Verizon DBIR: Breaches doubled, but plenty of silver linings

The 2020 Verizon Data Breach Investigations Report showed the number of confirmed breaches last year nearly doubled, but it also highlighted some positive trends.

The number of confirmed breaches last year nearly doubled, according to the 2020 Verizon Data Breach Investigations Report, but the telecom giant noted several positive trends that may give enterprises and infosec professionals reasons for optimism.

The 2020 Verizon DBIR, released Tuesday, analyzed a record total of 157,525 incidents in 2019, of which 3,950 were confirmed data breaches. Now in its 13th year, the report included substantially more industry breakouts for a total of 16 verticals -- the most to date, according to Suzanne Widup, principal consultant for Verizon's RISK team and DBIR contributor.

"We were able to cover and spotlight more industries than in the past because we got more data," Widup said. "And this year we had just under 4,000 breaches, which is considerably higher than last year."

The 2020 Verizon DBIR featured contributions from 81 public and private organizations and data from 81 countries. Compared to last year's report, Verizon received more incident and threat data from partners, Widup said. Though confirmed breaches doubled from 2018 to 2019, she said the same trends seem to come around again every year.

"It can be frustrating for researchers to see how slowly things change. It seems like every industry has to relearn security at their own pace," Widup said. "But with that said, some threats did stand out. Credential theft is huge. Phishing is huge. Those two, plus the error category, account for two-thirds of breaches."

Errors, which include misconfigurations that lead to data exposures, increased this year compared to 2018; misconfigurations, for example, jumped 4.9% year over year. One reason for the change may be new laws that went into effect this year, making recording requirements more stringent, Widup said. According to the report, "errors are now equally as common as social breaches and more common than malware and are truly ubiquitous across all industries. Only hacking remains higher, and that is due to credential theft and use."

The 2019 Verizon DBIR showed 29% of breaches involved use of stolen credentials, but this year the number rose to 37%.

Hacking and breaches in general, according to Verizon's data set, are driven by credential theft. "Over 80 percent of breaches within the hacking involve brute force or the use of lost or stolen credentials," Verizon wrote in the report.

Another threat that saw an uptick was ransomware, which accounted for 27% of malware incidents. In addition, 18% of organizations blocked at least one piece of ransomware in 2019. Beginning in November, Verizon researchers started tracking the Maze ransomware group, which steals sensitive data before triggering the encryption and then threatens to release the data as leverage to get companies to pay the ransom. The report noted that as a result of the trend, ransomware played a greater role in confirmed breaches in 2019 instead of just incidents.

"Copying data before encryption is gaining popularity, so apparently it's working for these ransomware groups," Widup said.

Like many security vendors, Verizon saw an increase in ransomware attacks during 2019. Risk management vendor BitSight, which contributed to the 2020 Verizon DBIR, recorded substantial increases in activity last year. "In 2019, BitSight recorded 2.5 times more ransomware events than in 2018 and the percentage of ransomware events relative to all recorded security incidents jumped from 5.1% to 8.7%, a 70% increase," Tom Montroy, director of data science at BitSight, said in an email to SearchSecurity.

Overall, financial motivation made up 86% of breaches, up from 71% in 2018, far surpassing cyberespionage, which according to the report is involved in less than a fifth of breaches. Widup said that while nation-state attacks get a lot of attention, espionage only accounts for 10% of incidents.

"The reality is the vast majority of attacks are financially motivated actors who have a process, and they work it and use the internet to get as many victims as they can. It really winds up not being nation-state actors at all," she said. 

To gain further insight into attacks, Verizon researchers have been studying attack paths over the last three years. "The vast majority took four steps between when an attacker first starts, gets data and gets out," she said. "We want to make it more expensive for attackers -- make them jump through more hoops to try and get your data so your tools will notice they are there and stop them."

Those efforts may be succeeding, according to several trends in this year's DBIR.

The good news

Despite some alarming figures, the 2019 Verizon DBIR offered some good news as well. For example, detection time improved over last year, as did malware blocking.

"Trojans have dropped in our data. In 2015 it was a top action, and now it's gone all the way to the bottom largely because the tools that are blocking it from getting into organizations have been successful," Widup said.

Perhaps most importantly, 81% of breaches were "discovered in days or less," according to the report, compared to 2018, when 56% of breaches took months or longer to discover.

"You see all these people who are saying 'prevention, prevention, prevention,' but if you can't detect it, it's really hard to prevent," Widup said. "We do see some improvements but it's not happening as fast as we'd like it to as researchers. It's also challenging because the threat is shifting, so being able to detect it is also always shifting and it makes it hard for people who make these tools to make it automated and reliable."

The Verizon DBIR noted that its results may be influenced by the opposite of survivorship bias. "Our incident corpus suffers from the opposite of survivorship bias. Breaches and incidents are records of when the victim didn't survive," the report states.

Therefore, Verizon researchers said, organizations may be doing a better job addressing certain top action threats than it might appear because most of the data may be coming from enterprises and government entities that were successfully attacked. The Verizon DBIR outlined four scenarios for threats:

  1. Large numbers of incidents and blocks
  2. Large number of incidents but not blocks
  3. Large number of blocks but not incidents
  4. Small numbers for both incidents and blocks

The authors said it's difficult to say for sure what scenario applies to each top action threat because of the survivorship bias issue, though the report noted scenario #4 "ain't happening much." However, the Verizon DBIR team said ransomware attacks, for example, appeared to fall into scenario #2, while Trojans and malware droppers were included in scenario #3.

Vulnerability exploitation in data breaches likely fell into scenario #3 too, according to the Verizon DBIR team. "There are lots of vulnerabilities discovered, and lots of vulnerabilities found by organizations scanning and patching, but a relatively small percentage of them are used in breaches," the report said, noting that vulnerability exploitation "has not played a major role" with incidents over the last five years.

Companies that regularly patch new vulnerabilities, whether weekly, quarterly or however they choose to schedule updates, seem to be having a positive effect on the exploitation trend.

"We did research specifically on this to see whether every new vulnerability makes everyone else less secure and the reality is companies who do the patching of the new stuff but also keep up with the old stuff are doing a good job," Widup said. "The ones that are getting hit by vulnerabilities also tend to be vulnerable to something from 1991 as well because they're just not patching anything. It's nice to see that every new vulnerability isn't making everyone more vulnerable."

Overall, improvements in patching, incident response and threat detection bode well for the future, the Verizon DBIR team said. "All in all, we do like to think that there has been an improvement in detection and response over the past year and that we are not wasting precious years of our life on a completely pointless battle against the encroaching void of hopelessness," the report said. "Here, have a roast beef sandwich on us."
