Verizon’s annual Data Breach Investigations Report (DBIR), published since 2008, finds that the large majority of modern data breaches involve a human element, a supply chain partner, or both; the odds say that at least one of these will be involved in any given organizational cyber incident.
82% of data breaches logged in 2021 involved a “human element” such as falling for phishing, the use of stolen credentials, insider misuse or a simple configuration error. 61% of breaches in 2021 involved a supply chain partner; criminals are increasingly targeting these “upstream” suppliers in an attempt to gain access to many organizations at once.
Criminals prefer human fallibility to code flaws, ransomware continues to ramp up, and the overwhelming majority of incidents are financially motivated
The DBIR stems from data collected by the Verizon Threat Research Advisory Center (VTRAC), which analyzed 23,896 incidents occurring in 2021 (5,212 of these being confirmed breaches). The study examines a wide variety of industries, but for nearly every industry over 90% of the threat actors were motivated by financial gain.
Against that backdrop, some shifts in attack types were surprising and others were not. Most types of attempts have actually dropped or leveled off in recent years, with one exception being a sharp (and continuing) spike in basic web application attacks. These are attack types such as cross-site scripting and SQL injection; distributed denial of service (DDoS) is generally grouped with them, but Verizon breaks it out into its own heading (which remains very high but has leveled off since 2019). These attacks seek out flaws in code, but they also prey on unforced human error, such as misconfiguring private databases so that they are reachable from the public internet. 14% of 2021’s data breaches were attributed to this sort of error, the majority of them involving improperly configured cloud storage.
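The cloud storage misconfigurations the DBIR counts under “error” are usually a storage policy that grants access to everyone. The following is an added example, not code from the report or from Verizon: it audits an S3-style bucket policy document for statements that allow an anonymous principal, and strips those statements out to produce a hardened policy. The policy, the bucket name, the account ID and the VPC endpoint ID are all constructed placeholders.

```python
import json


def _principal_is_anonymous(principal):
    """True if a Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def _statements(policy):
    """Normalise the Statement element, which may be a dict or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def audit_bucket_policy(policy_json):
    """Return (public, review): Sids of Allow statements granted to an anonymous
    principal. 'public' has no Condition and is reachable by anyone; 'review'
    carries a Condition that may or may not actually restrict access (checking
    which condition keys are restrictive enough is out of scope here)."""
    public, review = [], []
    for i, stmt in enumerate(_statements(json.loads(policy_json))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        (review if stmt.get("Condition") else public).append(sid)
    return public, review


def strip_public_statements(policy_json):
    """Return a new policy dict with the unconditional anonymous Allow
    statements removed; everything else is kept verbatim."""
    policy = json.loads(policy_json)
    public, _ = audit_bucket_policy(policy_json)
    kept = [s for i, s in enumerate(_statements(policy))
            if s.get("Sid", f"statement[{i}]") not in public]
    return {**policy, "Statement": kept}


# Constructed sample policy: one world-readable statement, one anonymous
# statement gated on a VPC endpoint, one role-scoped write, one Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadObjects", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "TeamRoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    public, review = audit_bucket_policy(SAMPLE_POLICY)
    print("public:", public)   # ['PublicReadObjects']
    print("review:", review)   # ['VpcOnlyList']
    print(json.dumps(strip_public_statements(SAMPLE_POLICY), indent=2))
```

Removing the statement is the policy-level fix; in practice the account-level “block public access” setting should be enabled as well so that a future edit cannot reintroduce the grant.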
The other major spike, much more unsurprising, has been in ransomware attacks. Attempts are up 13% from 2020, and ransomware is involved in 25% of all successful breaches. At a glance those numbers might not seem shockingly high, but the increase from 2020 in this category is equivalent to the total increase in the prior five years combined.
Small businesses targeted
This is also the first DBIR to include a special segment on very small businesses, those with 10 or fewer employees. The report warns that this category is becoming increasingly enticing to cyber criminals, who operate on a “take whatever you can get” model and use automated bots to do much of the work of scanning for and exploiting known vulnerabilities.
Nearly 80% of incidents involving these small businesses are ransomware attacks, and nearly the same share of their data breaches involved the use of stolen credentials to break in. This suggests that small businesses very often fall prey to compromise via password re-use, with the login credentials exposed in some earlier, unrelated data breach (though it should be noted that Verizon also folds “brute force” password guessing into this category).
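Because the DBIR lumps replayed leaked passwords and brute-force guessing into one “stolen credentials” bucket, a defender has to separate the two in their own telemetry. The following is an added example, not code from the report: it profiles a batch of authentication events per source address and labels each source as credential stuffing (many accounts, one or two tries each, often some successes), brute force (many tries against one or two accounts, at most one success) or benign, then lists the accounts that were actually entered from a flagged source. The event format, thresholds and sample events are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # epoch seconds
    src_ip: str
    username: str
    success: bool


@dataclass(frozen=True)
class SourceProfile:
    src_ip: str
    attempts: int
    accounts: int
    successes: int
    verdict: str     # "credential_stuffing" | "brute_force" | "benign"


def profile_sources(events, window=600, min_attempts=8, min_accounts=5):
    """Group events by source IP, keep those within `window` seconds of the
    source's first event, and classify the source by how its attempts are
    spread across accounts. Thresholds are illustrative, not tuned."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)

    profiles = {}
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = evs[0].ts
        evs = [e for e in evs if e.ts - start <= window]
        attempts = len(evs)
        accounts = len({e.username for e in evs})
        successes = sum(e.success for e in evs)
        per_account = attempts / accounts

        if attempts >= min_attempts and accounts >= min_accounts and per_account <= 2:
            # A leaked username:password list replayed one pair at a time.
            verdict = "credential_stuffing"
        elif attempts >= min_attempts and accounts <= 2 and successes <= 1:
            # Hammering a handful of accounts until (maybe) one guess lands.
            verdict = "brute_force"
        else:
            verdict = "benign"
        profiles[ip] = SourceProfile(ip, attempts, accounts, successes, verdict)
    return profiles


def compromised_accounts(events, profiles):
    """Accounts with a successful login from a source flagged as hostile;
    these are the ones to force a reset and step-up authentication on."""
    hostile = {ip for ip, p in profiles.items() if p.verdict != "benign"}
    return sorted({e.username for e in events if e.success and e.src_ip in hostile})


def _gen(ip, base, users, successes=()):
    """Constructed events: one attempt every 5 seconds from `ip`."""
    return [AuthEvent(base + i * 5, ip, u, u in successes) for i, u in enumerate(users)]


BASE = 1_700_000_000
# Constructed sample: a stuffing source with 3 hits, a brute-forcer on
# "admin", and a legitimate user who mistyped once.
SAMPLE_EVENTS = (
    _gen("203.0.113.7", BASE, [f"user{i:02d}" for i in range(12)],
         successes={"user03", "user07", "user11"})
    + _gen("198.51.100.9", BASE, ["admin"] * 15)
    + [AuthEvent(BASE, "192.0.2.4", "alice", False),
       AuthEvent(BASE + 12, "192.0.2.4", "alice", True)]
)

if __name__ == "__main__":
    profiles = profile_sources(SAMPLE_EVENTS)
    for p in profiles.values():
        print(p)
    print("reset:", compromised_accounts(SAMPLE_EVENTS, profiles))
```

The distinction matters for response: a brute-force source is handled by lockout and rate limiting, while credential stuffing hits mean the passwords themselves are already known to the attacker and only a reset or a second factor closes the door.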
Phishing to breach a very small business is much less common, happening in only about 20% of incidents. And this business category still rarely sees highly targeted attacks such as fake invoicing (“pretexting”) or attempts to exploit a specific published vulnerability in software they are known to have.
DBIR findings: Regions and industries
Attack frequency varies widely by industry. Professional, technical and scientific services are the most commonly attacked, with 3,566 logged incidents in 2021. But while this industry sees the greatest volume of attacks, they have a low rate of success. System intrusion, basic web app attacks and social engineering are its biggest threats, but the industry also experiences a higher rate of insider attacks (17%) than most others. Other industries with high attack rates include public administration, manufacturing, information and financial services. The least frequently attacked industries are accommodation/food services and arts/entertainment/recreation, with only 156 and 215 incidents respectively.
Certain regions are also much more heavily targeted than others, a pattern established in previous editions of the DBIR (and supported by a good deal of other research). North America drew the largest number of incidents, chiefly due to attacks on organizations in the United States. It also had by far the greatest number of incidents involving confirmed data disclosure, about 5x any other part of the world. The Asia-Pacific region had a comparable number of overall incidents, but substantially less data disclosure. Europe, the Middle East and Africa had far fewer incidents than Asia-Pacific but a slightly higher rate of data disclosure. Social engineering is most common in Europe and Asia, while system intrusion is the leading attack type in North America.
Roger Grimes, Data-Driven Defense Evangelist for KnowBe4, believes that social engineering is overlooked in spite of its ubiquity and is the likely future of attacks in the face of improving automated defenses: “Seeing that the vast majority of cyber attacks involve some human aspect is no surprise. It has been that way since the beginning of computers and likely will be that way for decades to come. Social engineering alone is responsible for a higher percentage of attacks compared to everything else, but the Verizon DBIR shows that it is human-related issues overall that are the really big problem.
“Trying to mitigate social engineering attacks alone is a huge, tough issue. It is imperative to educate people about misconfiguration errors, misses in patching, stolen credentials and just regular errors, such as when a user accidentally emails the wrong person data. Humans have always been a big part of the computing picture, but for some reason, we always thought only technology solutions alone can fix or prevent issues. Three decades of trying to fix cybersecurity issues by focusing on everything but the human element has shown that it is not a workable strategy. Both technological fixes and better security awareness education are needed to best mitigate cybersecurity attacks. Nothing else is going to work. No matter how great your technical defenses are, some portion of attacks will be made by humans, so it is up to the end user to be well educated to detect and prevent human-focused attacks and errors. It is going to take it all.”
The corporatization of cyber crime
The DBIR findings leave one strong overall impression: the only meaningful segments of cyber crime that remain are financially motivated attacks and espionage conducted by nation-state threat groups, with attacks for profit representing at least 9 out of 10 threats for nearly every type of industry.
Ransomware is the biggest overall segment of cyber crime, the one that continues to be the fastest-growing, and the one that is becoming so polished and professional that its major players are starting to operate and carry themselves like legitimate companies. Part of its enduring popularity is that it turns any type of business, no matter the vertical and no matter how small, into a potential source of cash. Overall, 93% of data breaches were conducted for financial gain, with just 6% tied to espionage.
As Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, puts it: “Ransomware is by far the most reliable way that cybercriminals can capitalize on compromising their victims. No other action attackers can take comes close to the ease and magnitude of guaranteeing a payout from their operations.”
“Couple this with the staggering amounts of money now routinely paid out as a result of a successful ransomware attack and it’s no wonder that more and more criminals are joining the leagues of ransomware gangs. A single attack can net the perpetrator a literally life-changing sum of money. It’s an unbelievably powerful motivator for bad actors to both multiply as well as develop increasingly sophisticated means to compromise their victims. The stolen sums of money can be reinvested into buying or researching zero-day exploits and advanced anti-malware evasion techniques to defeat even organizations with mature cybersecurity programs. The uncomfortable truth is that the attackers oftentimes have more budget to devote to their operations than the defenders do. Until these factors change, ransomware will continue to be a massive problem,” explained Clements.
Globally, 80% of attacks are external; this number rises to 90% in North America. However, Saryu Nayyar (CEO and Founder, Gurucul) warns that even one insider attack can be exceptionally devastating and the possibility still needs to be front-of-mind in any security strategy: “The research points to the fact that based on human behaviors and poor supply chain visibility, a compromise is all but inevitable, especially if the target of a persistent and organized threat actor. This shifts the investment by CISO/CSOs and security teams to be in products and resources focused on security operations center (SOC) transformation for monitoring and threat detection of both insider and external threats that are already inside the castle walls. Current SIEM and XDR solutions have also been available for the better part of two years and threat actors continue to evade these systems easily. In order to achieve a successful SOC transformation, what is required is a more complete set of telemetry, advanced analytics and trained, not rule-based, machine learning models that adapt to both the organization and variations in tools and techniques by threat actor groups. This can automate manual tasks, prioritize and optimize resources and speed detection and response with full context and an understanding of risk.”
Some security professionals note that the DBIR’s trend data has not changed much since the report began in 2008, even though it has expanded from relying solely on Verizon’s own internal data to including information from 87 additional contributing organizations in recent years. As Rick Holland, Chief Information Security Officer / Vice President Strategy at Digital Shadows, notes: “If I had to sum up this year’s DBIR, the more things change, the more they stay the same. The use of stolen credentials, phishing, and vulnerabilities remains the top way threat actors gain initial access to organizations. Companies are spending billions of dollars on defense, yet these problems persist.”
“The DBIR doesn’t address one area when mentioning ransomware: data leakage extortion. For many years now, actors are no longer encrypting data; they are stealing data and extorting the victim organization. If Shodan queries, CISA alerts, and extortion ‘press releases’ weren’t enough, the report highlights why you shouldn’t have external-facing services available to the world,” noted Holland. “Proponents of ‘killing the password’ will find much evidence to support their cause in this DBIR report. Even if passwordless authentication isn’t ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication.”