Verizon 2020 Data Breach Report Analysis

If there is one source of breach-related information that CISOs, CIOs and Internet Security Leaders look forward to on a yearly basis it’s got to be Verizon’s annual Data Breach Investigations Report. Contained in the 119-page document is some of the most valuable and insightful information any cybersecurity professional could ask for.

In this year’s report, Verizon collected data from some 81 businesses across industries including law enforcement agencies, government agencies, consulting firms and cybersecurity companies. Cumulatively, this data represents a total of 157,525 incidents and 108,069 data breaches. Given the sheer volume of information, we’ve aimed to summarize some of the most interesting and important findings. From there, we provide some key recommendations to inform your organization’s next security decisions.

Who: The Source of Cyberattacks

Perhaps one of the main takeaways the report sheds light on is the source of cyberthreats. According to the report, it’s a widely held belief that most of the threats to an organization stem from inside sources. In actuality, data from the report indicates that over 70% of breaches originate from external actors. Of these external actors, approximately 55% can be categorized as “organized crime”; while this may sound like we’re referring to the Mob, the definition actually refers to criminals who “operate with a process” or with an observable methodology, excluding nation-state actors and “hacktivists.”

Here, it is important not to allow these statistics to lull one into a false sense of security. The number of threats, by origin, does not equate to the relative risk posed by those same threats. It should be understood that an insider attack almost always presents a greater potential to cause harm, depending on the attack itself. Nonetheless, the origin, frequency and severity of any risk are valuable data for an organization to have when planning its security.

What: The Purpose of Cyberattacks

Spoiler alert: if you’ve heard the phrase “money makes the world go around,” you’d be correct in your assumption as to the main purpose of any threat actor. According to the report, 86% of all breaches reviewed were financially motivated. Interestingly enough, the purpose of the attack and the source of the attack are quite often related.

As is common knowledge in the security field, it is very typical for a threat actor to seek the path of least resistance, the proverbial low-hanging fruit. Simply put, if you are a cyber-criminal, and your goal is financially motivated, you are more likely to engage in attacks that require the least effort. This is often accomplished by automated attacks, or those attacks requiring the fewest number of steps.

This is very valuable information for an organization. The lesson is that if you focus your efforts well enough, remediating the obvious vulnerabilities, most financially motivated threat actors will simply move on to the next target: the law of least effort. Further, although money is most often what attackers are after, compromised credentials, customer data and the like are often simply collateral. That said, as discussed in previous Packetlabs blogs, for an organization like an MSP, whose true value lies in its customers, the route of attack, and of remediation, may not be so direct.

How: The Vectors of Cyberattack

The report’s data on how hackers are able to penetrate an organization’s defences is also very valuable information. Over 80% of data breaches involved some form of brute-forcing, phishing, social engineering or lost/stolen user credentials. Once in the network, acquiring further credentials becomes a major objective. The purpose here is quite likely two-fold: privilege escalation and credential stuffing. With the latter, attackers employ a barrage of login requests using stolen credentials or those obtained from database dumps.

The report outlines this process as a form of hacker “recycling”, in which it appears that hackers obtain a leak, amend their dictionary, and continue to brute-force the internet in a rinse-and-repeat fashion. This may allow an attacker to “stuff” their way back into the same organization’s network at a later date. Sneaky. With this in mind, Packetlabs believes it is critical for organizations to intensify their focus on securing credentials regardless of the current approach.
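The difference between the brute-forcing and credential stuffing described above shows up in authentication logs. The following sketch is an added example, not taken from the report or from Packetlabs tooling; the event layout, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source trying many accounts once each: the stuffing pattern.
    [("203.0.113.7", f"user{i}", False) for i in range(9)]
    + [("203.0.113.7", "jsmith", True)]  # one leaked pair was still valid
    # One source hammering a single account: classic brute force.
    + [("198.51.100.4", "admin", False) for _ in range(12)]
    # Ordinary user who mistyped a password once.
    + [("192.0.2.10", "alice", False), ("192.0.2.10", "alice", True)]
)


def classify_sources(events, min_failures=5, spread=0.8):
    """Label each source IP and list the accounts it managed to log in to.

    min_failures and spread are assumed thresholds; tune them to your traffic.
    """
    failures = defaultdict(list)   # ip -> usernames of failed attempts
    successes = defaultdict(set)   # ip -> usernames that authenticated
    for ip, user, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip].append(user)

    report = {}
    for ip in set(failures) | set(successes):
        failed = failures[ip]
        label = "normal"
        if len(failed) >= min_failures:
            # Distinct accounts per failed attempt: near 1.0 means one guess
            # per account (stuffing), near 0 means many guesses at one account.
            ratio = len(set(failed)) / len(failed)
            label = "credential-stuffing" if ratio >= spread else "brute-force"
        # A success from a flagged source means that credential is compromised
        # and should be reset, or it can be reused at a later date.
        exposed = sorted(successes[ip]) if label != "normal" else []
        report[ip] = {"label": label, "reset_accounts": exposed}
    return report


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(ip, verdict)
```

The `reset_accounts` list is the part that addresses the "recycling" problem: a successful login from a source flagged for stuffing identifies a credential that already appears in an attacker's dictionary.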

The Numbers

Although cyberattacks against on-premises assets continue to overshadow the threat landscape with around 70% of breaches, cloud resources were involved in 24% of data breaches in the last year. 73% of the time, email or web application servers were involved. Web application servers are targeted more often than any other asset. Characteristically, this implicates either the use of stolen credentials or the exploitation of unpatched vulnerabilities.

On the subject of patching, the report provides two very valuable pieces of information that any security team should be aware of. First, attackers will typically push to exploit unpatched systems before an update is made (low-hanging fruit); second, it’s noted that IT security teams that do not patch within the first quarter of discovery are much less likely to patch, ever. Attackers always give these vulnerabilities extra attention. The moral of the story is, stay on top of your patching!

Summary

Throughout this article, a few recurring themes continue to present themselves, year after year, in Verizon’s DBIR: more often than not, criminals follow the money. With that in mind, they follow easy money, the low-hanging fruit, first and foremost. In order to prevent a data breach, penetration testers have to maintain the same mindset. At Packetlabs, no matter what your current security practices are, we can show you just where those low-hanging fruits are, and as a result, help your organization to design a security posture that is protected.

How Packetlabs Can Help

When it comes to all things cybersecurity, Packetlabs is here to help. To learn how Packetlabs can design a custom-tailored service package for your organization, please contact us for more details!
