Every year I like to look at Verizon's DBIR (Data Breach Investigations Report) and see what kind of wisdom I can extract. This year they appear to have put in even more effort, so let's get into it.
The format is simple: a series of content extraction bullets, some analysis and commentary along the way, and then a quick summary of what I saw as the main takeaways.
Content extraction
A definitions reminder:
Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
- This year they analyzed 79,635 incidents, 29,207 met their quality standards, and 5,258 were confirmed data breaches
- They covered 11 main industries across 88 countries
- They map to the CIS controls for recommendations
- Top three patterns in breaches were: social engineering, basic web application attacks, and system intrusion
- Top three patterns in incidents were: denial of service, basic web application attacks, and social engineering
Interesting that social engineering and basic web application attacks were in the top three for both breaches and incidents.
- 85% of breaches involved a human element
- 61% of breaches involved credentials
As in past years, financially motivated attacks continue to be the most common, and actors categorized as Organized Crime continue to be number one.
- For breaches, the breakdown of External vs. Internal actors moved significantly towards External in 2020
- Similarly, the top threat actor motive moved away from Espionage and towards Financial
- Organized crime made up over 80% of threat actors, with other categories—including State Actor—having very little showing
- Top actions in breaches were: phishing (social), use of stolen credentials (hacking), other, ransomware (malware), pretexting (social), misconfiguration (error), misdelivery (error), brute force (hacking), C2 (malware), and backdoor (malware)
- The top two (phishing and use of stolen credentials, which in web apps mostly means credential stuffing) were disproportionately represented in the data
- For incidents, the breakdown was: dos (hacking), phishing (social), other, and then ransomware (malware)
- So phishing and ransomware are the categories most shared among incidents and breaches
- Ransomware doubled from 5% of breaches to 10% in 2020
The major change this year with regard to action types was Ransomware coming out like a champ and grabbing third place among the named breach actions, behind only phishing and stolen credentials.
- They break down actions at the beginning, middle, and end of breaches
- Top three for beginning: hacking, error, and social
- Top three for middle: malware, hacking, social
- Top three for end: malware, hacking, error
- Top assets in incidents: server, person, user dev
- Top assets in breaches: server, person, user dev
So those match perfectly, at least for the top three.
- Top asset varieties: web application (server), email (server), desktop or laptop (user dev), mobile phone (user dev)
Interesting to see mobile phone in there. It's number 4, behind desktop/laptop, but not by much. It turns out, though, that most of that data comes from lost phones rather than compromised ones, so it doesn't appear to be a major attack surface after all.
- Even the median random organization with an internet presence has 17 internet-facing assets
- Most of those systems had no known vulnerabilities, and among the vulnerabilities that were present, it's mostly the old ones (years past their patch date) that matter, not the newly published ones
- As far as what type of data is lost, the top 4 for breaches are: credentials, personal, medical, and bank
When the report talks about "losses" in its impact section, I think they mean direct financial loss.
There is massive variation in the impact of an incident. First of all, 42% of BEC incidents didn't involve any financial loss. 76% of Computer Data Breaches (CDB) didn't involve any financial loss. And 90% of ransomware incidents didn't have any financial loss.
The range of financial losses was pretty extraordinary:
- 95% of BECs fell between $250 and $985,000, with $30,000 being the median
- CDB ranges had 95% falling between $148 and $1.6 million, with the same median of $30,000
- Ransomware’s median loss was $11,150, with a range between $70 and $1.2 million
The takeaway here is that there really is a market scaling based on the size of the organization and their ability to pay, and the minimums start very low/cheap.
They also did analysis on total cost of breach estimates, which I found fascinating.
While you could plan for the median breach of $21,659, a better option might be to plan for the middle 80% of breach impacts, $2,038 to $194,035. Or better yet, be prepared for the most common 95% of impacts, between $826 and $653,587. If you add to that an organizational devaluation of around 5%, then you just may have yourself a tangible figure you can plan around.
- The top hacking varieties in Basic Web Application Attacks were: use of stolen credentials, brute force, and exploit vuln—with stolen creds being over 80% and brute force and exploit vuln being around 10% apiece
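Since stolen credentials and brute force together account for roughly 90% of the hacking in this pattern, it's worth being able to tell the two apart in your own login logs: credential stuffing shows up as one source trying many different usernames (with the occasional success), while brute force is one source hammering a single account. The detector below is an added example, not code from the DBIR or from this post. It assumes a constructed, simplified log format (timestamp, source IP, username, OK/FAIL) and thresholds I chose for illustration; the sample lines are made up.

```python
"""Separate credential stuffing from brute force in web-app login logs.

Added example; the log format, thresholds and sample data are assumptions,
not anything the DBIR or the original post defines.
"""
import re
from collections import Counter, defaultdict

# Assumed line format: <ISO timestamp> <source IP> <username> <OK|FAIL>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Constructed sample log (not real traffic). Three sources:
#   203.0.113.7  sprays eight different usernames, one of which lands (stuffing)
#   198.51.100.9 hits the single "admin" account six times (brute force)
#   192.0.2.5    is a normal user who mistypes once and then succeeds
SAMPLE_LOG = """\
2021-05-13T10:00:01Z 203.0.113.7 alice FAIL
2021-05-13T10:00:02Z 203.0.113.7 bob FAIL
2021-05-13T10:00:03Z 203.0.113.7 carol FAIL
2021-05-13T10:00:04Z 203.0.113.7 dave OK
2021-05-13T10:00:05Z 203.0.113.7 erin FAIL
2021-05-13T10:00:06Z 203.0.113.7 frank FAIL
2021-05-13T10:00:07Z 203.0.113.7 grace FAIL
2021-05-13T10:00:08Z 203.0.113.7 heidi FAIL
2021-05-13T10:01:00Z 198.51.100.9 admin FAIL
2021-05-13T10:01:01Z 198.51.100.9 admin FAIL
2021-05-13T10:01:02Z 198.51.100.9 admin FAIL
2021-05-13T10:01:03Z 198.51.100.9 admin FAIL
2021-05-13T10:01:04Z 198.51.100.9 admin FAIL
2021-05-13T10:01:05Z 198.51.100.9 admin FAIL
2021-05-13T10:02:00Z 192.0.2.5 alice FAIL
2021-05-13T10:02:30Z 192.0.2.5 alice OK
"""


def parse_log(text):
    """Return a list of dicts (ts, ip, user, result); silently skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_attacks(events, min_failures=5, stuffing_user_ratio=0.8):
    """Classify each noisy source IP as credential stuffing or brute force.

    min_failures:        a source needs at least this many FAILs to be considered
    stuffing_user_ratio: share of attempts that use a *distinct* username above
                         which the activity is treated as stuffing (many users,
                         one or few tries each) rather than brute force
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        if len(fails) < min_failures:
            continue  # too little activity to call either way
        distinct_users = {e["user"] for e in evs}
        # Accounts that succeeded from a source we are about to flag: these are
        # the ones to treat as compromised and force a reset on.
        compromised = sorted({e["user"] for e in evs if e["result"] == "OK"})
        user_ratio = len(distinct_users) / len(evs)
        if user_ratio >= stuffing_user_ratio:
            findings.append({
                "type": "credential_stuffing", "ip": ip,
                "attempts": len(evs), "distinct_users": len(distinct_users),
                "compromised": compromised,
            })
        else:
            # Attempts are concentrated on few accounts: brute force if any single
            # account absorbed at least min_failures failures.
            user, n = Counter(e["user"] for e in fails).most_common(1)[0]
            if n >= min_failures:
                findings.append({
                    "type": "brute_force", "ip": ip, "user": user,
                    "failures": n, "compromised": compromised,
                })
    return findings


if __name__ == "__main__":
    for f in detect_credential_attacks(parse_log(SAMPLE_LOG)):
        print(f)
```

Run against the sample it reports 203.0.113.7 as stuffing with `dave` compromised and 198.51.100.9 as brute force against `admin`, while the legitimate user on 192.0.2.5 is left alone. The distinction matters for response: a brute-forced account needs lockout or rate limiting on that account, whereas a stuffing hit means the user's password is already known to the attacker from some other breach and must be rotated, which is exactly the case MFA closes.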
Summary
- Web application attacks continue to dominate, with credential stuffing being the main way to attack
- Brute force is also key for web app attacks, and both are handled well by 2FA
- We already knew this, but ransomware massively jumped in prominence, and organized crime grew as an actor type along with it
- Errors keep featuring at the top of these lists across industries; we have to figure out a way to reduce own-goals
- The top CIS controls are still: Enterprise Asset Inventory and Software Inventory. Never forget.