The new 2019 Verizon Data Breach Investigation Report (DBIR) provides a wealth of data and statistical research about where new cyber threats are coming from in the world, and how cyber criminals are altering their tactics in response to new defensive measures in place. The 12th annual Verizon data breach report provides an excellent snapshot view of where organizations should be looking to shore up their defensive cyber resources in 2019 and beyond.
Details of the Verizon data breach report
Overall, the Verizon data breach report is the most extensive ever conducted, tracking 41,686 security incidents around the world, including 2,013 data breaches. The Verizon data breach report includes incidents from 86 different countries and 73 different data sources. For the first time ever, the Verizon data breach report includes information and data about security incidents reported to the U.S. FBI. The data, compiled purely for analytical purposes, is then used by cyber security researchers and analysts around the world to help their clients deliver an improved user experience that is safe and secure.
Adam Laub, SVP Product Management for STEALTHbits Technologies, commented on the comprehensive nature of the report: “As usual, the 2019 Verizon Data Breach Investigations Report did not disappoint in terms of providing an interesting and captivating analysis of the past year’s data breach happenings. While there didn’t appear to be any particularly shocking findings with regards to attack TTPs, motives, industry statistics, or attack timelines, the 2019 DBIR again delivered the message – perhaps indirectly – that the absence of foundation-level and layered security controls, internal security discipline, and general security awareness are the common denominators in the data breach dilemma.”
One key finding of the Verizon data breach report focused on the types of organizations that hackers target most frequently. Overall, small businesses accounted for 43% of all data breaches. Industries and sectors that came under attack in the past year included public sector entities (15%), healthcare organizations (15%) and financial services companies (10%).
The Verizon data breach report also investigated the motives of the cyber criminals, finding that an astounding 71% of the security incidents were financially motivated. The rise of ransomware, for example, has made hacking much more profitable for cyber criminals. By threatening to disable a computer system and wipe out the data of any organization, hackers can force these organizations to pay a large ransom fee. Another 25% of the security incidents were related to cyber espionage.
Brian Higgins, security specialist at Comparitech.com, commented on the rise of ransomware as a new preferred tactic of global hackers: “Ransomware is the ‘New Black’ for cyber criminals. It’s easier than trading in stolen credit card details, less reliant on TOR and a far more reliable money maker because, unfortunately, it’s still easier to pay up than report it, even with GDPR hanging over your head.”
So who is behind all of these attacks? According to the Verizon data breach report, outsiders account for 69% of all attacks, with insiders accounting for approximately one-third of all cyber incidents. In 2% of the cases, business partners were involved, and in 5% of the security incidents, multiple parties (both external and internal) were involved. One important finding of the Verizon data breach report is that nation-states and state-sponsored hackers are playing a much greater role in global security incidents. At some level, then, cyber criminals and nation-states are starting to align their activities and approaches. In the 2019 DBIR, criminal groups were linked to 39% of all security incidents, while nation-states and state-supported hackers were linked to another 23% of incidents.
The new threat matrix
Based on the above data, which can be found on the Verizon website, it’s possible to sketch out the evolving threat landscape for organizations worldwide. One big theme, for example, is what some security researchers refer to as the “detection deficit.” The time between an attack on an internal system and the discovery of that attack is still far too long. In fact, according to the Verizon data breach report, 56% of data breaches took “months” to discover. That’s far too much time for hackers to have access to a computer system. Even if they are not actively exfiltrating data during that time period, they are probably inserting back doors and escalating their internal security privileges for later attacks.
Satya Gupta, CTO and Co-founder of Virsec, commented on these findings: “There continues to be a temporal disconnect between the time frame for attacks versus response. The report points out that attack chains act within minutes while the time to discovery is more likely to be months. This gap must be tightened and security tools need to focus on real-time attack detection if we are to have any chance to curtail these breaches.”
Another emerging threat is the growing popularity of targeting C-suite officials with phishing, spearphishing or malware scams. These are sometimes known as “social engineering” attacks because they focus on exploiting known social connections within an organization. According to the Verizon data breach report, executives were 6 times more likely to be the target of a cyber attack than in the year-earlier period. And C-suite executives (e.g. the CEO or CFO) are 12 times more likely to be the victim of a BEC (business email compromise) attack. The Verizon DBIR tracked 370 BEC incidents and 248 confirmed breaches. The idea of attacking a top C-suite official is logical: these individuals have considerable approval authority and privileged access to an organization’s computer systems. Moreover, they are usually very time-pressed, and are unlikely to spend much time examining where an email is coming from, or why it might not be legitimate. As one cyber security analyst points out, it’s much like e-mailing a CEO and asking him or her to send you money.
According to Gupta, “The latest Verizon DBIR highlights that cyberattacks are becoming much more targeted and dangerous. They noted a huge increase in C-level executives being individually targeted. The same trend is happening with specific network tools and industrial equipment. Attackers are prolific at scanning networks and finding specific types of vulnerable equipment, then targeting them with specific malware designed for these devices.”
George Wrenn, CEO of CyberSaint Security, also highlighted the increased targeting of C-level executives and what that means in terms of security: “The drastic increase in social attacks on C-level personnel points to the increased demand for cybersecurity awareness in the C-suite. More and more, we are seeing information security leaders brought into business side discussions to provide cyber-focused insights and feedback on business strategy. The flywheel effect at work – involvement of cyber leaders and increased awareness in the C-suite – has an ongoing positive effect, a necessary change given that personnel, as well as systems, are under attack.”
When it comes to attack postures, hackers appear to be moving towards areas that provide the least resistance. One good example involves payment card transactions. Now that many point-of-sale (POS) systems have been converted to “chip-and-PIN” systems (in which buyers must physically insert a card with a chip in it, and then enter a PIN code), it’s much harder for hackers to skim credit card information. As a result, they are focusing on “card-not-present” web applications, where payments can be made on a website by leveraging stolen credentials. There is no physical chip for online transactions, so the right combination of letters and numbers entered into the website at time of purchase can create a very successful type of attack.
Possible security responses
The goal of the Verizon data breach investigations report is to suggest possible security measures that can help to protect organizations from future attacks and make them more resilient in recovering from these attacks. For example, simply creating an incident response team can help organizations reduce the “detection deficit.” Developing a playbook of incident response plans can help to minimize the financial cost of financially motivated cyber attacks. And investing in appropriate tools and training can help to make routine phishing and BEC attacks less effective.
Overall, this Verizon research into the success of various hacking attacks and approaches should be a wake-up call for organizations. At the end of the day, any organization – no matter how big or small – can be the victim of a data breach. As a result, organizations should be making security a primary concern, especially when it comes to safeguarding and protecting the data of their users. A few common-sense steps – such as patching computer systems on a regular basis – can go a long way in deterring potential cyber attacks.