Verizon publishes its 2020 Data Breach Investigations Report (DBIR) with information on thousands of confirmed data breaches.
The Verizon 2020 Data Breach Investigations Report (DBIR) is the most comprehensive yet, drawing on 81 contributing organizations and analyzing more than 32,000 incidents (3,950 of which were confirmed breaches). New regional breakdowns and new data visualisation options have been added to the newly published report.
At a high level, Verizon believes the analysis brings good news for security professionals. In particular, it notes that malware incidents have declined, suggesting that modern antivirus products are winning that battle. Trojan malware peaked in 2016, when it was responsible for 50% of all breaches, but has now dropped to just 6.5%. Patching also seems more successful than one might think: fewer than 5% of breaches involved exploited vulnerabilities, while only 2.5% of SIEM events involved an exploited vulnerability. This suggests that most organizations are doing a good job of patching, says the report, but it adds a caveat: it is the forgotten assets that never get patched that create dangerous gaps in your defenses.
The DBIR’s numbers (PDF) debunk common myths. It is often assumed that the biggest security threat comes from insiders, but the DBIR shows that 70% of breaches are caused by external actors. Although international espionage and sophisticated attacks make the headlines, money, not cyber warfare, remains the dominant motive: 86% of breaches are financially motivated, 10% are espionage, and only 4% are described as sophisticated threats.
The DBIR has become something of a bible for security professionals. Its great strength is that it contains a scientific analysis of actual events, going beyond analysis of a single vendor’s own telemetry, so it neither leads nor anticipates the nature of the attacks. As the latest report is the thirteenth in the series, it is possible to identify trends in breaches.
However, two potential drawbacks need to be considered. First, it can only record breaches that are reported to Verizon or of which Verizon is aware. This could, for example, distort the ransomware figures: healthcare facilities are required to report ransomware incidents while manufacturers are not, and a manufacturer that pays the ransom is unlikely to report an incident it can resolve quickly and discreetly.
Secondly, the data are historical (from last year) in a rapidly evolving field. For example, there can be no details of the emergence this year of double extortion by ransomware such as Maze and REvil (the latest example being the recent auction of client data stolen from a New York law firm).
The dramatic criminal response to this year’s COVID-19 pandemic and the growing threat from working from home are not mentioned or described in detail. Rick Holland, CISO and vice president of strategy at Digital Shadows, raises this issue. “What strikes me about this year’s DBIR report,” he told SecurityWeek, “is that the dataset is pre-pandemic. The current security situation is fundamentally different from two months ago. I am very curious how the new teleworking paradigm will affect next year’s report.”
Chris Morales, head of security analytics at Vectra, agrees. “What happened last year only gives an incomplete picture of the tools, tactics and procedures now used in a threat landscape that has changed dramatically in recent months, a threat landscape that may be more permanent than temporary. The problem is that you cannot predict such sudden and serious changes. This year it was caused by a global pandemic, but next year or the year after something else could happen.”
Shahrokh Shahidzadeh, CEO of Acceptto, is harsher about the historical aspect of the DBIR. “The decrease in malware simply continues last year’s trend and depends on the risk of the crushed ball as an alternative to attack,” he told SecurityWeek. “These reports are generally a lagging indicator, as a significant number of the breaches that occurred in 2019 have simply not yet been detected. And yes, understanding the risk associated with a threat balloon and the financial motivation behind it is how we deal with risk. However, a reduction of less than 6% is only noise.”
Gabriel Bassett, a researcher who worked on the report, accepts the historical nature of the figures but believes this is more than offset by the importance of the new trends that emerge from the annual nature of the reports. He told SecurityWeek that the true value of the DBIR lies not only in the raw numbers but in identifying trends in criminal methods and activities, enabling security professionals to adopt a risk-based approach to defense.
For example, double extortion is still essentially ransomware, and the increase in ransomware in recent years is a notable trend. (Ransomware accounted for 27% of all malware incidents in 2019, 60% in the public sector and 80% in education.) Similarly, much of the COVID-19 attack activity is based on phishing, and the prevalence of phishing has been tracked for years.
A graph of this year’s trends shows the frequency of breach actions from 2016 onwards. Physical actions have remained fairly constant, but low. Hacking, social, malware and misuse are all declining. The one exception is error. During 2019, breaches due to error overtook breaches due to malicious activity and were rapidly closing in on breaches due to hacking. (Error is defined as an action with no malicious intent.)
Looking more closely, misdelivery and publishing errors have decreased while misconfiguration errors have increased dramatically (following the NSA’s warning in January 2020 that misconfiguration is the most common vulnerability in cloud environments). The DBIR analysis goes further, however, and highlights who discovers misconfigurations: more than 50% are found by security researchers, about 15% by another external party, almost 15% by the customer, but less than 10% by the organization’s own employees. In total, more than 90% of misconfigurations are reported to the organization afterwards rather than detected and prevented by the organization itself.
With the threat increasing and companies unable to detect misconfigurations on their own, it is clear that many need to work on detecting and preventing errors before they occur. This level of detail is available from the DBIR data analysis and can be used by security experts to refine their own risk-based approach to security controls. “Nobody’s perfect,” Bassett said. “A misconfiguration is primarily an administrator error, or someone putting confidential data in a public place. But we have to be prepared for mistakes and not just assume they won’t happen.”
One of the solutions, he says, is to remove the stigma from error. Staff should feel comfortable reporting errors without fear of serious consequences. Companies can complement this approach by looking at the process improvement techniques used in engineering, some of which exist specifically to detect and correct errors. A question practitioners should ask themselves: how can we adapt engineering methods to security methods?
The great value of the DBIR is that it converts breach data from anecdote into visualised, thoroughly analyzed facts. This helps practitioners focus on the areas that need their attention. “It’s important to understand the dataset and the limitations of each report,” adds Rick Holland of Digital Shadows. “The fact that the DBIR focuses on 2019 data does not detract from the report; there are still long-standing trends that are useful for defenders. In addition, the DBIR should be used as a data point in your risk management strategy, supplemented by your own internal incident and breach reporting.”
The DBIR remains a fundamental asset for identifying existing and evolving threats so that practitioners can see where they need to focus to ensure an effective risk-based security posture.
Related: Verizon Releases 2019 Data Breach Investigations Report (DBIR).
Related: State hackers are responsible for almost one in five external data breaches.
Related: Verizon 2016 DBIR: What you need to know.
Related: Verizon 2015 DBIR: Motive and I.D.O. don’t sweat.
Kevin Townsend is a prominent member of SecurityWeek. He wrote about high-tech problems even before Microsoft was born. Over the past 15 years, he has specialized in information security and has published several thousand articles in dozens of different magazines, from The Times and Financial Times to modern and old computer magazines.