Robin’s Newsletter #152

16 May 2021. Volume 4, Issue 20
All the stats: it's DBIR time. Colonial Pipeline paid ransom, restored service and DarkSide disappeared. Being better at security engagement.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week is interesting stats

Verizon DBIR 2021 and ClubCISO Information Security Maturity Report

It’s that time of year again: Verizon’s Data Breach Investigations Report (DBIR) and ClubCISO’s survey of 185 CISOs too. There’s a lot to unpack from these two reports and so I’ve pulled out some highlights and interesting bits below, and would love to hear your thoughts: hit me up in either of these threads on linkedin or twitter!

DBIR 2021

Financial gain continues to dominate the motivations for security incidents and organised crime are the actors attributed to 4/5 of incidents. Straight up the theft of money (Business Email Compromise) and ransomware get top billing usually for those, however value in company resources (selling customer data) or mining cryptocurrency using cloud resources may also feature.

Financial motivations dominate cyber security incidents and breaches

As Jessie J would say: ‘It’s all about the money, money, money…’

61% of breaches involved credentials. Enabling multi-factor authentication and using strong, unique passwords (such as those generated with a password manager) both help to reduce the chance that attackers can compromise credentials and re-use them to gain access to your systems and data.

This year the DBIR team also took a sample of breaches where they had cost information and ran 1,000 Monte Carlo simulations to simulate the consequences of risk events (this is similar to the method we use for our Cyber Risk Analysis at Cydea 📉). $21,659 was the median result of their simulations, with 80% of breach impacts falling within $2,038 to $194,035 and 95% of impacts, between $826 and $653,587. 14% of simulated incidents had no impact.

95% of forensic investigation costs fall between $2,402 and $336,449, while legal advice comes in between $806 and $53,691.
 5% of all incidents were ransomware, and that accounted for 10% of data breaches too. 60% of the time the malware is installed directly, rather than spreading via email, network propagation, or other malware.

Information Security Maturity Report

  69% CISOs believe that security posture has been unaffected, or improved, by business changes resulting from the COVID-19 pandemic. That’s probably driven by increased visibility across endpoints, with 50% accelerating endpoint protection plans.
 On that front, 40% of respondents say Security Operations is one of the top three areas they spend their time, though only  22% of them say that it should be where they devote their efforts. The good news is that this may happen, 52% have driven measurable improvements in Security Operations in the last 12 months.

On the security budget front, 33% have had security budgets increase by more than 25% over last year (7% by more than 100%!) while 26% remained the same. Most respondents (31%) report their budget as being between 5%-9% of IT spend.
 Longer-term, CISOs may be setting themselves up for succession planning difficulties. There appears to be a disconnect between what they believe they need to be successful, and what they look for in their team members. 64% rate business knowledge vs 22% technical knowledge as the most important skill needed by a CISO. When looking for skills in their team though 77% look for technical ability, with only 26% citing business knowledge, which doesn’t make the top 10 skills they look for. Only 1/4 reckon this business knowledge is their area of proficiency. This may exacerbate the skills gap and miss out on ‘hidden gem’ internal candidates, though over half say they never struggle to attract good security staff.

I’d love to hear your thoughts on either of these reports: comment on linkedin or twitter. (plus bonus history of DBIR:,

Other newsy bits

Colonial Pipeline restored, paid ransom demands, while DarkSide disappears

The Colonial Pipeline cyberattack has received significant coverage this week from both the cyber and mainstream news outlets. After a six-day outage, resulting in panic buying of fuel, operations have been restored across the 5,500-mile pipeline network.

As first reported by Bloomberg, that appears to be after Colonial swiftly paid the ransom demands of the attackers. Blockchain analysis firm Elliptic says it found a 75 bitcoin ($5M) cryptocurrency payment from Colonial Pipeline to a wallet used by the DarkSide group on 8th May.

The disruption to the pipeline results in a statement from President Biden where he reiterated the FBI’s assertion that the attack was coordinated by a Russian group. Unsurprisingly, he said that there was no evidence of Russian state involvement, but that Russia’s President Putin should act.

Meanwhile, DarkSide, which comprises roughly 5-10 affiliates, has ‘gone dark’. Messages on cybercrime forums reporting to be from the group say they let access to public infrastructure and have been locked out of servers with support indicating this was “at the request of law enforcement agencies”. A cryptocurrency wallet used by the group has also been emptied of funds.

It’s difficult to say if this is an ‘exit scam’ where the group ostensibly ‘shuts down’ only to rebrand and continue operations with less heat from law enforcement. The group has netted $9.4M in payments this week alone and over $40M in the first three months of 2021. That’s a lot of dosh to disappear with.

Usually, when servers are seized by law enforcement they display a banner notifying as such, whereas that isn’t the case here. That could be down to covert action from U.S. agencies, or while I haven’t seen any suggestions, potentially a result of Russia cracking down on a criminal gang that has begun to cause it tangible diplomatic difficulties.

The extensive coverage appears to be causing reflection within the cybercriminal community, with posts advertising ransomware affiliate schemes being banned by message boards, and the REvil group stating that affiliates require authorisation before instigating an attack and may not target the ‘social or gov sectors’ (defined to include healthcare, education and state governments).,,,, (DarkSide profile)

CyberUK and other NCSC updates

Lots of great stuff coming out of the National Cyber Security Centre (NCSC) CyberUK conference this week.

A decade after it was published almost a decade ago, there is a refreshed 10 Steps to Cyber Security, that now explicitly targets security professionals at medium and large organisations.

