Data Breach Investigations Report
Data Breach Investigations Report from Verizon defines an incident as a “security event that compromises the integrity, confidentiality or availability of an information asset”. It is an event that violates security policies and practices of an organization. For instance, incidents are inclusive of unauthorized access, malware attack, Denial of Service (DoS), unauthorized probe or scan, failure of computer networks, applications and databases. Security incidents escalate into breaches. A breach is described as an incident that results in disclosure or actual loss of data to an unauthorized party. Sensitive, protected, confidential information is stolen, viewed or accessed by an unauthorized person. Data breaches are security incidents that meet specific legal definitions. An example can be the use of stolen credentials.
The 2018 DBIR covers 53308 security incidents and 2216 data breaches that took place in 65 countries with 67 contributors that helped in providing data. In 2017, majority of data breaches or attacks were performed by the outsiders of organizations (73%). They were followed by organized criminal groups who were responsible for the 50% of data breaches carried out last year. Internal actors and nation-state/state-affiliated groups were liable for 28% and 12% of the breaches respectively.
Of the 2216 security breaches, 24% of the breaches affected the healthcare industry. Followed by accommodation and food services industry at 15% and public sector at 14% of breaches. 58% of the affected victims are categorized as small businesses. The top motives reported were financial (76%), followed by 13% to espionage which, combined, covered 90% of the incidents.
The Top 10 Threats
1. Denial of Service
Denial of Service (DoS) and Distributed Denial of Service (DDOS) attacks on a target causes disruption that can last from hours to several days, rendering resources and services inaccessible. They violate one of the security components, availability. This costs businesses large amounts of revenue from the disrupted services. DoS involves the use of a single computer whereas DDoS uses multiple computers referred to as bots or zombies.
DoS is becoming more frequent, with 21409 incidents being reported in 2018. They are often used as cover ups, frequently being started, stopped and restarted to hide other breaches taking place. Although the technique of hacking is becoming popular, the magnitude of this attack has reduced to below a gigabit per second to saturate the target’s bandwidth. This may last up to three days. Amplification attacks which are a type of DDoS that consumes bandwidth between the attacker and the web resource has grown significantly compared to the non-amplified attacks. They have dominated as the most used type of DDoS, since they are reliant on people leaving services open and with vulnerable configurations to the internet.
Ransomware is a type of malicious software (malware) that can present itself in many forms, commonly as a locker ransomware or a crypto ransomware. A locker ransomware encrypts an entire storage media or a hard disk of a device, eventually locking the user out of the system while a crypto ransomware only encrypts specific files that seem important on the device i.e. pdf documents. Access to computer resources is blocked until a sum of money is paid. It does not require a breach of a target’s confidentiality for an attacker to meet their goal. It can be sent as an attachment or a link on an email which the target can trigger by clicking it. The use of ransomware is becoming global and easily accessible as a service. One needs a computer and internet connection to obtain it as a commodity and target a victim. Its’ ease of access has made it to be common to criminals hence has increased in use. Ransomware has overtaken all the other types of malware to be the most common malicious code. 2018 DBIR accounts for 39% of malware related cases which are responsible for 787 incidents. That is double of 2017’s number of cases. 16 ransomware cases were reported within the retail industry, while it also accounts for 85% of all malware in the healthcare industry. Notable examples of ransomware include NotPetya and WannaCry that spread around the world in 2017.
