The Verizon Business 2020 Data Breach Investigations Report (2020 DBIR) shows that financial gain remains the key driver for cybercrime, with nearly nine in 10 (86 percent) of the breaches investigated being financially driven. The vast majority of breaches continue to be caused by external actors - 70 percent - with organized crime accounting for 55 percent of these. Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67 percent), and specifically:
- 37 percent of credential theft breaches used stolen or weak credentials.
- 25 percent involved phishing.
- Human error accounted for 22 percent as well.
The 2020 DBIR also highlighted a year-over-year two-fold increase in web application breaches, to 43 percent, and stolen credentials were used in more than 80 percent of these cases - a worrying trend as business-critical workflows continue to move to the cloud. Ransomware also saw a slight increase, found in 27 percent of malware incidents (compared to 24 percent in the 2019 DBIR); 18 percent of organizations reported blocking at least one piece of ransomware last year.
"As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount," said Tami Erwin, CEO, Verizon Business. "In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious."
Common patterns offer a Defender Advantage
The 2020 DBIR has re-emphasized the common patterns found within cyber-attack journeys, enabling organizations to determine the bad actors’ destination while they are in progress. Linked to the order of threat actions (e.g. Error, Malware, Physical, Hacking), these breach pathways can help predict the eventual breach target, enabling attacks to be stopped in their tracks. Organizations are therefore able to gain a “Defender’s Advantage” and better understand where to focus their security defenses.
Smaller businesses are not immune
The growing number of small and medium-sized businesses using cloud- and web-based applications and tools has made them prime targets for cyber-attackers. 2020 DBIR findings show that:
- Phishing is the biggest threat for small organizations, accounting for over 30 percent of breaches. This is followed by the use of stolen credentials (27 percent) and password dumpers (16 percent).
- Attackers targeted credentials, personal data and other internal business-related data such as medical records, internal secrets or payment information.
- Over 20 percent of attacks were against web applications, and involved the use of stolen credentials.
Industries under the cyber-spotlight
The 2020 DBIR now includes detailed analysis of 16 industries, and shows that, while security remains a challenge across the board, there are significant differences across verticals. For example, in Manufacturing, 23 percent of malware incidents involved ransomware, compared to 61 percent in the Public Sector and 80 percent in educational services. Errors accounted for 33 percent of Public Sector breaches - but only 12 percent of Manufacturing. Further highlights include:
- Manufacturing: External actors leveraging malware (such as password dumpers, app data capturers and downloaders) to obtain proprietary data for financial gain account for 29 percent of Manufacturing breaches.
- Retail: 99 percent of incidents were financially-motivated, with payment data and personal credentials continuing to be prized. Web applications, rather than Point of Sale (POS) devices, are now the main cause of Retail breaches.
- Financial and Insurance: 30 percent of breaches here were caused by web application attacks, primarily driven by external actors using stolen credentials to get access to sensitive data stored in the cloud. The move to online services is a key factor.
- Educational Services: Ransomware attacks doubled this year, accounting for approximately 80 percent of malware attacks vs. last year’s 45 percent, and social engineering accounted for 27 percent of incidents.
- Healthcare: Basic human error accounted for 31 percent of Healthcare breaches, with external breaches at 51 percent (up from 42 percent in the 2019 DBIR), slightly more common than insiders at 48 percent (59 percent last year). This vertical remains the industry with the highest number of internal bad actors, due to greater access to credentials.
- Public Sector: Ransomware accounted for 61 percent of malware-based incidents. 33 percent of breaches are accidents caused by insiders. However, organizations have got much better at identifying breaches: only 6 percent lay undiscovered for a year compared with 47 percent previously, linked to legislative reporting requirements.
Regional trends
The 81 contributors involved with the 2020 DBIR have provided the report with specific insights into regional cyber-trends highlighting key similarities and differences between them. For example, financially-motivated breaches in general accounted for 91 percent of cases in Northern America, compared to 70 percent in Europe, Middle East and Africa and 63 percent in Asia Pacific. Other key findings include:
- Northern America: The technique most commonly leveraged was stolen credentials, accounting for over 79 percent of hacking breaches; 33 percent of breaches were associated with either phishing or pretexting.
- Europe, Middle East and Africa (EMEA): Denial of Service (DoS) attacks accounted for over 80 percent of malware incidents; 40 percent of breaches targeted web applications, using a combination of hacking techniques that leverage either stolen credentials or known vulnerabilities. Finally, 14 percent of breaches were associated with cyber-espionage.
- Asia Pacific (APAC): 63 percent of breaches were financially-motivated, and phishing attacks are also high, at over 28 percent.
