Mid-year is Christmas for us in the cybersecurity business. It's the time of year where Verizon releases the Data Breach Investigations Report, or DBIR. This report, now on its 13th version, is one of the most important sources of data in Infosec. Many strategies against threats get defined by it, and a lot of IT pros rely on its analysis.
This year, the DBIR is better than ever. On its "coming-of-age", the 2020 report analyzed 32.000 incidents, four thousand of which are confirmed breaches. With 119 pages, it can be tricky to digest even for the keenest of professionals.
So, instead of a deep and through analysis of every threat discussed, we selected the most relevant pieces of information. We hope these takeaways to be useful when devising your own strategies.
Money is still the main motivation behind cyberattacks
A whopping majority of data breaches (86%) are motivated by financial gain. This may not sound as news for anyone, but in context, it speaks miles about the actors behind the attacks. For example, organized cybercrime accounted for 55% of the attacks, and 72% of the total of attacks targeted large businesses. Those businesses aren't only financial or public institutions, but industries like healthcare, manufacturing, and education.
The malicious actors behind these money-motivated attacks have a defined target: personal data. 58% of all attacks involved the theft of credentials, which can be easily used for profit. Speaking about attacks: credential theft, social attacks, and errors account for 67% of all confirmed breaches. "Error" is a new trend, which we will discuss shortly.
In recent years, the most notable money-motivated threat is ransomware. This year, the growing tendency is still there. While malware is on the decline, 27% of total malware threats were some sort of ransomware. The report states that it's "a big problem that is getting bigger", in part because of how easy it is to roll out an attack. Nevertheless, the old problems seem to still be here. For example, 96% of phishing attacks still happen by email, a fact to consider when preparing for disaster.
Our takeaway: take good measures to protect any asset of your organization that, if breached, can give the hackers leverage. Personal data and critical endpoints that may be hit by ransomware are a priority. Consider countermeasures if encryption and endpoint protection aren't enough.
Human error is a threat on the rise
We always try to put the blame on someone else, but sometimes our own mistakes lead to the worst scenarios. The DBIR lists error as the second cause of incidents behind hacking, and misconfigurations have been rising as a threat since 2017. Some security researchers have an answer: web applications' complexity. This in turn leads to dependence on external, cloud-based services and nested dependencies, the cause for configuration mistakes.
Those mistakes usually happen when our admins handle a database or service without proper security, leading to unauthorized access. This is the cream of the crop for avid hackers looking for holes in web software. Like a compromised endpoint, a misconfigured web application is a very exploitable entryway to a larger target.
The abuse of misconfigurations isn't just for malicious actors, though. The DBIR states "there are security researchers out there who spend time looking for just this kind of opportunity". As 40% of all error incidents come from misconfigurations, security experts are on the lookout for your (and our) mistakes.
Our takeaway: human error is inevitable. First of all, it's better to be humble and admit a mistake than staying quiet and let everything burn. An auditing mentality when developing –having more than one person to work on a project– can help avoid issues. If you have one guy in charge of your infrastructure –or your security, your permissions, or else– you have a disaster waiting to happen. And of course: always check twice!
Breaches using brute force or stolen credentials are bigger than ever
As we stated earlier, credential theft is a big motivation for an attack, but the use of those stolen credentials for hacking purposes is dangerous as well. The DBIR reports that over 80% of breaches within hacking involve the use of stolen credentials or brute force. Hackers possess millions of usernames and passwords to use against any login. If your organization becomes a target, rest assured: hackers will most likely get in.
The main vector of these attacks seems to be web applications, with growth in incidents year-over-year of 43%. The authors claim the shift of valuable data to the cloud, including email accounts and business processes, is associated. Seems obvious: as many services move to the cloud, so do the credentials. The data backs this claim, as cloud assets are involved in almost a quarter of all breaches.
This threat is even worse in the remote work environment we have today. Workers leave their mostly secure workplaces to inhabit unsafe home connections. And of course, employees rely on remote access to assets, uncontrolled VPN use, and lax policies. As BYOD gets bigger and the principle of least privilege gets pushed aside, Cloud and SaaS applications become even more vulnerable.
Our takeaway: if you haven't implemented multi-factor authentication, what are you waiting for? A solid strategy on logins and authentication is the minimum requirement, Cloud or otherwise. Apply the principle of least privilege to Cloud and SaaS services, as well as endpoints. Get your policies together! Enforce the use of a VPN! Be careful with SSH & Telnet ports!
When attacked we act quicker than before, but it's not enough
Not everything has to be bad news, right? The DBIR states that more than 60% of breaches are discovered in days or less, and contained in the same timeframe in the 81% of cases. In fact, the containment percentage is at an all-time high. A ray of hope, as they say.
The main factor behind the swift detection of threats is the improvement of detection and response. However, the growth of ransomware we described earlier may also be favorable to the figure. As the DBIR quickly clears out, discovery on ransomware cases is almost immediate due to "actor disclosure".
Ransomware is a main factor in the data because even if the user acts quickly –because it has to disclose the breach immediately– the damage it does is gruesome.
On the other hand, the DBIR reports that at least a quarter of all breaches are discovered in months or more. Nevertheless, they are quick to point out that the data is a trailing indicator and not the actual number, and some threats from 2019 may not have been discovered yet. Tough news.
Our takeaway: as we've been pointing out, detection and response is key when dealing with cyberthreats. Ransomware is a tough one to handle, so be prepared. Consider the service of "first responders": organizations that pay to the hackers in case of ransomware, being a helping hand in the decoding process.