The Clock Strikes 13 on the 2020 Verizon Data Breach Investigations Report

“It was a bright day in April, and the clocks were striking thirteen.” 1984, George Orwell.

Yes, it’s May, but we are deconstructing the 13th edition of the Verizon Data Breach Investigations Report (DBIR) and we’re certainly in a starkly different era than the time period (2019) analyzed in the report. The novel coronavirus pandemic has instigated a paradigm shift in how organization’s work and maintain business continuity—and this has undeniable security implications. How much of the historical 2019 data from the 2020 Verizon DBIR will apply to the world we now inhabit?

Performing a Ctrl+F search across the 119-page report yields the following number of hits for the various terms:

remote work / remote working: 0

telework: 0

telecommute / telecommuting: 0

remote access: 0

remote: 6

vendor: 6

vendor access: 0

social distancing: 0

coronavirus: 0

pandemic: 0

essential worker: 0

For sure, there is still much to be learned from 2019 trends, but in many instances, trends have radically changed or reversed, while others are in a period of hyper-acceleration. New words (social distancing, coronavirus) have not just entered our shared vernacular, but loom over almost every decision. The 2020 Verizon report is a snapshot of a year in time that, viewed side-by-side with today, seems akin to an alternate reality.

One of myriad interesting implications of the coronavirus pandemic is how it is accelerating digital transformation. Social distancing recommendations and mandates have compelled organizations to quickly adapt in ways that have expedited technological evolution. Threat actors have also been adapting tactics to exploit the vulnerabilities created or widened amidst the coronavirus era. One thing is clear, this hyper-disruptive period is still searching for a new normal.

In this blog, we'll dissect some of the interesting data points presented by the latest Verizon report with the added context of how coronavirus is likely to, and is already, impacting trends.

Important Terminology: Security Incident Versus Data Breach

Across cybersecurity reporting, the terms “breach” and “security incident” are often used interchangeably, but Verizon lays out a clear, important distinction between the terms. Here are Verizon’s definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

So, what’s more significant, a breach or an incident? Breaches are a subcategory of security incidents, but are not necessarily more damaging than other types of security incidents. For instance, ransomware can inflict catastrophic data or system inaccessibility issues that jeopardize an organization’s ability to operate, but it often does not involve any data exfiltration. Breach events, however, are typically subject to more types of disclosure ordinances.

The 2020 Verizon DBIR started with an analysis of 157,525 incidents. That number was culled to 32,2002 incidents that met the data quality standards of the researchers. The reduced dataset included 3,950 confirmed data breaches.

In the 2020 DBIR edition, the findings are broken down into 16 industry verticals and aligned with the MITRE ATT&CK framework and CIS Controls. Verizon also breaks down the data by organization size, SMBs (1,000 employees or smaller) and larger organizations; and across regions.

For such a hefty report, there is only modest variation in data from previous years, though a few variances do stand out. BeyondTrust is proud to have been able to contribute research to this year’s report, as it has in past years.

As substantial and influential as the annual DBIR is, Verizon is careful to qualify that the results are just a slice of security incidents and data breaches that occurred over the 1 year period—not a full inventory of annual breach/incident data. The report only encompasses the data that has been reported to Verizon and that has met the researchers’ standards. Furthermore, the data sample sources can vary from year to year, influencing the appearance of trends. With those caveats aside, the report is a tremendous service to the IT security and risk management communities, and provides an important snapshot of the threat environment, that, when combined with other data points, helps organizations better protect themselves from cyber threats and manage risk.

Attackers Remain Opportunistic - That Favors Well-Prepared Defenders

Attackers seek the simplest pathway to their target. While the onset of coronavirus has certainly had an impact on what the easiest pathways are, this attacker habit remains steadfast over the years.

An attacker might initially infiltrate an environment via a number of methods, such as an opportunistic phishing attack, brute forcing credentials, exploiting a vulnerability, etc. That initial point of compromise is usually just a beachhead for them to expand their attack. The more steps (defenses) you can put between the attacker and the assets, data, and privileges within your environment, the more the odds tip in your favor of leaving the attacker stranded, unable to execute malware, move laterally, perform reconnaissance, and inflict damage.

