Security Report Analysis: 2016 DBIR Report


In this Security Report Analysis (SRA) series I look at various security reports and pull out the main points.

This doesn’t replace a complete and detailed read of these reports, but at least you’ll get exposed to some of the key takeaways that you might not otherwise have seen.

Key points

[ NOTE: These points are a combination of the report’s actual points combined with my own interpretation of them. Some of the analysis is not theirs, in other words. Don’t take this as me putting words in their mouths, but rather me trying to parse and interpret for my and your benefit. ]

  • Report covers 100,000 incidents, of which there were 3,141 data breaches

  • 64,199 incidents and 2,260 breaches made up the report statistics

  • They lack information to say mobile or IoT is killing us

  • 89% of breaches had a financial or espionage motive

  • Countries all over the world were compromised; geography is not safety

  • VERIS is the Vocabulary for Event Recording and Incident Sharing, and it allows an organization to record and share security events, incidents, and breaches

  • VERIS asks, “What threat actor took what action on what asset compromising what attribute?”, also known as the 4 A’s.

  • The vast majority of threat actors (around 80%) are external. There is very little collusion (around 2% ?), around 10% internal, and very little partner (~1%).

  • Less than 1/4 of companies detected issues in a few days or less

  • There were many web attacks against CMSs, especially due to plugins

  • Financial services was hit the most with data breaches last year with some 795 breaches, followed by the hospitality sector (282), information sector (194), public sector (193), retail (137), and healthcare (115)

  • Espionage is picking up as a reason for compromise, catching up to financial reasons (but still far behind)

  • Many attacks have secondary motives, like aiding another attack

  • Phishing is a major attack technique, which often leads to others

  • Discovery times went up, not down (bad)

  • The two rules of vulnerabilities still hold: attackers use old vulns, and attackers automate exploitation and spray it over the internet to get hits

  • Phishing was usually used to install persistent software (why else?)

  • People doing phishing are usually organized crime (89%) and state actors (9%)

  • Around 3% told management alerted someone to possibly being targeted

  • Credentials and trade secrets were the biggest targets

  • Verizon recommends segmentation and strong authentication to prevent additional compromise

  • 63% of data breaches invoved weak, default, or stolen passwords

  • Top three attacks were web app attacks, POS intrusions, and miscellaneous errors

  • There were interesting breakdowns of type of attack vs. vertical (see full report)

  • 95% of confirmed web attacks were financially motivated

  • Web shells were commonly used against ecommerce servers

  • POS attacks continue to yield credit card information

  • It’s getting harder for attackers to hit POS due to increased security

  • 97% of breaches using stolen credentials leveraged legitimate partner access

  • Privilege misuse often includes collusion between internal and external actors

  • You can’t protect your data if you don’t know where it resides

  • Unintentional actions go into miscellaneous errors, and the number of these is massive

  • Decomissioning security is a problem

  • In this year’s data, an asset is lost over 100 times more frequently than it is stolen

  • 70% of Payment card skimming incidents in our dataset can be blamed on criminal organizations

  • There is a dramatic decline in internal discovery and a corresponding increase in discovery by fraud detection

  • Cyber-espionage actors are predominantly state-affiliated groups. Competitors and nation states are also mixing it up

  • Phishing, as a leading action of cyber-espionage, provides a number of advantages—the time to compromise can be extremely quick and attackers can target specific people

  • 90% of Cyber-espionage breaches capture trade secrets or proprietary information

  • DoS attacks are either large in magnitude or they are long in duration, but typically not both

  • As DoS attacks continue to evolve, cloud service providers must have solutions in place to protect their infrastructure.

  • By far, the biggest source of incidents in this pattern is phishing attacks where not much else is known

  • Actions taken by the adversary are not exclusive to a single pattern

  • Having an understanding of how patterns complement each other can help direct your efforts as to what to prioritize your limited resources against

  • PCI breaches had a much higher median of documented record loss than PHI or PII

  • Legal guidance during the crisis management phase and forensics investigations is where the majority of the cash is going

  • There are seemingly endless types of stolen data available for sale from an equally endless variety of sources

  • Profiting from stolen card not-present (CNP) transactional data is similar to old school fencing of stolen goods

  • In cases of Privilege Misuse, employees have access to data and use it for their own gain or in collusion with criminals

  • Sellers of stolen cards began differentiating, basing their prices on geography or the validity rate of the cards


  1. While this capture can be helpful, I suggest reading the whole report for full context. The writing was remarkably easy to move through.

Related posts: