Shostack + Friends Blog Archive


Thoughts on the 2011 DBIR and APT (Authorization Preservation Threats)

So Verizon has recently released their 2011 DBIR. Or perhaps more accurately, I’ve managed to pop enough documents off my stack that my scribbled-on notes are at the top, and I wanted to share some with you. A lot have gone to the authors, in the spirit of questions only they can answer.

Here, I want to talk about one of two particularly New School takeaways from the report, which is figure 18:

Verizon 2011 DBIR Figure 18

Now, there are two datapoints on there that jumped out at me as important. They’re “BRUTE” and “DFCRED”. What do BRUTE and DFCRED mean? BRUTE is “Brute force and dictionary attacks” and DFCRED is “Exploitation of default or guessable credentials.” Now, I’d guess that the difference between “guessable” and “dictionary” is the size of the dictionary needed, but I don’t want to quibble over taxonomies here. What I want you to focus on is how BRUTE was involved in 25% of breaches and on the order of 30% of records. DFCRED is involved in 35% of breaches and a bit under 30% of records.

Take a moment to think about that, and what you might do about it.

I’m not going to claim that changing passwords is free, or that password management is trivial. However, it seems that changing your passwords is all it would take to substantially reduce the success of perhaps 30% or more of the breaches that Verizon studies. I’m being squishy because perhaps the attackers would have found another way, or perhaps DFCRED and BRUTE hit different customers, in which case it could be over 50% of attacks thwarted. I don’t want to attack anyone’s business here, but if you’re looking at any super-fancy technology before you’ve rolled out AD password policies and also mastered changing your passwords on the non-AD stuff, you’re ignoring the Authorization Preservation Threat.

And the data we have from the DBIR shows that Authorization Preservation Threats are common and impactful enough to trigger a Verizon investigation.

I’d love to know the numbers for the union of BRUTE and DFCRED, but I don’t think they can be derived from the DBIR as published. We’d need a table of breaches and their threat action types. [Update: Wade Baker has kindly published that on their blog!]
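To make the “union” point concrete, here is an added example (not from the post or from Verizon) that computes what the per-breach table would let you answer, and what you can already bound from the two published percentages alone. The breach rows are constructed sample data in the shape of that table, not DBIR figures.

```python
# Constructed sample: breach id -> set of threat action types involved in it.
# These rows are made up to illustrate the calculation; they are not DBIR data.
BREACHES = {
    "b01": {"BRUTE"},
    "b02": {"DFCRED"},
    "b03": {"BRUTE", "DFCRED"},
    "b04": {"SQLI"},
    "b05": {"DFCRED", "MALWARE"},
    "b06": {"BRUTE", "MALWARE"},
    "b07": {"PHISH"},
    "b08": {"DFCRED"},
    "b09": {"SQLI", "MALWARE"},
    "b10": {"BRUTE"},
}


def share_involving(breaches, actions):
    """Fraction of breaches in which at least one of `actions` was involved.
    Passing {"BRUTE", "DFCRED"} gives the union the post asks about."""
    hits = sum(1 for acts in breaches.values() if acts & actions)
    return hits / len(breaches)


def share_with_all(breaches, actions):
    """Fraction of breaches in which every one of `actions` was involved
    (the overlap that inclusion-exclusion needs)."""
    hits = sum(1 for acts in breaches.values() if actions <= acts)
    return hits / len(breaches)


def union_bounds(p_a, p_b):
    """Bounds on the share of breaches hit by A or B given only the marginal
    shares p_a and p_b, which is all Figure 18 publishes.
    Lower bound: one set contains the other (maximum overlap).
    Upper bound: the sets are disjoint (no overlap), capped at 100%."""
    return max(p_a, p_b), min(1.0, p_a + p_b)


if __name__ == "__main__":
    # With the per-breach table, the union and overlap are exact.
    print("BRUTE or DFCRED:", share_involving(BREACHES, {"BRUTE", "DFCRED"}))
    print("BRUTE and DFCRED:", share_with_all(BREACHES, {"BRUTE", "DFCRED"}))
    # With only the DBIR's 25% and 35%, the union lies between 35% and 60%.
    print("bounds from marginals alone:", union_bounds(0.25, 0.35))
```

On the published marginals alone the union is somewhere between 35% and 60%, which is why the post can only say “over 50%” is possible rather than give a number.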

To be fair, Verizon’s analysts did understand this: access control is one of their top recommendations, 30 pages later. I don’t think they stress it enough given the relative ease of implementation, nor do they tie it back sufficiently for my taste.

That’s ok: they’ve published data and methodology in sufficient detail for me to bring up the point and stress it for you. Because they do that, they allow others to interpret and build on their work. Different people have different perspectives that come from where and how they were raised, where they went to school, what jobs they have, what media they pay attention to. All of which combines into different ways of filtering and sorting through facts. Being able to bring those perspectives to bear on the same data helps us get more out of it than any single analyst, however smart. And so Verizon sharing their data is a big win.