A bot is a script designed to perform automated functions. The script is installed in a computing device and uses their processing power to perform a task (botnets: the anatomy of a case). On the other hand, a botnet is a short name for the word roBOT NETwork. It is a huge network of compromised systems. Bots report to a command-and-control (C2) server which relays the commands. Bots perform various functions, both positive and negative. It is used to perform useful services i.e. search engine indexing and web spidering and used maliciously to perform tasks for instance automated extraction of credentials, distribution of spam, participation in DoS attacks, or extension of the botnet by recruiting new bots. Ransomware is not the only prominent malware in use for attacks. Verizon reports extensively about botnet-based infections. The report cites more than 43000 breaches using stolen customer credentials took place from botnet infected clients. It is also stated that botnets affect victims in two different ways. The first way, the victim never sees the malicious script. They proceed to download the bot, which steals their credentials, then uses them to log in to their systems. This technique targeted banking organizations (91%), information (5%) and professional services organizations (2%). The second way victims are affected involves compromised hosts within a network of an organization acting as foot soldiers in a botnet. They run commands provided by the command and control server. The report also shows that most organizations clear most bots within the first 100 days after detection.
Phishing is the act of obtaining sensitive information fraudulently. It employs social engineering and technical manipulation to steal information. Such information may include usernames, passwords, credit card details, etc. for malicious reasons. It is commonly done by sending an email that entices a user to click on a malicious link or attachment. Phishing is often the first step in a larger chain of events that lead to a breach. an email-based attack is often “followed by malware installation and other actions that ultimately lead to exfiltration of data.” Verizon gave out the following statistics on phishing as a threat:
• 59% of phishing attacks are financially motivated while 41% are motivated by espionage
• Phishing was involved in 70% of breaches associated with state-affiliated actors
• 4% of people will click on the bait in a simulated phishing campaign
• People who click on phishing emails are more likely to click in the future
Pretexting is the “creation of a false narrative to obtain information or influence behavior. It includes some dialogue back and forth i.e. over the phone, and most often targets finance and human resource employees of an organization. It can involve impersonating people to get the information, for instance an executive. Financial pretexting has risen from 61 to 170 incidents while an increase of 83 incident attacks targeting the human resource were recorded. It is important to note that pretexting does not rely on malware installation for an attacker to accomplish their goal. Malware was found in less than 10% of incidents that used pretexting. So, pretexting is more about acquiring information directly from the target rather than compromising a system.
6. Privilege Misuse
This occurs when the privileges associated with an account are used inappropriately, which can be unapproved, malicious, accidental, or out of ignorance of policies. Incidents within this category are primarily by insiders. However, partners (since they all have privileges) within the organization and outsiders can collude to perform an attack. Breaches related to privilege misuse in the accommodation industry to be specific, which is rich in personal information and credit card information, increased from 5 to 302 in the 2018 report. This is an increase in 5940% of breaches.
7. Cyber Espionage
Cyber espionage, also called spying, can be defined as a form of cyber warfare between different countries to acquire valuable information or secrets using unethical ways. These state-affiliated actors with the motive of espionage acquire or steal information stored in digital formats, computer devices and networks. Nation-affiliated groups contribute to 93% of breaches. Other threat actors are former employees, competitors, and organized criminal groups that represent the rest. Most of the cyber espionage take the form of phishing scams that plant malware to create backdoors for hackers to exploit the vulnerabilities.
8. Physical Theft and Loss
As the term suggests, it is the disappearance of information assets of an organization whether maliciously or not. Verizon reports that paper documents and laptops were the most stolen assets commonly at the victims work area, or from their vehicles.
9. Web Application Attacks
These attacks focus on an application itself and functions on the layer 7 of the OSI model. Nearly 70% of all attacks happen at the application layer (SANS Institute InfoSec Reading Room). This is through exploiting vulnerabilities of the running applications together with their authentication mechanisms. It is still a popular attack vector resulting in 414 breaches (18.5%). Weaknesses such as inadequate input validation, are exploited using phishing techniques or malware to steal user credentials which are used to log in to systems and impersonate a legitimate user.
10. Miscellaneous Errors
These are incidents where unintentional actions directly compromise the security of an asset. Over half of the breaches in this pattern were due to mis-delivery of information. Sending email to the wrong recipient, posting sensitive information on a company’s web server, misconfigurations of computer systems result in data breach.
Data Breach Investigations Report