The 2021 Verizon Data Breach Investigations Report (DBIR) provides an analysis of information security incidents, with a specific focus on data breaches, which it defines as an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
The report breaks down breach-related items into four high-level categories known as the Four A's: Actor, Action, Asset, and Attribute.
In this blog, we will investigate the four A’s and consider actions to defend against breaches.
When it comes to threat actors, there are a few key questions to answer, such as: Who are the attackers? What is their motivation? Where do their attacks originate?
The data shows these attacks are primarily launched by external actors, organized crime in particular. The recent Colonial Pipeline attack and DarkSide's involvement in it is a good recent example of this type of attacker. And though the share of external attacks is rising, about 20-25 percent still come from internal actors. We know those internal actors generally fall into at least two types:
These actors are typically motivated by money. According to the Verizon DBIR, between 84 and 94 percent of all attacks in the dataset show financial gain as the motive. Attackers are usually seeking credit card data, bank account information, or a direct payment. However, there is often more than one motive at play, and attackers are also eager to use your infrastructure as a staging point for follow-on attacks.
The big Actor-related takeaway for IRONSCALES is to ensure clients 1) limit their attack surface, both internet-facing and internal, and 2) harden what remains. One attack surface too frequently neglected is the newest endpoint: the user. Continuous security awareness training whose results feed back into your tools is critical to establishing a robust security strategy and culture.
What is the number one action threat actors take in a breach? Based on the latest DBIR, it is phishing, a form of social engineering, which is used in about 40 percent of breach scenarios.
And what data is compromised the most in social engineering attacks? Credentials are the number one compromised dataset, at a stunning 85 percent. Personal information comes in at a distant number two, accounting for a mere 17 percent of social engineering breaches.
Now, if social engineering (phishing) is the most common action and credentials represent the most sought-after data in social engineering attacks, can you guess what the second-most common attack Action is? If you guessed “use of stolen credentials” (aka hacking), you are right!
This is a classic from the attacker’s playbook: use social engineering to get a foothold into an organization, then figure out what is next. Maybe that is a ransomware deployment or perhaps more social engineering in the form of pretexting (the fifth-most common Action). But if you really want to understand how attackers think, put yourself in their shoes: Why go through all the effort of brute-forcing your way into an organization when someone internal will let you walk right in or hand over what you want? The path of least resistance often means simply buying a phishing toolkit for $15 in an online dark web marketplace with 24/7 customer support.
As far as assets are concerned, there has not been a tremendous amount of change over the years: servers continue to hold the number one spot in the Assets breached category. When we dig into the Asset varieties, we find that web application servers take the top spot, with mail servers coming in second, confirming that email remains a huge focus for attackers infiltrating company environments.
The big change for Assets this year aligns with the overall theme of this year's report: social engineering. User devices have yielded their number two position to "Person." (When we noted above that the user is the new endpoint, that wasn't hyperbole; it is a direct reflection of the data.) As technical controls get stronger over time, we expect the Person asset to grow in importance, becoming a critical endpoint that organizations must harden psychologically.
Finally, speed to detect and remediate has always been a critical element in thwarting attackers. Now that most employees carry critical company assets around on their mobile devices all day, speed is more important than ever. The report's mobile data section showed that the probability of at least one employee receiving a malicious URL depends on organization size: it starts at 75 percent for a single employee, climbs as employees are added, and is effectively 100 percent by around 50 people.
The Asset takeaway mirrors the Actor takeaway: the "Person" is the new endpoint we must increasingly focus on hardening psychologically. The output of that training should feed into your security suite so that it can factor this additional data into its response.
The Attribute section of the 2021 Verizon DBIR frames each breach in terms of which of the three security properties of the data it violates: Confidentiality, Integrity, or Availability (the CIA triad).
Confidentiality is addressed largely through the types of data sought. We touched on this in the Action section, but to underscore the point: first and foremost, attackers want credentials. They also want personal data such as Social Security numbers, insurance information, and anything else they can sell. This type of information is also ideal for running follow-on campaigns for additional financial gain.
Availability violations generally come in two straightforward forms: obscuring data (for example, encrypting it with ransomware), which accounts for roughly three quarters of the availability varieties, and data loss, which makes up the remaining quarter.
The top Integrity violations are the typical patterns we see in email:
There is much more in the Verizon DBIR we could unpack, but for now our takeaways zero in on the shift in attack focus. Attackers are switching tactics, either because target companies are standing up more technical controls or because they have found weaker links in a given environment. They know the user is the new endpoint, and organizations must give users access to the environment or there will be no business left to protect and secure. This is the challenge, and it reflects our difference in approach.
At IRONSCALES, we fundamentally believe in hardening the psychology of the end user. That is where we began, and we have only improved on it with time by blending human and machine intelligence, which drives the best possible outcome. We recognize vendors will always try to sell you a better mousetrap, but without an approach that hardens your most valuable endpoints, you are left hoping that something built by one human cannot be broken or evaded by another.
Similarly, claiming "just give the user less opportunity to engage with malicious content" is another way of saying "we hope our tool can never be broken by another human." Unfortunately, history tells us that technical controls alone won't get the job done. The 2021 Verizon DBIR shows the attackers know this too, and given time they will find a way through technical controls on their own. Technical controls must therefore augment the human they protect, and in turn the human being protected must be trained and given a methodology to improve the technical controls that protect them.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.