Throughout 2020 we often heard the word unprecedented, seemingly in excess. Yet, for cybersecurity, it is an apt description of the challenges companies faced as they shifted to a work-from-home culture. These challenges — with phishing, ransomware, and social engineering as the reigning champions of attack vectors — are outlined in the 2021 Verizon Data Breach and Investigations Report (DBIR 2021).
According to Verizon, “breaches are moving toward social and webapp vectors, and those are becoming more server based, such as gathering credentials and using them against cloud-based email systems”. “The DBIR is not in the business of prediction, but it can go a long way to help you shape your response strategy in the face of an uncertain future”, states the report.
What you need to know:
- The report analyzed 29,207 quality incidents, of which 5,258 were confirmed breaches.
- Phishing attacks increased by 11 percent, while attacks using ransomware rose by 6 percent.
- 85 percent of breaches involved a human element, while over 80 percent of breaches were discovered by external parties.
- Breach simulations found the median financial impact of a breach is $21,659, with 95 percent of incidents falling between $826 and $653,587.
Key points from Verizon’s data breach report
The share of data breaches involving phishing rose by 11 percentage points over the previous year, from 25% to 36%.
This high variation is related to the pandemic and scams that use COVID-19 to deceive and persuade people. An important point to note is the analysis of at least 150 templates of phishing emails.
“Phishing remains one of the top action varieties in breaches and has done so for the past two years”, says the report.
“This increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect.”
- Social engineering
The report also points to an increase in social engineering attacks that result in data breaches: from 22% to almost 35%.
“We’ve definitely seen a jump in social engineering breaches as a pattern from last year with an overall upward trend since 2017. For the past couple of years, it appears to be correlated to an uptick in the compromise of cloud-based mail servers. What we cannot say is why email is so enticing to threat actors”.
Verizon says that the most common forms of social engineering are phishing, BEC (Business Email Compromise), and spam. These scams are mostly propagated via malicious emails.
“BEC were the second most common form of social engineering. This attack scenario reflects the meteoric rise of misrepresentation, which was 15 times higher than last year in social incidents.”
Verizon also claims that social engineering and phishing attacks are widely used to steal credentials and spread malware, such as C2, backdoors, trojans, and ransomware.
“The majority of social engineering incidents were discovered externally. (…) This means that when employees are falling for the bait, they don’t realize they’ve been hooked”.
- Most common types of compromised data
As in previous years, credentials remain at the top of the list as the type of data most compromised by cybercriminals. With compromised credentials, criminals gain access to systems and sensitive information.
In addition to credentials, personal data is another type of data that is highly targeted by cybercriminals. This kind of information is then sold on the dark web or even used in other types of fraud.
Check the list with the most compromised data in breaches:
- Personal data.
- Medical data.
- Bank data.
- Internal data.
- System intrusion
A chapter in the Verizon report is dedicated to system intrusion. According to the document, system intrusion is a pattern that consists of sophisticated and complex attacks that have several steps.
“The majority of these attacks involve malware (70%), usually of the Ransomware variety, but also of the magecart attack type used to target payment card data in web applications. Hacking (40%) also appears in many attacks and most often consists of the use of stolen credentials or brute force attacks.”
Compared to the previous year, the use of malware in breaches has not changed much. The percentage remains at about 20% of cases. The most used types of malware are:
“We found 30% of the malware was directly installed by the actor, 23% was sent there by email and 20% was dropped from a web application. While this probably doesn’t surprise many people, it does highlight the importance of having a robust defense to cover these three major entry paths for malware”.
Ransomware is responsible for the vast majority of data breaches involving malware. About 10% of all breaches analyzed by Verizon involve ransomware.
This percentage represents more than twice the frequency of the previous year, which confirms an upward trend since 2016.
“This is because actors have adopted the new tactic of stealing the data and publishing it instead of just encrypting it. These attacks have some variety in terms of how the ransomware gets on the system, with actors having strong preferences that can be broken into several vectors”.
The most common forms of ransomware infections involve stolen credentials, brute force attacks, and malicious emails.
“Attackers are less likely to purely target payment data and are more likely to broadly target any data that will impact the victim organization’s operations. This will increase the likelihood that the organization will pay up in a Ransomware incident”.
- Human error and misuse
Verizon continues to rate human error and misuse as significant actions in breaches. Despite this, the numbers dropped this year.
Error is present in 17% of breaches (down from 22%). The main varieties of error are misconfiguration and misdelivery.
“Sadly, misdelivery remains alive and well in our dataset, and while a number of these breaches are electronic data only (e.g., email to the wrong distribution list), there remains a significant number that involve paper documents.”
Misuse accounts for about 5% of cases (down from 8%). The most common variety is privilege abuse, followed by data mishandling.
“We would have expected an appreciable increase in people performing misuse from home, given the increase of those who are working remotely due to the pandemic. However, we did not see an increase from remote access as a vector.”
However, Verizon reports that companies’ difficulty identifying and reporting this access vector may influence the data.
- Actors and motivation
Compared to last year, the participation of external actors in breaches rose to 80% (from 70%). Internal actors and partners now account for 20% of cases.
“It seems clear that our external actors are not giving up their close-ups, as they continue year after year to dominate the actor types in breaches.”
“As in past years, financially motivated attacks continue to be the most common (90%), likewise, actors categorized as organized crime continue to be number one (80%),”