Authored by: Carolyn Crandall, Chief Security Advocate, Attivo Networks – The Verizon Data Breach Investigations Report (DBIR) is always hotly anticipated by those in the cybersecurity industry, and the 2021 edition is no exception. While last year’s report analyzed data collected before the COVID-19 pandemic had begun in earnest, the 2021 report provides an in-depth look at how attack patterns evolved amid a tumultuous 2020. To create this year’s DBIR, Verizon analyzed nearly 80,000 recorded incidents from 88 countries, providing readers a data-rich breakdown of the state of cybersecurity amid the pandemic.
Verizon didn’t sugarcoat their findings, referring to the year (somewhat tongue-in-cheek) as an “unpredictable dystopian wasteland.” The report’s findings highlight several concerning changes in the way attack patterns have evolved. Notably, Verizon used a new machine learning technique to adjust its attack pattern categories for the first time since the DBIR’s inception. These new patterns highlight the continued need for more robust in-network protection against social engineering, ransomware, and other attacks capable of evading perimeter defenses—underscoring the need for network visibility, Active Directory protection, and other services provided by Attivo Networks solutions.
The Human Element Dominates the Attack Landscape
One of the most prominent findings in this year’s report was that the “human element” factors into 85% of breaches. In fairness, the human element covers a wide range of things, such as credential mismanagement, software misconfigurations, falling for phishing emails, and more—but it highlights the fact that attackers have identified human beings themselves as the weak point in most security setups.
The most compelling evidence of this shift toward human-focused attacks is the finding that phishing was present in 36% of breaches—up 11 percentage points from 25% just one year ago. Verizon notes that a jump of even just a few percentage points year-over-year is noteworthy, making an 11-point jump almost unheard of. The report notes that this is not entirely unexpected. There was already considerable data indicating that phishing (particularly COVID-19 related phishing lures) rose dramatically as remote work became the norm, but it is still a concerning development. With workers at home, where they were both more likely to be distracted and less likely to have direct access to their colleagues and managers, it’s no surprise that attackers were able to find success here.
On a related note, ransomware also continues to grow. Ransomware now makes up 5% of all incidents and 10% of all breaches (double what it was in 2019). Verizon points out that attackers have shifted their approach to ransomware, now often stealing and publishing data rather than simply encrypting it. The report also highlights that using stolen credentials or brute force attacks remains among the most prominent attack vectors. This finding leads to another worrying statistic, which is that 61% of all breaches now involve credential data, including stolen credentials, credential stuffing, brute force attacks, credential leaks, and more. Too many organizations lack sufficient visibility into exposed credentials—particularly as the attack surface has expanded amid widespread remote work—further highlighting the need for effective visibility, prevention, and detection solutions.
Shifting Attack Patterns Reveal New Vulnerabilities
This year, Verizon used a new machine learning technique to improve the DBIR’s categorization and clustering of breaches. They did this without direct input from the research team and resulted in some interesting findings. Many of the same categories that Verizon has used for years remain, but they retired others in favor of new, more pertinent categories. “Crimeware,” “cyber-espionage,” “point-of-sale,” and “payment card skimmers” have been retired, with other, more broadly applicable attack patterns subsuming them. “Denial of service,” “lost and stolen assets,” “privilege misuse,” and “misc errors” remain, while Verizon added the new categories of “social engineering” and “system intrusion”.
The addition of social engineering is expected, given the substantial growth in phishing attacks and other human-focused attack patterns. Verizon notes that social engineering attacks simply didn’t exist in this scope in 2014 when they decided upon the original attack pattern categories. It was likely overdue to incorporate them into the data.
System intrusion is the more curious addition, partly because it does not have a strict definition. It combines elements from several different categories but generally covers complex breaches accomplished via a series of smaller steps. In a recent presentation breaking down the DBIR’s findings, a Verizon representative noted that attacks within the system intrusion category generally involve a good deal of lateral movement once the attacker has breached the network. The report also notes that over 70% of the cases in the category involved malware, and 40% involved hacking.
It is also worth mentioning the privilege misuse category. While privilege misuse has declined as a percentage of breaches, this is primarily due to a rise in other attack tactics rather than a decline in privilege misuse. While this category includes many accidental breaches rather than malicious actions, such as sending confidential information to a personal email address or abusing existing privileges, 70% of breaches are due to privilege abuse. Organizations wishing to crack down on insider breaches should take this as a warning sign to regularly audit their policies and permissions. They will also want to leverage tools that can show overprovisioning and dangerous delegations to prevent privilege escalation and unnecessary access.
Exposed, misused, and stolen credentials have become an increasingly significant problem for today’s enterprises, and attackers continue to use them to bypass perimeter and identity protections. In many cases, attackers use legitimate credentials to compromise Active Directory, at which point they can further escalate their privileges and expand the scope of their attacks. Enterprises need in-network defenses capable of detecting abnormal activity such as suspicious AD queries, or they risk handing attackers the metaphorical keys to the castle. Red teams have regularly demonstrated that they can compromise AD close to 100% of the time, a key indicator that if they can do this, so can an attacker. Given the consequences when one loses Domain control, addressing exposures and vulnerabilities of this critical resource must be a priority.
Vulnerable Industry Verticals
The 2021 DBIR spends some time delving into individual industries and the types of attacks they are most likely to face. Some data worth noting is that internal actors are increasingly driving breaches within the financial and insurance industries. Although external breaches are still a slight majority, internal breaches have been steadily rising since 2017. However, while this might seem to indicate a rise in malicious actors within these industries, the truth is more mundane. Most internal breaches in the financial industry resulted from accidental actions, such as sending emails to the wrong people (a statistic representing 55% of all error-based breaches).
Other interesting data points include the fact that misdelivery and other errors dominated the healthcare industry and that personal data (66%) is compromised more often in data breaches than medical data (55%). The education industry, which the report spotlighted as students had to shift to remote learning last year, has been the target of a growing number of social engineering attacks, which fits the overall pattern of that attack method.
Finally, in the wake of the Colonial Pipeline attack, the data on the oil and gas industries have become particularly interesting. Credentials represented 94% of the data compromised in energy industry breaches, and ransomware accounted for 44% of non-social engineering attacks. This data indicates that something like the Colonial Pipeline attack was bound to happen—and that the energy industry needs to improve its ability to detect and derail ransomware attacks. If they don’t, it is only a matter of time before an attack targets another major pipeline—or worse.
Moving Forward with New Knowledge
The 2021 Verizon Data Breach Investigations Report highlights many growing trends that should concern enterprises across a wide range of industries. Attackers have zeroed in on attack tactics like social engineering and ransomware because of their high degree of success. The rate at which attackers can obtain credential data should raise alarm bells for organizations throughout the globe.
Part of why tactics like social engineering work so well is that they enable attackers to obtain valid credentials, allowing them to bypass perimeter security measures and fool identity protections. Detecting and derailing these attacks requires a comprehensive suite of in-network detection tools capable of providing extensive network visibility to allow defenders to identity exposed credentials, misconfigurations, and other potential attack paths, suspicious activities, and more. This year’s DBIR maintained its value in helping businesses better understand how attackers’ priorities shifted over the past year and what they need to be thinking about for shoring up their defenses. I always look forward to its annual release, and like in prior years, it did not disappoint.