Verizon’s 2020 Data Breach Investigation Report (DBIR) is out and, as usual, provides some of the richest data available. The data comes from a broad spectrum and a diverse population: 81 contributors (both government and non-government) representing 81 different countries. There is not a better source for analysis of data breaches and data incidents.
The DBIR analyzed 157,525 incidents, of which 32,000 met the DBIR quality standards. Of those, 3,900 were confirmed data breaches that met the quality bar set by the globally distributed participants.
Before we get started, let me clarify the difference between incidents and breaches. An incident is a security event that compromises the integrity, confidentiality, or availability of an information asset. A breach is an incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.
Now, let’s get to it. Here are my biggest takeaways from this year’s Verizon 2020 Data Breach Investigation Report.
Actors & Motives
External actors perpetrated 70% of breaches, and 55% of breaches involved organized criminal groups. The motives are primarily financial. In addition to organized crime, there are four other large groups behind incidents and breaches: Nation-state, Other (which the DBIR defines as an "aggregation of all the items that do not make the cut on our 'Top (whatever)' charts"), System admin, and End user.
What's interesting is that the top threat actions for incidents are denial of service, then phishing, then error. For confirmed breaches, the order is phishing, then use of stolen credentials, then other, then error. Phishing is still the social attack of choice at 96%.
The takeaway here is that the noisy, high-volume actions (denial of service and brute-force login attempts) show up as incidents, while phishing and stolen credentials are what actually turn into breaches. In all cases, the motives are mostly financial.
Brute Force & Stolen Credentials
Exploiting vulnerabilities is less than 20% of hacking-based breaches. Companies spend so much time and effort focusing on patching vulnerabilities, but the reality is that the bad guys are following an easier path: gaining access via valid accounts.
Hacking accounts for 45% of all breaches, and the top hacking techniques are brute force attacks and use of stolen credentials (together accounting for 80% of hacking breaches). Neither is sophisticated: brute force is just trying passwords until one works because the password is weak, and use of stolen credentials is logging in with a password the attacker already has from a phishing page or an earlier breach.
For example, an external actor phished you and got your Gmail password, but you use the same password for your bank account. Or the attackers find a treasure trove of passwords because your website was hacked by someone who knew what they were doing, extracted the user account database, and posted it on the dark web. Now your credentials are easily accessible and can be replayed against other sites and services (credential stuffing).
Bad actors get into those environments or platforms through web interfaces using your stolen credentials. When you log into your bank account, Office 365, or Gmail, you are using systems that are always on and always accessible from anywhere in the world. It's easy to see why using the same password for multiple applications, sites, and services sets you up to be a victim.
The data stand out because this type of hacking isn’t sophisticated. It’s akin to going down the street checking door handles to see which car is unlocked so you can boost it—it’s not complicated, but it is preventable.
The impact can be minimized by what Agio calls brilliance in the basics. What that means is that if organizations focus on the fundamentals, the blocking and tackling, they mitigate their risk as it relates to the top threat actions identified in the DBIR (phishing and stolen credentials). In this case, the basics are fundamental cybersecurity safeguards and controls such as multi-factor authentication (MFA) and password management. Because preventive measures aren't perfect, a detection and response program adds the defense-in-depth layer that catches what prevention misses.
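The detection side of that program has to be able to tell the two credential attacks apart, because the response differs: a brute-force run against one account calls for locking or stepping up that account, while a credential-stuffing run tells you which reused passwords already work and need resetting. The script below is an added example, not code from the DBIR or from Agio. It assumes a simple web login log format (timestamp, source IP, username, SUCCESS or FAIL) and builds a constructed sample log inline; the thresholds and window are illustrative.

```python
"""Spot brute-force and credential-stuffing patterns in web login logs.

Added example, not taken from the DBIR or from Agio. The log format is an
assumption: one space-separated line per login attempt,
    <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>
The sample log below is constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window for all counts (assumed)
BRUTE_FORCE_FAILS = 8            # failures against ONE account from ONE source
STUFFING_ACCOUNTS = 10           # distinct accounts tried from ONE source


def _build_sample_log():
    """Constructed log: normal traffic, a brute-force run, a stuffing run."""
    t0 = datetime(2020, 5, 20, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} 198.51.100.4 bob SUCCESS",
        f"{(t0 + timedelta(minutes=3)).isoformat()} 198.51.100.5 carol FAIL",
        f"{(t0 + timedelta(minutes=3, seconds=20)).isoformat()} 198.51.100.5 carol SUCCESS",
    ]
    # Brute force: 12 failures in a minute against 'alice', then a success.
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 192.0.2.9 alice FAIL")
    lines.append(f"{(t0 + timedelta(seconds=60)).isoformat()} 192.0.2.9 alice SUCCESS")
    # Credential stuffing: 14 accounts, one attempt each, two leaked pairs work.
    for i in range(1, 15):
        result = "SUCCESS" if i in (3, 11) else "FAIL"
        lines.append(f"{(t0 + timedelta(minutes=1, seconds=2 * i)).isoformat()} 203.0.113.7 user{i:02d} {result}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse(log_text):
    """Parse log lines into (timestamp, src, user, success) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e[0])


def _max_in_window(times, window=WINDOW):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events):
    """Return alerts for brute force (one account hammered from one source) and
    credential stuffing / password spraying (many accounts, about one try each)."""
    fails = defaultdict(list)                       # (src, user) -> fail times
    first_seen = defaultdict(dict)                  # src -> user -> first attempt
    tries = defaultdict(lambda: defaultdict(int))   # src -> user -> attempt count
    successes = defaultdict(set)                    # src -> users that logged in
    for ts, src, user, ok in events:
        first_seen[src].setdefault(user, ts)
        tries[src][user] += 1
        if ok:
            successes[src].add(user)
        else:
            fails[(src, user)].append(ts)

    alerts = []
    for (src, user), times in fails.items():
        n = _max_in_window(times)
        if n >= BRUTE_FORCE_FAILS:
            alerts.append({"type": "brute_force", "src": src, "user": user,
                           "failures": n, "compromised": user in successes[src]})
    for src, users in first_seen.items():
        n_accounts = _max_in_window(users.values())
        low_volume = max(tries[src].values()) <= 2   # roughly one try per account
        if n_accounts >= STUFFING_ACCOUNTS and low_volume:
            alerts.append({"type": "credential_stuffing", "src": src,
                           "accounts": n_accounts,
                           "successes": sorted(successes[src])})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Each alert carries what the responder needs first: whether the hammered account was eventually opened, and which accounts the stuffing run actually got into. Every "compromised" or "successes" entry is a login that MFA would have stopped, which is the DBIR's point about the basics.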
When you get past phishing and stolen credentials, you'll see error (responsible for 22% of breaches). Errors are now as commonplace as social engineering and more common than malware. This stands out because companies are very concerned with malware, but errors, such as misconfiguring a host or storage service so that it is reachable from the Internet, enabling the wrong protocol, or leaving a required control unconfigured, are more prevalent and cause many more problems. Much of this is due to the rapid move to the cloud and a general lack of understanding of how to secure cloud environments and services.
If your organization is focused on malware, the DBIR data show that you're more likely to have a cyber event due to an error, and that it's more likely to be found by someone other than you, such as a third party or a customer.
Malware & Ransomware
Most malware is still delivered by email, and malware is involved in 17% of breaches. The most favored malware file types are Office documents and Windows applications. It's not that the Word document has a virus in it; it's that the document carries a macro that uses the scripting features built into Microsoft Office and Windows to run commands, which then cause the host to download a payload or take some other action. Don't open unsolicited attachments, and know that not all antivirus and endpoint detection and response (EDR) products are equal.
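A mail gateway or help desk can triage that attachment class without running anything, because a modern Office file is a ZIP container and a VBA macro project is a visible part of it. The following is an added example, not code from the DBIR or Agio: it inspects an attachment for a macro project, flags the mismatch where a supposedly macro-free extension (.docx, .xlsx, .pptx) contains one, and treats the legacy binary (OLE) format as macro-capable because this example does not parse it. The sample documents are constructed in memory; the vbaProject.bin bytes are a placeholder, not a real VBA stream.

```python
"""Triage Office attachments for macro content before they reach a user.

Added example, not from the DBIR or Agio. Modern Office files (.docx, .docm,
.xlsm, ...) are ZIP containers; a VBA macro project lives in an entry named
vbaProject.bin and is declared in [Content_Types].xml. The samples built
below are constructed for the demo.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls (CFB) header
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}         # extensions that promise no macros
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def triage(filename, data):
    """Return a dict saying whether to block the attachment and why."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams this example does
        # not parse, so it is treated as macro-capable and blocked.
        return {"file": filename, "format": "ole", "macros": None, "block": True,
                "reason": "legacy binary Office format; treated as macro-capable"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"file": filename, "format": "unknown", "macros": None,
                "block": False, "reason": "not an Office container"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The macro project may sit under word/, xl/ or ppt/.
        has_vba_bin = any(n.lower().endswith("vbaproject.bin") for n in names)
        ctypes = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        declares_vba = VBA_CONTENT_TYPE in ctypes
    macros = has_vba_bin or declares_vba
    reasons = []
    if macros:
        reasons.append("VBA project present")
        if ext in MACRO_FREE_EXTS:
            reasons.append(f"extension {ext} claims macro-free")
    return {"file": filename, "format": "ooxml", "macros": macros, "block": macros,
            "reason": "; ".join(reasons) or "no macro project found"}


def build_sample(with_macros):
    """Constructed minimal Word container, optionally carrying a macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctypes = ('<?xml version="1.0"?>'
                  '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                  '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macros:
            ctypes += ('<Override PartName="/word/vbaProject.bin" '
                       'ContentType="application/vnd.ms-office.vbaProject"/>')
        ctypes += "</Types>"
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [("invoice.docm", build_sample(True)),
                      ("invoice.docx", build_sample(True)),
                      ("report.docx", build_sample(False)),
                      ("old.doc", OLE_MAGIC + b"\x00" * 64)]:
        print(triage(name, doc))
```

This is a container check, not malware analysis: it tells you that a macro project exists and whether the file is lying about it through its extension, which is enough for a block-or-quarantine decision at the gateway. For the legacy OLE format and for extracting what the macros actually do, a dedicated parser such as olevba from the oletools project is the right tool.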
I’m not giving you new information. You already know you’re supposed to use strong passwords and change them regularly. You already know you’re supposed to use multi-factor authentication (MFA) for sensitive accounts or anything you can access from the Internet. You already know you’re supposed to update your systems regularly.
Nevertheless, we don’t. It’s cognitive dissonance: we are not practicing what we know to be best practice.
I’m not trying to downplay malware because we do see it. It’s a big concern because we hear about ransomware, and it does create a huge problem if your organization becomes infected with it.
What strikes me about ransomware is that external actors are now using the data itself as a second revenue stream. It used to be that ransomware just encrypted your data and you paid to have it unlocked; the bad actors weren't believed to be doing anything with the data other than encrypting it. However, it appears there's been a turn.
External actors looking to increase their revenue exfiltrate some of the data before they encrypt it and hold onto that copy. After you've paid to have access reinstated, they have a way to get another payment from you: if you don't pay again, they post the data to a public website.
Discovery & Recovery
From the time the bad guys start their attempt to the time they succeed is usually measured in seconds and minutes. From the time they are actually in the environment to the time the organization becomes aware of it is often measured in months; for more than a quarter of breaches, discovery takes months or longer.
It’s fair to say that discovery is still measured in weeks and months, and recovery is still measured in months. Ransomware is the exception—companies are pretty much made aware of the breach right away because the infiltrators want to get paid.
The DBIR's broad contributor base means its findings aren't just theory; they're real data points. The DBIR samples are better than a single cyber vendor telling you what it sees, because these are global occurrences. The DBIR's analysis and reporting are aligned with the CIS Controls and the MITRE ATT&CK® framework, which Agio also aligns with.
Agio's tenet of brilliance in the basics helps companies train employees and address cybersecurity issues like those highlighted in the Verizon 2020 Data Breach Investigation Report. We can quickly assess your organization's ability to withstand an attack based on known adversary behavior, provide a roadmap for reducing your exposure, and establish a governance cadence that ensures your organization maintains a posture that evolves with the threat landscape. Give us a call. Agio is here to help.