In the ongoing cybersecurity battle between attackers and defenders, attackers are quick to gain access to critical systems and quick to extract stolen data. Meanwhile, defenders are distressingly slow to detect that a compromise even occurred.
This is one key takeaway in Verizon’s 2019 Data Breach Investigations Report (DBIR). The newest edition of this annual cybersecurity report is built from analysis of 41,686 security incidents, including 2,013 confirmed data breaches. Data sets for the report were collected from 73 different sources, including publicly-disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and information shared by a variety of external collaborators (including BeyondTrust).
The results of the research are sobering. But, considering the collective “oh it must be Tuesday” type response to data breaches in the news, it’s the wake-up call we may very well need. The reality is that cybercrime is a growing threat. This is one instance where all the media hype is warranted. And forewarned is forearmed.
A summary of the key findings of the 2019 Data Breach Investigations Report is below. However, you’re encouraged to download and read this thorough, data-driven report in its entirety.
Quick to Strike, Slow to Defend
As mentioned at the top of this post, the time it takes for an attacker to move from the first action in the cyberattack chain to the initial compromise of an asset is short, typically measured in minutes. Conversely, 56% of 2018 breaches “took months or longer” to discover.
Of course, time to discovery is likely to vary from one type of an attack to another. Theft of equipment is usually noticed quickly. But an organization might not realize its data has been stolen until it’s been used or made public. Regardless, the “quick to attack, slow to defend” situation remains unchanged from previous years.
Targeting the Keys to the Kingdom
We know that cyber attackers can succeed quickly. So, the question is - how are they doing it? Nearly one third (29%) of successful data breaches last year used stolen credentials.
Cyberattacks need privileged credentials to accomplish their objectives. These credentials grant the high-level access that attackers require – whether it’s for installing malware or key loggers, stealing or corrupting data, or disabling systems. And in many large organizations, credentials are shared amongst employees and systems. This means that just one stolen credential can potentially be leveraged to move laterally throughout the network as the intruder searches for the information he wants.
Making a bad situation worse, many organizations also do not regularly change their credentials. A compromised, static password can allow an intruder to dwell inside an environment for days, weeks, or even months--plenty of time to anonymously lurk on the network and accomplish nefarious plans. That’s likely why stolen credentials are the second most common threat action cited in the report.
What’s the top threat action? Phishing. Which, not surprisingly, is closely tied to stolen credentials. Phishing exploits are often aimed at specific individuals who may have the credentials the attacker needs to gain an initial foothold on the network. This year's Verizon report highlighted the C-suite as being particularly susceptible to phishing, revealing that executives are 12 times more likely to be the victim of a “social incident” than in years past.
The report defines privilege misuse as “the malicious or inappropriate use of existing privileges.” What this really refers to is privilege abuse by the people who either accidentally or intentionally misuse their privileged access in a manner that leads to a security incident. According the report, privilege abuse is the top misuse variety in breaches. It’s also the sixth most common threat action in data breaches.
Financial, espionage, “fun” and grudge are the top threat actor motives in misuse breaches. The malicious IT admin trope is alive and well. But more than malevolent acts, it’s the accidental abuses that mostly affect organizations.
The report says it best – “No one is perfect, but when you are a system administrator you are often provided with a better stage on which to showcase that imperfection.” Some of the most common IT administrator mistakes covered in the report are misconfiguring servers to allow for unwanted access, or publishing data to a server that should not be accessible by everyone.
It’s wise to remember that even your best employees are human. And humans make mistakes. It could be a systems administrator who fails to implement two-factor authentication for sensitive assets. It could be a customer service representative who clicks a link in a “funny” email and turns her machine into a Trojan horse. More often than not, it’s these little accidents, rather than the employee who deliberately accesses files he’s not supposed to see, that lead to data breach incidents.
Not Just the Big Fish
There seems to be a perception that victims of cyberattacks are always large, well-known organizations. But, according to the report, 43% of breaches last year involved small business victims.
If you think your business is too small to be targeted by a hacker you’d best think again. Any business that handles financial information or stores valuable data about customers is a potential target for cyberattacks.
One reason that smaller businesses may fall victim to cyberattacks is that they often don’t have the budget or the means for effective cybersecurity. But any small business that believes they are too insignificant to warrant proper cybersecurity should consider who their customers are and how unhappy they would be if their data were to be compromised. The infamous Target breach, one of the largest data breaches ever, started through one of Target’s small third-party vendors with weak, static passwords.
Another factor to consider is that most large enterprises now take cybersecurity seriously and, as a result, are getting harder to breach. Hackers historically take the path of least resistance. If that path is via a smaller business with tempting customers, the bad guys will take the easy route.
Go Where the Money Is
Perhaps the most obvious takeaway of the report is that financial gain is the leading motive behind data breaches (71%). Same as in past years. Espionage is a distant second. Financial gains were the top motive in breaches across every industry studied in the report, with the exception of public administration.
Akin to Willie Sutton’s famous quote that he robbed banks “because that's where the money is,” cybercrime is a lucrative endeavor for today’s thieves. The Verizon report reveals that the primary perpetrator in financially motivated attacks is organized crime. And these criminals have a target-rich environment. As previously discussed, it’s not just the big businesses that fall prey to financially motivated cyberattacks. Any organization that processes financial information is a potential victim.
How Cybercrimes Break Down Across Industry Verticals
While no industry is immune to cyberattacks, the hardest hit ones in 2018 were public sector entities (16% of all breaches), healthcare organizations (15% of all breaches), and the financial industry (10% of all breaches).
The report shows that different industries are more likely to be victims of different types of incidents. For example, the education industry was more than three times susceptible to phishing attacks than the retail sector. There are some commonalities though. For instance, credentials are among the 3 most common types of compromised data across every industry.
The report features extensive data points and analysis of multiple industries. It’s highly recommended to study the sections that cover your market sector.
Recommendations for Protecting Against Data Breaches
No one wants to end up in the data breach headlines. But the reality is that many organizations are under continuous cyberattack. What can be done? It often starts with routine cybersecurity hygiene and getting the basics right. Though it may seem like a bit of deja vu from our recommendations in past Verizon report posts, here are some tips:
- Use two factor authentication (2FA) for a second layer of identity-based security
- Perform regular backups to make copies of your valuable data
- Deploy the latest patches and updates to remediate known security threats
- Use unique credentials for each system and user, and change privileged credentials frequently
- Revoke logins used by former employees, partners, and contractors
- Segment the network to reduce lateral movement
- Remove local admin rights for most users
Also, if you haven’t already done so, explore our privileged access management platform and learn how it can protect your credentials and secure your privileged access against cyberattacks and insider threats.
The 2019 Microsoft Vulnerabilities Report (research report)
KuppingerCole Leadership Compass for Privileged Access Management (analyst research)
The Wipro Breach & How to Stay Protected When Your Managed Services Provider (MSP) Gets Hacked (blog)