Financial gain remains the key motivation for cybercrime despite extensive media coverage of espionage, accounting for 86 percent of breaches investigated in the Verizon Business 2020 Data Breach Investigations Report (DBIR).
The vast majority of breaches continue to be caused by external actors - 70 percent - with organised crime accounting for 55 percent of these.
Credential theft and social attacks such as phishing and business email compromises cause the majority of breaches (more than 67 percent).
Thirty percent of credential theft breaches used stolen or weak credentials and 25 percent involved phishing while human error accounted for 22 percent.
- DBIR data continues to show that external actors are - and always have been - more common. Some 70 percent of breaches this past year were caused by outsiders.
- While espionage grabs the headlines, it accounts for just 10 percent of breaches in the data for this year. Some 86 percent of breaches continue to be financially motivated. Advanced threats account for just four percent of breaches.
- Credential theft, social attacks such as phishing and business email compromise and errors are the cause of most breaches (67 percent or more).
- Some 27 percent of malware incidents are ransomware, with 18 percent of organisations blocking at least one piece of ransomware.
- Attacks on web apps made up 43 percent of breaches, doubling the previous year’s figures. With the move of businesses to cloud services, it makes sense for attackers to follow. The most common methods use stolen or brute-forced credentials (more than 80 percent) while less than 20 percent exploit vulnerabilities.
- Personal data was involved in 58 percent of breaches, almost doubling on last year’s data. It included email addresses, names, phone numbers, physical addresses and other types of data found in an email or stored in a misconfigured database.
- The data showed a high number of internal-error-related breaches (881, versus last year’s 424). The report said the increase is likely due to improved reporting requirements because of new legislation rather than more frequent mistakes from insiders.
- Security tools are doing a better job of blocking common malware. Data from the report shows that Trojan-type malware peaked at just under 50 percent of all breaches in 2016 and has since dropped to just 6.5 percent. Malware sampling shows 45 percent of malware is from “droppers, backdoors or keyloggers”.
- Fewer than five percent of breaches involved the exploitation of a vulnerability. The data did not show attackers attempting these kinds of attacks that often. Just 2.5 percent of security information and event management (SIEM) events involved exploiting a vulnerability.
The 2020 DBIR report showed that common patterns could be found within cyber-attack journeys, enabling businesses to “determine the bad actors’ destination” while they are in progress.
When they are linked to the order of threat actions, whether through error, malware, physical, or hacking, breach pathways can be used to predict the target.
It means that the attacks can be stopped in their tracks and so offer a “defender’s advantage”.
The report said a growing number of small and medium-sized businesses are using cloud- and web-based applications and tools.
The take up has made them targets for cyber-attackers.
2020 DBIR findings show that phishing is the biggest threat for small firms, accounting for more than 30 percent of breaches.
Next comes the use of stolen credentials (27 percent) and password dumpers (16 percent). Most often, attackers targeted credentials, personal data and business-related data such as medical records, internal secrets or payment information.
More than 20 percent of attacks were targeted web applications using stolen credentials.
- 86 percent of data breaches for financial gain - up from 71 percent in 2019
- Cloud-based data under attack - web application attacks double to 43 percent
- 67 percent of breaches caused by credential theft, errors and social attacks
- Clearly identified cyber-breach pathways enable a “defender advantage” in the fight against cyber-crime
- On-going patching has been successful - fewer than 1 in 20 breaches exploit vulnerabilities
The 2020 DBIR also provided a detailed analysis of industries, showing significant differences across business verticals.
Some 29 percent of breaches come in the manufacturing sector, where external actors use malware such as password dumpers, app data capturers and downloaders to obtain proprietary data for financial gain.
Almost all of the incidents in retail were financially motivated - some 99 percent, where payment data and personal credentials were the goals. The main cause of retail breaches is via web applications, rather than Point of Sale (POS) devices.
Financial and insurance
Almost a third (30 percent) of breaches were caused by web application attacks. Most often this was primarily driven by external actors using stolen credentials to get access to sensitive data stored in the cloud. The transition to online services has been highlighted as a key factor.
A doubling of ransomware attacks this year makes up around 80 percent of malware attacks compared to 45 percent last year. Social engineering accounted for 27 percent of incidents.
Some 31 percent of healthcare breaches came from basic human error. External breaches were at 51 percent, up from 42 percent last year, slightly more common than insiders at 48 percent (59 percent in 2019). The industry has the highest number of internal bad actors, because of greater access to credentials.
Some 61 percent of malware-based incidents were down to ransomware, while 33 percent of breaches were accidents caused by insiders. These types of organisations have improved on identifying breaches, with just six percent lying undiscovered for a year compared with 47 percent previously. This was linked to legislative reporting requirements.
