Security breaches follow the money
Almost nine out of 10 (86%) data breaches in the period studied were financially motivated, and the strong majority (70%) were carried out by external actors, of whom more than half (55%) were attributable to organised crime, according to a new report. More than two thirds (67%) of the breaches investigated involved credential theft and social attacks: attackers used stolen credentials or cracked weak passwords in 37% of breaches, a quarter involved phishing, and 22% involved human error.
These are some of the key findings of the 2020 Verizon Data Breach Investigations Report, which analysed 32,002 security incidents and 3,950 confirmed breaches drawn from 81 contributing organisations across 81 countries.
Building on previous years, the proportion of financially motivated breaches has risen to 86% from 70% last year. The current report also highlights a two-fold year-on-year increase in web application breaches, to 43% of all breaches; stolen credentials were used in over 80% of these cases, which the report calls “a worrying trend” as business-critical workflows continue to move to the cloud.
Ransomware saw a slight increase, found in more than a quarter (27%) of malware incidents (up from 24% in 2019). Almost one in five (18%) organisations reported blocking at least one piece of ransomware last year.
“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, CEO, Verizon Business. “In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”
When examining the tactics used by attackers, almost half of breaches (45%) featured some kind of hacking, while just over a fifth (22%) involved human error. The same proportion (22%) involved some kind of social attack, while noticeably fewer (17%) involved malware. Some 4% involved physical actions, and 8% of investigated breaches involved misuse by authorised users.
That hacking features so highly as a form of attack is a cause for concern. The report found that more than 80% of hacking-related breaches involved either brute forcing or the use of lost or stolen credentials. Vulnerability exploitation is the next most common variety of hacking, at well below 20%, followed by the use of backdoors and abuse of functionality, each in single digits.
On a positive note, the vast majority (81%) of breaches were contained within days or less. However, the proportion of breaches that took months or more to detect and contain now stands at 26%.
“This year we have seen an improvement in both time to discover as well as time to contain,” said Gabe Bassett, senior information security data scientist, Verizon. “Particularly, discover time has trended up over the last several years. There were big improvements in both discovery and containment time this year, but before we celebrate, it’s worth noting that a lot of that can be attributed to breaches reported by managed security service providers (MSSP). That isn’t necessarily a bad thing, however. Small and medium sized businesses need the ability to detect and respond to breaches too. Since they likely can’t afford their own security operations centre, the next best thing is managed security, where they can benefit from economies of scale.”
With regard to the rise in the use of social attacks, Bassett said the human element has been a driver of breaches in this year’s report, accounting for the top five action varieties.
“When it comes to social attacks,” said Bassett, “we have heard anecdotally that phishing attacks are getting harder to spot and that more advanced phishing tests yield far higher click rates than the overall median”.
“Ultimately,” he said, “no-one is perfect, not users, not security professionals, not attackers. So our best course of action is to plan for mistakes and let our staff know that it’s ok. Instead of hiding things like clicking a phishing e-mail, we want them to know we understand, and instead need them to report what happened so that we, as security professionals, can respond to it.”
The report examines various sectors and found significant differences in the nature of breaches. In Manufacturing, less than a quarter (23%) of malware incidents involved ransomware, compared to almost two thirds (61%) in the Public Sector, both of which were dwarfed by 80% in Educational Services. Errors accounted for a third (33%) of Public Sector breaches, but only 12% of Manufacturing.
In Manufacturing, breaches by external actors using malware such as password dumpers, app data capturers and downloaders to obtain proprietary data for financial gain account for 29% of breaches.
In Retail, almost all (99%) incidents were financially motivated, with payment data and personal credentials continuing to be prized. Web applications, rather than Point of Sale (POS) devices, are now the main cause of Retail breaches, says the report.
In the Financial and Insurance sector, almost a third (30%) of breaches were caused by web application attacks, primarily driven by external actors using stolen credentials to access sensitive data stored in the cloud. The move to online services is a key factor, according to the report.
Ransomware attacks doubled this year in Educational Services, accounting for approximately 80% of malware attacks vs. last year’s 45%, and social engineering accounted for 27% of incidents.
In Healthcare, basic human error accounted for 31% of breaches. External actors were behind 51% of breaches (up from 42% in the previous year), slightly more than insiders at 48% (59% previously). This vertical remains the industry with the highest number of internal bad actors, due to greater access to credentials, says the report.
