The format is simple: a series of content extraction bullets, some analysis and commentary along the way, and then a quick summary of what I saw as the main takeaways.
A definitions reminder:
Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
This year they analyzed 79,635 incidents, 29,207 met their quality standards, and 5,258 were confirmed data breaches
They covered 11 main industries across 88 countries
They map to the CIS controls for recommendations
Top three patterns in breaches were: social engineering, basic web application attacks, and system intrusion
Top three patterns in incidents were: denial of service, basic web application attacks, and social engineering
Interesting that social engineering and basic web application attacks were in the top three for both breaches and incidents.
85% of breaches involved a human element
61% of breaches involved credentials
For breaches, the breakdown of External vs. Internal actors moved significantly towards External in 2020
Similarly, the top threat actor motive moved away from Espionage and towards Financial
Organized crime made up over 80% of threat actors, with other categories—including State Actor—having very little showing
Top actions in breaches were: phishing (social), use of stolen credentials (hacking), other, ransomware (malware), pretexting (social), misconfiguration (error), misdelivery (error), brute force (hacking), C2 (malware), and backdoor (malware)
The top two (phishing and credential stuffing) were disproportionately represented in the data
For incidents, the breakdown was: dos (hacking), phishing (social), other, and then ransomware (malware)
So phishing and ransomware are the categories most shared among incidents and breaches
Ransomware doubled from 5% of breaches to 10% in 2020
They break down actions at the beginning, middle, and end of breaches
Top three for beginning: hacking, error, and social
Top three for middle: malware, hacking, social
Top three for end: malware, hacking, error
Top assets in incidents: server, person, user dev
Top assets in breaches: server, person, user dev
So those match perfectly, at least for the top three.
Top asseet varieties: web application (server), email (server), desktop or laptop (user dev), mobile phone (user dev)
Interesting to see mobile phone in there. It’s number 4, and behind desktop/laptop, but not by much. But it turns out, most of that data is from lost phones, so it doesn’t appear major afterall.
Unsupervised Learning — Security, Tech, and AI in 10 minutes…
Get a weekly breakdown of what's happening in security and tech—and why it matters.
Even the median random organization with an internet presence has 17 internet-facing assets
Even the median random organization with an internet presence has 17 internet-facing assets.
Most of those systems had no vulnerabilities, but among those that are attacked it’s mostly the older ones that matter, not the newer ones
As far as what type of data is lost, the top 4 for breaches are: credentials, personal, medical, and bank
I think they mean direct financial loss.
There is massive variation in the impact of an incident. First of all, 42% of BEC incidents didn’t involve any financial loss. 76% of Computer Data Breaches didn’t involve any financial loss. And 90% of ransomware incidents didn’t have any financial loss.
The range of financial losses was pretty extraordinary:
CDB ranges had 95% falling between $148 and $1.6 million, with the same median of $30,000
Ransomware’s median loss was $11,150, with a range between $70 and $1.2 million
The takeaway here is that there really is a market scaling based on the size of the organization and their ability to pay, and the minimums start very low/cheap.
They also did analysis on total cost of breach estimates, which I found fascinating.
The top hacking varieties in Basic Web Application Attacks were: use of stolen credentials, brute force, and exploit vuln—with stolen creds being over 80% and brute force and exploit vuln being around 10% a piece
Web application attacks continue to dominate, with credential stuffing being the main way to attack
Brute force is also key for web app attacks, and both are handled well by 2FA
We already knew this, but ransomware massively jumped in prominence, and organized crime grew as an actor type along with it
Errors keep featuring at the top of these lists across industries; we have to figure out a way to reduce own-goals
The top CIS controls are still: Enterprise Asset Inventory and Software Inventory. Never forget.