Analysis of geography
The report found financially-motivated breaches, in general, accounted for 91 percent of cases in Northern America, compared to 70 percent in Europe, Middle East and Africa and 63 percent in Asia Pacific.
In Northern America, the technique most commonly used was stolen credentials, accounting for more than 79 percent of hacking breaches. Some 33 percent of breaches were associated with either phishing or pretexting.
In Europe, Middle East and Africa (EMEA) Denial of Service (DoS) attacks accounted for more than 80 percent of malware incidents; 40 percent of breaches targeted web applications, using a combination of hacking techniques that leverage either stolen credentials or known vulnerabilities. Just 14 percent of breaches were associated with cyber-espionage.
In Asia Pacific (APAC) 63 percent of breaches were financially-motivated, and phishing attacks are also high, at over 28 percent.
Alex Pinto, lead author of the Verizon Business Data Breach Investigations Report
“Security headlines often talk about spying, or grudge attacks, as a key driver for cyber-crime - our data shows that is not the case.
“Financial gain continues to drive organised crime to exploit system vulnerabilities or human error. The good news is that there is a lot that organisations can do to protect themselves, including the ability to track common patterns within cyber-attack journeys - a security game changer - that puts control back into the hands of organisations around the globe.”
Mark Bower, SVP at comforte AG
“The report shows the Great Digital Train Robbery is alive and well. External, multi-faceted and industrialised hacking continues to pepper large enterprises at 72 percent of overall victims. It’s no surprise that web applications, around 45 percent of attacks, expose technology services firms, retail, financial and Insurance services and professional services most to compromise. They are the highest aggregators of highly sensitive data with substantial third-party data sharing risk.
“Personal data theft is trending up, now 49 percent of retail breaches, overtaking payment data at 47 percent putting privacy regulation risk high on the compliance agenda. 70 percent of breaches were from external actors, insiders 30 percent, and human left doors open in 22 percent of cases. In a world quickly moving to post-Covid cloud IT, now 24 percent of investigated breaches, enterprises have no choice but to modernise data security strategies to neutralise data from attack or become a victim.
“The numbers don’t lie - the barrier between attackers and valuable sensitive data can be broken, enabling rapid data theft and abuse unless the real data has no value in the attacker’s hands.
"Industries that progressively shielded data with contemporary security measures such as data tokenisation and encryption showed a strong decline in breach impact (POS attack incidents trended close to zero), but attackers followed the path of least resistance – to online compromise opportunities – now 50 percent of retail breaches.”
Jake Moore, cybersecurity specialist at ESET
“Many cyber-attacks can be stopped with a few small steps, coupled with some training and awareness. We all like to think that we’re not susceptible to social engineering or manipulation, but the truth is that even cautious, self-aware people still get caught up in online scams that can have very damaging consequences.
"Zero trust always wins, but we have to remember that we are human and humans make mistakes. This is simply because there still isn’t sufficient education and people will continue to be fooled.
“Far too many of us ignore those important updates too. Huge numbers of people wrongly think they won’t be hit with an attack, or believe they are too busy to update their devices. The problem is, however, that usually those updates are the result of discovering brand new vulnerabilities that have damaging consequences to business and personal data.”
Paul Bischoff, privacy advocate at Comparitech
"The report dispels many commonly held misconceptions about how and why data breaches happen. Many breaches and data incidents are easily preventable.
“Most breaches are perpetrated by organised crime and are financially motivated, not by internal sources. Hacking through the use of stolen credentials, phishing, and errors top the list of actions that lead to breaches.
“Web applications are the most common hacking vector through which criminals obtain stolen credentials.
“Although ransomware often makes the news, password dumpers that steal hashed passwords which can then be brute-forced are the most common type of malware that leads to data breaches. Malware, in general, is on the decline when it comes to data breaches."
Eoin Keary, founder and CEO of Edgescan
"Contributing to the Verizon DBIR helps us as an industry move the dial in a positive direction. We can't improve what we can't see.
“The idea of "the great and good" in the industry contributing together provides a realistic snapshot of what matters In cybersecurity today. I'm very proud of and grateful to the folks in VDBiR for all their hard work."
Chad Anderson, senior security researcher at DomainTools
"This report further goes to show that attackers do not have to be sophisticated to be effective. We see that only 45 percent of all breaches in this report involved some kind of traditional hacking and only four percent of the breaches in total had more than four attacker actions.
"Simple, low-hanging fruit for financial gain continues to dominate this space and shows where so much of our security posture can be improved with user education and basic, industry-standard security practices.
“Phishing and trojans are down and ransomware is up as Ransomware-as-a-Service (RaaS) groups like REvil are on the rise. Lots of work has gone into spotting phishing domains early with machine learning algorithms and endpoint detection is improving all the time. This makes sense as most of the breaches featured in this report focus on financially motivated organised crime groups.
