Providing further proof of the increasing professionalisation of the cyber criminal underground, the number of data breaches motivated by financial gain has grown by more than 15% in the past year to 86%, according to the 2020 edition of Verizon Business’ annual Data Breach Investigations Report (DBIR), which over the past 13 years has grown into a landmark study of the cyber security landscape.
The latest edition of the DBIR also reported that 67% of data breaches resulted from credential theft, human error or social attacks, and saw attacks through web applications double to 43%, reflecting the growth in use of cloud-based services.
However, and reckoning without the impact of the Covid-19 coronavirus pandemic, which began after the data was compiled, Verizon said it also found cause for optimism. Fewer than one in 20 hacks involve known vulnerabilities, suggesting people are getting the message that patching is one of the quickest and simplest things they can do to protect themselves. And because cyber criminals use clearly identified “breach pathways”, defenders already have an almost innate advantage over them, if they care to capitalise on it.
Report co-author Gabriel Bassett told Computer Weekly that the headline findings on the financial motivation behind cyber attacks reflected to some extent the nature of the cyber criminal world.
“A lot of times cyber espionage gets more mindshare because, let’s be honest, it’s cooler, it’s more interesting, it’s more exciting,” he said. “But the reality is that the vast majority of hackers are just out there to make a buck, and they’re out there to make a buck in the quickest and easiest way possible.”
Bassett said this drive for money also went some way to explaining the part of the data that shows the majority of breaches seen in the wild are not terribly complex, and tend to involve three or fewer discrete actions, such as convincing someone to click a link in a phishing email, using their credentials to log in to the target network, and then encrypting its systems with ransomware.
“Attackers are not only in there for financial gain,” said Bassett. “They’re in there to do it quickly and easily, which really suggests how organisations should go about defending themselves.
“First, if you haven’t done the basics, if you haven’t stopped those attacks that only take one or two or three actions, then you need to target those first because the attackers go for the easy targets first and you want to do anything you can to make yourself a slightly less easy target.
“You don’t have to be perfect, you just have to make things slightly harder for the attacker because there are so many targets out there that there’s no reason for them to target you if they could target another 10 slightly easier-to-target organisations in the same time.”
As these staged attacks almost always follow the same kind of pattern, Verizon said canny defenders could even analyse attacks while they are in progress to determine what the hackers are trying to reach. This defensive advantage can help security teams better understand where their defences need to be concentrated, the firm said.
“We often forget that there is this progression within attacks,” said Bassett. “The attacker has to start somewhere, they have to do these other steps, and they have the opportunity to fail in their attack at every step along the way. By thinking in that way, we open up different ways to defend.
“So if you know to expect that a lot of attacks start with phishing and then steal credentials and then potentially install malware, maybe what you want to do is stop the phishing emails, or maybe you want to try to stop phishing emails, but also emphasise your employees reporting when they get phished, with the intent of decreasing the time the attacker has to execute.
“If you think in terms of paths, you can say ‘I can choose where I want to meet this threat along the path and I can choose to meet them at the place that is most advantageous to me as the defender’.”
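The path-based view Bassett describes above can be made concrete with a small replay model. The following is an added worked illustration and is not code from the article or from Verizon’s report: it treats the three-step chain the article mentions (phishing, credential use, malware) as an ordered path, replays a constructed set of per-user events along it, and reports at which step a preventive control would have intercepted the attacker and how quickly an employee report arrived. The event format, field names, step names and sample data are all assumptions made for this example; in practice the ranking of intercept points would also weigh the cost of each control, which the model ignores.

```python
from dataclasses import dataclass

# Ordered path described in the article: phish -> credential use -> malware.
# Step names are assumptions for this illustration, not report terminology.
ATTACK_PATH = ["phishing_delivered", "credential_login", "malware_executed"]
REPORT_EVENT = "phish_reported"  # the employee-reporting signal the article mentions


@dataclass(frozen=True)
class Event:
    t: int       # minutes since the phish was sent (constructed timeline)
    user: str
    kind: str    # a step in ATTACK_PATH, or REPORT_EVENT


# Constructed sample telemetry (not real data) for two users.
SAMPLE_EVENTS = [
    Event(0, "alice", "phishing_delivered"),
    Event(7, "alice", "phish_reported"),      # alice reports the email quickly
    Event(12, "alice", "credential_login"),   # her credentials are used anyway
    Event(0, "bob", "phishing_delivered"),
    Event(30, "bob", "credential_login"),     # bob never reports it
    Event(45, "bob", "malware_executed"),
]


def walk_path(events, user, hard_stops=frozenset()):
    """Replay one user's events in time order along ATTACK_PATH.

    hard_stops is the set of steps at which a preventive control (for example
    MFA at credential_login) is assumed to stop the attacker outright.
    Returns (outcome, step, minute): outcome is "blocked", "completed",
    "in_progress" or "none".
    """
    timeline = sorted((e for e in events if e.user == user), key=lambda e: e.t)
    reached, reached_t = -1, None
    for e in timeline:
        nxt = reached + 1
        if nxt >= len(ATTACK_PATH) or e.kind != ATTACK_PATH[nxt]:
            continue  # not the next step on the path (or a report event)
        if e.kind in hard_stops:
            return ("blocked", e.kind, e.t)
        reached, reached_t = nxt, e.t
        if reached == len(ATTACK_PATH) - 1:
            return ("completed", e.kind, e.t)
    if reached < 0:
        return ("none", None, None)
    return ("in_progress", ATTACK_PATH[reached], reached_t)


def report_delay(events, user):
    """Minutes from phish delivery to the employee's report; None if unreported."""
    mine = [e for e in events if e.user == user]
    delivered = min((e.t for e in mine if e.kind == "phishing_delivered"), default=None)
    reported = min((e.t for e in mine if e.kind == REPORT_EVENT), default=None)
    if delivered is None or reported is None:
        return None
    return reported - delivered


def best_single_stop(events):
    """For each step, assume a hard stop there and measure the latest minute at
    which any attacker was still active; return (best step, per-step scores).
    Earlier interception means less time for the attacker to execute."""
    users = sorted({e.user for e in events})
    scores = {}
    for step in ATTACK_PATH:
        worst = 0
        for u in users:
            _, _, t = walk_path(events, u, {step})
            if t is not None:
                worst = max(worst, t)
        scores[step] = worst
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(u, walk_path(SAMPLE_EVENTS, u), "report delay:", report_delay(SAMPLE_EVENTS, u))
    print("best single hard stop:", best_single_stop(SAMPLE_EVENTS))
```

With no hard stops, bob’s chain runs to completion at minute 45 while alice’s stalls at credential use; a hard stop at credential_login intercepts both, and the scoring shows why stopping the phish itself gives the attacker the least time, which is the choice Bassett suggests. Alice’s seven-minute report is the kind of early signal the article says shrinks the attacker’s window even when the phish got through.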
Besides wide-ranging insights into the current threat landscape, the 2020 edition of the DBIR also contains more detailed analysis of individual industry verticals than any previous edition.
In terms of some of the more frequently targeted industries, Verizon found that 30% of breaches in the financial and insurance sectors were caused by web application attacks driven by malicious actors using stolen credentials, while healthcare saw more breaches occurring through human error.
The wider public sector was also liable to suffer accidents caused by insiders, and is also more prone to ransomware, as is the education sector. In retail, 99% of incidents were financially motivated, with payment data particularly prized, and in manufacturing, external threat actors tended to use malware such as password dumpers, data capturers and downloaders to obtain proprietary data.
The full report, which runs to well over 100 pages, can be downloaded from Verizon’s website. Its compilers analysed more than 32,000 security incidents, 3,950 of them confirmed breaches, with input from 81 organisations, including cyber security suppliers and national and regional government cyber security and law enforcement agencies from Australia, Ireland, Malaysia, Spain and the US, among other countries.