Analysis of the 2021 Verizon Data Breach Report (DBIR)

dbir 2021 analysis

Every year I like to look at Verizon’s DBIR report and see what kind of wisdom I can extract. This year they appear to have put in even more effort, so let’s get into it.

The format is simple: a series of content extraction bullets, some analysis and commentary along the way, and then a quick summary of what I saw as the main takeaways.

Content extraction

A definitions reminder:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

  • This year they analyzed 79,635 incidents, 29,207 met their quality standards, and 5,258 were confirmed data breaches

  • They covered 11 main industries across 88 countries

  • They map to the CIS controls for recommendations

  • Top three patterns in breaches were: social engineering, basic web application attacks, and system intrusion

  • Top three patterns in incidents were: denial of service, basic web application attacks, and social engineering

Interesting that social engineering and basic web application attacks were in the top three for both breaches and incidents.

  • 85% of breaches involved a human element

  • 61% of breaches involved credentials

As in past years, financially motivated attacks continue to be the most common, and actors categorized as Organized Crime continues to be number one.

  • For breaches, the breakdown of External vs. Internal actors moved significantly towards External in 2020

  • Similarly, the top threat actor motive moved away from Espionage and towards Financial

  • Organized crime made up over 80% of threat actors, with other categories—including State Actor—having very little showing

  • Top actions in breaches were: phishing (social), use of stolen credentials (hacking), other, ransomware (malware), pretexting (social), misconfiguration (error), misdelivery (error), brute force (hacking), C2 (malware), and backdoor (malware)

  • The top two (phishing and credential stuffing) were disproportionately represented in the data

  • For incidents, the breakdown was: dos (hacking), phishing (social), other, and then ransomware (malware)

  • So phishing and ransomware are the categories most shared among incidents and breaches

  • Ransomware doubled from 5% of breaches to 10% in 2020

The major change this year with regard to action types was Ransomware coming out like a champ and grabbing third place in breaches (appearing in 10% of them, more than doubling its frequency from last year).

  • They break down actions at the beginning, middle, and end of breaches

    • Top three for beginning: hacking, error, and social

    • Top three for middle: malware, hacking, social

    • Top three for end: malware, hacking, error

  • Top assets in incidents: server, person, user dev

  • Top assets in breaches: server, person, user dev

So those match perfectly, at least for the top three.

  • Top asseet varieties: web application (server), email (server), desktop or laptop (user dev), mobile phone (user dev)

Interesting to see mobile phone in there. It’s number 4, and behind desktop/laptop, but not by much. But it turns out, most of that data is from lost phones, so it doesn’t appear major afterall.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

  • Even the median random organization with an internet presence has 17 internet-facing assets

Even the median random organization with an internet presence has 17 internet-facing assets.

  • Most of those systems had no vulnerabilities, but among those that are attacked it’s mostly the older ones that matter, not the newer ones

  • As far as what type of data is lost, the top 4 for breaches are: credentials, personal, medical, and bank

I think they mean direct financial loss.

There is massive variation in the impact of an incident. First of all, 42% of BEC incidents didn’t involve any financial loss. 76% of Computer Data Breaches didn’t involve any financial loss. And 90% of ransomware incidents didn’t have any financial loss.

The range of financial losses was pretty extraordinary:

95% of BECs fell between $250 and $985,000 dollars with $30,000 being the median.

  • CDB ranges had 95% falling between $148 and $1.6 million, with the same median of $30,000

  • Ransomware’s median loss was $11,150, with a range between $70 and $1.2 million

The takeaway here is that there really is a market scaling based on the size of the organization and their ability to pay, and the minimums start very low/cheap.

They also did analysis on total cost of breach estimates, which I found fascinating.

While you could plan for the median breach of $21,659, a better option might be to plan for the middle 80% of breach impacts, $2,038 to $194,035. Or better yet, be prepared for the most common 95% of impacts, between $826 and $653,587. If you add to that an organizational devaluation of around 5%, then you just may have yourself a tangible figure you can plan around.

  • The top hacking varieties in Basic Web Application Attacks were: use of stolen credentials, brute force, and exploit vuln—with stolen creds being over 80% and brute force and exploit vuln being around 10% a piece

Summary

  • Web application attacks continue to dominate, with credential stuffing being the main way to attack

  • Brute force is also key for web app attacks, and both are handled well by 2FA

  • We already knew this, but ransomware massively jumped in prominence, and organized crime grew as an actor type along with it

  • Errors keep featuring at the top of these lists across industries; we have to figure out a way to reduce own-goals

  • The top CIS controls are still: Enterprise Asset Inventory and Software Inventory. Never forget.