Phishing attacks and stolen credentials have become attackers’ most popular avenues of network compromise, and employee errors are helping pave the way according to Verizon’s newly released 2020 Data Breach Investigations Report (DBIR).
Verizon researchers analyzed 157,525 known “incidents” (defined as a security event that results in the compromise of an information asset) and 3,950 confirmed breaches (meaning data exposure to an unauthorized party was officially disclosed) — all taking place from Nov. 1, 2018 through Oct. 31, 2019. From this data set, the researchers gleaned a trove of insights into recent cybercriminal activity and behavior. Here are six of the more insightful findings from the report.
1. As stated above, the most common threat actions that led to an organizational breach were phishing and the use of stolen credentials.
Phishing campaigns and other social engineering scams were delivered primarily via email — a whopping 96 percent of the time — while the reminder arrived via website or phone/SMS.
“The good news is that click rates are as low as they ever have been (3.4 percent), and reporting rates are rising, albeit slowly,” the report states. Indeed, social engineering scams were actually down 6.6 percent overall compared to the previous year’s report.
User credentials were the most common data attribute stolen in phishing-related breaches, the report continues. Speaking of which, the use of stolen credentials constituted the number-one variety of “hacking-style” attack.
Verizon says that the brute-forcing of passwords or the use of lost or stolen credentials was involved in roughly four out of every five breaches caused by an actual hack. (Other popular hacking methods involved vulnerability exploits and backdoors/C2, but they were a distant second and third.)
Moreover, the researchers found that 37 percent of all breaches were at least partially enabled through stolen or used credentials. “Criminals are clearly in love with credentials, and why not since they make their jobs much easier?” the report asks rhetorically, noting that stolen credential use has experienced a “meteoric rise.”
According to Verizon, the median number of credential-stuffing attack attempts experienced by organizations who reported at least one such event over the study’s time period was 922,331.
“Zombie credentials never die; they just get reused in every gosh-darn attack,” said Bob Rudis, chief data scientist at Rapid7, in reaction to the report. “Attackers have amassed a cadre of billions of credentials and that stash seems to get bigger every week. There is so little risk in reusing them — either because organizations are blind to the login attempts or because regional authorities just don’t seem to care — and so much to gain when one set of credentials actually works, that we’ll continue to see this mode of attack until organizations finally implement multi-factor authentication across the board.”
2. User error is among the fast-growing causes of breaches cited in the Verizon report.
“Errors definitely win the award for best supporting action this year. They are now equally as common as social breaches and more common than malware, and are truly ubiquitous across all industries,” the report states, noting that errors were at least a partial contributor in 22 percent of breaches.
Examples of errors include misdelivery, which is when data and documents are sent to the wrong person, and misconfiguration, which includes instances where companies fail to password-protect a cloud-based database or storage bucket. These two categories represented, respectively, the fourth and fifth most common actions associated with a breach. And misconfigurations were up 4.9 percent from the previous year’s report.
“Errors have always been present in high-ish numbers in the DBIR in industries with mandatory reporting requirements, such as public administration and health care,” the report explains. “The fact that we now see error becoming more apparent in other industries could mean we are getting better at admitting our mistakes rather than trying to simply sweep them under the rug. Of course, it could also mean that since so many of them are caught by security researchers and third parties, the victims have no choice but to utter ‘mea culpa.’”
“The fact that misconfiguration is in the top five action varieties for breaches is an important acknowledgement that not all incidents are the result of an exploited vulnerability,” said Tim Erlin, VP of product management and strategy at Tripwire. “Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities.”
“It is no real surprise that naked S3 buckets and wide-open databases received a significant mention in the DBIR,” added Rudis. “The Rapid7 team finds millions of SMB servers, databases, and other inappropriately exposed services each time we run our… scans. Organizations must implement stronger controls and have finely honed practices and playbooks for deploying services safely.”
“The Verizon DBIR validates something we’ve been seeing for a long time: that cloud storage misconfigurations are on the rise and emerging as one of the top threats to cloud infrastructure,” said Balaji Parimi, CEO at CloudKnox Security. “Managing cloud infrastructure is very complex and the unprecedented levels of automation leaves a lot of room for these types of mistakes. Enterprises need to adopt a prevention-first approach, by making sure that only properly trained personnel have the permissions to perform such risky operations.”
