Web application attacks, phishing, and ransomware increased over the past year, emphasizing a shift as attackers took advantage of people working from home and spending more time online amid the COVID-19 pandemic. Most (85%) attacks seen in 2020 involved human interaction.
This is a key takeaway from Verizon's "2021 Data Breach Investigations Report," published today with nearly 120 pages of data, trends, and analysis about a year in which cybercrime accelerated as many other aspects of life slowed down. The latest DBIR analyzes 29,207 "quality incidents," of which 5,258 were confirmed breaches – one-third more compared with last year's report.
The median financial impact of a breach last year was $21,659, with 95% of incidents falling between $826 and $653,587. While many breaches did not lead to losses, those that did had a wide range: Ninety-five percent of computer data breaches that led to losses fell between $148 and $1.6 million, with a median loss of $30,000. The median amount lost to ransomware was $11,150, and in 95% of ransomware attacks that cost victims money, losses ranged from $70 to $1.2 million.
Phishing attacks and ransomware attacks increased by 11% and 6%, respectively, researchers report.
"Any double-digit increase in the report is big," says Gabe Bassett, senior information security data scientist for the Verizon Security Research team and co-author of this year's Verizon DBIR. "It's a percentage increase, so it has to steal from somewhere else."
Phishing was seen in 25% of breaches in last year's report; this year, it was 36%. Attack varieties that declined in 2020 include misdelivery (-6%), password dumper (-6%), privilege abuse (-5%), misconfiguration (-2%), theft (-2%), vulnerability exploits (-2%), and data mishandling (-2%). While there isn't an exact one-for-one match between gains and losses, this helps to explain where phishing and ransomware "stole" from, Bassett notes.
"There's definitely a continued shift for the attackers toward the most efficient attacks and methods of monetization," Bassett continues. "Breaches are moving away from complexity, toward simplicity."
Most attackers are external and financially motivated, and organized crime is the top attacker category, the report states. Even as awareness of supply chain attacks has increased, the overall percentage of attacks with a secondary motive – in which the ultimate goal is to leverage the victim's access, infrastructure, or assets to launch more attacks – has decreased from last year.
Phishing attacks go hand-in-hand with the use of stolen credentials. More than 60% of breaches involved credential data, and 95% of organizations experiencing credential stuffing attacks had between 637 and 3.3 billion malicious login attempts throughout the past year. The use of stolen credentials didn't increase much, he notes, but it was already a large part of breaches.
"Credentials are the skeleton key," Bassett says. Most know stolen credentials are a problem, but what they may not think about is how they spread across attack patterns and enable the start of many different types of data breaches, from phishing campaigns, to stealing the contents of a target mailbox, to a ransomware campaign in which an attacker encrypts then steals data.
The trend toward simplicity is evident in the continued increase of business email compromise (BEC), which followed phishing as the second most common form of social engineering, reflecting a 15x spike in "misrepresentation," a type of integrity breach. BEC doubled last year and again this year. Of the 58% of BEC attacks that successfully stole money, the median loss was $30,000, with 95% of BECs costing between $250 and $984,855, researchers learned.
Of the breaches analyzed, 85% had a human element. This is a broad term that encompasses any attack that involves a social action: phishing, BEC, lost or stolen credentials, using insecure credentials, human error, misuse, and even malware that has to be clicked then downloaded.
"I think it's very easy in security to forget that what we're securing is not the computer. What we're securing is the organization," Bassett explains. "The organization is the people as well."
A Target on Web Applications
Attacks on Web applications made up 39% of all breaches, underscoring the challenges that businesses face as they move more business functions to the cloud.
Basic Web application attacks, a new attack pattern in this year's DBIR, are those with a small number of steps or additional actions after the initial Web application compromise. These attacks typically target open Web and Web-adjacent interfaces.
"They are very focused on direct objectives, which range from getting access to email and web application data to repurposing the web app for malware distribution, defacement or future DDoS attacks," researchers state in the report.
While most of these attacks involved hacking servers, the report states, there are sub-patterns, such as the use of stolen credentials and brute forcing a Web application to compromise either actual Web apps or Mail servers. Nearly all (96%) Mail servers compromised in these attacks were cloud-based, leading to the compromise of personal, internal, or medical information.
There are two ways to look at the challenges of businesses moving to the cloud, Bassett says. The first is that organizations must be careful because there's a new threat model, "but the other is that 'attackers are following me to the cloud because that's where I'll be.'" Transitioning to the cloud changes the security mentality: Traditionally, businesses have been focused on securing the computer. When they move to the cloud, that computer is no longer theirs.
"Moving to the cloud refocuses more clearly on the human element," he continues. Now organizations are more focused on protecting the people, their credentials, and how they access resources from outside the organization.
Bassett emphasizes the importance of security operations for organizations large and small. One key takeaway from this DBIR and previous reports has been the "spikiness" of security data. There may be a long gap between a few short distributed denial-of-service (DDoS) attacks, and then there will be a massive one. Or there could be several small instances of credential stuffing, followed by a large one.
Researchers know there's no way to predict the big, one-off security events that are an exception to the norm. Organizations can engineer for the main types of attacks, such as phishing, and those controls will also stop many of the small and unique attacks that happen. However, they can't prepare for the next major cyberattack. That's where operations come into play. Operations "is people – it's flexible," he says. They are the ones who can help address those exceptional threats.
"You can engineer for the expected, but you need to have ops for the exceptional," Bassett says. "You're not going to be able to predict when that big thing happens, so you need to be able to operationally adapt to it."
Alex Pinto, co-author of the DBIR, will further discuss trends from this year's report, and what they mean for organizations, in an interview with Dark Reading editor-in-chief Tim Wilson at the upcoming RSA Conference. A link to the interview is here.