Verizon released its Data Breach Investigations Report (DBIR) this morning, the massive, in-depth analysis of last year’s security breaches, based on 53,000 security incidents from 67 contributing organizations around the world, including security researchers and law enforcement agencies.
The most common types of attacks that resulted in breaches involved the use of stolen credentials, followed by RAM scraper malware, then phishing, and then privilege abuse. However, an attack doesn’t have to result in a data breach in order to do damage to a company.
The ransomware story
Ransomware was a major focus of the report. Last year, ransomware was the fifth most common type of malware associated with security incidents. In this year’s report, ransomware was in first place. “It was in 39 percent of security incidents that involved malware,” says Gabriel Bassett, information security data scientist, researcher and architect at Verizon, and co-author of the report.
More than that, ransomware is no longer targeting user desktops. Instead, attackers are increasingly going after business-critical systems, leading to bigger ransom demands and higher revenues for the criminals.
That’s not to say that ransomware was the biggest type of attack that organizations faced last year. Denial of service (DoS) attacks were 27 times more common. Accidental losses and errors were also common factors in security incidents, as were phishing attacks.
Ransomware wasn’t a factor in breaches, Bassett says, since ransomware usually isn’t associated with any data exfiltration. DoS attacks weren’t associated with many breaches either. In fact, although it’s common to hear that attackers use DoS attacks to cover up real breaches, this year’s data set contained only one data breach that involved a DoS attack.
In that breach, the DoS attack wasn’t used to cover up a breach, it was the other way around: The breach resulted in a compromised asset that was used to help launch a distributed denial of service (DDoS) attack.
On another positive note, when it comes to DDoS attacks, the median size has been getting smaller over time, and most attacks are short — measured in just minutes. What has gone up is the percentage of amplified attacks — from around 25 percent in 2013, rising steadily to around 80 percent today.
In amplification attacks, hackers take advantage of vulnerable systems to multiply the number or size of messages that are sent to their victims. “That leads to something that’s particularly important to the IT industry, to the people hopefully looking at the report,” says Bassett. “Which is: Don’t be part of the problem.”
When companies expose, for example, web applications with known vulnerabilities, the attackers can take advantage of that. Other vectors that are used by DDoS attackers include DNS and NTP services. “They make your infrastructure their infrastructure, and use your equipment to attack other people,” he says. “That’s an important consideration. You may not be the only victim of the compromise of your system.”
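One way to act on “don’t be part of the problem” is to look at your own edge traffic for UDP services whose replies dwarf the requests that trigger them. The following is an added example, not code from the report or from Verizon: it computes a bandwidth amplification factor (reply bytes divided by request bytes) per UDP service from constructed flow records and flags the services that would make your infrastructure useful to a DDoS attacker. The sample records and the threshold of 10 are assumptions.

```python
from collections import defaultdict

# Constructed flow records (request/response pairs observed at our own edge):
# transport protocol, destination port on our host, bytes in the request we
# received and bytes in the reply we sent. Values are illustrative only.
SAMPLE_FLOWS = [
    {"proto": "udp", "port": 53,  "req_bytes": 64,  "resp_bytes": 3240},  # large DNS answer
    {"proto": "udp", "port": 53,  "req_bytes": 64,  "resp_bytes": 3180},
    {"proto": "udp", "port": 123, "req_bytes": 48,  "resp_bytes": 4820},  # oversized NTP reply
    {"proto": "udp", "port": 123, "req_bytes": 48,  "resp_bytes": 4820},
    {"proto": "udp", "port": 161, "req_bytes": 90,  "resp_bytes": 250},   # SNMP, modest ratio
    {"proto": "tcp", "port": 443, "req_bytes": 520, "resp_bytes": 9800},  # TCP handshake defeats spoofing
    {"proto": "udp", "port": 53,  "req_bytes": 0,   "resp_bytes": 200},   # malformed record, skipped
]


def amplification_factors(flows):
    """Bandwidth amplification factor (reply bytes / request bytes) per UDP service.

    TCP flows are ignored: a spoofed source cannot complete the handshake, so
    TCP services are not usable as reflectors. Records with no request bytes
    are skipped to avoid division by zero.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp" or f["req_bytes"] <= 0:
            continue
        key = (f["proto"], f["port"])
        req[key] += f["req_bytes"]
        resp[key] += f["resp_bytes"]
    return {k: resp[k] / req[k] for k in req}


def flag_amplifiers(flows, threshold=10.0):
    """Return (port, factor) for UDP services at or above the threshold, worst first."""
    bafs = amplification_factors(flows)
    hits = [(port, round(baf, 1)) for (_, port), baf in bafs.items() if baf >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for port, factor in flag_amplifiers(SAMPLE_FLOWS):
        print(f"udp/{port}: amplification factor {factor}x, review exposure of this service")
```

Services that show up here are candidates for rate limiting, response-size limits (for DNS, refusing open recursion; for NTP, disabling the legacy control queries) or removal from the public edge.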
The foreign spies
Russian hackers were all over the news over this past year, but nation-state and state-affiliated actors made up just 14 percent of the identified attackers. Sixty-two percent of attackers were linked to organized crime, and 20 percent were not affiliated with any group.
Financial gain was the biggest motivating factor for attackers, accounting for 76 percent of breaches. Espionage was in second place as a motive, accounting for 13 percent of breaches. That was a big drop from last year, when espionage was the motivation for 21 percent of breaches.
Espionage-related breaches didn’t just go down as a percentage of all breaches, but also in absolute numbers, Bassett says. There were 171 incidents that occurred during the time covered by this year’s report, which was from November 2016 through October 2017, compared to 292 over the previous year.
Some of those older incidents were only recently discovered, he added, since many breaches are not immediately obvious. Espionage-related breaches, for example, might not have the same immediate impact as stolen credit card numbers that show up on the dark web marketplaces.
The major industries hit by espionage — manufacturing, public sector, and education — all saw declines this year in the number of breaches. In last year’s report, all the numbers were up compared to the previous year.
Last year’s spike was not necessarily related to the DNC breach and other high-profile attacks of 2016, says Bassett. An attack on a single organization, no matter how much of an impact it has, only counts as one breach, he says. However, an attack against, say, a single point-of-sale (PoS) technology vendor may result in reported breaches at a large number of retail organizations.
Meanwhile, the average number for espionage-related attacks for all industries is less useful than the breakdowns for individual industry verticals. “I think that sometimes we miss the trees for the forest,” he says. “Overall, espionage is clearly the second biggest motive, less than financial but more than anything else. But retail is 12 times less likely to have a breach be espionage related, while in manufacturing and government, espionage is almost half of all their breaches.”
In the public sector, for example, more breaches were associated with espionage than other attack patterns this year. Espionage was also the most common factor in breaches in the manufacturing industry.
Attackers specialize in industry sectors, he says, focusing on the attacks that make the most sense. “Different industries are like different islands,” he says, citing the hospitality industry as a case in point. “In accommodation, you see a huge trend toward PoS breaches. The attackers specialize in what’s the least effort for them and has the greatest return.”
Path to compromise is shorter than people think
This year, for the first time, Verizon has begun mapping out the paths that attackers take from initial compromise to final data breach. This requires the collection of event chain data, and, so far, the dataset isn’t large enough for detailed analysis by industry or attacker type, Bassett says, or for historical comparisons.
The big takeaway so far is that most attacks do not follow the traditionally accepted, multi-step lifecycle of reconnaissance, initial compromise, privilege escalation, lateral movement, data collection, command and control, and data exfiltration. In fact, most attack paths are very short. “The majority of attacks are just one or two steps,” Bassett says.
This goes against the prevailing idea that breaches are long, complex affairs. Bassett likened it to a golf course where the designers hope that the players take a long path to the hole, with plenty of obstacles such as water hazards and sand traps along the way. None of those obstacles will be very effective, however, if the players keep getting holes in one.
Email is the weakest link
Social attacks — those involving phishing or CEO fraud and similar attacks — have been rising over the past few years, from less than 10 percent in 2010 to nearly 40 percent in 2017’s report.
That declined this year. Only 17 percent of breaches analyzed in the latest report involved social tactics. In fact, according to the report, most people never click phishing emails. Based on analyzing results from phishing simulations, 78 percent of people don’t click on a single phishing email all year — but it only takes one person to let the attackers in.
However, financial pretexting is on the rise, from 61 incidents last year to 170 this year, driven in large part by an 83 percent increase in attacks targeting HR staff. Email was also the most common delivery method for malware. According to the report, 92 percent of detected malware came in via email, followed by just over 6 percent for web browsers. “If you’re running an organization, and you look for malware, you know where to look,” says Bassett.
As it did last year, Verizon recommended keeping patches up to date, encrypting sensitive data, and using two-factor authentication. Unpatched vulnerabilities were associated with only 6 percent of breaches last year, but one of those breaches was the year’s biggest — the Equifax breach, with nearly 150 million records exposed.
By comparison, stolen credentials were involved in 22 percent of breaches, making it the leading type of action overall. “Passwords, regardless of length or complexity, are not sufficient on their own,” the Verizon report said, and called default or easily guessable passwords “useless as the G in lasagna” and “as en vogue as tight rolling your jeans.”