Verizon published today its yearly Data Breach Investigations Report, based on real-world data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide.
The report provides a most useful snapshot of the current state of the fight against cybercrime, and highlights not only the weaknesses in organisations’ approach to security, but also the areas where cybercriminals seem to be focussing their efforts.
IT Security professionals helped us break down the key stats from the report, providing their interpretation of the findings and advice for enterprises looking to strengthen their security posture.
Martin Jartelius, CSO at Outpost24:
It is interesting to note that 45% of breaches occur due to hacking, and 22% went via targeting a user or employee. The attackers then on average need fewer than 4 further steps in 90% of the attacks, but most do indeed require more than a single step.
This shows clearly that defence in depth is just as important as ever.
The study shows that vulnerability management of internet facing systems is successful in most organizations, but that for those who do not address this, it is an attractive venue of attack.
Half of organizations have less than 1% of their internet-facing systems with an exposed vulnerability, and 90% of organizations have less than 10% of their hosts exposing a known vulnerability.
43% of all the recorded breaches involved web applications. But when we look at hacking, the numbers get really interesting, where we see that 90% of hacking targets web applications.
Most breaches are started via hacking, secondly via social engineering; the end phase is often malware implants. So as more and more functionality and data have shifted to web applications, so have the attacks. Managing application vulnerabilities and risks is now a key piece of the vulnerability management undertaking of organizations.
Jamie Akhtar, CEO and co-founder at CyberSmart:
Eoin Keary, founder and CEO of Edgescan:
Contributing to the Verizon DBiR helps us as an industry move the dial in a positive direction. We can’t improve what we can’t see.
The idea of “the great and good” in the industry contributing together provides a realistic snapshot of what matters in cybersecurity today. I’m very proud of and grateful to the folks in VDBiR for all their hard work.
Chad Anderson, senior security researcher at DomainTools:
This report further goes to show that attackers do not have to be sophisticated to be effective. We see that only 45% of all breaches in this report involved some kind of traditional hacking and only 4% of the breaches in total had more than four attacker actions. Simple, low-hanging fruit for financial gain continues to dominate this space and shows where so much of our security posture can be improved with user education and basic, industry-standard security practices.
Phishing and trojans are down and ransomware is up as Ransomware-as-a-Service (RaaS) groups like REvil are on the rise. Lots of work has gone into spotting phishing domains early with machine learning algorithms and endpoint detection is improving all the time. This makes sense as most of the breaches featured in this report focus on financially motivated organized crime groups. RaaS pays, especially in this COVID-era where attackers are targeting hospitals and essential businesses that may not have the time to turn around and properly rebuild their infrastructure after key data and parts have been compromised.
Errors — mostly misconfigurations of resources — continue to be on the rise as more and more data sets are left openly exposed. This year alone we have already seen massive Elasticsearch instances and MongoDB databases that were left open and exposed, dumped, and then sold on cybercrime forums. The accessibility to cloud infrastructure and the complexity around securing it will continue to have people leaving their data on wide-open S3 buckets for all the world to scrape.
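The misconfiguration Chad Anderson describes above, an object store left readable by anyone, is one of the easier findings to check for mechanically. The following is an added example, not code from the article or from DomainTools: it inspects a constructed S3 bucket policy for `Allow` statements granted to the anonymous principal (`"*"` or `{"AWS": "*"}`) with no `Condition`, shows the same grant scoped to a single IAM role, and combines the result with the bucket's Block Public Access settings, whose field names match the `PublicAccessBlockConfiguration` API shape. The bucket name, account id and role name are placeholders.

```python
"""Flag S3 bucket policies that grant anonymous ("Principal": "*") access.

Added example, not from the article. Both policies are constructed; the
bucket name, account id and role name are placeholders.
"""
import json
from typing import List

# Constructed: the kind of wide-open policy that leaves a bucket scrape-able.
OPEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}
""")

# Constructed: the same access, scoped to one IAM role in the owning account.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}
""")

# Field names follow the S3 PublicAccessBlockConfiguration API shape.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BLOCK_NONE = {key: False for key in BLOCK_ALL}


def _is_anonymous(principal) -> bool:
    """True when a Principal element means 'anyone', including the {"AWS": "*"} form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy: dict) -> List[str]:
    """Return the Sids of Allow statements open to everyone with no Condition."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditional anonymous grant (e.g. source-IP restricted) needs a
            # human review rather than an automatic flag.
            continue
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def assess(policy: dict, public_access_block: dict) -> dict:
    """Combine policy findings with Block Public Access.

    RestrictPublicBuckets=True makes S3 ignore public grants in an existing
    bucket policy, so the bucket is only effectively public when an anonymous
    statement exists and that guard is off.
    """
    open_sids = public_statements(policy)
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return {"anonymous_statements": open_sids,
            "effectively_public": bool(open_sids) and not restricted}


if __name__ == "__main__":
    print("open policy, no guard:", assess(OPEN_POLICY, BLOCK_NONE))
    print("open policy, guard on:", assess(OPEN_POLICY, BLOCK_ALL))
    print("scoped policy:        ", assess(SCOPED_POLICY, BLOCK_NONE))
```

The check deliberately treats `Condition`-bearing anonymous grants as "review" rather than "pass", since a weak condition is still public; and it reports the policy finding separately from the effective exposure so that the finding survives even where Block Public Access happens to be masking it.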
Richard Bejtlich, principal security strategist at Corelight:
The DBIR offers a lot of information for security professionals to digest. One way to use it is to understand how your industry is represented, see the sorts of actors and events that affect your industry, and be sure your organization’s risk model and countermeasures mitigate the concerns reported by the DBIR.
Tim Erlin, VP, product management and strategy at Tripwire:
We often think of ransomware as a breach, but the DBIR categorizes most ransomware activity as an incident because while you may have lost access to the data, the attacker hasn’t actually stolen it. While that may give you some comfort, it doesn’t mean that a ransomware incident is materially less impactful to the security folks who have to deal with it.
The fact that “misconfiguration” is in the top five action varieties for breaches is an important acknowledgment that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities.
At a high level, the key things for every organisation to worry about are brute force and stolen credentials, and web applications.
It’s tempting to downplay vulnerability management based on this data, but the details show that, by and large, the organizations that are doing it reasonably well are safer, and the organizations that aren’t are very, very vulnerable. One key lesson, though, is that an organization can do both. The old adage “you can’t protect what you don’t know about” is true for vulnerability management. Asset management is a prerequisite for vulnerability management.
If you want to protect yourself from the most common breaches, protect your web servers, your workstations and your mail infrastructure.
Cloud assets are still a minority of targets, at 24% compared to on-premise’s 70%. Why change tactics if they’re working? The cloud has a learning curve for criminals as well as enterprises.
One important lesson to take from the DBIR is that a compromise is often made up of multiple attacks, and so, as a defender, you have multiple opportunities to stop the attacker. The concept of ‘defense in depth’ is applicable here. The data provided about how the multiple steps in a compromise occur is vital. Malware is rarely the first step, and so if you catch malware in your environment, you have to look for what came before that. Hacking is much harder to deal with because it plays a role in the beginning, middle and end stages of a breach.
The industry analysis provided by the DBIR is invaluable. Being able to see which assets, actions, and patterns are most relevant for your industry allows you to take much more decisive action as a defender. For example, Manufacturing should be more concerned about crimeware, introduced through malware and social engineering, than any other industry. If you’re in healthcare, errors figure much more prominently in your threat model than other industries.
The inclusion of the CIS controls, after a hiatus, is a good addition for defenders. CIS is well-respected in the industry, and the controls provide enough information to be actionable but avoid being overwhelming at the same time.
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center):
In all cyberattacks, it is the attacker who defines the rules, and often opportunism is the best play in any numbers game. The 2020 DBIR confirms that most successful breaches employed opportunistic tactics ranging from social engineering and credential attacks through to opportunistic hacks and exploits of misconfigurations. This means that we could see a material reduction in breaches if basic principles such as securing S3 buckets, applying password security to databases, having a patch management strategy and applying reasonable malware protections were in place.
If we look beyond the basics and dig into an attack strategy, such as exploiting a vulnerability, we’re really looking at targeting a process and exploiting its weaknesses. In the case of a vulnerability exploit, the success is directly related to both a patch management strategy and how accurate the software asset management list matches what’s currently deployed. The exploit becomes actionable if there is any software that isn’t part of the asset manifest which then means it’s likely missing patches. While such manifests and processes are manageable when describing systems managed by enterprise IT teams, the weakest and most opportunistic link could be the remote worker or an employee’s mobile device which creates a bridge between the processes of enterprise IT and the practices of consumer “IT”. This is why zero-trust network architectures are interesting and also why patch policies must include open source governance – attackers look for blind spots in process as those blind spots enable them to invest in more sophisticated attacks.
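Tim Mackey's point above, that an exploit becomes actionable wherever deployed software sits outside the asset manifest, is essentially a reconciliation problem. The following is an added example, not code from the article or from Synopsys: it compares a constructed asset manifest (what IT believes is deployed, with the patched baseline version it owns) against a constructed scanner inventory (what was actually observed) and reports three kinds of blind spot: software nobody owns, managed software below its baseline, and manifest records the scanner no longer sees. Hostnames, package names and version numbers are constructed.

```python
"""Reconcile an IT asset manifest against an observed software inventory.

Added example, not from the article. Hosts, packages and versions are
constructed; a real inventory would come from an agent or scanner export.
"""
from typing import Dict, List, Tuple

# Constructed manifest: (host, package) -> minimum patched version IT owns.
MANIFEST: Dict[Tuple[str, str], str] = {
    ("web-01", "nginx"): "1.18.0",
    ("mail-01", "exim"): "4.94.2",
    ("db-01", "postgresql"): "12.7",
    ("app-01", "tomcat"): "9.0.45",
}

# Constructed observation: what a network scan actually found.
OBSERVED: List[Tuple[str, str, str]] = [
    ("web-01", "nginx", "1.18.0"),
    ("mail-01", "exim", "4.92"),      # below the manifest's patched baseline
    ("db-01", "postgresql", "12.7"),
    ("mail-02", "exim", "4.89"),      # host not in the manifest at all
    ("web-01", "php", "7.2.24"),      # package nobody owns on a known host
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.94.2' into (4, 94, 2); non-numeric segments compare as 0."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def reconcile(manifest: Dict[Tuple[str, str], str],
              observed: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Classify every observed (host, package) against the manifest."""
    unmanaged = []   # blind spots: no owner, no patch baseline, no patch process
    stale = []       # managed software running below its baseline version
    missing = []     # manifest entries the scanner did not see (stale records)
    seen = set()
    for host, pkg, ver in observed:
        key = (host, pkg)
        seen.add(key)
        if key not in manifest:
            unmanaged.append((host, pkg, ver))
        elif parse_version(ver) < parse_version(manifest[key]):
            stale.append((host, pkg, ver, manifest[key]))
    for key, baseline in manifest.items():
        if key not in seen:
            missing.append((key[0], key[1], baseline))
    return {"unmanaged": unmanaged, "stale": stale, "missing": missing}


if __name__ == "__main__":
    for category, rows in reconcile(MANIFEST, OBSERVED).items():
        print(f"{category}:")
        for row in rows:
            print("  ", row)
```

The "unmanaged" bucket is the one Mackey's argument is about: those entries have no patch owner, so they are the most likely to be missing patches and the first thing to feed back into the manifest. The "missing" bucket is the mirror image, records the manifest still carries for software the network no longer shows, which is how an asset list drifts away from what is deployed.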
Prateek Bhajanka, Vice President, Product Management at Qualys:
The 2020 Verizon DBIR shows how an effective patching program (as part of a complete vulnerability management lifecycle) can significantly reduce the risk to an organization. The examples of assets having Exim and EternalBlue vulnerabilities state that these assets are often completely unpatched for years and are found to have very old vulnerabilities, which tells us that these assets were not in the records of the organization, hence ignored. This reinforces the fact that ‘Security is only as strong as your weakest link’ and that vulnerability management should begin with asset management, as these neglected systems can be entry points for an attacker, even if that system itself does not hold important data.
To have an effective security program, the solution should be based on a firm foundation of complete and real time visibility into your entire Hybrid IT environment, continuous detection and rapid response through patching to close the exposure window.
Satnam Narang, Staff Research Engineer, Tenable:
The findings in the Data Breach Investigations Report (DBIR) 2020 show that while attack vectors may fluctuate over time, cybercriminals often set their sights on low-hanging fruit. Zero-days may garner most of the attention, but foundational cyber hygiene issues enable most breaches. The motivation for cybercriminals is primarily financial. As the Cybersecurity and Infrastructure Security Agency (CISA) recently underscored in a recent report about the top 10 routinely exploited vulnerabilities, cybercriminals focus their efforts on exploiting unpatched vulnerabilities. It’s a cost-effective measure that provides the most bang for the buck, because they don’t have to spend the capital needed to acquire zero-day vulnerabilities when there are so many unpatched systems to take advantage of. As the DBIR notes, even if a newly-discovered vulnerability wasn’t patched in a network, those same systems would likely also be vulnerable to a plethora of other vulnerabilities, which signifies a lack of basic cyber hygiene.
Ransomware increased by 2.6% from last year, landing at number three in the most common malware breach variety, while also taking the number two spot for most common malware incident variety, according to the DBIR. What’s changed in that time is that ransomware isn’t solely devoted to encrypting files anymore. Cybercriminals have escalated their attacks to another level, siphoning off sensitive information from organizations whose files they’ve encrypted. These cybercriminals threaten to publish this sensitive information publicly, often publicly sharing a teaser of files from organizations they’ve compromised. The belief is that naming and shaming these victims would encourage them to pay the ransom demand, and in many cases, that’s proven to be true.
Another notable finding is that 43% of breaches involved web applications. This is often fueled by the exploitation of some of the most common vulnerabilities, such as SQL injection or PHP injection flaws. As more and more businesses have migrated to the cloud, their attack surface increases, especially with respect to web applications. The DBIR notes that web applications along with email application servers were involved in 73% of cloud breaches, while most of those were the result of breached credentials.
Dan Conrad, field strategist at One Identity:
Stolen credentials are still one of the easiest exploits and therefore will continue to be a target for attackers. Of course, acquired credentials or authentication is a means to an end goal. Passwords have been discussed repeatedly but it is difficult to make organizations and people care. The identities are protected with authentication, and authentication is there to protect the assets (corporate or even personal). This becomes more real when considering credentials that have elevated privileges such as access to more types of data or even credentials that manage other credentials.
Credentials are an easy target because we make them easy. We must consider the “friction” of credentials. Are we always looking for ways to spend less time verifying authentication so the user or admin experience is better? We must:
1) Understand the value of the identities and accounts in our organization.
2) Determine what level of authentication is required for users vs admins.
3) Balance that with the level of organizational risk we are willing to accept.
4) Implement the policies without exception (considering that if an exception is required, the policy must be adjusted).
Across the DBIR, regardless of business vertical, it is evident that privileges are the target. Whether it’s a malware exploit that was installed by a local admin or ransomware that was distributed to the entire organization, all of these were done via compromised privileges. Even social engineering has the goal of gaining privileges to get the goods. Identities, accounts, and authentication are critical to protect the “crown jewels”, and privileged accounts require the highest level of protection. We must ensure the right people have access to them, at the right time, for the right reasons, and that they are using them in accordance with the established corporate security policy and best practices.