Verizon’s data breach report for 2021 frames the degree to which the pandemic has influenced cyber criminal activity, with the focus shifting strongly toward work-at-home infrastructure. 39% of all data breaches in 2020 stemmed from web application compromise, and both phishing and ransomware incidents jumped significantly from 2019. One thing has not changed, however—human negligence continues to be the leading cause of security breaches.
“The COVID-19 pandemic has had a profound impact on many of the security challenges organizations are currently facing,” said Tami Erwin, CEO of Verizon Business. “As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures.”
The 2021 Verizon Data Breach Investigations Report (DBIR) draws on 29,207 incidents investigated in 2020, over 5,200 of which were confirmed breaches.
Denial of service (DDoS) attacks were the most common type of incident, but social engineering and basic web application attacks caused the majority of data breaches. Among these breaches, a whopping 85% were attributed to a “human element,” and 61% involved the use of unauthorized credentials. Over 10% of data breaches involved ransomware, double the figure seen in 2019.
In addition to the spike in ransomware, the share of data breaches that involved phishing rose to 36% (from 25% the previous year). Among incidents that involved hacking, attacks on web applications were overwhelmingly the most frequent vector (80%).
An increase in ransomware and phishing was to be expected given the pandemic conditions, with work-from-home arrangements creating scores of new vulnerable endpoints for attackers to exploit. However, the Verizon data breach report actually found an overall decrease in compromised end-user devices in 2020. Attackers are moving with the times and circumstances, but they appear to be focusing on obtaining credentials for external cloud assets and email systems rather than on the computers of remote workers.
Data breaches are also becoming more costly. The Verizon data breach report finds that the median breach cost is $21,659, but that most organizations should expect costs that can rise as high as about $650,000.
Social engineering attempts have been steadily on the rise since 2017, with the fastest-growing subset of these attacks being “business email compromise” (BEC) attempts. BEC breaches doubled in 2020, with the majority of them traced back to a web-based email account compromise. The 2021 Verizon data breach report also notes a rise in the use of phishing templates as a component of social engineering attacks, with the success rates of these templates being all over the map; some templates ensnared no victims at all, but the best of them had a click rate of around 50%. A random sampling of 1,148 people that received phishing emails found that 2.5% clicked on them.
The Verizon data breach report specifically defines the “basic” web application attacks that dominate hacking attempts as those that use a small and fairly simple series of steps. Most of these attacks were directed against cloud-based servers, and most relied on stolen credentials obtained from other breaches or on “brute force” password guessing aided by automated scripts. These attacks are generally driven by botnets, and organizations can expect anywhere from hundreds to billions of such attempts each year depending on how attractive a target they are to criminals.
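As an added illustration (not from the report or from Verizon), the following Python sketches how a defender might spot the two patterns just described in web-application login logs: one source IP cycling through many accounts with credentials leaked from other breaches, and many scripted guesses against a single account. The log format, thresholds, timestamps and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical one-line-per-attempt login audit format; every value below is constructed.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")
def constructed_log():
    """Sample lines: normal traffic, a credential-stuffing run, then a brute-force run."""
    lines = ["2020-11-03T10:00:00Z ip=192.0.2.10 user=alice result=OK"]
    # One IP walks a list of leaked accounts ten seconds apart and finally lands on one that works.
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(f"2020-11-03T10:01:{i * 10:02d}Z ip=203.0.113.7 user={user} result=FAIL")
    lines.append("2020-11-03T10:02:05Z ip=203.0.113.7 user=dave result=OK")
    # A few bot IPs hammer a single account with a guess every fifteen seconds.
    for i in range(8):
        lines.append(f"2020-11-03T10:{10 + i * 15 // 60:02d}:{i * 15 % 60:02d}Z "
                     f"ip=198.51.100.{i % 3 + 1} user=admin result=FAIL")
    return "\n".join(lines)
def parse(log_text):
    """Return time-sorted (timestamp, ip, user, success) tuples; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["res"] == "OK"))
    return sorted(events)

def _window_stats(items, window):
    """items: time-sorted (ts, value) pairs. Largest (count, distinct values) in any sliding window."""
    counts, max_count, max_distinct, left = defaultdict(int), 0, 0, 0
    for right, (ts, value) in enumerate(items):
        counts[value] += 1
        while items[left][0] < ts - window:  # expire entries older than the window
            counts[items[left][1]] -= 1
            left += 1
        max_count = max(max_count, right - left + 1)
        max_distinct = max(max_distinct, sum(1 for c in counts.values() if c))
    return max_count, max_distinct
def detect(events, window=timedelta(minutes=5), stuffing_accounts=5, bruteforce_fails=8):
    """Flag stuffing IPs, brute-forced accounts, and successes from a stuffing IP (the real loss)."""
    fails_by_ip, fails_by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails_by_ip[ip].append((ts, user))
            fails_by_user[user].append((ts, ip))
    stuffing = {ip for ip, f in fails_by_ip.items() if _window_stats(f, window)[1] >= stuffing_accounts}
    brute = {u for u, f in fails_by_user.items() if _window_stats(f, window)[0] >= bruteforce_fails}
    compromised = {(ip, user) for _, ip, user, ok in events if ok and ip in stuffing}
    return {"credential_stuffing": stuffing, "brute_force": brute, "likely_compromised": compromised}
```

The `likely_compromised` finding is the one worth paging on: a success from an address that was just failing against many accounts is the credential the report says attackers are after, and it should trigger a forced credential reset and session revocation rather than only a block.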
James McQuiggan, Security Awareness Advocate for KnowBe4, observes that even the basic phishing templates that unsophisticated operators use have increased substantially in quality in recent years: “For the past several years, this report has repeatedly shown that phishing or other social engineering is the initial attack vector for the breach. Cybercriminals are evolving their social engineering attacks through creative means. Whether it’s a password reset to a social media account, or having kits that can automatically insert the logo of the target company, or even misinformation about the gas shortage and where to find gas have caused people to fall for the phishing lures of curiosity, fear, or greed.”
Though unsophisticated script-driven attacks remain the most common threat by far, there is also a rise in targeted attacks. This is particularly true of ransomware. 99% of the ransomware attacks observed in the report were classified as “complex” by the DBIR team, meaning primarily that they involved delivering malware or hands-on hacking. This is a major change from the original patterns of ransomware, which relied on a botnet-driven, indiscriminate “spray and pray” approach. Ransomware gangs now focus more carefully on targets that they believe have the ability and willingness to make large payments.
Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, sees ransomware as only being in the initial stages of its explosive growth: “Ransomware continues to be a pervasive scourge on organizations of all verticals. The meteoric rise of cryptocurrency has effectively, if inadvertently, monetized every network in the world for cybercriminals. Their continued success in extorting victims across the globe has provided these criminal operations with budgets that are larger than most of the organizations they target. These budgets allow them to acquire talented hackers as well as custom zero-day exploits that make them incredibly successful in quickly compromising entire computer networks. With these resources, often all that is necessary for these attackers to succeed is for a single successful phishing email to land or acquiring one compromised account password.”
The Verizon data breach report also notes that different industries are seeing different patterns of attempts. For example, the education sector is disproportionately targeted by social engineering scams that have fraudulent funds transfers as their end goal. Public administration also sees a disproportionate amount of social engineering attempts, but most of these involve a direct phishing email. And, as the Colonial Pipeline incident illustrated, mining and utilities are quickly becoming a leading target for ransomware groups. The types of data that attackers focus on also vary by industry: for example, 83% of the data compromised in the financial and insurance industries was personal information, while the majority in professional/technical/scientific services was research or confidential business information. All of this suggests that attackers are becoming much more discriminating and focused on particular objectives.
The annual Verizon data breach report typically ends with a collection of suggested best practices informed by the year’s new patterns, and this year’s edition recommends an emphasis on secure configuration of enterprise assets/software and account management practices.