Alex Pinto, Lead Author of the Verizon Business Data Breach Investigations Report, comments: “Security headlines often talk about spying, or grudge attacks, as a key driver for cyber-crime - our data shows that is not the case. Financial gain continues to drive organized crime to exploit system vulnerabilities or human error. The good news is that there is a lot that organizations can do to protect themselves, including the ability to track common patterns within cyber-attack journeys - a security game changer - that puts control back into the hands of organizations around the globe.”
Joseph Carson, chief security scientist and Advisory CISO at Thycotic, says, "The latest Verizon Data Breach Investigations Report (DBIR) 2020 should be seen as an infosec success as cybersecurity is increasing in priority for many organizations around the world. This report is an indication of the hard work that CISOs have been doing and security professionals who have been working hard to defend organizations from the continuous cyberattacks without sleep or taking vacations."
"The DBIR highlights a decline in malware which is not a surprise, though the latest ransomware techniques were not included as this would change them to being a data breach, rather than an incident, since the latest ransomware is now stealing data prior to encrypting it and becoming more of a data disclosure issue. Ransomware, however, will continue to be the biggest threat in the future, not only for companies, but celebrities, governments and others," says Carson. "Another note that was interesting was the increase in cloud data breaches which now represent 24 percent of the breaches with 70 percent impacting on-premises. Though, out of those cloud breaches, 77 percent involved breached credentials. This to me is an indicator that we must move away from allowing humans to select and create passwords. This requires a move to password managers, multi-factor authentication (MFA) and strong privileged access security. The less we allow humans to create passwords, the less likely it is for an attacker to steal and abuse them."
"More good news is that the dwell time, at least for some, is getting shorter, even to days, which is attributed to companies using Managed Security Services Providers (MSSP). This shows that getting more experts involved in your infrastructure can lead to quicker detection of malicious attackers," Carson adds. "Email continues to be the top delivery method and office attachments again the top payload, with web applications, desktops/laptops and email being the top target assets. However, success in cyber awareness and security culture shows users are clicking less on bad stuff, which shows users are becoming more aware and suspicious."
"One major area that continues to be a struggle for most organizations is that stolen credentials brute force against web applications continues to be a successful technique. This is an area that must improve and companies need to consider the principle of least privilege not just for endpoints but for everything including cloud and software-as-a-service (SaaS) applications. A strong privileged access security strategy and MFA is essential and should be a mandatory part of a company’s security strategy. As always great work to the Verizon DBIR team and supporting companies," notes Carson.
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, says the prominence and continued use of stolen credentials indicates that there is still work to be done to prevent breaches. One thing that strikes him about this year's Verizon DBIR report is that the data set is pre-pandemic, he adds. "The 'current state of security' is dramatically different today than it was two months ago. I'm very interested to see how the new remote working paradigm impacts next year's report. It is crucial to understand the data set and limitations for any reporting. The fact that the DBIR's primary analytical data focus is from the 2019 caseload doesn't devalue the report; there are still many year-over-year trends that are useful for defenders. Also, the DBIR should serve as one of many data points in your risk management strategy, which should be complemented by an organization's own internal incident and breach reporting."
Chris Morales, head of security analytics at Vectra, says, "What I think the Verizon DBIR demonstrates is who is targeting what industry and what they are doing. Attribution is interesting in the sense it paints a picture of who is behind a breach and what they do. The motives behind an attack tend to be consistent for each industry as does the risk and data in those industries."
"Yet, what happened last year will only paint a partial picture of the tools, tactics and procedures being implemented now in what is a dramatically shifted threat landscape over the last few months. A threat landscape that might be more permanent than temporary," Morales adds. "For example, an increase in the use of SaaS like Office 365 and Zoom for intrusion and lateral movement techniques. The higher obfuscation of command and control and data exfiltration in companies that previously would never allow remote work-from-home."
Shahrokh Shahidzadeh, CEO at Acceptto, notes that the top actions for breaches remain credentials, misconfiguration and phishing. "Credentials are still the favorite attack surface, and within the past three years, range fluctuates between 75-81 percent. The reduction in malware is just aligned with the previous year’s trend and is a function of the risk balloon getting squeezed as alternative attacks reward balance out. Besides, if you think about January 2020 alone, and weigh in the key breaches reported during the first month of 2020, then you will realize the shift is insignificant."
Shahidzadeh adds, "These reports are usually a trailing indicator given a significant number of breaches that occurred in 2019 simply have not been discovered yet. And yes, understanding the threat balloon risk and the associated financial motivation is how we deal with risk management. That said, any <6 percent reduction is simply noise."