"RaaS pays, especially in this Covid-era where attackers are targeting hospitals and essential businesses that may not have the time to turn around and properly rebuild their infrastructure after key data and parts have been compromised.
“Errors - mostly misconfigurations of resources - continue to be on the rise as more and more data sets are left openly exposed. This year alone we have already seen massive Elasticsearch instances and MongoDB databases that were left open and exposed, dumped, and then sold on cybercrime forums. The accessibility to cloud infrastructure and the complexity around securing it will continue to have people leaving their data on wide-open S3 buckets for all the world to scrape."
Richard Bejlich, principal security strategist at Corelight
“The DBIR offers a lot of information for security professionals to digest. One way to use it is to understand how your industry is represented, see the sorts of actors and events that affect your industry, and be sure your organisation’s risk model and countermeasures mitigate the concerns reported by the DBIR.”
Tim Erlin, VP, product management and strategy at Tripwire
"We often think of ransomware as a breach, but the DBIR categorises most ransomware activity as an incident because while you may have lost access to the data, the attacker hasn’t actually stolen it. While that may give you some comfort, it doesn’t mean that a ransomware incident is materially less impactful to the security folks who have to deal with it.
“The fact that “misconfiguration” is in the top five action varieties for breaches is an important acknowledgement that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organisations often don’t put the same effort into assessing them as they do scanning for vulnerabilities.
“At a high level, the key things for every organisation to worry about are brute force and stolen credentials, and web applications.
“It’s tempting to downplay vulnerability management based on this data, but the details show that, by and large, the organisations that are doing it reasonably well are safer, and the organisations that aren’t are very, very vulnerable.
"One key lesson, though, is that an organisation can do both. The old adage “you can’t protect what you don’t know about” is true for vulnerability management. Asset management is a prerequisite for vulnerability management.
“If you want to protect yourself from the most common breaches, protect your web servers, your workstations and your mail infrastructure.
“Cloud assets are still a minority of targets, at 24 percent compared to on-premise’s 70 percent. Why change tactics if they’re working? The cloud has a learning curve for criminals as well as enterprises.
“One important lesson to take from the DBIR is that a compromise is often made up of multiple attacks, and so, as a defender, you have multiple opportunities to stop the attacker. The concept of ‘defence in depth’ is applicable here.
"The data provided about how the multiple steps in a compromise occur is vital. Malware is rarely the first step, and so if you catch malware in your environment, you have to look for what came before that. Hacking is much harder to deal with because it plays a role in the beginning, middle and end stages of a breach.
“The industry analysis provided by the DBIR is invaluable. Being able to see which assets, actions, and patterns are most relevant for your industry allows you to take much more decisive action as a defender.
"For example, Manufacturing should be more concerned about crimeware, introduced through malware and social engineering, than any other industry. If you’re in healthcare, errors figure much more prominently in your threat model than other industries.
“The inclusion of the CIS controls, after a hiatus, is a good addition for defenders. CIS is well-respected in the industry, and the controls provide enough information to be actionable but avoid being overwhelming at the same time."
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center)
"In all cyberattacks, it is the attacker who defines the rules, and often opportunism is the best play in any numbers game. The 2020 DBIR confirms that most successful breaches employed opportunistic tactics ranging from social engineering and credential attacks through to opportunistic hacks and exploits of misconfiguration.
"This means that we could see a material reduction in breaches if basic principles such as securing S3 buckets, applying password security to databases, having a patch management strategy and applying reasonable malware protections were in place.
“If we look beyond the basics and dig into an attack strategy, such as exploiting a vulnerability, we’re really looking at targeting a process and exploiting its weaknesses. In the case of a vulnerability exploit, the success is directly related to both a patch management strategy and how accurate the software asset management list matches what’s currently deployed. The exploit becomes actionable if there is any software that isn’t part of the asset manifest which then means it’s likely missing patches.
“While such manifests and processes are manageable when describing systems managed by enterprise IT teams, the weakest and most opportunistic link could be the remote worker or an employee’s mobile device which creates a bridge between the processes of enterprise IT and the practices of consumer “IT”.
"This is why zero-trust network architectures are interesting and also why patch policies must include open source governance – attackers look for blind spots in process as those blind spots enable them to invest in more sophisticated attacks."
Satnam Narang, staff research engineer, Tenable
"The findings in the Data Breach Investigations Report (DBIR) 2020 show that while attack vectors may fluctuate over time, cybercriminals often set their sights on low-hanging fruit. Zero-days may garner most of the attention, but foundational cyber hygiene issues enable most breaches. The motivation for cybercriminals is primarily financial.
"As the Cybersecurity and Infrastructure Security Agency (CISA) recently underscored in a recent report about the top 10 routinely exploited vulnerabilities, cybercriminals focus their efforts on exploiting unpatched vulnerabilities.