As Verizon calls out, “the difference between two steps, and three or four steps, can be important in your defensive strategy.”

The following two figures from the report show the number of steps per incident (Figure 41) and per breach (Figure 42).

Across incidents and breaches, we can see a precipitous drop off in successful attacks after the initial few steps. A small minority of successful attacks entail five or more steps. These longer, multi-step attacks would tend to signify more sophisticated campaigns that require a persistent, undetected presence.

Here’s a representation of the cyberattack chain created by BeyondTrust, which displays the pathways of a typical cyberattack.

The more points in the attack chain that you can break, or disrupt, the more protected your environment and the harder a threat actor must work to be successful. Years of diverse data points tell us that most attackers will simply turn to easier prey.

So, how might coronavirus impact the number of steps? Expect the attack pathways to shorten and the number of steps to decrease even further in the year ahead. Why? The coronavirus has at least several impacts here:

1. Rapidly expanded remote workforces without proper tooling and infrastructure: Topping the list is lack of enterprise-grade secure remote access technologies, which opens up gaping holes to enterprise resources (such as through inadequately secured VPNs), and could even let attackers piggyback on a legitimate user’s access.

2. BYOD and shadow IT proliferate: Many workers and end users (i.e. students) are compelled to rely on their personal devices, rather than company-hardened and provisioned endpoints. Moreover, users have been forced into circumstances where they have had to self-provision applications to enable remote productivity. Consequently, shadow IT proliferates, creating a massively expanded surface for malware, and creating potential backdoors for attackers. BYOD and VPNs are also mixing—which is a huge security taboo. Of course, this environment is also fertile ground for introducing errors. Until robust endpoint security deployments catch up to the growing number of vulnerable endpoints, attackers will find many ways to execute quick leaps from exploit to sensitive data.

3. Insider threats increase: Waves of layoffs have hit industries like hospitality and retail, and impacted so many other industries, making it easier for attackers to crack the perimeter and expedite data exfiltration. Orphaned accounts that have not been de-provisioned when an employee is furloughed or let go could be exploited by a threat actor. Forgotten privileged accounts (human or machine), in particular, pose a substantive risk. Disgruntled employees may exit the organization and take valuable or sensitive data with them, or retain access to the environment. Or, well-intentioned employees could simply succumb to pandemic-related fatigue and overwork, resulting in inadvertent errors or missed detection of suspicious activity on an endpoint or network.

Top Cyber Threat Vectors

Now, to the bread and butter of the Verizon report—the most common and effective threat actors. In 2019, 86% of breaches were financially motivated. The most common tactics leveraged in breaches were:

• Hacking (45%)
• Errors (22%)
• Social attacks (i.e. phishing) (22%)
• Malware (17%)
• Misuse (8%)
• Physical actions (4%)

Hacking

By far, the top hacking variety implicated in breaches was use of stolen credentials/brute force (when an attacker floods a target with credentials in hopes of eventually make a correct guess), occurring in over 80% of breaches. 37% of all breaches involved credentials.

Verizon says, “Use of credentials has been on a meteoric rise... Today’s criminal (lacking the work ethic of 2013) is primarily concerned with obtaining Credentials, regardless of the target victims’ size.”

Allowing employees to choose their own credentials is fraught with security pitfalls. Credential re-use is rampant. When the same credentials are reused across many accounts, or even across personal and work accounts, the compromise of one account can lead to the compromise of multiple accounts. Personal password managers should be used to generate unique passwords and centrally secure them for application and resource access. Credentials and secrets for privileged access—whether by humans or machines—should be secured and managed by enterprise privileged password management solutions, which can be used to generate unique passwords, rotate them, audit and monitor sessions, and enable just-in-time access.

Web applications ranked as the most frequent vector compromised by hacking, comprising a 90% slice of that pie. Attacks on web apps were involved with 43% of breaches, over twice the share of the previous year. This trend should continue with the drive toward SaaS and the Cloud, especially as a premium is put on flexibility, scale, and support for remote workforces. Stopping these attack requires a multi-layered approach for application security, including vulnerability management, systems hardening, privilege management, and more.

