Verizon 2020 Data Breach Investigations Report
The Verizon 2020 Data Breach Investigations Report ("DBIR") is here. In this 13th DBIR, Verizon analyzed a record total of 157,525 incidents, of which 32,002 met their quality standards and 3,950 were confirmed data breaches.
Before we dive into some the data, here are some helpful definitions:
Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign or an employee who leaves sensitive documents in their seat-back pocket.
Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error and Environmental. Examples at a high level are hacking a server, installing malware and influencing human behavior through a social attack.
Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
As usual, the DBIR is highly detailed––on first glance, here are some of Verizon's findings.
45% of breaches featured Hacking
22% included Social attacks
17% involved Malware (of which 27% were ransomware)
28% involved small business victims
22% involved phishing
30% involved internal actors
55% were conducted by organized criminal groups
22% involve Errors (Misconfiguration Errors (i.e., when someone fails to secure a cloud storage bucket or misconfigures firewall settings) have been increasing since 2017.)
Interestingly, with respect to Actions over time, Verizon noted that:
While Hacking and Social are down as a percent, they have remained close to the levels we have seen for the past few years. On the other hand, Malware has been on a consistent and steady decline as a percentage of breaches over the last five years. Why is this? Has malware just goneout of fashion like poofy hair and common courtesy? No, we think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence. So, while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.It is important to keep in mind that the points made above are in reference to breaches and not incidents. The incidents tell us a somewhat different story. Ransomware—which in our dataset rarely results in a confirmed breach unless paired with credential use—is on the rise.
In addition, other notable observations include:
Ransomware is the third most common Malware breach variety and the second most common Malware incident variety.
Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials.
Social actions arrived via email 96% of the time, while 3% arrived through a website. A little over 1% were associated with Phone or SMS, which is similar to the amount found in Documents. (The good news is that click rates are as low as they ever have been (3.4%), and reporting rates are rising, albeit slowly.)
. . .