Verizon 2020 DBIR: More Extensive, More Detailed and More Thorough Than Ever

Verizon Publishes 2020 Data Breach Investigation Report (DBIR) With Insights From Thousands of Confirmed Breaches

Verizon's 2020 Data Breach Investigations Report (DBIR) is the most extensive yet, with 81 contributing organizations, and more than 32,000 incidents analyzed (of which 3,950 were confirmed breaches). New geographical breakouts in the just-released report have been added together with new ways of visualizing the data.

At a high level, Verizon believes the analysis provides good news to security professionals. In particular, it notes that malware incidents are down, suggesting that current anti-malware products are winning the battle. Trojan-type malware peaked in 2016 when it accounted for 50% of all breaches, but has now dropped to just 6.5%. Similarly, patching seems to be more successful than we might think, with less than 5% of breaches involving the exploitation of a vulnerability -- while only 2.5% of SIEM events involved exploiting a vulnerability. "This finding suggests that most organizations are doing a good job at patching," says the report, but adds the rider, "It’s the forgotten assets that never get patched that can create dangerous holes in your defenses."

The DBIR (PDF) figures also dispel common myths. It is often held that the insider is the greatest threat to security, but DBIR shows that 70% of breaches are caused by external hackers. Similarly, while international acts of espionage and 'advanced' attacks tend to get media headlines, money rather than cyberwarfare remains the great motivator: 86% of breaches are financially motivated, 10% are espionage, and just 4% are described as advanced threats.

DBIR has become the bible for security professionals. Its great strength is that it involves the scientific analysis of actual events that goes beyond the analysis of a single vendor's own telemetry, and consequently has no product or attack-type bias. Similarly, since the latest report is the thirteenth in the series, it can highlight trends in breach-related activity. 

But there are also two potential weaknesses that should be considered. Firstly, only breaches reported to or known to Verizon can be included. This could, for example, skew ransomware figures where healthcare institutions are required to report ransomware incidents while manufacturing is not -- manufacturers who quickly and quietly pay the ransom are not likely to report the event.

Secondly, it is 'historical' data (from last year) in a field that changes rapidly. So, for example, it can include no details on this year's emergence of Maze- and REvil-style double extortion ransom (the latest example being the current post-ransomware auction of client details from a New York law firm).

Similarly, there is no mention of, or detail on, this year's dramatic criminal response to the COVID-19 pandemic and the expanding threat landscape caused by the rush to 'work from home'. Rick Holland, CISO and VP of strategy at Digital Shadows, picks up on this. "One thing that strikes me about this year's DBIR report," he told SecurityWeek, "is that the data set is pre-pandemic. The 'current state of security' is dramatically different today than it was two months ago. I'm very interested to see how the new remote working paradigm impacts next year's report."

Chris Morales, head of security analytics at Vectra, has a similar viewpoint. "What happened last year will only paint a partial picture of the tools, tactics and procedures being implemented now in what is a dramatically shifted threat landscape over the last few months. A threat landscape that might be more permanent than temporary." The problem is that you cannot plan for such sudden and major shifts. This year it has been driven by a global pandemic -- but there could be something different next year or the year after that.

Shahrokh Shahidzadeh, CEO at Acceptto, is more severe on the historical aspect of DBIR. "The reduction in malware is just aligned with the previous year’s trend and is a function of the risk balloon getting squeezed as alternative attacks reward balance out," he told SecurityWeek. "These reports are usually a trailing indicator given a significant number of breaches that occurred in 2019 simply have not been discovered yet. And yes, understanding the threat balloon risk and the associated financial motivation is how we deal with risk management. That said, any less than 6% reduction is simply noise."

Gabriel Bassett, a data scientist who worked on the report, accepts the historical nature of the figures, but believes this is more than countered by the value of the emerging trends surfaced by the annual nature of the reports. He told SecurityWeek that the true value of the DBIR is not just in raw figures, but in highlighting trends in criminal methods and activity to enable security practitioners to take a risk management approach to defense. 

Double extortion, for example, remains fundamentally ransomware, and the rise of ransomware over the last few years has been a highlighted trend. (Ransomware in 2019 accounted for 27% of all malware incidents, 60% in the public sector, and 80% in education.) Similarly, a large portion of COVID-19 attacks are based around phishing -- and the prevalence of phishing has been tracked for many years.

One trend-based graph this year shows the frequency of the actions involved in breaches since 2016. Physical breaches have remained fairly constant, but low. Hacking, social, malware and misuse have all declined. However, the one exception is 'error'. During 2019, breaches caused by an error action overtook those caused by malware activity and are closing fast on those caused by social activity. (An error is defined as an action that does not involve any malicious intent.)

Looking more closely at this, misdelivery and publishing errors have declined, while misconfiguration errors have spiked dramatically (echoing the NSA warning in January 2020 that misconfiguration is the most prevalent vulnerability in cloud environments). However, the DBIR analysis goes deeper by highlighting the discovery of misconfigurations: more than 50% by a security researcher, around 15% by some other external party, nearly 15% by a customer, but less than 10% by an employer. In total, more than 90% of misconfigurations are reported to the organization after the event rather than found and prevented by the organization.

Since the threat is rising and organizations are not detecting the misconfiguration themselves, there is a clear indication that many companies need to spend more effort on detecting and preventing the error before it happens. It is this level of detail within the DBIR's data analysis that security practitioners can use to fine-tune their own risk-based approach to security controls. "Nobody is perfect," said Bassett. "Misconfigurations are primarily an administrator's error, or somebody else posting sensitive data to a public area. But we need to be prepared for error, rather than simply assuming it won't happen."

One solution, he suggests, is to remove the stigma from errors. Staff need to become comfortable reporting errors without worrying that it will be treated as a big deal. This can be augmented by companies looking at the process improvement methodologies used in engineering, which are employed in part to detect and eliminate error. The question practitioners should ask is: how can we adapt engineering methods to security methods?

The great value of DBIR is that it converts breach data from anecdotal to demonstrable fact that is analyzed in great detail. It helps practitioners focus on the areas that need focus. "It is essential to understand the data set and limitations for any reporting," adds Digital Shadows' Rick Holland. "The fact that the DBIR's primary analytical data focus is from the 2019 caseload doesn't devalue the report; there are still many year over year trends that are useful for defenders. Also, the DBIR should serve as one of many data points in your risk management strategy, which should be complemented by an organization's own internal incident and breach reporting."

DBIR remains a fundamental asset for the discovery of existing and evolving threats, allowing practitioners to see where they should focus effort for an effective risk-based security posture.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.