When comparing the threat action varieties between security incidents and breaches, a couple salient differences stand out. Denial of service (DoS) attacks were involved in nearly 60% of security incidents, far ahead of the next most common threat action, phishing. For breaches, phishing was the leading threat action, followed closely by use of stolen credentials, and “other”, each at just above 20% of the pie.

While DOS attacks already consume such a large slice of the attack pie, it’s conceivable these attacks could increase in frequency, scope, and severity several years from now as 5G becomes more widely deployed. Regardless, the increase of connected endpoints (from desktops and servers to smartphones and IoT) means there is a vastly growing army of potential devices that can be compromised, owned, and leveraged, whether by a bot master or other means. While well-resourced organizations can avail themselves of defensive measure that work at the network-level to mitigate DoS/DDoS attacks, the most effective approach to fighting DoS/DDoS requires everyone (both enterprises and individual users/consumers) taking ownership of their own security hygiene to achieve a safer ecosystem for all. Everyone has an endpoint security role to play to ensure their endpoints aren’t weaponized against others in DoS/DDoS campaigns.

Errors

In 2019, the share of errors involved with breaches rose to be on par with phishing. Errors—defined as an action that does not involve any malicious intent—are also a substantial factor for overall security incidents. Over 90% of misconfiguration errors resulting in breaches were discovered and reported to the organization by an external party. Anecdotally, it definitely seemed like 2019 was full of breach stories around misconfigured AWS S3 buckets and other databases inadvertently publicly exposed due to lack of password protection or other basic access controls.

The rise of the error category underscores the need for less IT complexity, and better testing and security controls around DevOps. Putting guard rails around employees and assets, such as access controls / privileged access controls can also help curb errors and mitigate their impact.

COVID-19 has accelerated the migration to cloud environments for many organizations. Due to both the scale and hastiness of many of these efforts this year, expect the Error category to continue its upward trend Cloud assets were involved in roughly 24% of the breaches reported on by Verizon in this year’s report. 77% of those cloud breaches also involved breached credentials. One of the key findings is a recent CDW report was how cloud security measures continues to lag far behind general cloud adoption. I think it’s likely we see cloud assets increase their share of breaches and security incidents in the year ahead.

Social

As noted in the Hacking section above, phishing played a considerable role in breaches again this year. So far in 2020, email data has been telling an interesting story. Apparently, less time in the office with face-to-face communications means—more email! There’s been a sharp increase not only in email volume, but also in open rates. Another interesting finding is that, instead of getting snagged by spam filters, emails that mention “coronavirus” and “COVID-19” tend to see better deliver rates.

Countless threat actors have already been orchestrating coronavirus-related phishing campaigns for months. So, with many defenses stretched, it’s likely phishing attack success will at least hold roughly steady in the year ahead.

Malware

Malware’s slice of the incident and breach pie has been diminishing for several years. After all, with easy access to credentials, why bother with malware? On that note… within the malware category, password dumper malware was responsible for the highest number of breaches (roughly 40% of malware incidents), trailed next by capture app data, and ransomware, both making up just over 20% of malware incidents.

While ransomware accounted for 27% of all malware incidents in the report, it was particularly a pronounced issue within the Public Sector and Education verticals, where it accounted for 60% and 80% of all malware incidents respectively.

Here’s a figure from the report that shows how various threat actions involved in breaches have fluctuated over time:

Office documents and Windows apps were generally the preferred malware filetypes by attackers. Effective vulnerability management (vulnerability scanning and discovery, patching, remediation) and endpoint privilege management (enforcing least privilege and application control) are fundamental security controls organization's can continue to employ to win the battle against malware—including ransomware. According to the Microsoft Vulnerabilities Report 2020, 77% of Critical Microsoft vulnerabilities could be mitigated by removing local admin rights from users. BeyondTrust’s CTO & CISO, Morey Haber, crunched vulnerability disclosure numbers last year to reveal that privilege management could have a similar, broad-based impact across third-party applications, including from Google, Oracle, Adobe, Cisco, VMware, etc.

