Verizon DBIR 2019 analysis

July 23, 2019 by Susan Morrow

Introduction

The Verizon Data Breach Investigations Report (DBIR) is now an annual festival of cybersecurity analysis. The 2019 report used data from 41,686 security incidents and 2,013 confirmed data breaches, from both public and private entities, across 86 countries.

These data give Verizon a view into the mind of the cybercriminal and show what has been going on over the past 12 months. From this, they can also make informed and quantitative analyses of what may happen next in the world of cybersecurity.


DBIR 2019 main findings

One of the key findings of the report is this, taken from the DBIR report brief:

“The most important defense is knowledge.”

Bearing this in mind, let’s look at some of the main findings that came out of the 2019 DBIR report.

The report focuses on nine classification areas, as shown below. This year, however, the report also includes a subsection on financially motivated social engineering (FMSE) attacks. These attacks focus on credential theft and money transfer to accounts controlled by cybercriminals.

The nine classes of attack

  1. Crimeware
  2. Cyber-espionage
  3. Denial of Service
  4. Insider and privilege misuse
  5. Miscellaneous errors
  6. Payment card skimmers
  7. Point of sale intrusions
  8. Physical theft and loss
  9. Web application attacks 

Each has its own subsections. There is also a tenth category, “everything else,” into which anything that doesn't fit into the nine above is placed. Verizon has been using these nine categories since 2014, and in the 2019 report, they still fit 98.5% of security incidents and 88% of data breaches.

Some interesting findings from the 2019 DBIR include:

The good news

  • Hardly any cryptomining bots were reported (around 2% of malware). This is probably because of the fall in cryptocurrency value
  • W2 tax form scams were almost non-existent in the DBIR data. Consequently, attacks targeting Human Resource departments were six times lower in 2018 compared to 2017

The bad news 

  • Cybercriminals are increasingly targeting company executives. C-level executives are twelve times more likely to be a target for a social incident than in previous years
  • Business Email Compromise (BEC) victims experience a greater financial loss than data breaches:
    • Median cost for a data breach being $7,611
    • Median cost for a BEC being $24,439. Though there is a bit of good news (in the U.S. at least): Actions by the IC3 Recovery Asset Team meant that half of all U.S.-based business email compromises had 99% of the money recovered or frozen
  • Payment card web application compromises are on a path to exceeding physical terminal compromises in payment card-related breaches
  • Ransomware is still a menace, with around 24% of incidents related to malware being of the ransomware variety
  • Mobile phishing is now the most successful in terms of click-through rates

The report highlights the fact that cybercrime is often not a simple case of smash and grab. Cybercrimes like BEC have ongoing repercussions. Even if money is recovered, data stolen as part of the attack is often used for secondary attacks, sold via darknet marketplaces.

Threats and actions

The top three threat actions in a breach were:

  1. Phishing
  2. Use of stolen credentials
  3. Backdoor attacks

The top three threat actions in an incident were:

  1. DOS
  2. Loss (various items including credentials)
  3. Command and control (C2)

Analysis and trends for cybersecurity in 2019

Industry breakdown

The breakdown by industry shows some general patterns: 

  1. Money makes the world (and cybercrime) go around, with financial incentives being behind the majority of the breaches. The top reason behind a cyberattack on data is financial gain, in 71% of cases; espionage is behind 25% of breaches
  2. Insider threat is still an issue but not as prevalent as external threats. The DBIR shows that 69% of attacks are from external actors with 35% being insiders; 5% used multiple parties (collusion)
  3. Errors and web application attacks are common across most industry sectors. Overall, 52% of breaches were from hacking, 33% involved social attacks and 28% malware

The industry sectors analyzed by the DBIR are: 

  • Retail
  • Accommodation
  • Financial
  • Healthcare
  • Information
  • Manufacturing
  • Professional
  • Public
  • Education 

Retail

81% of breaches were caused by external threats and 19% were insiders. 81% of breaches were due to web applications, privilege misuse and miscellaneous errors. 97% of breaches were financially motivated.

Accommodation and food services

95% of breaches were external. 93% of all breaches in this sector were due to POS intrusion, web applications and crimeware patterns. All incidents were financially motivated.

Financial

72% of breaches were caused by external actors and 36% by insiders. 72% of breaches were caused by web applications, privilege misuse and miscellaneous errors. 88% of these breaches were financially motivated; the rest were cyber-espionage.

Healthcare

59% of breaches in healthcare were carried out by internal parties, with 42% external. 81% of breaches were caused by miscellaneous errors, privilege misuse and web applications. 83% were for financial gain, with a small percentage for fun or a grudge.

Information

56% of breaches were caused by external threats and 44% were insiders. 83% of breaches were due to miscellaneous errors, web applications and cyber-espionage. Financial gain was behind 67% of the breaches.

Manufacturing

75% of breaches were caused by external threats and 30% were insiders. 71% were caused by web applications, privilege misuse and cyber-espionage. 58% of breaches were financially motivated with 27% being for espionage reasons. 

Professional

75% of breaches were caused by external threats and 30% were caused by insiders. 81% were caused by web applications, miscellaneous errors and everything else. 88% of breaches were financially motivated.

Public sector

77% of breaches were caused by external threats and 21% were insiders. 72% of breaches were due to cyber-espionage, miscellaneous errors and privilege misuse. 66% of breaches have espionage as the motive, and 29% were financially motivated. 

Education

The split of external and internal actors causing the incidents was 57% to 45%, respectively. 80% of breaches were caused by errors, web application attacks and everything else.  Breach reasons were mainly financial, but with some just for fun or a grudge.

DBIR suggestions for cyberdefense strategies

A number of suggested strategies were made across the various industry sectors. However, as many of the threats are common across the sectors, there are some general outcomes from the report that should be considered in your security strategy:

  • Data theft during capture needs to be addressed. Web forms need to be hardened against formjacking, which uses injection to capture data entered in a form
  • e-Payment application security needs to be a focus as POS attacks decrease
  • Human factors continue to add a layer of complexity to security efforts. This isn’t just about social engineering. Human error in misdelivery and erroneous publishing of data, as well as insider threats, are still prevalent. Misconfiguration of servers and other assets must also be addressed
  • Credential theft is seen as a key to opening up further cybercriminal opportunities. Focus on credential safety such as Multi-Factor Authentication (MFA) and good password hygiene practices
  • Frequent security awareness training can help reduce the likelihood an employee will be a victim of a cyberscam, including cyberespionage incidents
  • DDoS continues to be an issue, so defenses against it need to be in place
  • Consider monitoring privileged access users
  • Use motivation-based awareness training

Conclusion

The DBIR is an important body of work that performs a quantitative analysis based on real-world data. Although it is natural to look at your own sector when reading the full report, it’s also important to take note of other sectors. 

Many of the results obtained from the report focus on areas that are common across industries. Human factors such as social attacks and errors are prevalent. These can be countered with education, care and knowledge.

Sources

  1. 2019 Data Breach Investigations Report, Verizon
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.