3. The idea that one of your employees might attack your organization or mishandle your data is a disconcerting thought for sure, but external actors still carry out 70 percent of breaches, Verizon points out, in hopes of debunking the notion that insider threats are Public Enemy No. 1.
“External attackers are considerably more common in our data than are internal attackers, and always have been,” the report states. “This is actually an intuitive finding, as regardless of how many people there may be in a given organization, there are always more people outside it. Nevertheless, it is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous.”
Verizon says 86 percent of the confirmed breaches were financially motivated, and 55 percent of them were committed by organized cybercrime groups. After that, the culprits are a fairly even mix of state-aligned actors, system admins, internal end users and others.
But while most attackers are external, they can still surprisingly closer in geographic proximity to the victim than you might think. Citing computer data breach and BEC complaints to the FBI, Verizon says 85 percent of victims and subjects were based in the same country, 56 percent were located in the same state, and 35 percent were stationed within the same city. “So, the proverbial call is almost coming from inside the building,” the report states.
4. The report lends credence to the concept of defense in depth.
In its report, Verizon encourages organizations to deter cybercriminals by requiring them to jump through as many hoops as possible if they want truly to get past defenses and access vital data.
Of 429 studied breaches, the overwhelming majority required fewer than five steps to achieve the compromise.
“Attackers prefer short paths and rarely attempt long paths. This means anything you can easily throw in their way to increase the number of actions they have to take is likely to significantly decrease their chance of absconding with the data,” says the report, recommending two-factor authentication as one such obstacle.
Additionally, Verizon advises security professionals to analyze and understand the path attackers likely will take within your organization in order to accomplish a breach, in order to pinpoint areas where you can lay in wait to intercept them.
“…[A] compromise is often made up of multiple attacks, and so, as a defender, you have multiple opportunities to stop the attacker. The concept of defense in depth is applicable here,” said Erlin. “The [report] data provided about how the multiple steps in a compromise occur is vital. Malware is rarely the first step, and so if you catch malware in your environment, you have to look for what came before that. Hacking is much harder to deal with because it plays a role in the beginning, middle and end stages of a breach.”
5. Far and away, web applications comprised the vector category that was most commonly exploited in hacking-related breaches. Indeed, web applications were hit in nine out of 10 such occasions, and they accounted for 43 percent of breaches of all varieties — more than double the previous year’s total.
“This trend of having web applications as the vector of these attacks is not going away,” the report states. “This is associated with the shift of valuable data to the cloud, including email accounts and business-related processes.”
Verizon says cloud assets were involved in about 24 percent of the breaches reflected in its dataset — and in these cases, an email or applications server was targeted 73 percent of the time.
Mark Bower, senior vice president at comforte AG, said it’s not surprising the report found that web app attacks tend to “expose technology services firms, retail, financial and insurance services and professional services most to compromise. They are the highest aggregators of highly sensitive data with substantial third-party data sharing risk.”
Satnam Narang, staff research engineer at Tenable, said web app attacks are “often fueled by exploitation of some of the most common vulnerabilities, such as SQL injection or PHP injection flaws. As more and more businesses have migrated to the cloud, their attack surface increases, especially with respect to web applications.”
6. Certain malware varieties have taken a bit of a back seat. But most of the data was gathered before several prominent ransomware groups added data exfiltration to their repertoire.
Verizon’s report notes that the usage of ransomware and RAM-scraping malware in breaches was, respectively, only the seventh and eighth most common “threat actions” associated with breaches. (A ransomware attack is not counted as a breach if only data encryption is confirmed; there must be confirmed access to data.)
However, the report notes that ransomware-related breaches increased year-over-year by 2.6 percent, and acknowledges that it’s “a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations, but that can be stopped.”
Trojan and RAM-scraper use, however, is trending downward.
“When many people think of how hacking attacks play out, they may well envision the attacker dropping a trojan on a system and then utilizing it as a beachhead in the network from which to launch other attacks, or to expand the current one. However, our data shows that this type of malware peaked at just under 50 percent of all breaches in 2016, and has since dropped to only a sixth of what it was at that time (6.5 percent),” the report states. “Likewise, the trend of falling RAM-scraper malware that we first noticed last year continues…”
Verizon postulates that the success of hacking and socially-engineering campaigns — aided by the theft of credentials — “makes it no longer necessary to add malware in order to maintain persistence. So, while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.”
Password-dumping malware was most often used in successful breaches. Verizon actually saw a 4.2 percent year-over-year increase in the use of such tools.