Verizon's Data Breach Investigations Report (DBIR) turns 12 this year. The 2019 report analyzes 41,686 security incidents, of which more than 2,000 were confirmed data breaches, submitted by 73 data sources spanning 86 countries and analyzed by Verizon security experts.
What I find staggering is that despite the $100+ billion spent on cybersecurity across some 2,000 cybersecurity vendors and millions of practitioners, the needle hardly moves in terms of reducing incidents and confirmed breaches. In fact, as this year's report illustrates, cybercrime and data breaches are increasing in frequency.
With 71% of hacking breaches involving a stolen, weak, or guessable password, I am surprised that multi-factor authentication, and YubiKey-type USB hardware tokens for access to administrative credentials in particular, are not mandated across industries.
The DBIR is required reading for cybersecurity professionals in all roles as it contains a complete overview of the threat landscape, modes of attack, industry impact and points to key effective remedial activities to reduce the risk of becoming an entrant in the 2020 compendium.
The same nine incident classification patterns first identified in the 2014 report are still present. This year's report additionally examines financially-motivated social engineering: credential theft and duping people into transferring money into adversary-controlled accounts. Several areas of research using non-incident data sets, such as malware blocks, results of phishing training, and vulnerability scanning, are also utilized.
Leveraging, and sometimes combining, disparate data sources (like honeypots and internet scan research) allows for additional data-driven context.
“The purpose of this study is not to rub salt in the wounds of data breach victims or information security, but to contribute to the “light” that raises awareness and provides the ability to learn from the past.”
The data comes from confirmed incidents and breaches investigated by Verizon and its contributing partners and is, therefore, one of the most valuable sources of insight into the modes, methods, and consequences of cyberattacks. Key findings:
- 69% of confirmed breaches were perpetrated by outsiders, with organized criminal groups behind 39% of breaches and state-affiliated actors behind 23%.
- 52% of breaches featured hacking, 32% social engineering and 28% malware (much of it delivered as malicious email attachments).
- 71% of hacking breaches involved a stolen, weak, or guessable password.
- 71% of breaches were financially motivated, while 25% were related to espionage.
- Financial organizations were the most affected, at 24% of all attacks, followed by healthcare (15%), retail and accommodation (15%) and the public sector (12%).
- Data from millions of malware detonations shows that the median company received over 90% of its detected malware by email.
- Phishing remains a favorite sport for cybercriminals, but there is some cause for hope: combined click rates from multiple security awareness vendors are going down and now stand at 3%, with 18% of clicks in the sanctioned phishing data attributed to mobile devices.
Threat Patterns for 2019
98.5% of security incidents and 88% of data breaches continue to fall within one of the original nine patterns.
Crimeware: All instances involving malware that did not fit into a more specific pattern. The majority of incidents that comprise this pattern are opportunistic in nature and are financially motivated. Notable findings: Command and control (C2) is the most common functionality (47%) in incidents, followed by Ransomware (28%).
Cyber-Espionage: Incidents in this pattern include unauthorized network or system access linked to state-affiliated actors and/or exhibiting the motive of espionage. Notable findings: Threat actors attributed to state-affiliated groups or nation-states combine to make up 96% of breaches, with former employees, competitors, and organized criminal groups representing the rest. Phishing was present in 78% of Cyber-Espionage incidents and the installation and use of backdoors and/or C2 malware were found in over 87% of incidents. Breaches involving internal actors are categorized in the Insider and Privilege Misuse pattern.
Denial of Service: Any attack intended to compromise the availability of networks and systems. This includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service. Notable findings: This pattern is based on the specific hacking action variety of DoS. The victims in the data set are large organizations over 99 percent of the time.
Insider and Privilege Misuse: All incidents tagged with the action category of Misuse (any unapproved or malicious use of organizational resources) fall within this pattern. Notable findings: This is mainly insider misuse, but former and collusive employees, as well as partners, are present in the data set.
Miscellaneous Errors: Incidents in which unintentional actions directly compromised a security attribute of an asset. Notable findings: Mis-delivery of sensitive data, publishing data to unintended audiences, and misconfigured servers account for 85% of this pattern.
Payment Card Skimmers: All incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card. Notable findings: Physical tampering of ATMs and gas pumps has decreased from last year. This may be attributable to EMV and disruption of card-present fraud capabilities.
Point of Sale Intrusions: Remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are targeted assets. Physical tampering of PIN entry device (PED) pads or swapping out devices is covered in the Payment Card Skimmers section. Notable findings: The Accommodation industry is still the most common victim within this pattern, although breaches were less common this year.
Physical Theft and Loss: Any incident where an information asset went missing, whether through misplacement or malice. Notable findings: The top two assets found in Physical Theft and Loss breaches are paper documents and laptops. When recorded, the most common location of theft was at the victim work area, or from employee-owned vehicles.
Web Application Attacks: Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. Notable findings: Over one-half of breaches in this pattern are associated with unauthorized access of cloud-based email servers.
“It goes without saying that not being compromised in the first place is the most desirable scenario in which to find oneself. Therefore, a focus on understanding what data types you possess that are likely to be targeted, along with the correct application of controls to make that data more difficult (even with an initial device compromise) to access and exfiltrate is vital.”
The 2019 DBIR is an essential read for organizational leaders, cybersecurity practitioners, and security industry professionals, and it continues to help organizations understand the threats they face. A clear understanding of threats and attack modes by industry enables sound, evidence-based risk management decisions to mitigate risk and avoid becoming a statistic in the 2020 edition.
Download the report here: https://enterprise.verizon.com/resources/reports/dbir/?2019