Verizon has today published its yearly report on business data breach investigations. Key stats included:

  • 86 percent of data breaches were for financial gain – up from 71 percent in 2019
  • Cloud-based data under attack – web application attacks double to 43 percent
  • 67 percent of breaches caused by credential theft, errors and social attacks
  • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime
  • On-going patching successful – fewer than 1 in 20 breaches exploit vulnerabilities
  • Report analyzes 32,002 security incidents and 3,950 confirmed breaches from 81 contributors in 81 countries

18 Expert Comments
Paul Bischoff, Privacy Advocate
May 19, 2020 7:08 am

The report dispels many commonly held misconceptions about how and why data breaches happen. Many breaches and data incidents are easily preventable.

Most breaches are perpetrated by organised crime and are financially motivated, not by internal sources. Hacking through the use of stolen credentials, phishing, and errors top the list of actions that lead to breaches.

Web applications are the most common hacking vector through which criminals obtain stolen credentials.

Although ransomware often makes the news, password dumpers that steal hashed passwords which can then be brute-forced are the most common type of malware that leads to data breaches. Malware, in general, is on the decline when it comes to data breaches.

Mark Bower, Senior Vice President
May 19, 2020 7:13 am

The report shows the Great Digital Train Robbery is alive and well. External, multi-faceted and industrialized hacking continues to pepper large enterprises at 72% of overall victims. It’s no surprise that web application patterns, around 45% of attacks, expose technology services firms, retail, financial and insurance services and professional services most to compromise. They are the highest aggregators of highly sensitive data with substantial 3rd party data sharing risk.

Personal data theft is trending up, now 49% of retail breaches, overtaking payment data at 47%, putting privacy regulation risk high on the compliance agenda. 70% of breaches were from external actors, insiders 30%, and humans left doors open in 22% of cases. In a world quickly moving to post-covid cloud IT, now 24% of investigated breaches, enterprises have no choice but to modernise data security strategies to neutralize data from attack or become a victim.

The numbers don’t lie – the barrier between attackers and valuable sensitive data can be broken, enabling rapid data theft and abuse unless the real data has no value in the attacker’s hands. Industries that progressively shielded data with contemporary security measures like data tokenization and encryption showed a strong decline in breach impact (POS attack incidents trended close to zero), but attackers followed the path of least resistance – to online compromise opportunities – now 50% of retail breaches.

Eoin Keary, CEO and Cofounder
May 19, 2020 7:16 am

Contributing to the Verizon DBiR helps us as an industry move the dial in a positive direction. We can’t improve what we can’t see.

The idea of “the great and good” in the industry contributing together provides a realistic snapshot of what matters in cybersecurity today. I’m very proud of and grateful to the folks in VDBiR for all their hard work.

Chad Anderson, Research Engineer
May 19, 2020 7:18 am

This report further goes to show that attackers do not have to be sophisticated to be effective. We see that only 45% of all breaches in this report involved some kind of traditional hacking and only 4% of the breaches in total had more than four attacker actions. Simple, low-hanging fruit for financial gain continues to dominate this space and shows where so much of our security posture can be improved with user education and basic, industry-standard security practices.

Phishing and trojans are down and ransomware is up as Ransomware-as-a-Service (RaaS) groups like REvil are on the rise. Lots of work has gone into spotting phishing domains early with machine learning algorithms and endpoint detection is improving all the time. This makes sense as most of the breaches featured in this report focus on financially motivated organized crime groups. RaaS pays, especially in this COVID-era where attackers are targeting hospitals and essential businesses that may not have the time to turn around and properly rebuild their infrastructure after key data and parts have been compromised.

Errors — mostly misconfigurations of resources — continue to be on the rise as more and more data sets are left openly exposed. This year alone we have already seen massive Elasticsearch instances and MongoDB databases that were left open and exposed, dumped, and then sold on cybercrime forums. The accessibility to cloud infrastructure and the complexity around securing it will continue to have people leaving their data on wide-open S3 buckets for all the world to scrape.

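The two misconfigurations named in the comment above, an object-storage bucket readable by anyone and a search node listening on every interface with no authentication, are the kind of thing a vulnerability scanner does not report but a short policy check does. The following is an added example, not code from the commenter, Verizon or any vendor: it inspects an S3-style bucket policy for anonymous read or list grants and an elasticsearch.yml fragment for a public bind without security enabled. The policy documents, account ID, bucket name and config text are all constructed for the example; the assumed default for `xpack.security.enabled` is stated in the code.

```python
import json

# Constructed sample bucket policy (hypothetical account and bucket names):
# anyone on the internet may list the bucket and read every object.
OPEN_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
    }],
})

# Constructed sample policy that grants the same read to one role only.
SCOPED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-data/*",
    }],
})

# Constructed elasticsearch.yml fragment: bound to every interface, no auth.
OPEN_ES_CONFIG = """\
cluster.name: logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Actions that hand data to whoever holds the principal.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _is_public_principal(principal):
    """True when the Principal element covers every caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json):
    """Return the Allow statements that let an anonymous caller read or list.

    Statements carrying a Condition block are returned too, marked
    conditioned=True: a condition such as aws:SourceIp may narrow access,
    but that deserves a human look rather than a silent pass.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_public_principal(st.get("Principal")):
            continue
        risky = [a for a in _as_list(st.get("Action")) if a.lower() in READ_ACTIONS]
        if risky:
            findings.append({"actions": risky, "conditioned": "Condition" in st})
    return findings


def elasticsearch_exposed(config_text):
    """True when the node listens on a non-loopback address with security off.

    Only flat 'key: value' lines are parsed, which is how elasticsearch.yml is
    usually written. A missing xpack.security.enabled is treated as disabled
    (assumption: matches the 7.x basic-licence default; 8.x enables it itself).
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    host = settings.get("network.host", "_local_")
    loopback = {"_local_", "127.0.0.1", "localhost", "::1"}
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    return host not in loopback and not auth_on
```

Policies for a real account can be pulled with `aws s3api get-bucket-policy --bucket NAME` and fed to `public_read_statements`; the account-level S3 Block Public Access setting remains the stronger control, and this check complements rather than replaces it.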
Tim Erlin, VP of Product Management and Strategy
May 19, 2020 7:21 am

We often think of ransomware as a breach, but the DBIR categorizes most ransomware activity as an incident because while you may have lost access to the data, the attacker hasn’t actually stolen it. While that may give you some comfort, it doesn’t mean that a ransomware incident is materially less impactful to the security folks who have to deal with it.

The fact that “misconfiguration” is in the top five action varieties for breaches is an important acknowledgment that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities.

At a high level, the key things for every organisation to worry about are brute force and stolen credentials, and web applications.

It’s tempting to downplay vulnerability management based on this data, but the details show that, by and large, the organizations that are doing it reasonably well are safer, and the organizations that aren’t are very, very vulnerable. One key lesson, though, is that an organization can do both. The old adage “you can’t protect what you don’t know about” is true for vulnerability management. Asset management is a prerequisite for vulnerability management.

If you want to protect yourself from the most common breaches, protect your web servers, your workstations and your mail infrastructure.

Cloud assets are still a minority of targets, at 24% compared to on-premise’s 70%. Why change tactics if they’re working? The cloud has a learning curve for criminals as well as enterprises.

One important lesson to take from the DBIR is that a compromise is often made up of multiple attacks, and so, as a defender, you have multiple opportunities to stop the attacker. The concept of ‘defense in depth’ is applicable here. The data provided about how the multiple steps in a compromise occur is vital. Malware is rarely the first step, and so if you catch malware in your environment, you have to look for what came before that. Hacking is much harder to deal with because it plays a role in the beginning, middle and end stages of a breach.

The industry analysis provided by the DBIR is invaluable. Being able to see which assets, actions, and patterns are most relevant for your industry allows you to take much more decisive action as a defender. For example, Manufacturing should be more concerned about crimeware, introduced through malware and social engineering, than any other industry. If you’re in healthcare, errors figure much more prominently in your threat model than other industries.

The inclusion of the CIS controls, after a hiatus, is a good addition for defenders. CIS is well-respected in the industry, and the controls provide enough information to be actionable but avoid being overwhelming at the same time.

Richard Bejlich, Principal Security Strategist
May 19, 2020 7:23 am

The DBIR offers a lot of information for security professionals to digest. One way to use it is to understand how your industry is represented, see the sorts of actors and events that affect your industry, and be sure your organization’s risk model and countermeasures mitigate the concerns reported by the DBIR.

Satnam Narang, Senior Research Engineer
May 19, 2020 7:27 am

The findings in the Data Breach Investigations Report (DBIR) 2020 show that while attack vectors may fluctuate over time, cybercriminals often set their sights on low-hanging fruit. Zero-days may garner most of the attention, but foundational cyber hygiene issues enable most breaches. The motivation for cybercriminals is primarily financial. As the Cybersecurity and Infrastructure Security Agency (CISA) recently underscored in a report about the top 10 routinely exploited vulnerabilities, cybercriminals focus their efforts on exploiting unpatched vulnerabilities. It’s a cost-effective measure that provides the most bang for the buck, because they don’t have to spend the capital needed to acquire zero-day vulnerabilities when there are so many unpatched systems to take advantage of. As the DBIR notes, even if a newly-discovered vulnerability wasn’t patched in a network, those same systems would likely also be vulnerable to a plethora of other vulnerabilities, which signifies a lack of basic cyber hygiene.

Ransomware increased by 2.6% from last year, landing at number three in the most common Malware breach variety, while also taking the number two spot for most common malware incident variety, according to the DBIR. What’s changed in that time is that ransomware isn’t solely devoted to encrypting files anymore. Cybercriminals have escalated their attacks to another level, siphoning off sensitive information from organizations whose files they’ve encrypted. These cybercriminals threaten to publish this sensitive information publicly, often publicly sharing a teaser of files from organizations they’ve compromised. The belief is that naming and shaming these victims would encourage them to pay the ransom demand, and in many cases, that’s proven to be true.

Another notable finding is that 43% of breaches involved web applications. This is often fueled by the exploitation of some of the most common vulnerabilities, such as SQL injection or PHP injection flaws. As more and more businesses have migrated to the cloud, their attack surface increases, especially with respect to web applications. The DBIR notes that web applications along with email application servers were involved in 73% of cloud breaches, while most of those were the result of breached credentials.

Jayant Shukla, CTO and co-founder
May 19, 2020 9:01 am

The 2020 Verizon Breach Incident Report has a lot of good information, and reminds us that checking for malware on systems isn’t enough, as attacks via malware have decreased to only 6.5% of attacks and incidents (down from the peak near 50% in 2016).

It’s a good reminder that organizations need to have security in place for phishing, preventing credential theft, and to protect web applications that continue to have vulnerabilities that can be exploited.

The other big takeaway for organizations is that misconfiguration errors were a big gainer this year (called the best supporting action in the report). We often see at customer sites that a known vulnerability was patched incorrectly or left unpatched, leaving them vulnerable, and standard tools like WAF and EDR didn’t detect attacks on that vulnerability.

Shahrokh Shahidzadeh
May 19, 2020 4:08 pm

The 2020 edition of the Verizon DBIR highlights the top actions for breaches, which continue to be credentials, misconfiguration and phishing. Credentials are still the favorite attack surface, and within the past three years, range fluctuates between 75%-81%.

A reduction in malware is aligned with the previous year’s trend and is a function of the risk balloon getting squeezed as alternative attacks reward balance out. If you think about this January alone, and weigh in the key breaches reported during the first month of the year, then you will understand that the shift is insignificant.

These reports are usually a trailing indicator given a significant number of breaches that occurred in 2019 simply have not been discovered yet. Understanding the threat balloon risk and the associated financial motivation is how we deal with risk management.

With that being said, any <6% reduction is simply noise.

Murali Palanisamy, Chief Solutions Officer
May 19, 2020 11:39 pm

Drilling down into Verizon’s 2020 version of the DBIR tells us two things: One, the number of incidents and data breaches is snowballing year-on-year, confirming the trend that digital transformation will result in threat vectors compounding and growing in number. And two, hacking for financial gain has taken precedence over malware and other low-impact techniques as the primary motivator for malicious actors.

The need for heightened security infrastructures for all systems (internal, external, critical, and peripheral) notwithstanding, there are simply too many endpoints today to be protected individually by security teams — given that hackers are actively gunning to exploit even the tiniest weak link in the system. Automation of security systems is the name of the game here, which will not only reduce the manual effort involved (which eliminates human error), but also allow for enterprises to scale security along with business growth at every level, without having to expend time and effort on implementing it from scratch when it is needed — scalability is the most important buzzword in high growth ecosystems in this day and age.

Another point of note is that the report adds several new industries to its breach analysis, reinforcing the fact that firms across every vertical are being targeted/succumbing to cybersecurity threats — now is the time to reinforce our cloud- and internet-connected systems with robust protection, detection, and recovery systems. Every industry in the world is now under the threat radar and even the slightest complacence will be akin to painting a target on oneself.

Saryu Nayyar, CEO
May 19, 2020 11:49 pm

Looking at these results, we see that organized crime is the top actor, credential theft remains a top threat, and financially motivated breaches are most common. Criminal enterprises are stealing credentials instead of using extortion for financial gain. Between phishing, social engineering, and a broad range of hacks, it’s easy for thieves to get someone’s credentials and access a system as them. But it’s radically more difficult to act like them once they’re inside.

Machine learning-based security analytics immediately detects compromised accounts because the behavior deviation is so telling. Verizon cites the growing role of organized crime. While revenge may be a dish that’s best served cold, machine learning makes detection a dish that can be served piping hot as it’s immediately effective.

Casey Ellis, CTO and Founder
May 20, 2020 9:06 am

The 2020 Verizon Data Breach Investigations Report (DBIR) is a yearly staple for the security industry, and this year’s report is no exception. According to the report, 43% of breaches were attacks on web applications, more than doubling the results from last year. Organizations need to understand the importance of knowing their infrastructure because web applications provide easy entry points for cybercriminals. Web applications are what we interact with as users, but it’s more than that: The technologies and infrastructure which powers the businesses we rely on are ever increasingly built on top of web technologies.

With cybercriminals utilizing hacking techniques to exploit web applications, whitehat hacking can be an advantageous way to mitigate exploits and improve organizations’ cyber postures. 70% of breaches involve hacking; the same philosophy can be applied to defending organizations by implementing crowdsourced security. Whitehat hackers think like our adversaries, but want to do good, helping organizations find vulnerabilities before the bad guys do. Web application vulnerabilities have always been the top submitted vulnerabilities (90%) across our programs and correspondingly account for the highest percentage of overall rewards paid.

Martin Jartelius, CSO
May 20, 2020 9:58 am

It is interesting to note that 45% of breaches occur due to hacking, and 22% went via targeting a user or employee. The attackers then on average need fewer than 4 further steps in 90% of the attacks, but most do indeed require more than a single step.

This shows clearly that defence in depth is just as important as ever.

The study shows that vulnerability management of internet facing systems is successful in most organizations, but that for those who do not address this, it is an attractive venue of attack.

Half of organizations have less than 1% of their internet facing systems with an exposed vulnerability, 90% of organizations have less than 10% of their hosts exposing a known vulnerability.

43% of all the recorded breaches involved web applications. But when we look at hacking, the numbers get really interesting, where we see that 90% of hacking targets web applications.

Most breaches are started via hacking, secondly via social engineering, the end phase is often malware implants. So as more and more functionality and data have shifted to web applications, so have the attacks. This is now a key piece of the vulnerability management undertaking of organizations, managing application vulnerabilities and risks.

Niamh Muldoon, Senior Director of Trust and Security EMEA
May 20, 2020 10:04 am

37% of breaches stole or used credentials, which highlights the need for businesses and organizations to provide their end-users with a secure mechanism for accessing systems and data that doesn’t rely on passwords alone. With more and more of our lives becoming digital, securing and protecting our digital identity and lives will come more into focus. Businesses and organizations who demonstrate good security practices to their end-users will retain a distinct advantage. Secure access control to data and systems is fundamental to building this end-user trust.

Kowsik Guruswamy, Chief Technology Officer
May 21, 2020 11:52 am

No matter what the industry does, attackers seem to be able to stay one step ahead. Attackers appear to be utilizing the same methods with a varying mix depending on what defenses are in place. One thing that is clear is that the industry has not solved the phishing problem, as it remains the top attack vector. It seems that no amount of AI or detection algorithms are able to combat a well-written email that is delivered to a user on a topic that is of interest.

With the current remote worker situation and ever expanding use of SaaS and mobile devices, the attack surface continues to expand, and this makes it increasingly difficult to stem the tide of breaches. We predict that the scale of breaches will only increase in 2020 as attackers take advantage of this situation. It’s likely to be one of the worst years we have seen in a long time.

Olivier Gaudin, CEO and Founder
May 21, 2020 3:41 pm

The findings from the Verizon report demonstrate that, as an industry, we are spending more time reacting to threats rather than proactively taking steps to ensure assets are secure before they go to market. This is why it’s crucial to think about security as early as when developers are actually coding applications. The technology to provide Code Security feedback throughout software development workflows exists, and not only will it help organizations prevent future incidents, it will also grow their development team in caring about the security of their product. Developers get to learn and leverage secure coding practices, resulting in more secure applications delivered to end-users. This type of technology can already identify and eliminate the most commonly exploited web app vulnerabilities, according to Verizon’s report: SQL injection and PHP injection vulnerabilities.

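Both Satnam Narang’s and Olivier Gaudin’s comments single out SQL injection as the web application flaw most often behind the report’s 43% figure. The following is an added example, not code from either commenter, from Verizon or from any product: the same lookup written twice against an in-memory SQLite table, once by pasting the user-supplied value into the query string and once with a bound parameter, exercised with a constructed tautology payload and a constructed UNION payload that pulls the password hashes out through the vulnerable path. The table and its rows are made up for the example.

```python
import sqlite3

# Constructed payloads: the first turns the WHERE clause into a tautology,
# the second appends a query that returns every stored password hash.
TAUTOLOGY = "x' OR '1'='1"
DUMP_HASHES = "x' UNION SELECT username, password_hash FROM users --"


def make_db():
    """In-memory users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user"), ("carol", "h3", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String-built query: the username reaches the SQL parser as code.

    This is the 'before' form; it deliberately keeps the injection flaw.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the driver passes the value separately, so quotes,
    OR and UNION inside it are just characters to compare against."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username):
    """Run both forms on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()
```

The UNION payload is the shape of the "password dumper" outcome described earlier on this page: one injectable string parameter is enough to read a column the query was never meant to return. The parameterized form returns nothing for either payload because no account is literally named `x' OR '1'='1`.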
Patrick Spencer, Director
May 26, 2020 8:44 am

Web applications are a growing focus point for cyber criminals. Motivated by financial outcomes, they understand the value of the information exchanged and stored in web applications. The 2020 Verizon Data Breach Investigations Report (DBIR) confirms that this is the case: 43% of data breaches are tied to web application vulnerabilities—which more than doubled year over year. Legacy, outside-in DevOps security is failing, and a new approach is needed that takes an inside-out approach.

Kyle Hanslovan, Co-Founder & CEO
May 26, 2020 6:24 pm

While it’s a positive shift to see this year’s Verizon Data Breach Investigations Report (DBIR) reflect the security challenges of small businesses, there is much more work to be done to extrapolate major trends from more comprehensive SMB data. From our work with managed service providers (MSPs) who provide outsourced IT to hundreds of thousands of SMBs, we know that only 407 incidents in one year is startlingly low. In fact, in just the last week, we were informed of a single network attack on an MSP that compromised 15 different SMBs alone.

What’s also interesting is that the last year the DBIR report focused on small business trends was 2013 — the same year the Edward Snowden revelations came out. Since then, hacking has become more mainstream and enterprises have begun to take security more seriously. However, SMBs have not made similar strides in their security posture, which is alarming considering the growing threat of criminal marketplaces targeting these businesses.

Similarly, with espionage accounting for 8% of small business motives versus 14% for large enterprises, our experience suggests that these attacks are likely against defense contractors, of which many fall under the 1,000 employee threshold. In fact, the latest Cybersecurity Maturity Model Certification (CMMC) requirements released earlier this year further underscore this persistent issue. We have reviewed evidence of nation state actors leveraging MSPs to swim upstream in order to gain access into well-established defense contractors to obtain federal data.

According to the DBIR report, brute force attacks account for approximately 8 percent of top breach types within large enterprises, while making up 34 percent for small businesses. We have also seen brute force attacks plague hundreds of businesses by reusing usernames and passwords disclosed in unrelated breaches in an attempt to hack into a system. Although this attack method has been around for quite some time, its effectiveness is higher with smaller businesses because of the prevalence of misconfigured security policies and low adoption of multi-factor authentication, a symptom of an even bigger problem — a shortage of cybersecurity talent.

However, we know firsthand these types of attacks are even more prevalent within SMBs than the DBIR indicates. For example, adopting and enforcing a least privilege policy among SMBs is one of the largest challenges as they try to balance productivity with security while growing their business. This creates ripe environments for privilege escalation and lateral movement within the network that leads to capturing stored data or credential theft.

There is also a common misconception that enterprises need to be most wary of phishing attacks. This often holds true for larger enterprises that have stronger security configurations, prompting hackers to resort to phishing knowing that humans tend to be the weakest link. However, the same cannot be said for SMBs. We generally see a wider distribution of attacks within SMBs because there are more low-hanging attack surfaces and weaker links to target, such as misconfigured or unpatched systems. With the growing target on SMBs’ backs, it is more important than ever to employ an MSP to protect company data and assets.

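Kyle Hanslovan’s comment separates two credential attacks that look alike in a login log: classic brute force (many guesses against one account) and password reuse from unrelated breaches (one leaked pair tried against each of many accounts), and Niamh Muldoon’s and Saryu Nayyar’s comments make the same point from the access-control and detection side. The following is an added example, not from any of the commenters, Verizon or a product: a detector that groups sshd-style "Failed/Accepted password" lines by source address inside a sliding window and labels the burst as brute force, credential stuffing, or a success that followed a failure burst. The log lines, addresses and account names are constructed for the example; the thresholds are illustrative and would be tuned per environment.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log-style lines (RFC 5737 test addresses, made-up users).
def _line(ts, status, user, ip, port):
    return f"May 19 {ts} host sshd[1]: {status} password for {user} from {ip} port {port} ssh2"

SAMPLE_LOG = (
    # one account, twelve guesses in twelve seconds: brute force
    [_line(f"07:00:{i:02d}", "Failed", "invalid user admin", "203.0.113.7", 4000 + i)
     for i in range(12)]
    # eight accounts, one guess each, then a success: credential stuffing
    + [_line(f"07:01:{i:02d}", "Failed", user, "198.51.100.9", 5000 + i)
       for i, user in enumerate(["alice", "bob", "carol", "dave",
                                 "erin", "frank", "grace", "heidi"])]
    + [_line("07:01:09", "Accepted", "carol", "198.51.100.9", 5009)]
    # one typo then a login: ordinary user, no alert expected
    + [_line("07:05:00", "Failed", "dave", "192.0.2.5", 6001),
       _line("07:05:30", "Accepted", "dave", "192.0.2.5", 6002)]
)

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_line(line):
    """Return {ts, ok, user, ip} for a password-auth line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
        "ok": m["status"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_credential_attacks(lines, window=timedelta(minutes=5),
                              brute_threshold=10, stuffing_threshold=5):
    """Classify per-source-IP login activity inside a sliding time window.

    brute force:                 >= brute_threshold failures against <= 2 accounts
    credential stuffing:         >= stuffing_threshold distinct accounts, each
                                 failed at most twice (one leaked pair per account)
    success after failure burst: an Accepted login from an address that already
                                 has >= stuffing_threshold failures in the window
    One alert per (ip, kind) is emitted, the first time the condition holds.
    """
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_auth_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent, raised = deque(), set()
        for event in events:
            recent.append(event)
            while event["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            failures = [e for e in recent if not e["ok"]]
            per_user = Counter(e["user"] for e in failures)
            kind = None
            if event["ok"] and len(failures) >= stuffing_threshold:
                kind = "success after failure burst"
            elif len(failures) >= brute_threshold and len(per_user) <= 2:
                kind = "brute force"
            elif len(per_user) >= stuffing_threshold and max(per_user.values()) <= 2:
                kind = "credential stuffing"
            if kind and (ip, kind) not in raised:
                raised.add((ip, kind))
                alerts.append({"ip": ip, "kind": kind, "failures": len(failures),
                               "accounts": len(per_user), "user": event["user"]})
    return alerts
```

The third alert kind is the one worth paging on: an Accepted login from an address that was just spraying leaked pairs means one of those pairs still works, which is exactly the password-reuse outcome the comment describes and the case multi-factor authentication is there to stop.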