For the 13th consecutive year, Verizon has released its Data Breach Investigations Report, a comprehensive source of data breach-related information that offers invaluable insights to CISOs and CIOs. This year’s report was composed from data received from 81 organizations, including cybersecurity companies, law enforcement agencies, ISACs, CERTs, consulting firms and government agencies. It encompasses 157,525 reported incidents and 108,069 breaches. At 119 pages, there’s a lot to absorb. Here, we’ll detail the most important findings and provide our key recommendations to help inform your security operations.
Who Are Behind Most Cyber Attacks?
While insider attacks are certainly a thing (about 30% of the time, in fact) and may even be on the increase, by far the largest number of threats to your organization originate from external actors. The data for last year shows that 70% of breaches were from external actors. Only 1% involved multiple parties and again, a mere 1% were found to involve partner actions. The report states that:
However, we would caution the reader not to make the mistake of believing that the number of threats from a particular origin equates to the size of the risk presented by those threats: one insider attack could potentially cause ten times the harm of an external attack, depending on the nature of the incident. Nevertheless, while security teams need to keep focus on attacks from any origin, the data make it pretty clear that external threat actors are queuing up not just to knock on your door, but to batter down your defenses.
But who are all these “external actors”, besides not being people you employ? Around 55% were categorized as “organized crime”, by which the researchers mean to refer to “criminals with a process, not the mafia”. Perhaps a better way to understand that is: an attack from criminals with a clearly observable objective and methodology. We’ll get to “objectives” in the next section, but for now let’s note that the use of “criminal” here excludes nation-state actors, and the use of “a process” excludes opportunistic attacks, hacktivists, and attacks where the motive could not be discerned.
What Do Threat Actors Want?
If you guessed the answer to the $64 million question was “money”, you would be right. At least in the overwhelming majority of cases. Some 86% of breaches were financially motivated, according to the report. This should not surprise anyone within the security industry, but for others in your organization, who keep hearing about high profile nation-state hackers and APTs, it may come as a surprise.
The focus on financial reward also makes sense of another interesting data point: attackers mostly engage in attacks that include no more than two or three steps. Anything more complicated than that is either abandoned or likely to originate from more persistent attackers. The explanation for this is that if you are a cyber criminal and your goal is financial reward, you tend to automate attacks as much as possible; picking off the low-hanging fruit is always preferable to investing time and effort in a hardened target. Operating at velocity and scale and employing automated targeting and exploitation tools is a simple ROI calculation. The lesson for defenders is straightforward: if you cover your bases and make the bad guys work hard, the vast majority of them will go elsewhere.
But while money may ultimately be what attackers really (really) want, they often come away with a whole lot more. In particular, 58% of breaches resulted in compromised personal data, and 37% either used or stole user credentials. Indeed, as we’ll see below, user credentials are a prime commodity for threat actors. Note also that your organization may be breached as a gateway to another, more valuable target. Perhaps you have a weakly-secured server that an attacker is only interested in enslaving as part of a botnet in a DDoS attack against someone else; on the other hand, perhaps you’re part of the supply chain of a juicier victim, or you’re a compromised MSP whose real value to the threat actor lies in your clients rather than your organization itself.
How Do Hackers Penetrate Your Defenses?
The data on this one is overwhelming: stolen, phished or brute-forced credentials are attackers’ primary means into your network, and once they’re inside, obtaining further credentials for persistence or for sale is one of their primary objectives. Over 80% of breaches that involved hacking comprised some form of brute force or use of lost or stolen user credentials. That doesn’t surprise us. Credential stuffing, which involves replaying lists of username/password pairs (often leaked in other breaches) against many accounts across many services, is said to occur tens of millions of times a day.
This is closely related to the fact that many organizations have shifted a substantial amount of their services and data to the cloud, where it is more difficult to drop malware. Instead, attackers opt for a much simpler, scalable solution: they bombard the service with login requests using the credentials they have stolen or obtained from data dumps. And, as the more aggressive ransomware attacks now exfiltrate data prior to encrypting it, it is highly likely that this data will be sold or even re-used by the same attackers to “stuff” their way back into the same organizations’ accounts at a later time. As the report authors put it:
Given the intense focus on stealing credentials both for compromise and persistence, it is imperative that organizations increase their focus on securing these.
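The credential stuffing pattern described above has a recognisable shape in authentication logs: one source address, many distinct usernames, mostly failures, compressed into a short window, and the occasional success that marks a working credential. The following detector is an added example written for this summary; it is not code from the Verizon report or from SentinelOne. The log format is a simplified, constructed one (`timestamp ip user result`), and the thresholds (eight accounts and an 80% failure rate within five minutes) are assumptions to tune against your own traffic.

```python
"""Flag credential-stuffing sources in a simple authentication log.

Added example, not from the DBIR or SentinelOne. Log lines are a constructed
format: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic (not real logs). 198.51.100.7 sprays ten accounts
# and hits one working credential; the other two sources look like humans.
SAMPLE_LOG = """\
2020-05-20T10:00:01 198.51.100.7 alice FAIL
2020-05-20T10:00:02 198.51.100.7 bob FAIL
2020-05-20T10:00:02 198.51.100.7 carol FAIL
2020-05-20T10:00:03 198.51.100.7 dave FAIL
2020-05-20T10:00:03 198.51.100.7 erin OK
2020-05-20T10:00:04 198.51.100.7 frank FAIL
2020-05-20T10:00:05 198.51.100.7 grace FAIL
2020-05-20T10:00:05 198.51.100.7 heidi FAIL
2020-05-20T10:00:06 198.51.100.7 ivan FAIL
2020-05-20T10:00:06 198.51.100.7 judy FAIL
2020-05-20T10:01:00 203.0.113.5 alice FAIL
2020-05-20T10:01:30 203.0.113.5 alice FAIL
2020-05-20T10:02:00 203.0.113.5 alice OK
2020-05-20T10:03:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=8, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that spray many accounts with mostly failures.

    A sliding window per source IP is used so a slow spray spread over hours
    is not mistaken for a burst, and a single user's typo storm (one account,
    many failures) is not flagged because the distinct-account count stays low.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits the time bound.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            if len(users) >= min_accounts and failures / len(win) >= min_fail_ratio:
                summary = {
                    "accounts": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    # Successes inside a spray are the accounts to reset first.
                    "succeeded": sorted({e[2] for e in win if e[3]}),
                }
                # Keep the widest qualifying window for this source.
                if ip not in findings or summary["accounts"] > findings[ip]["accounts"]:
                    findings[ip] = summary
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The point of recording `succeeded` is that a spray is not only an alert on the source: every account that returned OK during the window should be treated as compromised and have its sessions revoked and password reset, whatever the user later says about the login being theirs.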
Social engineering remains the primary way to steal new creds, gain a foothold and/or defraud companies out of money. Some 96% of phishing attacks arrived via malicious email or malspam. The file types of choice for actors here were overwhelmingly Office documents and Windows applications. Other file types seen to a lesser extent included shell scripts, archives, Java, Flash, PDFs, DLLs and Linux, Android, and macOS applications.
Which Assets Are Attackers Leveraging the Most?
While attacks against on-premises assets still dominated the threat landscape at around 70% of breaches, cloud assets were involved in about 24% of breaches in the past year. Of these, email or web application servers were involved 73% of the time, and in those cases, credentials were stolen 77% of the time. It is evident that the attackers understand that organizations now store sensitive information in cloud infrastructure and applications, and are shifting their efforts in line with this trend in order to obtain and monetize this information.
Web application servers are targeted more than any other asset (including social engineering of people). Typically, this involves either using stolen credentials (as previously mentioned) or exploiting unpatched vulnerabilities.
Security teams should pay heed to this particular data point: only around half of all reported vulnerabilities are actually patched in the first quarter after discovery. This presents two points of weakness. First, attackers often move fast to beat the patch cycle, using search engines like Shodan to locate internet-exposed devices running a vulnerable version. Second, and perhaps more likely to be overlooked, is that the IT teams that don’t patch in the first quarter after discovery are less likely to ever patch at all. Vulnerabilities that receive special attention from attackers include SQL injection, PHP injection and local file inclusion, particularly against targets in the Retail industry.
Are Poor Security Practices Contributing to Your Own Downfall?
To err is human, it is said, but organizations are people guided by processes, and human error is something that businesses, if not the individuals within them, can control with better process implementation and oversight. In particular, human error leading to misconfigured storage is on the increase in reported breaches. According to the data, errors were causally significant in 22% of confirmed breaches. To put that in context, that’s the same percentage as attributed to social engineering as a tactic across the same dataset.
While the good news is that some portion, perhaps a significant one, of breaches due to misconfigured storage are reported by security researchers rather than discovered by threat actors, the bad news is such reports tend to make headlines, and reputational damage, though hard to quantify, could be as costly as a data theft by a malicious actor.
What Kinds of Malware Are Favored by Attackers?
Around 17% of confirmed breaches involved some form of malware. Of those, 27% were due specifically to ransomware, something that should come as no surprise given the volume of high-profile incidents reported in the media over the previous year.
As SentinelLabs has been noting for some time, ransomware tactics have evolved in recent months to include an element of extortion: by exfiltrating data before encryption, ransomware gangs are then able to threaten leaking sensitive customer data or IP if victims don’t pay. This trend began in earnest after the cut-off point for Verizon’s data collection, so we will see this trend more evident in next year’s report. However, even prior to October 2019 (the latest date for entry into the 2020 report), it’s clear that ransomware was on the increase during the earlier part of the year. Ransomware was noted as:
Of the various sectors covered by the report, the Education and Public sectors were heavily targeted by ransomware operators throughout the year.
The most common kind of malware, in keeping with the data showing that credential theft was most threat actors’ top priority, were password dumpers. Following that, downloaders (think Emotet and TrickBot, for example) came in next, along with Trojans, which are largely a tool associated with advanced attackers looking for long-term persistence through backdoors and C2 functionality. Interestingly, there has been a sharp decline in cryptojacking malware after its surge in popularity during 2017 and, in particular, 2018.
At 119 pages, there is much more detail in the report than we could cover here, but we do hope to have painted a clear picture of the report’s main findings. In this section, we outline some recommendations based on our understanding of the entire report and SentinelOne’s own telemetry.
Unlike APTs, the majority of attackers do not go in for hugely complicated attacks with multiple stages. This means that catching an attack at any – rather than every – stage of the threat lifecycle (aka ‘The kill chain‘) will significantly increase your chances of avoiding a breach. Moreover, the earlier you can do that the better chance you have of forcing the attacker out empty-handed and determined to try their luck elsewhere. As the recent MITRE ATT&CK evaluation results proved, SentinelOne excels at stopping attacks at all stages, but specifically at preventing attacks before they have taken a foothold. Hence, our first and obvious recommendation: ensure you have a trusted, proven next-gen AI platform protecting your endpoints.
As we have seen above, attackers are using automated attacks to make their own lives easy. Make it harder for them by ensuring that you do not leave unnecessary ports open and reduce the number of exposed ports. Allow only essential services to access the internet, and limit who has access to them. SSH and Telnet (on default ports 22 and 23, respectively) are a major target for malicious connection attempts. Who in your organization really needs them? Identify your needs and restrict everyone else.
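One way to answer the question of who really needs those services is to start from what each host actually exposes. The check below is an added example for this summary, not code from the report or from SentinelOne: it parses listener output in the shape `ss -tlnH` prints on Linux (an assumption; the sample lines are constructed) and reports anything bound to a wildcard address whose port is not on an explicit allowlist, so SSH and Telnet on every interface show up immediately while a database bound only to localhost does not. The risky-port names are illustrative and extend the article's two examples with RDP and VNC.

```python
"""Report wildcard-bound listeners that are not on an explicit allowlist.

Added example, not from the DBIR or SentinelOne. Input lines follow the shape
of `ss -tlnH` output on Linux (State Recv-Q Send-Q Local:Port Peer:Port);
the sample below is constructed, not captured from a real host.
"""

# Ports the article singles out plus two more remote-access services (assumed list).
RISKY_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}

# Local addresses that mean "every interface" in ss output (IPv4 and IPv6 forms).
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample: SSH on all interfaces (v4 and v6), Telnet on all
# interfaces, MySQL and SMTP on loopback only, HTTPS on all interfaces.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 10 0.0.0.0:23 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
"""


def parse_listeners(text):
    """Return (local_address, port) pairs for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        # rsplit so IPv6 literals like [::]:22 keep their colons intact.
        addr, port = parts[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def exposed_listeners(listeners, allowed_ports):
    """Return sorted (port, service) pairs bound to all interfaces but not allowlisted.

    Loopback-only services are ignored: they are reachable from the host, not
    from the network. Duplicate v4/v6 bindings collapse to one finding.
    """
    findings = set()
    for addr, port in listeners:
        if addr in WILDCARDS and port not in allowed_ports:
            findings.add((port, RISKY_PORTS.get(port, "unknown")))
    return sorted(findings)


def review(text, allowed_ports):
    """Convenience wrapper: parse ss output and return the exposure findings."""
    return exposed_listeners(parse_listeners(text), allowed_ports)


if __name__ == "__main__":
    # Suppose the only service this host is meant to offer the network is HTTPS.
    for port, service in review(SAMPLE_SS, allowed_ports={443}):
        print(f"port {port} ({service}) is reachable on every interface but not allowlisted")
```

Run against real hosts, the allowlist is the "identify your needs" step from the recommendation, and anything the check prints is the "restrict everyone else" step: either bind the service to a management interface, put it behind a firewall rule or bastion, or turn it off.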
Credentials are the pot of gold at the end of the rainbow for attackers. Ensure your Windows systems have all moved away from legacy LM and NTLMv1 and implement our recommendations here for protecting Windows credentials.
Data is your lifeblood. Control access to data, maintain an up-to-date inventory of confidential and sensitive files and, above all, use encryption.
Aside from weakly protected servers, people are one of the main “assets” attackers seek to exploit, through social engineering and phishing attacks. By all means, keep up your user awareness programs to help educate your staff about phishing attacks. Support them with automated endpoint security software that will catch malware even if they fall for a malicious link or drive-by download scam. Raise the bar for attackers by enforcing 2FA and MFA on all user login accounts.
Errors and misconfigurations are your unintentional backdoors to being compromised. Conduct a thorough review of your storage permissions, and just as importantly, implement proper review processes that can help prevent and identify misconfigurations. How many people are allowed to spin up storage buckets or repositories without some kind of security oversight or review? The answer should be none.
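A storage-permission review can be automated rather than eyeballed. The following checker is an added example for this summary, not code from the report or from SentinelOne. It takes an S3 bucket policy and an S3 ACL in the JSON shapes the AWS API returns (the field names are AWS's; the two sample documents are constructed) and flags the two classic mistakes behind "misconfigured storage" headlines: an Allow statement whose Principal is everyone, and an ACL grant to the AllUsers or AuthenticatedUsers group. Conditional public statements are reported separately for manual review rather than silently accepted.

```python
"""Flag publicly accessible S3 buckets from their policy and ACL documents.

Added example, not from the DBIR or SentinelOne. Policy and ACL dictionaries
use the field names AWS returns from get-bucket-policy / get-bucket-acl; the
sample documents below are constructed for illustration.
"""

# The two predefined groups that make a bucket or object world-readable.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Statement and Action may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, conditional) for every Allow statement open to everyone.

    conditional=True means a Condition block restricts the grant (for example
    to a VPC endpoint); such statements need a human to confirm the condition
    actually narrows access, so they are reported rather than dropped.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])),
                         bool(stmt.get("Condition"))))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def review_bucket(name, policy, acl):
    """Combine both checks into human-readable issues for one bucket."""
    issues = []
    for sid, actions, conditional in public_policy_statements(policy):
        scope = "conditionally (review the Condition)" if conditional else "unconditionally"
        issues.append(f"{name}: policy statement {sid} allows {', '.join(actions)} to everyone {scope}")
    for group, permission in public_acl_grants(acl):
        issues.append(f"{name}: ACL grants {permission} to {group}")
    return issues


# Constructed sample documents.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
BAD_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
GOOD_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for issue in review_bucket("example-bucket", BAD_POLICY, BAD_ACL):
        print(issue)
```

Two caveats for real use: a bucket can be public through either document alone, so both must be checked, and the account-level S3 Block Public Access settings are a third, independent control worth confirming, since they override both of these when enabled.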
Finally, you’ve heard it before and you’ll no doubt hear it again. Patch early, patch often. The failure to patch within the first quarter after a vulnerability's disclosure is a telling statistic that you don’t want your organization to add to, and it’s a failure you don’t want adversaries to discover, either.
It’s not exactly news, but it’s also worth emphasizing: most threat actors follow the money. And just as surely as organizations have begun the move from on-prem to the cloud, attackers are following. As the perimeter-less, zero trust network paradigm ripples out across global enterprises, attackers care most about obtaining those priceless sign-on credentials. And while organizations continue to rely on email and expect people to click links to do their work, attackers will keep on sending phishing links to do their work, too.
The latest data on breach investigations is a reflection of current practices in organizational behavior. Where we go, they follow. Preventing breaches is a matter of recognizing this symbiotic relationship, anticipating the dangers and putting into place the security solutions, people practices and organizational processes that raise the cost of attack beyond that which the threat actor is willing to pay.