Verizon this week published its 2020 Data Breach Investigations Report (DBIR). The report is based on insights from thousands of incidents and it’s more detailed and more thorough than ever.
The report covers threat actors, including their activities and their tools, an analysis of the targeted industries, and a regional analysis.
According to Verizon, malware incidents are down, external hackers were behind most breaches, and a majority of attacks were financially motivated.
Industry professionals have commented on various findings in the latest DBIR.
And the feedback begins…
Tim Erlin, VP, product management and strategy, Tripwire:
“We often think of ransomware as a breach, but the DBIR categorizes most ransomware activity as an incident because while you may have lost access to the data, the attacker hasn’t actually stolen it. While that may give you some comfort, it doesn’t mean that a ransomware incident is materially less impactful to the security folks who have to deal with it.
The fact that “misconfiguration” is in the top five action varieties for breaches is an important acknowledgment that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities.
At a high level, the key things for every organization to worry about are brute force and stolen credentials, and web applications.
It’s tempting to downplay vulnerability management based on this data, but the details show that, by and large, the organizations that are doing it reasonably well are safer, and the organizations that aren’t are very, very vulnerable. One key lesson, though, is that an organization can do both. The old adage “you can’t protect what you don’t know about” is true for vulnerability management. Asset management is a prerequisite for vulnerability management.”
Chad Anderson, senior security researcher, DomainTools:
“This report further goes to show that attackers do not have to be sophisticated to be effective. We see that only 45% of all breaches in this report involved some kind of traditional hacking and only 4% of the breaches in total had more than four attacker actions. Simple, low-hanging fruit for financial gain continues to dominate this space and shows where so much of our security posture can be improved with user education and basic, industry-standard security practices.
Phishing and trojans are down and ransomware is up as Ransomware-as-a-Service (RaaS) groups like REvil are on the rise. Lots of work has gone into spotting phishing domains early with machine learning algorithms and endpoint detection is improving all the time. This makes sense as most of the breaches featured in this report focus on financially motivated organized crime groups. RaaS pays, especially in this COVID-era where attackers are targeting hospitals and essential businesses that may not have the time to turn around and properly rebuild their infrastructure after key data and parts have been compromised.”
Bob Rudis, chief data scientist, Rapid7:
“First: Attacker dwell time is significantly reduced, but that matters little to ransomware attackers, an attack vector that has only gotten worse over time. We need to keep improving this statistic, but also need to work even harder on preventing phishing attacks and shoring up internal configurations.
Second: It is no real surprise that naked S3 buckets and wide-open databases received a significant mention in the DBIR. The Rapid7 team finds millions of SMB servers, databases, and other inappropriately exposed services each time we run our Project Sonar scans. Organisations must implement stronger controls and have finely honed practices and playbooks for deploying services safely.
Third: Zombie credentials never die, they just get re-used in every gosh darn attack. Attackers have amassed a cadre of billions of credentials and that stash seems to get bigger every week. There is so little risk in reusing them (either because organisations are blind to the login attempts or because regional authorities just don’t seem to care) and so much to gain when one set of credentials actually works, that we’ll continue to see this mode of attack until organisations finally implement multi-factor authentication across the board.”
Jamie Akhtar, CEO and co-founder, CyberSmart:
“The fact that 28% of cybercrime victims are small businesses comes as no surprise; this is a trend we have seen for a while. It’s a real misconception that any business is too small to be targeted. As we continually see, that’s just not how a lot of these large-scale attacks work. But small organisations, especially those who have little IT expertise on staff, often aren’t sure where to start when it comes to protecting themselves from threats. This is why the UK government’s Cyber Essentials scheme is so helpful; it provides proven standards for basic cyber hygiene that any business (or individual for that matter) can follow to safeguard against the vast majority of these kinds of attacks.”
Mark Bower, SVP, comforte AG:
“The report shows the Great Digital Train Robbery is alive and well. External, multi-faceted and industrialized hacking continues to pepper large enterprises at 72% of overall victims. It’s no surprise that web application patterns, around 45% of attacks, expose technology services firms, retail, financial and insurance services and professional services most to compromise. They are the highest aggregators of highly sensitive data with substantial third-party data sharing risk.
Personal data theft is trending up, now 49% of retail breaches, overtaking payment data at 47%, putting privacy regulation risk high on the compliance agenda. 70% of breaches were from external actors, insiders 30%, and humans left doors open in 22% of cases. In a world quickly moving to post-COVID cloud IT, now 24% of investigated breaches, enterprises have no choice but to modernise data security strategies to neutralize data from attack or become a victim.
The numbers don’t lie – the barrier between attackers and valuable sensitive data can be broken, enabling rapid data theft and abuse unless the real data has no value in the attacker’s hands. Industries that progressively shielded data with contemporary security measures like data tokenization and encryption showed a strong decline in breach impact (POS attack incidents trended close to zero), but attackers followed the path of least resistance – to online compromise opportunities – now 50% of retail breaches.”
Tim Mackey, principal security strategist, Synopsys CyRC (Cybersecurity Research Center):
“In all cyberattacks, it is the attacker who defines the rules, and often opportunism is the best play in any numbers game. The 2020 DBIR confirms that most successful breaches employed opportunistic tactics ranging from social engineering and credential attacks through to opportunistic hacks and exploits of misconfigurations. This means that we could see a material reduction in breaches if basic principles such as securing S3 buckets, applying password security to databases, having a patch management strategy and applying reasonable malware protections were in place.
If we look beyond the basics and dig into an attack strategy, such as exploiting a vulnerability, we’re really looking at targeting a process and exploiting its weaknesses. In the case of a vulnerability exploit, the success is directly related to both a patch management strategy and how accurately the software asset management list matches what’s currently deployed. The exploit becomes actionable if there is any software that isn’t part of the asset manifest, which then means it’s likely missing patches. While such manifests and processes are manageable when describing systems managed by enterprise IT teams, the weakest and most opportunistic link could be the remote worker or an employee’s mobile device, which creates a bridge between the processes of enterprise IT and the practices of consumer “IT”. This is why zero-trust network architectures are interesting and also why patch policies must include open source governance – attackers look for blind spots in process as those blind spots enable them to invest in more sophisticated attacks.”
Murali Palanisamy, Chief Solutions Officer, AppViewX:
“Drilling down into Verizon’s 2020 version of the DBIR tells us two things: One, the number of incidents and data breaches is snowballing year-on-year, confirming the trend that digital transformation will result in threat vectors compounding and growing in number. And two, hacking for financial gain has taken precedence over malware and other low-impact techniques as the primary motivator for malicious actors.
The need for heightened security infrastructures for all systems (internal, external, critical, and peripheral) notwithstanding, there are simply too many endpoints today to be protected individually by security teams — given that hackers are actively gunning to exploit even the tiniest weak link in the system. Automation of security systems is the name of the game here, which will not only reduce the manual effort involved (which eliminates human error), but also allow enterprises to scale security along with business growth at every level, without having to expend time and effort on implementing it from scratch when it is needed — scalability is the most important buzzword in high-growth ecosystems in this day and age.”
Balaji Parimi, CEO, CloudKnox Security:
“The Verizon DBIR validates something we’ve been seeing for a long time – that cloud storage misconfigurations are on the rise and emerging as one of the top threats to cloud infrastructure. Managing cloud infrastructure is very complex and the unprecedented levels of automation leave a lot of room for these types of mistakes. Enterprises need to adopt a prevention-first approach, by making sure that only properly trained personnel have the permissions to perform such risky operations. AWS and other cloud providers are touting this as one of the top security priorities to address this misconfiguration problem.”
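Rudis (naked S3 buckets), Mackey (securing S3 buckets as a basic principle) and Parimi (cloud storage misconfiguration as a top threat) all land on the same control. As an added example, not code from any of the quoted vendors, AWS or the report, the block below shows the kind of preventive check a deployment pipeline can run before a bucket goes live: it reads a bucket policy in the AWS IAM policy document format and reports Allow statements that grant S3 actions to every principal without a Condition, and it lists which of the four S3 Block Public Access settings are not enabled. The two policy documents, the account id and the bucket name are constructed for the illustration; treating any Condition as “not public” is a deliberate simplification noted in the code.

```python
import json

# Constructed bucket policy with one world-readable statement (bucket and account are invented).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed policy that scopes access to one role and to one VPC endpoint.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})


def _as_list(value):
    """IAM documents allow a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for the two spellings of 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_statements(policy_json):
    """Return the Sid (or positional name) of each Allow statement that grants an S3 action
    to every principal with no Condition block. Simplification: any Condition is treated
    as a restriction; a fuller review would check what the condition actually limits."""
    doc = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        actions = _as_list(st.get("Action", []))
        if any(a == "*" or a.startswith("s3:") for a in actions):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


# The four settings of the S3 PublicAccessBlockConfiguration; all should be True.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def missing_public_access_blocks(config):
    """Names of Block Public Access settings not set to True in `config`
    (a key that is absent counts as off)."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]


if __name__ == "__main__":
    print("public statements:", find_public_statements(PUBLIC_READ_POLICY))
    print("missing blocks:", missing_public_access_blocks({"BlockPublicAcls": True}))
```

Run as a pre-deployment gate, a non-empty result from either function fails the change; the same checks can be applied on a schedule to catch drift after deployment, which is where Parimi’s point about limiting who may perform the risky operation comes in.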
Satnam Narang, Staff Research Engineer, Tenable:
“The findings in the Data Breach Investigations Report (DBIR) 2020 show that while attack vectors may fluctuate over time, cybercriminals often set their sights on low-hanging fruit. Zero-days may garner most of the attention, but foundational cyber hygiene issues enable most breaches. The motivation for cybercriminals is primarily financial. As the Cybersecurity and Infrastructure Security Agency (CISA) recently underscored in a recent report about the top 10 routinely exploited vulnerabilities, cybercriminals focus their efforts on exploiting unpatched vulnerabilities. It’s a cost-effective measure that provides the most bang for the buck, because they don’t have to spend the capital needed to acquire zero-day vulnerabilities when there are so many unpatched systems to take advantage of. As the DBIR notes, even if a newly-discovered vulnerability wasn’t patched in a network, those same systems would likely also be vulnerable to a plethora of other vulnerabilities, which signifies a lack of basic cyber hygiene.
Ransomware increased by 2.6% from last year, landing at number three in the most common Malware breach variety, while also taking the number two spot for most common malware incident variety, according to the DBIR. What’s changed in that time is that ransomware isn’t solely devoted to encrypting files anymore. Cybercriminals have escalated their attacks to another level, siphoning off sensitive information from organizations whose files they’ve encrypted. These cybercriminals threaten to publish this sensitive information publicly, often publicly sharing a teaser of files from organizations they’ve compromised. The belief is that naming and shaming these victims would encourage them to pay the ransom demand, and in many cases, that’s proven to be true.”
Chris Morales, head of security analytics, Vectra:
“The 2020 Verizon DBIR highlights who is targeting what industry and what they are doing. Attribution is interesting in the sense that it demonstrates who is behind a breach and what they do. The motives behind an attack tend to be consistent for each industry, as does the risk and data in those industries.
Nevertheless, what happened last year will only paint a partial picture of the tools, tactics and procedures being implemented now in what is a dramatically shifted threat landscape over the last few months. A threat landscape that might be more permanent than temporary.
For example, an increase in the use of SaaS, such as Office 365 and Zoom, for intrusion and lateral movement techniques. The higher obfuscation of command and control and data exfiltration in companies that previously would never allow remote work from home.”
Shahrokh Shahidzadeh, CEO, Acceptto:
“The Verizon DBIR highlights the top actions for breaches, which continue to be credentials, misconfiguration and phishing. Credentials are still the favorite attack surface, and within the past three years the range fluctuates between 75% and 81%. The reduction in malware is aligned with the previous year’s trend and is a function of the risk balloon getting squeezed as the rewards of alternative attacks balance out. Besides, if you think about January 2020 alone, and weigh in the key breaches reported during the first month of 2020, then you will realize the shift is insignificant.
These reports are usually a trailing indicator, given that a significant number of breaches that occurred in 2019 simply have not been discovered yet. And yes, understanding the threat balloon risk and the associated financial motivation is how we deal with risk management. That said, any <6% reduction is simply noise.”
Rick Holland, Chief Information Security Officer, Vice President Strategy, Digital Shadows:
“The prominence and continued use of stolen credentials indicates that there is still work to be done to prevent breaches.
One thing that strikes me about this year’s DBIR report is that the data set is pre-pandemic. The “current state of security” is dramatically different today than it was two months ago. I’m very interested to see how the new remote working paradigm impacts next year’s report.
It is essential to understand the data set and limitations for any reporting. The fact that the DBIR’s primary analytical data focus is from the 2019 caseload doesn’t devalue the report; there are still many year-over-year trends that are useful for defenders. Also, the DBIR should serve as one of many data points in your risk management strategy, which should be complemented by an organization’s own internal incident and breach reporting.”
Olivier Gaudin, CEO and co-founder, SonarSource:
“The findings from the Verizon report demonstrate that, as an industry, we are spending more time reacting to threats rather than proactively taking steps to ensure assets are secure before they go to market. This is why it’s crucial to think about security as early as when developers are actually coding applications. Technology that provides code security feedback throughout software development workflows does exist, and not only will it help organizations prevent future incidents, it also supports the growth of their development team with regards to bolstering the security of the product. Developers get to learn and leverage secure coding practices, resulting in more secure applications delivered to end-users. This type of technology can also identify and eliminate the most commonly exploited web app vulnerabilities, according to Verizon’s report: SQL injection and PHP injection vulnerabilities.”
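Gaudin names SQL injection as one of the two most exploited web application flaws and argues for feedback while the code is being written. The block below is an added example, not SonarSource’s product or code from the report: it puts a string-built query beside its parameterized form and runs both against an in-memory SQLite table with a constructed input that carries a quote, then applies a very small static check of the kind an IDE or CI plug-in would run, which walks a Python module’s syntax tree and reports every `execute()` call whose SQL text is assembled at runtime. The table contents, the `lookup` snippet and the `EXAMPLE_SOURCE` constant are all constructed for the illustration.

```python
import ast
import sqlite3


def make_db():
    """Constructed in-memory table with two users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Defect: the untrusted value becomes part of the SQL text, so a quote inside it
    # changes the structure of the query rather than being compared as data.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Fix: a bound parameter is sent separately from the SQL text and is never parsed as SQL.
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


# Constructed input containing a quote, used only to show the two functions diverge.
QUOTED_INPUT = "' OR '1'='1"


def demo():
    """Compare both lookups on the quoted input and on a legitimate username."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, QUOTED_INPUT),  # every row comes back
        "safe": find_user_safe(conn, QUOTED_INPUT),              # no such username: []
        "safe_legit": find_user_safe(conn, "alice"),
    }


# Constructed module text for the static check (line 1 is the blank line after the quotes).
EXAMPLE_SOURCE = '''
def lookup(conn, name):
    conn.execute(f"SELECT * FROM users WHERE username = '{name}'")
    conn.execute("SELECT * FROM users WHERE username = '" + name + "'")
    conn.execute("SELECT * FROM users WHERE username = ?", (name,))
'''


def find_string_built_queries(source):
    """Report line numbers of execute()/executemany() calls whose first argument is built
    at runtime: an f-string, a + or % expression, or a .format() call. Literal SQL with
    bound parameters is not reported. This is a deliberately small illustration of the
    check; a real analyser would also track variables holding the SQL text."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        sql = node.args[0]
        built = (isinstance(sql, ast.JoinedStr)
                 or (isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Add, ast.Mod)))
                 or (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
                     and sql.func.attr == "format"))
        if built:
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    print(demo())
    print("string-built queries on lines:", find_string_built_queries(EXAMPLE_SOURCE))
```

The runtime comparison shows the defect and the fix; the syntax-tree check shows why feedback at coding time is cheap: the vulnerable pattern is visible in the source without running anything, so it can be reported in the editor or fail the pull request before the code is deployed.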