External Threats Versus Insider Threats

This year’s Verizon DBIR reported that 70% of breaches were perpetrated by external attackers, whereas 30% involved internal actors. Again, with organization's and their workforces now beset with a host of pandemic-induced challenges—both work-related and existential—insider threats (errors and misuse) will likely trend upward.

But why is the distinction between external threat and insider threat important, and what can be done about it? In the attack chain, insiders essentially start one step ahead of external attackers. That’s one step nearer to sensitive data, assets, privileges, etc. Plus, insiders, particularly privileged insiders, have a closer line of sight into an environment’s pathways and resources. Once a threat actor succeeds at Step 1 in the attack chain, they essentially become an insider. That means you better have more than just a perimeter defense. This is where techniques such as network segmentation, and technologies, such as privileged access management (PAM) play a critical defensive action of restricting lateral movement and resistance against privilege escalation. Of course, by enforcing the principle of least privilege you can stop many external attacks from landing in the first place. For instance, without administrative privileges, most ransomware can’t properly execute and spread. Dialing in the precise privilege/privileged access legitimately needed, and nothing more, enables productivity for people, applications, and machines, while limiting their risk to do damage—whether intentional or inadvertent.

Vertical Miscellany

Aside from the sharp increase in ransomware in the Public Sector and Education vertical which we covered early, there were a few other industry-specific trends that stood out for me. Healthcare organizations incurred 521 data breaches within the 2020 DBIR report sample versus 304 in last year’s report. That's a striking increase. In 2020, perhaps no industry better epitomizes “essential” than healthcare and perhaps no industry is being battle-tested in so many ways.

Point-of-sale attacks have been trending downward for the Retail sector and they should experience an even deeper dip this year due to the relative absence of retail transactions in this age of social distancing. While insider-based threats were low for the Retail sector in 2019, that trend is likely to reverse in 2020.

IT Security Tips for the Year Ahead

2020 started off with a focus on disaster and contingency planning in the scramble to preserve business continuity. Some organizations were more prepared for the abrupt, mass shift to remote workforces than others, but few have had the time to perfect it. In many cases, rather than building a bridge to the next phase of technological evolution, organizations have been forced to make technological and policy leaps, catching their hands on the edge of cliff-tops, clawing their way up and forward. At some point, we can hope the entire world may derive benefits from the accelerated pace of technological evolution, but in the meantime, advantage: cyber threat actors.

Putting the Verizon 2020 DBIR into the context of today's reality, the year ahead in cybersecurity should focus on these themes:

• Fiercely protecting the endpoint—whatever it is, wherever it resides
• Reducing enterprise cyber threat exposure by managing vulnerabilities and reducing errors
• Scaling and enabling secure remote access for employees, vendors, and service desks
• Enabling secure applications and tools workers can access anywhere
• Managing and securing enterprise identities and credentials – human and machine
• Increasing the steps it takes an attacker to get from any endpoint in your environment to sensitive data, assets, or privileged access

How BeyondTrust Secures Endpoints Everywhere & Protects Remote Access

Thousands of organizations have been relying on BeyondTrust to help them securely adapt to the new work realities ushered in during 2020. The BeyondTrust privileged access management portfolio is an integrated solution set that provides visibility and control over the entire universe of privileges—identities, endpoints, and sessions. Working together, our PAM solutions can break 5 of the 6 key points in the attack chain. Our solutions are proven, quick-to-deploy, and demonstrate value more rapildy than competitors. These following three BeyondTrust solutions comprise our privileged access management platform:

Endpoint Privilege Management solutions combines privilege management and application control to efficiently manage admin rights on Windows, Mac, Unix, Linux, and network devices, without hindering productivity. Least privilege also can help act as guardrails, preventing inadvertent errors that lead to breaches or productivity loss.

Secure Remote Access solutions enable organizations to apply least privilege and robust audit controls to all remote access required by employees, vendors, and service desks.

Privileged Password Management solutions enable automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets, and auditing of all privileged activities.

BeyondTrust’s extensible, centrally managed platform allows you to roll out a complete set of PAM capabilities at once, or phase in capabilities over time at your own pace. To learn more, contact us today.