It’s DBIR time! Time to read the key findings of this year’s 13th edition of the annual Verizon Data Breach Investigations Report and learn from our mistakes. The more we know about the threats we face and how we react to these threats, the better our chances of keeping our data secure and our company’s name out of the headlines for all the wrong reasons.
This year, the report analyzes 32,000 incidents, out of which 3,950 were confirmed data breaches. What’s new in this edition of the report is that the findings are broken down into 16 industry verticals and aligned with the MITRE ATT&CK framework and CIS Controls.
The Energy Sector: Oil, Gas and Utilities
According to the report, breaches in the energy sector involve a variety of actions, but social attacks such as phishing and pretexting dominate the incident data. Of concern is that there were about as many incidents with potential data disclosure as there were confirmed breaches. With cyber espionage being the main motive behind these attacks, the proliferation of social attacks becomes an even greater concern.
As the energy sector also moves to the cloud, web application attacks were a top pattern, propelled by credentials stolen in phishing campaigns. Credentials accounted for 41% of the data compromised, and personal data for another 41%.
The good news is that the sector performed above average in applying patches. This matters because, according to Verizon, patches that are not applied within the first quarter after release frequently never get applied at all. That delay gives adversaries time to build tooling that lets even a novice attack the infrastructure that remains vulnerable.
Focusing on the IT vs. OT split within the energy sector, the findings were not surprising: 96% of breaches involved IT assets, while 4% involved OT. A 4% share may not sound like much, but those breaches touch the equipment that underpins the reliability and availability of highly critical services such as the electric grid or the water supply, which is adequate cause for concern. Given the criticality of OT assets, the industries involved must take every available precaution to drive that 4% down.
DBIR did not cover solely the energy sector. There are many interesting findings for everyone to read. The key ones can be summarized as follows:
- Although many believe internal actors to be the most common cause of breaches, the DBIR data shows that 70% of breaches were caused by outsiders.
- 86% of breaches were financially motivated, although espionage and advanced threats get the buzz.
- Credential theft, social attacks (phishing and business email compromise) and errors together cause the majority of breaches (67% or more). Most errors are either misconfigured storage or misdelivered emails, committed by system administrators or end users.
- Ransomware accounts for 27% of malware incidents, while 18% of the organizations blocked at least one piece of ransomware before the malware was able to manifest itself.
- Attacks on web apps were a part of 43% of breaches, more than double from last year. As workflows move to cloud services, it makes sense for attackers to follow. The most common methods of attacking web apps are using stolen or brute-forced credentials.
- Personal data was involved in 58% of breaches, nearly twice the percentage in last year’s data. This increase is mostly due to the regulatory requirements for reporting all incidents or breaches that involve breaching the privacy of personal data. That’s a big benefit coming out of GDPR and other privacy regulations.
- 81% of reported breaches were contained in days or less, and large businesses were the most common victims (72% of breaches).
Hacking, Ransomware and Errors
We cannot escape the fact that people make mistakes, and this is obvious in the report statistics. The only action that is consistently increasing is error. Human error is now as common as social breaches, more common than malware and ubiquitous across all industries. Only hacking remains higher, and that is due to credential theft and use. With misconfiguration and misdelivery as the top error varieties, the high numbers may partly reflect businesses being obliged by regulation to report every incident.
On the other hand, ransomware is a big problem that keeps getting bigger. According to the report, ransomware is the third most common malware variety in breaches and the second most common in incidents. Part of its continued growth is explained by how easy it has become to launch a ransomware attack: in 7% of the ransomware threads found in criminal forums and marketplaces, “service” was mentioned, suggesting that attackers do not even need to do the work themselves. They can simply rent ransomware as a service.
Looking at breaches, hacking and social attacks have decreased slightly but remain close to the levels seen over the past few years. Malware, on the other hand, has been in a steady decline as a percentage of breaches over the last five years. Why? Hacking and social attacks benefit from credential theft, which removes the need to drop malware to maintain persistence.
Hacking activity falls into three distinct groups:
1. Utilizing stolen or brute forced credentials
2. Exploiting vulnerabilities
3. Using backdoors and Command and Control (C2) functionality
However, it must be said that hacking, and breaches in general, are driven by credential theft. Over 80% of breaches within the hacking category involve brute force or the use of lost or stolen credentials. These hacking varieties, along with exploitation of vulnerabilities, are strongly associated with web applications.
Figure 1: Hacking varieties and vectors in breaches. Image courtesy of Verizon.
According to the report, cloud assets were involved in about 24% of breaches, while on-premises assets accounted for 70% of reported breaches. Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials.
As businesses adopt hybrid workloads, so do the criminals. These findings are not so much an indictment of cloud security as an illustration of cybercriminals finding the quickest and easiest route to their victims.
Asset and Vulnerability Management
The report findings indicate that organizations which fail to patch major new vulnerabilities also tend to be exposed to many older ones. That pattern suggests asset management is not working, and patch management built on an incomplete asset inventory will be defective too.
According to the report, organizations have approximately 43% of their internet-facing IPs in a single network. However, the most common number of networks an organization occupies is five, and half of all organizations are present on seven or more networks. The question is: do you know where these networks are, and do you have visibility into the assets on them?
If you don't, you have an asset management problem. And it is not just an asset management problem: it is also a vulnerability management problem for the assets you did not know were there.
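One practical way to answer the question above is to reconcile the networks you believe you own against what is actually reachable from the internet. The following Python script is an added example, not code from the DBIR or from ITEGRITI; the CIDR blocks and host addresses are constructed sample data (documentation ranges), standing in for a CMDB export and the output of an external scan or attack-surface tool. It reproduces the report's two metrics for your own estate (how many networks you are present on, and what share of your internet-facing IPs sits in the largest one) and, more importantly, lists the hosts that fall outside every declared network, which are exactly the assets your vulnerability management will never see.

```python
"""Reconcile a declared asset inventory against externally observed hosts.

Added example. All networks and addresses below are constructed sample data
drawn from RFC 5737 documentation ranges, not real infrastructure.
"""
import ipaddress
from collections import Counter

# Networks the organization believes it owns (e.g. a CMDB export). Constructed sample.
DECLARED_NETWORKS = [
    "203.0.113.0/24",   # primary data centre
    "198.51.100.0/26",  # cloud VPC, public subnet
    "192.0.2.0/28",     # legacy DMZ
]

# Internet-facing IPs seen by an external scan. Constructed sample.
OBSERVED_HOSTS = [
    "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.40",
    "198.51.100.5", "198.51.100.9",
    "192.0.2.3",
    "198.51.100.130",  # same provider, but a subnet nobody declared
    "192.0.2.200",     # outside the /28 the DMZ is supposed to occupy
]


def classify_hosts(observed, declared):
    """Map each observed IP to the declared network that contains it, or None."""
    nets = [ipaddress.ip_network(n) for n in declared]
    placement = {}
    for host in observed:
        addr = ipaddress.ip_address(host)
        match = next((n for n in nets if addr in n), None)
        placement[host] = str(match) if match else None
    return placement


def network_distribution(observed, declared):
    """Count observed hosts per network.

    Hosts that match no declared network are grouped by their /24 and labelled
    UNDECLARED, so an unknown block still counts as a network you are present on.
    """
    counter = Counter()
    for host, net in classify_hosts(observed, declared).items():
        if net is None:
            net = "UNDECLARED " + str(ipaddress.ip_network(host + "/24", strict=False))
        counter[net] += 1
    return counter


def coverage_report(observed, declared):
    """Summarise network spread and list hosts outside every declared network."""
    dist = network_distribution(observed, declared)
    total = sum(dist.values())
    largest_net, largest_count = dist.most_common(1)[0]
    unknown = sorted(h for h, n in classify_hosts(observed, declared).items() if n is None)
    return {
        "networks_present": len(dist),          # DBIR: most common value is five
        "largest_network": largest_net,
        "largest_share": round(largest_count / total, 2),  # DBIR: ~43% in one network
        "unknown_hosts": unknown,               # assets no patch process knows about
    }


if __name__ == "__main__":
    report = coverage_report(OBSERVED_HOSTS, DECLARED_NETWORKS)
    print(f"Networks present:        {report['networks_present']}")
    print(f"Largest network:         {report['largest_network']} "
          f"({report['largest_share']:.0%} of observed hosts)")
    for host in report["unknown_hosts"]:
        print(f"UNKNOWN ASSET: {host} is outside every declared network")
```

Feed it a real CMDB export and the host list from your external scanner and the `UNKNOWN ASSET` lines are the first thing to chase: each one is a host that is exposed to the internet but absent from the inventory your patching and vulnerability scanning are scoped to.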
The Path to a Breach
The writers of the report have done an excellent job analyzing the course of actions criminals take to finally breach a company. The analysis of incidents and breaches shows that most attacks are short, with a small number of steps. The long ones tend to be hacking and malware breaches that compromise confidentiality and integrity as the attacker systematically works through the network, expanding persistence and moving laterally.
Attackers are lazy: they prefer short paths and rarely attempt long ones. If you increase the number of steps they must take to reach their target, you are likely to significantly reduce the chance that they get to your data. Two-factor authentication, for example, is imperfect, but it helps by adding an extra step for the attacker. The difference between two steps and three or four can matter a great deal in your defensive strategy.
Figure 2: Number of steps per incident and per breach. Image courtesy of Verizon.
Knowing the areas attackers are most likely to pass through on their way to a breach gives you the advantage of choosing where to intercept them.
As mentioned at the beginning, this year the DBIR breaks its findings down across 16 industry verticals. Apart from the energy sector, which we covered above, here are some interesting findings for other industries and regions.
Education
Education experienced phishing in 28% of breaches and hacking via stolen credentials in 23%. In the incident data, ransomware accounted for approximately 80% of malware infections. Educational Services performed poorly at reporting phishing attacks, losing critical response time. According to the report, education is the only industry where malware was delivered more commonly via websites than via email. Given the peculiarities of education, where students access personal mail accounts from personal devices that are often connected to shared campus networks, this finding makes perfect sense.
Financial and Insurance
Breaches in this sector were the result of external actors financially motivated to get easily monetized data (63%), internal financially motivated actors (18%) and internal actors committing errors (9%). Web application attacks that leverage stolen credentials also continue to affect this industry. Breaches caused by internal actors have shifted from malicious actions to benign errors such as misdelivery, although both are still damaging.
Healthcare
Financially motivated criminal groups (88%) continued to target this industry with ransomware. Lost and stolen assets were also a problem. Basic human error (30%) was alive and kicking, with misdelivery the top erroneous action. Interestingly, internal privilege misuse dropped to just 8.7% from 23% in 2019. Medical data was the type most often breached, followed by personal data (anything from basic demographic information to other covered data elements) and credentials.
Retail
Attacks against e-commerce applications were by far the leading cause of breaches in this industry. As organizations move their primary operations to the web, the criminals migrate with them. Consequently, Point of Sale (PoS) related breaches, for many years the dominant concern in this vertical, continued at the generally low levels identified in the 2019 DBIR. While payment data was a commonly lost data type, personal data and credentials also continued to be highly sought after in this sector.
Professional, Scientific and Technical Services
Financially motivated organized criminals using attacks against web applications had their sights set on this industry. Employee errors such as standing up large databases without controls were also a recurring problem. These, combined with social engineering in the form of phishing and pretexting attacks, were responsible for the majority of breaches in this industry.
North America
U.S. and Canadian organizations suffered greatly from financially motivated attacks against their web application infrastructure. Hacking via stolen credentials was the threat action most commonly observed, followed by social engineering attacks that coaxed users into sharing those credentials. Employee error was also routinely observed.
Although this region accounted for 69% of all incidents and 55% of all breaches in the DBIR dataset, that share is largely due to strict reporting requirements in Finance, Healthcare and Public Administration. The same trend was witnessed in Europe, where GDPR and the NIS Directive oblige organizations to report incidents and breaches.
Recommendations based on CIS Controls
To align the report findings with corporate security efforts, the DBIR includes a section mapping the findings to CIS Controls. The CIS Controls are a good choice because they are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve its cyber defense.
Based on the report findings, the following CIS Controls are recommended:
- Continuous Vulnerability Management (CSC 3)
- Secure Configuration (CSC 5 and CSC 11)
- Email and Web Browser Protection (CSC 7)
- Limitation and Control of Network Ports, Protocols and Services (CSC 9)
- Boundary Defense (CSC 12)
- Data Protection (CSC 13)
- Account Monitoring (CSC 16)
- Implement a Security Awareness and Training Program (CSC 17)
ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in energy, healthcare, transportation, education, retail and financial sectors. We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event. To learn how we can help you, visit our website or follow us on LinkedIn and Twitter.