Key lessons from the 2021 Data Breach Investigations Report

The 2021 Data Breach Investigations Report provides insights from the analysis of over 29,000 real-world cyber security incidents from 2020, helping security managers track the evolving behaviour and tactics of threat actors.

The Verizon Data Breach Investigations Report has become a regular fixture on the annual cyber security calendar over the last 14 years. This year’s report uses data from 83 organisations to analyse the tools, tactics and procedures used in 29,207 real-world security incidents, including 5,257 data breaches. We covered the lessons from last year’s DBIR report here.


How breaches happened in 2020

Here are some key takeaways from the report, focusing on the data that relates to Europe, the Middle East and Africa (EMEA), which differs somewhat in emphasis from the global and North American picture.

The people are the problem – they keep losing their credentials

The biggest attack vector used in data breaches in EMEA (over 50%) was basic attacks against web applications. The report defines these as attacks with a small number of steps or additional actions after the initial web application compromise. They are very focused on direct objectives, which range from getting access to email and web application data to repurposing the web app for malware distribution, defacement or future DDoS attacks.

80% of these web applications were compromised using stolen credentials, obtained either through social engineering (see below) or through credential stuffing attacks, which suggests that your system admins are re-using passwords.

When it comes to web servers, in over 60% of the attacks the objective was to repurpose the server as a malware distribution node, a DDoS server or a cryptominer.

Across all kinds of breaches, 61% involved the use of compromised credentials.


The people are still the problem – social engineering on the rise

Almost 20% of data breaches in EMEA involved social engineering. Phishing is on the rise, along with Business Email Compromise (BEC); BEC incidents doubled compared to the previous year. Some form of social engineering, that is, tricking your staff into opening malicious attachments, clicking on links or divulging their login credentials to the bad guys, was the second biggest primary attack vector observed in all the EMEA data breaches studied for the report, and the largest when looking at all breaches globally. 85% of all data breaches (globally) involved a human element.


Complex System Intrusions on the rise

A new category in this year’s report, System Intrusion, refers to complex multi-step attacks in which the attackers penetrate deeply into the target network. These account for just under 20% of breaches.

Starting with social engineering or hacking to gain initial access, these attacks often (70% of the time) install malware, either ransomware or some form of data siphoning. A typical data siphoning attack, often referred to as a Magecart attack after the pioneers of this technique, involves installing malware in a payment system to copy payment card details as they flow through the system and send that copy to the attackers, who then sell them on the dark web.


The people really are the problem – they don’t read the manuals

The fourth most common cause of breaches (about 18% of the time) is human error. This includes emailing sensitive data to the wrong person or leaving cloud data stores unsecured or misconfigured. 99% of the time the error was made by an employee, not by a business partner or supplier.

Half of the time it was a sys admin who dropped the ball, 30% of the time it was a developer, and less than 20% of the time it was an end user. According to the report, most of the compromised assets were cloud-based, perhaps indicating that we are still learning how to manage and secure cloud services compared to on-premises hardware.

Half of the errors were misconfigurations of systems or software that left data exposed, and over 20% of the time the data was simply sent to the wrong person (or distribution list).

Here is a sobering thought to end with: only 3% of breaches involved the exploitation of a software vulnerability, and, as we said above, 85% of breaches involved a human element. The question is: does this indicate that our patching programmes are working so well that the only effective route of attack is through social engineering, or are we at risk of seriously undervaluing security awareness training and cultural approaches to security, focusing too much on technical risk and missing the bigger risk that people pose?


Why Security Incidents Happened in 2020

Not all security incidents result in a data breach; the DBIR reported and analysed five times more security incidents than breaches.


Kidnap and Ransom

The modern version of kidnap and ransom, that is, Denial of Service attacks and ransomware, accounted for half of all incidents reported in 2020. It is a sobering reminder that cyber-crime is just crime, and often organised crime at that. Extortion is part of the playbook for the 21st-century mafiosi, but instead of threatening to burn down your restaurant, they encrypt your database or DDoS your web server unless you pay up. According to Verizon, in 80% of breaches the threat actor was from organised crime.

Increasingly ransomware incidents turn into data breaches as the criminals also take a copy of your data and threaten to publish it if their ransom is not paid.

That said, DDoS attacks are by far the more prevalent form of security incident, and these days they are one of the easiest for most firms to defend against with the help of ISPs, Content Delivery Networks or firms such as Cloudflare.


Stealing your servers

The compromise of web servers in order to repurpose them as part of another attack is the second most frequent form of security incident, appearing in almost 20% of incidents. Why would the criminals pay for their own web servers to deliver their malware downloads or mine Monero when they can simply break into your servers and use them for free?


Social Engineering

Social engineering was a key factor in around 15% of security incidents, with credential theft as the primary aim, and, as we discussed above, social engineering is overall one of the main attack vectors used by threat actors today.


Lessons from the 2020 DBIR

The 2020 Data Breach Investigations Report provides a useful insight into the tactics and behaviour of threat actors in recent times. In particular, it shows where threat actors are currently focusing their efforts, which in turn tells security managers where to pay attention:

  • Credential theft and credential stuffing attacks work – remind your team of the importance of protecting passwords, the risks of phishing emails and never to re-use passwords… ever.
  • Web servers are a primary target – invest in a Web Application Firewall to protect the web server, and ensure the application itself is secure with a web application penetration test.
  • It is much more likely that a sys admin or developer, rather than someone from the call centre, will make the mistake that lets the bad guys into your network. Do not skimp on training for the technical team, and work on building a culture of security awareness in the engineering teams.
  • DDoS attacks are very common – invest in a defence against this type of extortion attack.
  • Ransomware is less common, even though it grabs the headlines, but it is on the rise, doubling since 2019. Ensure you have offline backups and that you have tested how long a restore will take.
