What do we learn from the NCTV Cyber ​​Security Assessment and Verizon DBIR 2023 – Zolder BV

by Prapattimynk, Sunday, 23 July 2023 (7 months ago)
What do we learn from the NCTV Cyber ​​Security Assessment and Verizon DBIR 2023 – Zolder BV

Zolder BV – 04 jul 2023

This week, the NCTV released the annual Cyber ​​Security Assessment Netherlands, or: the CSBN-2023. I always like these kinds of reports because they provide an up-to-date picture of the cyberthreats out there and where our attention as defenders should be focused. To be honest, that was a bit disappointing this time.

The CSBN seems to be written more on a strategic level this year. I take it that:

  • the war in Ukraine increases the activity of Hacktivists
  • new legislation from the EU (NIS2) is on its way
  • security of Operations Technology (OT) needs more attention

These are not unimportant themes and I also skip a lot, but I was just hoping for some more guidance for concrete operational measures and that is just not what this CSBN offers.

CSBN-2023 and Basic Measures?

What I have explicitly looked up is how things stand with the “basic measures”. After all: until last year, the CSBN was mainly the annual scribble that organizations refuse to implement those basic measures. It is therefore remarkable that not much is said about it this year, except:

  • Reducing the imbalance between digital threat and resilience is still a major challenge
  • Basic measures continue to prove an effective barrier against many types of cyber-attacks. Microsoft states that basic measures protect against as many as 98% of cyber attacks. The NCSC also identifies basic measures that every organization should take to counter cyber attacks. In the event of cyber incidents, the NCSC sees that organizations are vulnerable if these measures are not taken.

You could conclude that the most important thing we have to do is ensure that organizations implement basic measures, but that is not what it says. The CSBN-2023 refers a number of times to the previous edition and that the situation is still the same. But of course that gets a bit boring after a few years, the writers must have thought 😉

Data Breach Investigations Report (DBIR)

I was triggered by the CSBN to see if the annual Data Breach Investigations Report (DBIR) was already out. And yes that was it! How could I have missed it? I’ve been a fan of DBIR for years, as our WCGW characters. Much more than the CSBN, it makes it very clear in figures why and how security incidents and data leaks arise. Nice concrete guidance to set priorities in your security architecture. DBIR has therefore always been a source for CSBN, but not this year.

DBIR2023: Credentials #1 for initial access

Last year I highlighted 1 image from DBIR at various times, which is actually virtually unchanged this year:

What you see here is that leaked credentials are by far the most important basis by which attackers gain access to networks and information. Whether those credentials were obtained through phishing, brute-force or simply purchased from a criminal marketplace. From this first intrusion, the attacker then continues on the path to his goal, such as stealing data, misleading colleagues or locking the ICT.

“Hackers do not break in, they log in” is a well-known saying and this data can certainly be substantiated.

DBIR2023: WebApps & Email as Vectors

But where do they log in? Well, since we can no longer do without SaaS in business today, it makes sense that the main vector for those leaked credentials is: WebApps. And soon after Email.

Often both will apply, for example: people log in to office.com and then go to Outlook to get further trouble out of it via e-mail.

Thus, an attacker can carry out a complete and very lucrative cyber attack just by logging into webmail. No malware needed, no hacking skills, just log in and go.

DBIR2023: Pretexting, CEO-Fraude & BEC

A little further in the context of social engineering:

Here you see a clear advance of what is called “Pretexting”. The point here is that the attacker has gained knowledge about the victim and uses that knowledge to apply deception. This is the case, for example, when we talk about CEO Fraud in the Netherlands. In the US this is all called “Business Email Compromise” and all boils down to the same thing.

DBIR2023: The Actor is External

Speaking of regional differences, it is interesting that DBIR determines over the entire dataset that in 85% of the cases the actor is an external actor. But in our region (EMEA) this is the picture:

In other words, mainly external actors that we should be concerned about. This then differs per sector, with obvious sectors having more to do with internal espionage. Think of Public Administration (government) and Oil&Gas.


The composite conclusion I get from CSBN and DBIR is that organizations are (still) mainly victimized via leaked credentials and email and that they can almost always prevent data breaches by implementing basic measures. And the basic measure that fits leaked credentials is Multi-Factor Authentication (MFA).

Earlier we recorded an Attic LIVE session about MFA. Because E-mail, pretexting, CEO Fraud and BEC are now also made so important, we are going to zoom in on the same kind of Attic LIVE session. To answer the question: which settings can you optimize in Microsoft365 to be better protected against CEO Fraud and Phishing.

Join Attic LIVE on Tuesday, July 11 at 2:00 PM:



Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.