By J Stephen Kowski on July 14, 2021

Dissecting the Four A’s of the 2021 Verizon Data Breach Investigations Report

The annual Verizon Data Breach Investigations Report (DBIR) provides analysis of information security incidents, with a specific focus on data breaches, which it defines as an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

The report breaks down breach-related items into high-level categories known as the Four A’s:

  1. Actor – who is behind an incident
  2. Action – methods used
  3. Assets – devices affected
  4. Attribute – how the Assets were affected

In this blog we will investigate the four A’s and consider actions to defend against breaches.


When it comes to threat actors, there are a few key questions to answer, such as: Who are the attackers? What is their motivation? Where do their attacks originate?

The data shows these attacks are primarily launched by external actors and organized criminals. The recent Colonial Pipeline attack, together with Darkside’s involvement, is a great recent example of this type of attacker. And though the share of external attacks is rising, about 20-25 percent still come from an internal actors. We know those internal actors are generally of at least two types:

  1. The intentional malicious actor: the employee exploiting privileged access/information for personal gain.
  2. The negligent/unknowing actor: an employee who fails to take proper action to protect the organization, e.g., falling for social engineering tactics.

These actors are typically motivated by money. According to the DBIR, between 84-94 percent of all attacks in the dataset show financials were the motivator. Attackers are usually seeking information related to credit cards, bank information, or a direct payment. However, there is often more than one motivator at play and attackers are also eager to use your infrastructure for future, follow-up attacks.

The big Actor-related takeaway for IRONSCALES is to ensure clients 1) limit any publicly facing attack surface (internally and externally) and 2) harden that attack surface. One attack surface too frequently neglected is the newest endpoint: the user themselves. Continuous security awareness training that feeds into your tools is critical to establishing a robust security strategy and culture.


What is the number one action threat actors take in a breach? Based on the latest DBIR, it is phishing, a form of social engineering, which is used in about 40 percent of breach scenarios.

And what data is compromised the most in social engineering attacks? Credentials are the number one compromised dataset, at a stunning 85 percent. Personal information comes in at a distant number two, accounting for a mere 17 percent of social engineering breaches.

Now, if social engineering (phishing) is the most common action and credentials represent the most sought-after data in social engineering attacks, can you guess what the second-most common attack Action is? If you guessed “use of stolen credentials” (aka hacking), you are right!

This is a classic from the attacker’s playbook: use social engineering to get a foothold into an organization, then figure out what is next. Maybe that is a ransomware deployment or perhaps more social engineering in the form of pretexting (the fifth-most common Action). But if you really want to understand how attackers think, put yourself in their shoes: Why go through all the effort of brute-forcing your way into an organization when someone internal will let you walk right in or hand over what you want? The path of least resistance often means simply buying a phishing toolkit for $15 in an online dark web marketplace with 24/7 customer support.


As far as assets are concerned, there has not been a tremendous amount of change over the years — servers continue to hold the number one spot in the Assets breached category. When we dig into the Asset varieties, we find that web app servers take the top spot, with mail servers coming in second, confirming that email remains a huge focus for hackers infiltrating company environments.

The big change for Assets this year aligns with the overall theme of this year’s report: social engineering. User devices have yielded their number two position to “Person.” (When we noted above that the user is the new endpoint, that wasn’t hyperbole — it’s a direct reflection of the data. As technical controls get stronger over time, we expect the Person relevance to grow in importance, becoming a critical endpoint for organizations to psychologically harden.

Finally, speed to detect and remediate has always been a critical element for success in thwarting attackers. Now that most employees carry critical company assets around on their mobile devices all day, speed is more important than ever. The report section focusing on mobile data showed the probability of receiving a malicious URL based on organization size starts at 75 percent with the first employee, and the chance increases linearly as employees are added, until it reaches 100 percent at around 50 people.

The Asset takeaway appears to be like the Actor takeaway: the “Person” is the new endpoint we must increasingly focus on hardening psychologically. Training data should feed into your security suite and consider that additional data in its response accordingly.


This section of the DBIR frames three aspects of any given attribute subject to violation in a breach: Confidentiality, Integrity, and Availability (the CIA Triad) of the data.

Confidentiality is addressed largely in the types of data sought. We addressed this briefly in the Action section, but to underscore the point: first and foremost, attackers want credentials. They also want personal data like Social Security numbers, insurance information, and any other data they can sell. This type of information is also ideal for executing campaigns for additional financial gain.

Availability violations generally come in two methods that are straightforward:

  1. Data is obscured in such a way that you may no longer access it (ransomware)
  2. The data is lost or stolen.

Obscuring data through something like ransomware is approximately three quarters of the availability varieties while data loss makes up the remaining 25%.

The top Integrity violations are the typical patterns we see in email:

  1. Alter behavior
  2. Install software
  3. Fraudulent transactions.
These violations are focused on compromising the individual at the keyboard. Attackers want to alter behavior to get employees to do something they normally would not, such as providing credentials to another individual. Convincing a user to install malicious code, which opens your company’s environment to further attacks, is a classic integrity violation. Finally, the fraudulent financial transaction is a modern classic, where banking details are swapped in an email or a non-malicious but convincing attachment. Remember, traditional tools may only address #2 on this list because there are no significant indicators of compromise.

The power of human and machine intelligence

There is much more in the DBIR we could unpack, but for now our takeaways zero in on the change in attack focus. Attackers are switching tactics, which may be the result of target companies standing up more technical controls, or they have found more optimal weak links in a given environment. They know the user is the new endpoint; organizations must allow them access to the environment or there will be no business to protect and secure. This is the challenge and reflects our difference in approach.

At IRONSCALES, we fundamentally believe in hardening the psychology of the end user. That is where we began, and we have only improved that with time by blending human and machine intelligence, which drives the best possible outcome. We recognize vendors will always attempt to sell you a better mousetrap, but without an approach to harden your most valuable endpoints, it is nothing more than hope that something built by a human cannot be broken or evaded by another human.

Similarly, claiming “just give the user less opportunity to engage with malicious content” is another way of saying “we hope our tool can never be broken by another human.” Unfortunately, based on history, we know that technical controls alone won’t get the job done. The latest DBIR reveals the attackers know this too, and over time they will find a way to break through technical controls alone. Technical controls must therefore augment the human they are protecting. And in turn, the human being protected must be trained and given a methodology to augment and improve the technical controls providing protection.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.

Published by J Stephen Kowski July 14, 2021

Join thousands of your peers! Subscribe to our blog.

Ironscales needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy Policy.