Home Secretary, Priti Patel, announced a review of the UK’s Computer Misuse Act (CMA) that is now 30 years old. It is the primary legislation covering all things cyber and hacking and is widely seen as insufficient for modern offences. There is a call for information that you can participate in to provide your professional inputs on how new legislation should be drafted on

Patel went on to decry ransom payments, saying

Paying a ransom in response to ransomware does not guarantee a successful outcome. You will not protect networks from future attacks, nor will it prevent the possibility of future data loss. In fact, paying a ransom is likely to encourage further criminality.

I mentioned forwarding fraudulent SMS messages to 7726 (SPAM) and hadn’t realised that the URLs in these messages are being passed through NCSC’s Takedown Service: “In April 2020 we accelerated the rate at which we processed the URLs in 7726 SMS phishing reports. Between April and end of December 2020, these referrals were credited as the first reporter of over 22,000 URLs in the Takedown system.“ The Takedown Service helped mitigate 700,595 campaigns in 2020!

In the same vein, NCSC’s Suspicious Email Reporting Service (SERS) allows the public to forward suspicious emails to [email protected] where they are analysed and malicious links send to the Takedown Service to try and remove those sites from the internet. 

You can find the session replays from CyberUK 2021 on YouTube, and the full ACD report on the NCSC website. (10 Steps), (CMA),, (ACD report; PDF)

In brief

Attacks, incidents & breaches

  • The Health Service Executive (HSE), Ireland’s public health service, has temporarily shut down its IT systems following a human-operated ransomware attack. The attackers, believed to be the Conti gang, are demanding $20M, which HSE says they will not pay. Outpatient appointments are being cancelled and it may be a ‘number of days’ before services are restored and efficient services are restored, though emergency departments and vaccine rollout programmes are, thankfully, unaffected,
  • The Babuk gang extorting the Washington D.C. police has released pyschmetric evaluations of officers after negotiations broke down. The police apparently offered $100K to not release the information while attackers were pushing for $4M
  • German-headquartered chemical company Brenntag, with 17,000 global employees, paid $4.4M ransom to DarkSide
  • Toshiba’s European subsidiary also victim of suspected DarkSide attack earlier this month
  • Manchester City Council forgot to redact car number plates from parking ticket info made public in transparency push
  • Internal tooling for Rapid7’s MDR service exposed in Codecov incident

Threat intel

  • Android malware stealing banking credentials and SMS login codes targeting banks in Spain, Germany Belgium and Netherlands
  • Cybercriminals are buying search ads to promote phishing pages


 - Publishing exploits do not encourage organisations to patch and results in a longer time before detection content is created, according to Kenna Security and Cyentia Institute. 49.1% of assets were patched within 3 months when an exploit is published, 2.8% more than without a public exploit. Detection signatures take a median of 27 days to create when an exploit is released before a patch, 23 days longer than when a patch is released first. Meanwhile, attackers are 15x more likely to use a vulnerability where there is a public exploit available  - Vulnerabilities in WiFi standards dating back 24 years, dubbed Frag Attacks, can be used to attack devices within physical range and work even if WEP or WPA configurations are enabled. Fortunately, the researchers say “the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings.” Patching has been coordinated through the Wi-Fi Alliance and vendors over the last nine months, so you’re probably covered, though older or cheaper IoT devices may not receive updates

  • Adobe Acrobat vulns, leading to arbitrary code execution, being exploited in the wild

Cyber risk and security engineering

  • Microsoft adding GPS-based named location to Azure AD’s Conditional Access feature to add additional protection to authentication
  • AXA to stop reimbursing ransom payments made by French policy holders
  • 15% of 2020 ransom payments carried a sanctions violations risk
  • “500 human years are wasted every single day - just for us to prove our humanity” says Cloudflare, as it seeks to kill CAPTCHA in favour of security keys

Internet of Things

  • This is some really cool hardware hacking: messing with voltages at the right time to skip code, enable debug mode and dump the firmware from Apple’s Airtags
  • QNAP makes second warning of ransomware targeting its network attached storage (NAS) devices in as many weeks


  • New technique to fingerprint users looks at what apps you have installed to track browsing across independent web browsers

Public policy

  • ‘Everything you need to know’ on President Biden’s new executive order on cybersecurity

Mergers, acquisitions and investments

  • Panaseer raises $26.5M series B funding to expand Continuous Controls Monitoring solution (congrats, folks!)
  • Jamf acquiring zero trust firm Wandera for $400M
  • Cisco to acquire Kenna Security to integrate risk-based vulnerability management into SecureX platform
  • DarkTrace to host platform on Azure, export alerts to Sentinel

And finally

Learning from West Midlands Trains phishing simulation

This is a bad way to run a phishing simulation. It’s bad because it didn’t tell the security team or management anything new. Instead it has likely turned those they need to be their greatest allies against them. Trashing culture and trust along the way.

That “this is how an attacker would do it” defence isn’t good enough. You don’t ‘educate’ staff to handle abusive passengers by planting stooges on scheduled services to hurl abuse and see how the guard handles the situation.

Instead of doing this you could improve mail filters. You could endure external mail is clearly labelled. You could implement web filtering and monitoring. You could implement MFA to prevent credential stuffing. You could offer staff a password manager and help them secure their personal digital life too.

You could protect, rather than prank, your colleagues.


  Robin's Newsletter - Volume 4

  Verizon Data Breach Investigations Report (DBIR) DBIR 2021 ClubCISO Information Security Maturity Report Colonial Pipeline Ransomware DarkSide National Cyber Security Centre (NCSC) CyberUK 10 Steps to Cyber Security West Midlands Trains Security engagement Security awareness Phishing simulation Public exploits