The Data Breach Investigations Report (DBIR) team at Verizon always produces first-class insight and perspective on the year’s breach data. This year, one of the highlights is what they call a “survivorship callout”, a thoughtful way of looking at the differences between what the breach data is showing, on the one hand, versus the experience of many cybersecurity professionals working in the field.
What does it mean that the DBIR data shows the prevalence of malware decreasing in breach events, when cybersecurity engineers feel as if it’s an enormous part of the threat landscape they interact with?
So, what exactly is survivorship bias? In summary, it’s a very specific form of selection bias that occurs when a non-representative subset of data is used to draw conclusions. The classic example of survivorship bias is drawn from World War 2, and an oft-repeated story about a military officer who wanted to reinforce the armor plating of bomber aircraft.
Noticing the aircraft that returned from bombing missions typically had bullet holes in some parts of the fuselage but not others, the officer ordered the areas reinforced where bullet holes were being seen. It was pointed out, however, that this was the opposite of the right idea – planes that returned home from missions were exactly the ones that had not sustained critical damage. Therefore, being shot in those parts of the fuselage was obviously not serious enough to bring the bomber down. In fact, assuming that bullets would strike all over the body of a plane, the regions with no bullet holes were the regions that were critical to protect, because the planes that had been shot in those areas were the ones that never made it back.
Is Malware the Primary Threat?
In a cybersecurity context, we deal with malware detections on a daily basis. Often, there are so many that it feels as if malware must be the primary threat that organizations face. Verizon’s DBIR team challenges this idea by suggesting that, possibly, the organizations where lots of malware is being detected are the ones that aren’t being breached. Their dataset is the opposite of survivor data; Verizon works with data from the companies that have been breached, working with the cybersecurity version of the planes that never made it home.
So, does malware fall into the category of a survivor bias? Are we focused on protecting our customers from malware because we see a lot of detections, although the likelihood of involvement in a breach is low? Well, not exactly. Looking at the anti-survivor data from the DBIR team, we see that malware is still a very big part of breaches – it just comes in at a different phase.
In confirmed breaches, malware was found to be a lower proportion of attacker methodology in the early stages of the breach, but it’s prevalent again in the middle stage of the breach. The early stages – no surprise! – feature social engineering and human compromise as prominent vectors.
What does this mean for cybersecurity strategy? It means the concept of defense in depth is not only alive and well, it’s more important than ever. It also means that when we catch malware in a customer environment, it’s important to ask ourselves how it got there. Were there compromised credentials that weren’t reported? Although a full forensic investigation may not be warranted for every trojan, we should be mindful that robust and active malware is often not the first success in an attacker’s campaign.
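To make the two points above concrete (malware showing up at a different stage of confirmed breaches, and detection volume being dominated by the organizations that were not breached), here is an added example that is not part of the original post. The breach records and organization figures in it are constructed for illustration and are not DBIR data; the stage labels and action names are assumptions chosen for the example.

```python
"""Stage-wise action prevalence over constructed breach records.

Added example: the breach chains and organisation figures below are
constructed for illustration only; they are not DBIR data.
"""
from collections import defaultdict

# Constructed breach records: each breach is an ordered list of
# (stage, action) pairs describing what the attacker did and when.
BREACHES = [
    [("early", "social"), ("middle", "malware"), ("late", "exfil")],
    [("early", "credentials"), ("middle", "malware"), ("late", "exfil")],
    [("early", "social"), ("early", "credentials"), ("middle", "malware"), ("late", "exfil")],
    [("early", "malware"), ("middle", "malware"), ("late", "exfil")],
    [("early", "social"), ("middle", "credentials"), ("late", "exfil")],
]

STAGES = ("early", "middle", "late")


def stage_prevalence(breaches):
    """Fraction of breaches in which each action appears at each stage.

    A breach counts once per (stage, action) even if the action recurs
    within that stage, so the result is 'share of breaches', not
    'share of logged events'.
    """
    seen = defaultdict(set)  # (stage, action) -> indices of breaches containing it
    for idx, chain in enumerate(breaches):
        for stage, action in chain:
            seen[(stage, action)].add(idx)
    n = len(breaches)
    result = {stage: {} for stage in STAGES}
    for (stage, action), idxs in seen.items():
        result[stage][action] = len(idxs) / n
    return result


def malware_by_stage(breaches):
    """Share of breaches with malware at each stage (0.0 if never seen)."""
    prev = stage_prevalence(breaches)
    return {stage: prev[stage].get("malware", 0.0) for stage in STAGES}


# Constructed organisation figures for the survivorship comparison:
# malware detections each org logged, and whether the org was breached.
ORGS = [
    {"name": "org-a", "malware_detections": 120, "breached": False},
    {"name": "org-b", "malware_detections": 95, "breached": False},
    {"name": "org-c", "malware_detections": 4, "breached": True},
    {"name": "org-d", "malware_detections": 2, "breached": True},
    {"name": "org-e", "malware_detections": 60, "breached": False},
]


def detection_share_at_breached_orgs(orgs):
    """Share of all logged malware detections that came from breached orgs.

    A small value means the detection stream a SOC sees is dominated by
    the 'planes that came home', so raw detection counts say little about
    what the breached organisations actually experienced.
    """
    total = sum(o["malware_detections"] for o in orgs)
    breached = sum(o["malware_detections"] for o in orgs if o["breached"])
    return breached / total if total else 0.0


if __name__ == "__main__":
    for stage, share in malware_by_stage(BREACHES).items():
        print(f"malware in {stage} stage: {share:.0%} of breaches")
    print(f"detections from breached orgs: {detection_share_at_breached_orgs(ORGS):.1%}")
```

The point of splitting the two functions is that they answer different questions: `stage_prevalence` conditions on the outcome (only breaches are counted, as the DBIR dataset does), while `detection_share_at_breached_orgs` counts over the whole population, which is what a detection dashboard shows. On the constructed data, malware appears in the early stage of 20% of breaches and in the middle stage of 80%, while only about 2% of all logged detections come from the breached organizations.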
Ingalls Information Security
Ingalls Information Security understands cybersecurity attacks and how to respond effectively. Since 2010, we’ve been in war rooms and boardrooms, investigating computer networks targeted and attacked by criminals and nation-state sponsored hackers. This experience gives us a powerful edge in preventing and responding to cyberattacks.
Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more, please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.
About the Author
Jon Lee, CCNA-Security
Mr. Lee is an experienced Cybersecurity Consultant who has worked in network security and incident response since 2016. His expertise is in communications, data analysis, threat vectors, security assessments and cybersecurity training. His work includes extensive exposure to the legal, medical, and energy sectors. He is formerly a longtime Information Technology professional with a background in systems administration and network topology, and maintains Linux and Cisco related certifications. He holds a bachelor’s degree in Formal Logic.