Verizon’s 119 page 2020 Data Breach Investigations Report (DBIR) provides a comprehensive analysis of breaches and incidents. The report’s underlying data set consists of 157,525 incidents gathered between 11/1/18 and 10/31/19 from 81 contributing partners across 16 verticals, 81 countries, and 4 regions.
Twenty percent – or 32,002 incidents – met Verizon’s stringent data quality standards and twelve percent of those – or 3,950 – were confirmed data breaches. Changing trends can be seen over time against the backdrop of a total of 755,000 incidents Verizon has collected and painstakingly analyzed for 13 years running.
In addition to sections covering industry segments, regional analysis, and organization size (< 1000 employee SMB versus large organizations review), the report analyses a wide variety of factors. Factors include: Type of Actors (i.e., external, internal, organized crime nation states); Actors’ Motives (i.e., financial, espionage, fun/grudge/other etc.); Threat Actions (i.e., Phishing, Use of stolen Creds, Mis-delivery, Misconfiguration, Password Dumper, Trojan, Ransomware, RAM Scraper); Threat Varieties (i.e., Malware, Hacking, Social, Misuse, Physical, Error and Environmental); Data compromised (i.e., Credentials, Payment, Personal, Medical, Internal, Other); and incident classification Patterns (i.e., Crimeware, Cyber-Espionage, Denial of Service, Privilege Misuse, Miscellaneous Errors, Point of Sale, Lost and Stolen Assets, Payment Card Skimmers, Web Applications and Everything Else). There is a lot to dig into and there is something in the report for every type of reader.
Breach findings include:
- 86% were financially motivated
- 43% involved web applications – double last year
- 37% stole or used credentials
- 22% involved phishing
- 17% due to errors
- 24% cloud assets vs. 70% on premises assets
- 96% involved IT (information technology) vs. 4% OT (operational technology)
- 60% were discovered in 1 day or less vs. 26% discovered in 1 month or more
Additional general insights include:
- Human errors are on the rise with the increase in technical complexity.
- Credentials are still the favorite attack surface.
- Security researcher has become the most likely Discovery method for an Error action breach by a significant amount – over six times more likely than it was last year.
- While patching practices seem to have strengthened, Asset Management problems become vulnerability management problems on the assets organizations do not realize are there.
Effective data sharing is key to fighting bad actors’ evolving tactics. Verizon is improving how VERIS (Vocabulary for Event Recording and Incident Sharing) data connects and interacts with other existing standards like the Center for Internet Security (CIS)4 Critical Security Controls and the MITRE ATT&CK®5 framework to improve the types of data that can be collected and reported on. Mapping industry vulnerabilities to top controls – a new feature in this year’s report – help readers translate attack information into positive, constructive actions vital to organizations’ defenses.
Report Presentation: A Labor of Love
Kudos on Graphics
The quality of and care given to visualization graphics in Verizon’s 2020 DBIR is inspired. The report author’s took care to make sure the abstract work of art image below would not be mistaken for “Butterfly Vomit” by clarifying that “No, a butterfly did not just vomit on your report.” p 32. The graphic depicts the number of steps involved by threat action type and the associated attribute that was compromised helping to visualize the range of Attack paths.
In my perfect world, the actual data points would be or become visible when hovered over on bar charts.
Engaging Headlines and Tone
I felt like I got to know the 5 person Verizon DIBR team (Gabriel Bassett, C. David Hylender, Philippe Langlois , Alexandre Pinto , and Suzanne Widup) a bit by reading the report and really appreciated the narrative they provided. Some favorites quotes included:
“If you will allow us a mixed metaphor, there is no outrunning the bear in this case, because the bears are all being 3D-printed in bulk and automated to hunt you. So, carry on my wayward son and keep doing what you’re doing (you know, patching), and perhaps skip over to the “Assets” section to get an inkling of what you might be missing.” p. 23
“Many of the attacks studied in this report fall somewhere between a stickup and the Great Train Robbery in terms of complexity.” p. 36
“All in all, we do like to think that there has been an improvement in detection and response over the past year and that we are not wasting precious years of our life in a completely pointless battle against the encroaching void of hopelessness.” p. 37
“For whatever reason, these Error types – Misdelivery (sending data to the incorrect recipient) and Misconfiguration (i.e, forgetting to secure to a storage bucket) – seem to be the peanut-butter-and jelly sandwich of the breach world this year. Perhaps Internal actors are simply too busy trying to perfect their Renegade dance on TikTok these days; we do not know for sure. Whatever the reason, these errors are found in every industry and region, and in alarmingly large percentages. As mentioned elsewhere in this report, the vector for these errors is almost entirely carelessness on the part of the employee.” p. 89
Longed for a Discussion of Financial Implications
While Appendix C of the report did share that “In 2019, the Secret Service prevented $7.1 billion of cybercrime losses and returned over $31 million in stolen assets to victims of fraud” p115 and the Financially Motivated Social Engineering section stated that “median impact cost for incidents reported to the FBI IC3… for business email compromises (BEC), most companies either lost $1,240 or $44,000 with the latter being slightly more frequent” p25, I found myself longing to be grounded in basic macro statistics like – How much gets stolen each year? What do we spend on defending ourselves? I also wonder about collateral damage and the follow-on impacts of how stolen funds are used.
As I ran at answering these questions for myself, I found there to be a wide range of answers for key statistics. Here are some starting points:
According to IDC, worldwide spending on security-related hardware, software and services will be $106.6 billion in 2019, an increase of 10.7% over 2018. This amount will reach $151.2 billion in 2023 with a compound annual growth rate (CAR) of 9.4% over the 2019-2023 forecast period.
This is against a backdrop of global spending on IT overall is expected to be 3.9 trillion dollars in 2020 according to Gartner.
According to Cyber Security Ventures, global spending on cybersecurity products and services are predicted to exceeded $1 trillion cumulatively over 5 years, from 2017 to 2021.
According to Cybersecurity Ventures, cybercrime damage costs are predicted to hit $6 trillion annual by 2020, up from $3 trillion in 2015. They state that “this represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment and will be more profitable than the global trade of all major illegal drugs combined.”
It is sobering to contemplate how the stolen funds are being used to to fund ever bigger and badder activities.
“Cybersecurity is the central challenge of the digital age.” – Satja Nadella CEO, Microsoft
Verizon’s DIBR is a great report on a terrible situation. I found it well worth diving into the details and was impressed by the graphics and refreshingly engaging and accessible tone of the analysis which lowers the hurdle to raising broader awareness about cyber threats. I did need to begin researching key macro financial implications of the report findings. Identifying a handful of key impact statistics and tracking them over time could serve as a companion to or possibly become part of the report. By providing a data based view of security gaps and mapping to controls, Verizon enables organizations to take important steps to shutting down known security gaps – so key to protecting our economy, democracy, and way of life.