yeah, true, true. Although to you know, that would still end up as a link in an email. So to the average user, that's just a link to go look at something that once they interact with, they're screwed. Now, either way,
Marc Laliberte 46:40
so I was wrong. It's not 80 pages, this report is 100 pages. Yeah, it's
Corey Nachreiner 46:45
more a scroll down too much. And I quickly got the 60.
Marc Laliberte 46:50
There are, there's a lot of good information in this report, like really interesting high level trends that can help you prioritize what areas to focus that, that we did not get into them right now. But they even break it out into specific verticals and specific regions to highly recommend going and getting a copy of the data breach investigations report. And at least like picking out a few sections to go read through. If you don't want to spend the time to go through all 100 Whatever pages
Corey Nachreiner 47:17
you know, over the next six months, you'll probably hear us through these studies are the type of stats that whenever we're talking on any subject, we tend to throw them into different presentations. So it's hard to consume this 100 pages the day it comes out. But expect us to sprinkle a sand every other security conscious organization to sprinkle the stats for ice and releases every year. We really appreciate this port report. We appreciate all you know the important thing I think Mark already said but there's a it's not just Verizon Verizon partners very well, with a tons of cool security companies to get all this data. So good on them for doing it. Wow, there's so many cool security companies doing that mark. He says as circles watch
Marc Laliberte 48:06
got to do. Yep. I wish our name started with an A so we could be at the top. But either way, though, great report. And like you said, I think we'll be pulling stats out of this for at least the next six months as we chat about other topics. Hats off. Also speaking as someone that helps publish a security report that is only 30 something pages, I cannot imagine the amount of work that goes into cranking out this thing every single year by
Corey Nachreiner 48:38
the end and hurting the cats of all of us, right? We interact with some folks that do it. And we're a tiny subset of data. And frankly, everyone gathers data in different ways and it's sometimes raw. So they have to normalize whatever data they're getting from all of us and then create the 100 pages. Super hats off to them. This is a big and awesome report.
Marc Laliberte 49:01
Yep 100% Thanks again Verizon for another cool report. Hey, everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate why
Corey Nachreiner 49:12
wouldn't the more the world is so much better. Nothing bad happened? There was nothing cynical about this episode. So yeah, what were you saying about rate review and subscribe? Stay tuned all the bells, do thumbs ups.
Marc Laliberte 49:28
Smash that Like button. If you have any questions on today's content or suggestions for future episode content, you can reach out to us on Instagram. We're at watchguard_technologies. Thanks again for listening and you will hear from us next week.
Corey Nachreiner 49:46
They should have my puppies Instagram account. It can give me 443 updates there.
