
Operations
5/13/2021 05:25 PM

85% of Data Breaches Involve Human Interaction: Verizon DBIR

Ransomware, phishing, and Web application attacks all increased during a year in which the majority of attacks involved a human element.

Web application attacks, phishing, and ransomware increased over the past year, emphasizing a shift as attackers took advantage of people working from home and spending more time online amid the COVID-19 pandemic. Most (85%) attacks seen in 2020 involved human interaction.

This is a key takeaway from Verizon's "2021 Data Breach Investigations Report," published today with nearly 120 pages of data, trends, and analysis about a year in which cybercrime accelerated as many other aspects of life slowed down. The latest DBIR analyzes 29,207 "quality incidents," of which 5,258 were confirmed breaches – one-third more compared with last year's report.

The median financial impact of a breach last year was $21,659, with 95% of incidents falling between $826 and $653,587. While many breaches did not lead to losses, those that did had a wide range: Ninety-five percent of computer data breaches that led to losses fell between $148 and $1.6 million, with a median loss of $30,000. The median amount lost to ransomware was $11,150, and the range of losses in 95% of attacks that cost victims ranged from $70 to $1.2 million.

Phishing attacks and ransomware attacks increased by 11% and 6%, respectively, researchers report.

"Any double-digit increase in the report is big," says Gabe Bassett, senior information security data scientist for the Verizon Security Research team and co-author of this year's Verizon DBIR. "It's a percentage increase, so it has to steal from somewhere else."

Phishing was seen in 25% of breaches in last year's report; this year, it was 36%. Data shows attacks with negative changes in 2020 include misdelivery (-6%), password dumper (-6%), privilege abuse (-5%), misconfiguration (-2%), theft (-2%), vulnerability exploits (-2%), and data mishandling (-2%). While there isn't an exact one-for-one in terms of gains for losses, this helps to explain where phishing and ransomware "stole" from, he notes.

"There's definitely a continued shift for the attackers toward the most efficient attacks and methods of monetization," Bassett continues. "Breaches are moving away from complexity, toward simplicity."

Most attackers are external and financially motivated, and organized crime is the top attacker category, the report states. Even as awareness of supply chain attacks has increased, the overall percentage of attacks with a secondary motive – in which the ultimate goal is to leverage the victim's access, infrastructure, or assets to launch more attacks – has decreased from last year.

Phishing attacks go hand-in-hand with the use of stolen credentials. More than 60% of breaches involved credential data, and 95% of organizations experiencing credential stuffing attacks had between 637 and 3.3 billion malicious login attempts throughout the past year. The use of stolen credentials didn't increase much, he notes, but it was already a large part of breaches.

"Credentials are the skeleton key," Bassett says. Most know stolen credentials are a problem, but what they may not think about is how they spread across attack patterns and enable the start of many different types of data breaches, from phishing campaigns, to stealing the contents of a target mailbox, to a ransomware campaign in which an attacker encrypts then steals data.

The trend toward simplicity is evident in the continued increase of business email compromise (BEC), which followed phishing as the second most common form of social engineering, reflecting a 15x spike in "misrepresentation," a type of integrity breach. BEC doubled last year and again this year. Of the 58% of BEC attacks that successfully stole money, the median loss was $30,000, with 95% of BECs costing between $250 and $984,855, researchers learned.

Of the breaches analyzed, 85% had a human element. This is a broad term that encompasses any attack that involves a social action: phishing, BEC, lost or stolen credentials, using insecure credentials, human error, misuse, and even malware that has to be clicked then downloaded.

"I think it's very easy in security to forget that what we're securing is not the computer. What we're securing is the organization," Bassett explains. "The organization is the people as well."

A Target on Web Applications
Attacks on Web applications made up 39% of all breaches, underscoring the challenges that businesses face as they move more business functions to the cloud.

Basic Web application attacks, a new attack pattern in this year's DBIR, are those with a small number of steps or additional actions after the initial Web application compromise. These attacks typically target open Web and Web-adjacent interfaces.

"They are very focused on direct objectives, which range from getting access to email and web application data to repurposing the web app for malware distribution, defacement or future DDoS attacks," researchers state in the report.

While most of these attacks involved hacking servers, the report states, there are sub-patterns, such as the use of stolen credentials and brute forcing a Web application to compromise either actual Web apps or Mail servers. Nearly all (96%) Mail servers compromised in these attacks were cloud-based, leading to the compromise of personal, internal, or medical information.

There are two ways to look at the challenges of businesses moving to the cloud, Bassett says. The first is that organizations must be careful because there's a new threat model, "but the other is that 'attackers are following me to the cloud because that's where I'll be.'" Transitioning to the cloud changes the security mentality: Traditionally, businesses have focused on securing the computer. When they move to the cloud, that computer is no longer theirs.

"Moving to the cloud refocuses more clearly on the human element," he continues. Now organizations are more focused on protecting the people, their credentials, and how they access resources from outside the organization.

Bassett emphasizes the importance of security operations for organizations large and small. One key takeaway from this DBIR and previous reports has been the "spikiness" of security data. There may be a long time between a few short distributed denial-of-service (DDoS) attacks, and then there will be a massive one. Or there could be several small instances of credential stuffing, followed by a large one.

Researchers know there's no way to predict the big, one-off security events that are an exception to the norm. Organizations can engineer for the main types of attacks, such as phishing, and those controls will also stop many of the small and unique attacks that occur. However, they can't prepare for the next major cyberattack. That's where operations come into play. Operations, he says, "it's people – it's flexible." They are the ones who can help address those exceptional threats.

"You can engineer for the expected, but you need to have ops for the exceptional," Bassett says. "You're not going to be able to predict when that big thing happens, so you need to be able to operationally adapt to it."

Alex Pinto, co-author of the DBIR, will further discuss trends from this year's report, and what they mean for organizations, in an interview with Dark Reading editor-in-chief Tim Wilson at the upcoming RSA Conference. A link to the interview is here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...