“It’s a cost-effective measure that provides the most bang for the buck, because they don’t have to spend the capital needed to acquire zero-day vulnerabilities when there are so many unpatched systems to take advantage of.
"As the DBIR notes, even if a newly-discovered vulnerability wasn’t patched in a network, those same systems would likely also be vulnerable to a plethora of other vulnerabilities, which signifies a lack of basic cyber hygiene.
“Ransomware increased by 2.6 percent from last year, landing at number three in the most common malware breach variety, while also taking the number two spot for most common malware incident variety, according to the DBIR. What’s changed in that time is that ransomware isn’t solely devoted to encrypting files anymore.
“Cybercriminals have escalated their attacks to another level, siphoning off sensitive information from organisations whose files they’ve encrypted. These cybercriminals threaten to publish this sensitive information publicly, often publicly sharing a teaser of files from organisations they’ve compromised. The belief is that naming and shaming these victims would encourage them to pay the ransom demand, and in many cases, that’s proven to be true.
“Another notable finding is that 43 percent of breaches involved web applications. This is often fueled by the exploitation of some of the most common vulnerabilities, such as SQL injection or PHP injection flaws. As more and more businesses have migrated to the cloud, their attack surface increases, especially with respect to web applications. The DBIR notes that web applications along with email application servers were involved in 73 percent of cloud breaches, while most of those were the result of breached credentials."
Patrick Spencer, senior director, Contrast Security
“Web applications are a growing focus point for cybercriminals. Motivated by financial outcomes, they understand the value of the information exchanged and stored in web applications. The 2020 Verizon Data Breach Investigations Report (DBIR) confirms that this is the case: 43 percent of data breaches are tied to web application vulnerabilities- which more than doubled year over year. Legacy, outside-in DevOps security is failing, and a new approach is needed that takes an inside-out approach.”
Ralitsa Miteva, business solutions manager, OneSpan
“As usual, the 2020 Verizon Data Breach Investigations Report did not disappoint in terms of providing an interesting analysis of the past year’s data breach happenings. As identified in the report, attacks continue to become more sophisticated and we are seeing a huge increase in organised crime targeting larger organisations. We are seeing these organised crime groups seek skilled professionals and technology to ensure faster monetisation of the stolen data via phishing attacks.
“It’s no surprise that phishing remains the most preferred method for attackers when it comes to stealing credentials. Technologies such as intelligent authentication and risk analytics play a big part in monitoring for fraud that occurs as a result of these social engineering attacks.
"Being able to identify attack patterns in real-time with machine learning and artificial intelligences will help banks and other financial institutions protect their users and themselves from these complex attacks.”
Niamh Muldoon, senior director of trust and security at OneLogin
"37 percent of breaches stole or used credentials highlights the need for businesses and organisations to provide their end-users with a secure mechanism for accessing systems and data that doesn't rely on passwords alone.
“With more and more of our lives becoming digital, securing and protecting are digital identity and lives will come more into focus. Businesses and organisations who demonstrate good security practices to it end-users will remain a distinct advantage. Secure access control to data and systems is fundamental to building this end-user trust."
Bob Rudis, chief data scientist, Rapid7
“First: Attacker dwell time is significantly reduced, but that matters little to ransomware attackers, an attack vector that has only gotten worse over time. We need to keep improving this statistic, but also need to work even harder on preventing phishing attacks and shoring up internal configurations.
“Second: It is no real surprise that naked S3 buckets and wide-open databases received a significant mention in the DBIR. The Rapid7 team finds millions of SMB servers, databases, and other inappropriately exposed services each time we run our Project Sonar scans. Organisations must implement stronger controls and have finely honed practices and playbooks for deploying services safely.
“Third: Zombie credentials never die, they just get re-used in every gosh darn attack. Attackers have amassed a cadre of billions of credentials and that stash seems to get bigger every week.
"There is so little risk in reusing them (either because organisations are blind to the login attempts or because regional authorities just don't seem to care) and so much to gain when one set of credentials actually works, that we'll continue to see this mode of attack until organisations finally implement multi-factor authentication across the board.”
Jamie Akhtar, CEO and co-founder at CyberSmart
"The fact that 28 percent of cybercrime victims are small businesses comes as no surprise- this is a trend we have seen for a while. It's a real misconception that any business is too small to be targeted. As we continually see, that's just not how a lot of these large-scale attacks work.
"But small organisations, especially those who have little IT expertise on staff, often aren't sure where to start when it comes to protecting themselves from threats. This is why the UK government's Cyber Essentials scheme is so helpful; it provides proven standards for basic cyber hygiene that any business (or individual for that matter) can follow to safeguard against the vast majority of these kinds of attacks. "