In May, Verizon released their 12th installment of the company’s Verizon Data Breach Investigations Report (DBIR). Results are collected from a variety of sources including publicly-disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and external collaborators. This year, researchers looked at 41,686 security incidents, of which 2,013 were confirmed data breaches, to build the report.
Though some of the statists in the report are frightening, Verizon would like organizations to be aware of cybercrime and adopt proactive cybersecurity strategies.
“It is our charge to present information on the common tactics used by attackers against organizations in your industry. The purpose of this study is not to rub salt in the wounds of information security, but to contribute to the ‘light’ that raises awareness and provides the ability to learn from the past. Use it as another arrow in your quiver to win hearts, minds, and security budget.”
The Tactics Hackers Use
This year’s DBIR follows the usual format of showing high level trends from 2019 data and compares it to data over the last seven years. It takes a deep dive and shows the different tactics that are used and who is behind the breaches.
According to the report, hackers’ motives have not changed, with 71% of breaches launched for financial gain, and 52% of these breaches featuring hacking. Ransomware attacks account for nearly 24% of the attacks involving malware, and breaches continue to take a long time to be detected, with 56% taking several months or longer to be discovered. And typically, by the time the breach has been discovered, the damage has already been done.
But there is some good news. There is a decreasing number of physical terminal compromises in payment card-related breaches, attacks on Human Resource personnel have decreased by 6x, and click-through rates on phishing simulations for data partners fell during the past seven years.
“A year-to-year view of the actors (and their motives), followed by changes in threat actions and affected assets over time, is once again provided. A deeper dive into the overall results for this year’s data set with an old-school focus on threat action categories follows. Within the threat action results, relevant non-incident data is included to add more awareness regarding the tactics that are in the adversaries’ arsenals.”
The Major Threat Vectors
“When we delve a bit deeper and examine threat actions at the variety level, the proverbial question of ‘What are the bad guys doing?’ starts to become clearer.”
Denial of Service (DoS) attacks, phishing, and the use of stolen credentials remain at the top of happenings linked with security incidents. Hackers continue to have success using backdoor or Command and Control (C2) malware tactics with data breaches. The less obvious but more interesting option is using stolen credentials.
“The reason it becomes noteworthy is that 60% of the time, the compromised web application vector was the front-end to cloud-based email servers”
Malware continues to control attacks in many ways. Email is the number one delivery method, at 94%. Once malware gains access, additional malware is installed.
Ransomware attacks account for nearly 24% of incidents where malware is used. It is a serious threat, but is only mentioned in the media if someone that is high-profile is targeted. Interestingly, while crypto-mining gets a lot of attention, it only accounts for 2% of incidents.
The good news is that the click rate for phishing from combined results of multiple security awareness vendors is going down. However,
“Research points to users being significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, as well as attacks via social media. Thus, the confluence of design and how users interact with mobile devices make it easier for users to make snap, often uninformed decisions—which significantly increases their susceptibility to social attacks on mobile devices.”
The Aftermath
“Like all good stories, attackers need somewhere to begin, and whether this starting point is with a list of vulnerable servers, phished emails, or stolen credentials, if the proverbial lever is long enough they will breach your perimeter. Therefore, it is wise to do all that you can to reduce the number of starting points that they are provided.”
Sometimes there is only so much an organization can do to prevent a breach, but how companies deal with the aftermath is another story. After the breach, several things need to happen to make it worth the hacker’s time. For example, stealing identities and filing fraudulent tax returns involve many steps, and one mistake could spell exposure of the attackers. Cyber criminals’ choice for payment is cryptocurrency, which has a lower risk of getting caught, but not as much profit.
“When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered. Let that sink in. BECs do not pay out as well as it initially appears, and just because the attacker won the first round doesn’t mean you shouldn’t keep fighting.”
Industry Comparison
Verizon also summarizes industry specific data breaches, followed by the nine incident patterns most commonly associated with the reported data breaches. The report explored 101,168 incidents. Public administration topped the list with 330 breaches, followed by healthcare (304), and the financial sector (207).
DBIR 2019 – Conclusion
This year’s report is chock full of valuable information and the authors hope that after reading this document, companies will use it to make their organization’s cybersecurity decisions differently and more proactively.
Bluefin is a staunch believer in a proactive security approach to protect data, which is why we teamed up with Verizon Enterprise Solutions to issue our new white paper on the Value of P2PE in POI and POS environments. The paper, authored by Verizon’s Ciske van Oosten, overviews the POI/POS threat landscape and details how criminals obtain access to cardholder data (CHD), while discussing the evolution of P2PE, the differences between certified and non-certified encryption solutions, benefits of PCI-validated P2PE solutions in POI environments, including compliance management and scope reduction, and the roles of tokenization, EMV and P2PE in protecting data.