Verizon has published their 13^th annual Data Breach Investigations Report – and it focuses on security incidents and breaches that occurred during 2019. The 2020 DBIR analysed 157,525 incidents, 32,002 in detail and confirmed 3950 breaches in 81 countries.

Although the scope is global, half of the incidents in the data come from North America and only 13% from Europe.

The DBIR differentiates between a breach (where data is confirmed to have been stolen) and an incident (where data disclosure was not confirmed but the confidentiality, integrity or availability of the data was compromised).

The DBIR reports incidents and breaches that took place (succeeded in other words) – so it paints a somewhat different view of the world compared to reports from security vendors who also include data about failed attacks which were blocked by their security systems.  For example, Cryptocurrency mining malware was present in just 1.5% of incidents – yet 10% of organisations received (and blocked) Cryptocurrency mining malware during the year.

The full report can be obtained from the Verizon website

Why breaches happen

Knowing your enemy helps you defend your network.  When it comes to understanding the motivation of threat attackers the adage to ‘follow the money’ proves true:

86% of breaches were financially motivated and Organised Crime was behind 55% of breaches.

70% of breaches were perpetrated by external actors and they were prepared to work for their money – 45% of breaches featured active Hacking whereas Malware was involved in only 17% of breaches.

However, a growing trend in the report this year is the own-goals scored by in-house teams. Errors and Misconfigurations were causal events in 22% of breaches

When considering just breaches: all types of threat actions are trending down over the last five years (including Hacking, Social engineering and Malware) except for Errors and Misconfigurations which is slowly on the rise.

What is being targeted

Web applications were involved in 43% of breaches and 37% of breaches stole or abused credentials.  So, when it comes to data theft, not surprisingly threat attackers are focusing on the main exposed attack surface – which is the internet facing web application servers in most networks.

Criminals don’t want to have to work for a living any more than anyone else -so they start with the low hanging fruit and try to brute force or steal credentials where they can. The primary means for obtaining credentials is Phishing (present in 22% of breaches) or credential theft by other means (in another 20% of breaches).

The next two most prevalent threat actions in breaches are based on Errors – with either misdelivery of confidential information or misconfiguration of access controls accounting for another 20% between them.  We don’t know how much of this growth in the Errors category is a result of more transparent and honest reporting by organisations when they make a mistake and how much is down to the increased use of cloud and SaaS systems and staff are making errors with unfamiliar new tools.

Over 70% of attacks are focused on servers (as opposed to personal computers or kiosks/terminals etc). The attacks on servers are biased with 40% of total attacks  being against web application servers, 20% against mail servers and 10% against database servers – reflecting both where the weaknesses lie and how exposed the different types of server are to the internet.

Hacking that resulted in successful breaches is focused on Brute Force of use of Stolen Credentials (in 80% of breaches that involved Hacking) – and over 80% of those attacks were focused on Web Applications.

Vulnerability Management is only the start

Identifying and patching vulnerabilities occupies a lot of time and effort in security teams.  Perhaps because (regulatory mandates aside) Peter Drucker was right: ‘what gets measured gets managed’ and it is easy to measure vulnerabilities and patching thanks to the existence of automated vulnerability scans.   The exploitation of vulnerabilities was a factor in only 5% of breaches.

Patching is important but once it is in place there are other things that will have a much greater impact on your network’s security that need to be addressed.

Dominant themes in the DBIR report suggest it will be prudent to invest in steps that will: Enhance the security of Web Application servers – these are the main target of attacks and reduce the number of Errors performed by your staff.

Practice Makes Perfect

SIEM systems and a well-rehearsed Security Incident Response Plan will help you spot and contain incidents more quickly.  Generally, organisations have made great strides in recent years to spot and contain incidents much more quickly.

Breaches are being spotted and contained more quickly – practicing the Incident Response Plan really pays off.  In 2016 over 60% of breaches went undetected for several months, but in 2019 over 60% of breaches were detected and contained in ‘days or less.’

Key takeaways

Web Application servers were the primary target in most breaches – first using stolen credentials or credential stuffing and secondly by hacking the application server software.  Invest in enhancing the security of the network components which are the target of most attacks – validate your network security through Web Application Penetration Testing.

Credential theft and Phishing is implicated in over 40% of breaches – Security Awareness Training will help your team improve their password hygiene and protect their credentials.

Misconfiguration of Cloud Services and Network Devices is increasingly mentioned in data breach reports – it was a factor in over a fifth of breaches in 2019.  A External Network Penetration Test will identify problems in your network infrastructure.