Once a year, every year, the security team at Verizon puts out a fantastic report called the Verizon Data Breach Incident Report, commonly known as the DBIR. It is respected as being extremely data driven with findings based on thousands of incidents and breaches from around the world. For 2020 the Verizon DBIR team analyzed over 32,000 incidents and 3,900 breaches, a big increase from last year. The report is also highly valued for the extremely scientific approach they use in both analyzing and presenting their findings. The report leverages the data to identify “Patterns” in those incidents/breaches and provides detailed information to help guide you in making data-driven decisions on how to best understand, prioritize and manage your risk. I use the report to better understand the top human risks organizations face and how those risks are changing. In this post I review the 2020 report with a human focus on breaches.
- Overview: The top threat actions driving breaches are Phishing, Stolen Credentials and human Error (Figure 13). The use of malware in breaches is down; attackers are becoming more efficient and leaning on phishing and credential theft instead. In other words, the primary drivers of breaches today almost all involve the human. This also explains why the Verizon DBIR identifies awareness and training as one of the primary controls for most effectively managing risk in most industries (see the Controls point below).
- Error: Error (or accidental) is when a trusted individual such as an employee or contractor causes harm by accident. The two most common are Misdirection (emailing sensitive documents to the wrong person because of auto-complete in email) and Misconfiguration (usually accidentally exposing data via internet-exposed storage). What jumps out is that not only does Error continue to be a big driver of breaches, but it’s one of the very few causes that continues to grow. On page 12 the DBIR specifically states “The only action type that is consistently increasing year-to-year in frequency is Error”. Far too often we get so focused on the bad guys that we forget simple mistakes can be one of our biggest risks.
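The Misconfiguration case above is the kind of mistake that is easy to catch mechanically. As an added example (not from the DBIR or this post's author), the Python below checks a storage bucket policy for statements that grant access to anyone. It assumes the storage is an AWS S3 bucket with an IAM-style JSON policy; the two sample policies, the bucket name and the account id are constructed for the example.

```python
import json

# Constructed sample bucket policies; not taken from the report or any real account.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead",
         "Effect": "Allow",
         "Principal": "*",                      # anyone on the internet
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountOnly",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # one account only
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport",
         "Effect": "Deny",                      # a Deny to "*" is a hardening, not an exposure
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    ]
})


def _is_wildcard_principal(principal):
    """True if the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json):
    """Return the Sids (or positional names) of Allow statements that are open to
    any principal and carry no Condition narrowing who may use them."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a policy may hold a single statement object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition may still be too broad, but it is not an unconditional grant;
            # review those separately rather than flagging them here.
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)]:
        print(f"{name}: public statements = {find_public_statements(policy)}")
```

Run it against every bucket policy you can export and treat any non-empty result as a finding to review; the check is deliberately narrow (unconditional Allow to a wildcard principal) so that it produces few false positives.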
- Credentials: On pages 19 and 20 the report once again confirms what it has been saying for years: stolen credentials are one of the primary methods involved in breaches. In fact, to quote, “Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials”. From an awareness perspective, this means we need to focus on good password practices including passphrases, unique passwords and 2FA when possible. Arm your workforce with password managers, and for heaven’s sake kill those painful complexity and expiration password policies that cause far more harm than good.
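To make the point about complexity and expiration rules concrete, here is an added example (not from the DBIR or this post's author) that puts a typical legacy policy beside a length-based passphrase policy and runs both over the same candidates. The legacy rule is the common "8 characters and 3 of 4 character classes, rotate every 90 days" pattern; the passphrase rule is a minimum length plus a denylist of known-bad strings. The candidate passwords and the denylist are constructed for the example.

```python
import re
from datetime import date, timedelta

# --- Legacy policy: character-class complexity plus calendar-based expiration ---
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def legacy_complexity_policy_accepts(password: str) -> bool:
    """8+ characters and at least 3 of the 4 character classes."""
    classes_present = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    return len(password) >= 8 and classes_present >= 3


def legacy_rotation_due(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """Force a change purely because the password is old."""
    return today - last_changed > timedelta(days=max_age_days)


# --- Passphrase policy: length first, block known-bad strings, no class rules ---
# Constructed denylist; a real deployment would use a breached-password corpus.
DENYLIST = {"password", "p@ssw0rd", "welcome1", "summer2020", "letmein",
            "correcthorsebatterystaple"}


def passphrase_policy_accepts(password: str, min_length: int = 15) -> bool:
    """Accept anything long enough that is not a known-bad string."""
    if len(password) < min_length:
        return False
    normalized = re.sub(r"\s+", "", password).lower()
    return normalized not in DENYLIST


def passphrase_rotation_due(known_compromised: bool) -> bool:
    """Rotate on evidence of compromise, not on a schedule."""
    return known_compromised


def compare_policies(candidates):
    """Return {candidate: (legacy_verdict, passphrase_verdict)} for each candidate."""
    return {c: (legacy_complexity_policy_accepts(c), passphrase_policy_accepts(c))
            for c in candidates}


if __name__ == "__main__":
    # Constructed candidates: a predictable "complex" string versus a real passphrase.
    samples = ["P@ssw0rd1!", "Summer2020!", "correct horse battery staple",
               "my dog ate the blue couch again"]
    for candidate, (legacy, passphrase) in compare_policies(samples).items():
        print(f"{candidate!r:38} legacy={legacy!s:5} passphrase={passphrase}")
    print("legacy rotation due after 152 days:",
          legacy_rotation_due(date(2020, 1, 1), date(2020, 6, 1)))
```

The comparison shows the failure mode the post is complaining about: the legacy rule happily accepts "P@ssw0rd1!" while rejecting a long all-lowercase passphrase because spaces and lowercase letters only count as two classes, and it forces rotation on users whose passwords were never exposed.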
- Social: On pages 24 and 25 the report analyzes Social-based attacks, including Phishing. Interestingly, the number one finding is that these attacks go after Credentials first. Get people’s credentials and then you can get any data you want. The good news is that average click rates are down to 3.4% and reporting rates continue to go up. All that phishing training is making a difference!
- Malware: Malware has been on a consistent and steady decline as a percentage of breaches over the last five years (page 12). Note, the Verizon DBIR does not classify Ransomware as a breach, in most cases it classifies it as an Incident (though it also notes this is changing as of late last year). This implies that more advanced threat actors are “going native” or “living off the land” and using local tools and password credentials to blend in with their target organization. Malware is often too easy to spot, so it is primarily used by the ‘smash-and-grab’ community, which describes Ransomware perfectly.
- Controls: For this year the DBIR expanded its reporting to 16 industries. For each of these 16 industries the report identifies the top drivers (called Patterns) for incidents. Then, based on those risks, it references the Center for Internet Security’s top 20 Critical Security Controls and identifies the key controls for each industry that would most effectively manage its top risks. Of the 16 industries analyzed, 13 had Security Awareness (CSC#17) listed as one of the key controls for managing their top risks.
- Path: Starting on page 31 the report does a fantastic job of explaining the typical path different threat actors take, the steps involved, and how you can use that information to better understand how to identify and stop an active attack. If you are a fan of the Cyber Kill Chain or the MITRE ATT&CK model, this data will help put all the pieces together.
- Actors: The report found that external attackers are considerably more common than malicious internal actors. I’ve never been a fan of the term “insiders are your biggest threat” because it implies your employees are hacking you. The report clearly calls this out on page 10. What I also found fascinating is the DBIR has a new motive for incidents called Secondary. In other words, you were hacked not because the bad guys wanted to hack you, but because you were a path to the ultimate goal. Even if you have no value, you have value. Thirty percent of incidents were driven by the Secondary motive.
Finally, be sure to review the detailed analysis of your specific industry, which starts on page 40 of the report. Not only does the report do a fantastic analysis of your industry, but it’s always interesting to see just how different the risks are from one industry to another.
The Verizon DBIR is a fantastic data-driven report; please take the time to read it. The authors have done a great job of taking highly complex data sets and making them easy to understand. They also help you understand just how difficult it can be to normalize so much data, and how the report is only as good as the data they get.