In the Public Sector, ransomware accounted for almost two thirds (61%) of malware-based incidents. A third (33%) of breaches were accidents caused by insiders. However, organisations have got much better at identifying breaches, the report found, as only 6% lay undiscovered for a year compared with 47% previously, which the report links to legislative reporting requirements.
The report notes significant regional variations too, with financially motivated breaches in general accounting for 91% of cases in Northern America, compared to 70% in Europe, Middle East and Africa and 63% in Asia Pacific.
The technique most commonly leveraged in Northern America was stolen credentials, accounting for over 79% of hacking breaches; 33% of breaches were associated with either phishing or pretexting.
Denial of Service (DoS) attacks accounted for more than 80% of malware incidents in Europe, Middle East and Africa (EMEA), where 40% of breaches targeted web applications, using a combination of hacking techniques that leverage either stolen credentials or known vulnerabilities. Only 14% of breaches were associated with cyber-espionage, according to the report.
In Asia Pacific (APAC), almost two thirds (63%) of breaches were financially motivated, and phishing attacks are also high, at more than 28%.
“Security headlines often talk about spying, or grudge attacks, as a key driver for cyber-crime,” said Alex Pinto, lead author, Verizon Business Data Breach Investigations Report, “our data shows that is not the case. Financial gain continues to drive organised crime to exploit system vulnerabilities or human error. The good news is that there is a lot that organisations can do to protect themselves, including the ability to track common patterns within cyber-attack journeys – a security game changer – that puts control back into the hands of organisations around the globe.”
In terms of overall trends, Bassett said what was high last year continues to be in this year’s report.
“However, error has risen to pass malware as the third most common action within breaches (and is in a tie with social actions such as phishing and BEC),” said Bassett. “While errors due to mis-delivery (sending person A person B’s data, whether in a physical envelope, e-mail, or through a Web app) are still high, the increase is very much due to unsecured cloud storage holding sensitive information. This data is then discovered by security researchers who tend to publish the finding publicly. However, it doesn’t necessarily mean that more errors are occurring. (In US industries with mandatory reporting requirements – healthcare and the public sector – errors have always been high.) Instead, I think it means we are seeing more reporting of errors. Ultimately, I hope for this to be a good thing, as it normalises error reporting. As I said before, no-one is perfect. But it’s only through acknowledging our mistakes, fixing them, and improving, that we can improve.”
Bassett notes that while errors went up, malware went down, particularly Trojans, “which is a good thing,” he adds.
“When we look at our malware blocks, it’s clear Trojans are still in heavy use, but they simply aren’t involved in as many breaches any more. That’s not to say all malware is down. Password dumpers are rising, as is ransomware. Ransomware is a clear threat that every type of organisation needs to be prepared for. It comes both in advanced forms, where an attacker manually compromises the network and spends some time understanding it before acting, and in much simpler attacks, which may just be an e-mail with a macro-enabled office document that executes the ransomware when run.”
The period of the report’s investigations was from 1 November 2018, to 31 October 2019, and therefore does not shed any light on the trends seen during the Covid-19 emergency around the globe. However, the trends do have some bearing on the issue, says Bassett, as the rise in the use of Web applications suggests a worrying trend related to working from home.
“Some more mature organisations are already geographically spread out and so are well prepared for this type of situation,” said Bassett. “They are able to maintain the security of assets whether within their perimeter or outside it. But for many organisations with a more traditional IT stack, they may not be used to providing primary business services through web apps. Unfortunately, the pandemic may have forced them to do so and attackers are well prepared to take advantage of it.”
“Organisations need to first focus on the basics, getting email, their VPN service, remote collaboration and video chat up and running,” argues Bassett. “However, they need to follow that with extending their current security practices to assets outside their boundary. That means continuing to deploy patches and antivirus signatures (even if it means laptops and such receive them directly from the AV and OS developers). It means ensuring web and email proxies function even when the asset is outside of the corporate network. It also means preparing for remote monitoring, digital forensics, and incident response.”
In conclusion, Bassett asserts that no organisation is perfect, but that there is little need to be.
“It’s ok to be imperfect,” says Bassett. “Imperfect or non-standard security is how most businesses do it, and it’s working in many ways. Remember to focus on where the attackers are targeting (phishing and credentials), look for ways to prevent errors such as process improvement frameworks, and continue doing what you are doing (pushing patches and malware signatures).”
“My advice for businesses,” concludes Bassett, “is be prepared for mistakes. Accept them. Fix them. And move on.”