
Verizon Data Breach Investigations Report 2021 – What We Found Fascinating

Each year, Verizon releases their Data Breach Investigations Report (DBIR) for the year prior. In this year’s report, they examine 2020 incident data and non-incident data (i.e., malware, patching, DDoS and other data types). It is always good to note, with any research, that it does not speak for all data sets and there are still variables that any research team cannot account for. Verizon clearly states this when talking about their Methodology: 

“We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. Even though the combined records from all our contributors more closely reflect reality than any of them in isolation, it is still a sample. And although we believe many of the findings presented in this report to be appropriate for generalization (and our confidence in this grows as we gather more data and compare it to that of others), bias undoubtedly exists.” 

They also follow a standard Vocabulary for Event Recording and Incident Sharing (VERIS) framework with three basic methods: 

  1. Direct recording of paid external forensic investigations and related intelligence operations conducted by Verizon using the VERIS Webapp  
  2. Direct recording by partners using VERIS  
  3. Converting partners’ existing schema into VERIS 

The data processing and analysis take roughly two months, and they clearly acknowledge that their data is non-exclusively multinomial, meaning a single feature can have multiple values, and that random bias, sampling bias and confirmation bias are all present.  

Just to clarify before we dive in, here are the definitions for an incident and a breach: 

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.  
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. 

Okay, so let’s dive into the areas that we (Jeff, Ben, Jamison and I) found fascinating from the Verizon DBIR: 

Security Trends 

While we don’t believe that any of these trends are going to shock the industry, we do think some of these are great for those tricky board meetings where you have to discuss why you want budget to protect your organization. So, we pulled out a few of the security trends we thought were cool: 

  • Social Engineering – we love a good tabletop exercise (TTX) around social engineering, trying to see if we can craft a great phishing email to our favorite C-level executive for credentials, and this year’s report validates why: “A lot of Social Engineering breaches steal Credentials and once you have them, what better thing to do than to put those stolen creds to good use, which falls under Hacking. On the other hand, that Phishing email may have also been dropping Malware, which tends to be a Trojan or Backdoor of some type, a trap just waiting to be sprung.” Basically, not only do you have to worry about your infrastructure, but you also have to worry about the people your organization is hiring and whether they are able to spot a suspicious email or Social tactics. Get them on a good KnowBe4 training and refresh it frequently. Also, share information or good phishing emails that your organization encounters so employees know what to look for.  
  • Ransomware Breaches Over Time – well, what can we say here. Ransomware, as we knew well before reading the Verizon DBIR, is a crime of passion (as the true crime podcasts say), and 10% of all breaches now involve ransomware. It has been around for more than 30 years, and its entry is usually completely opportunistic: a spam/phishing attack, or a vulnerable service on the edge of the network that is easily compromised with very little skill. In addition, most ransomware as a service (RaaS) groups use opportunistic, low-skill initial installation techniques like spam/phishing campaigns, unpatched and vulnerable services exposed on the network, and previously compromised usernames/passwords that remain unchanged. From a mitigation perspective, protecting your organization from these opportunistic attacks comes down to the fundamental security best practice of knowing what you have, identifying its risks and monitoring for anomalous behavior. 

Some other cool stats that the Verizon DBIR pointed out: 

  • The rest of the vectors were split between Email, Network propagation and being downloaded by other malware, which isn’t surprising 
  • 60% of the Ransomware cases involved direct install or installation through desktop sharing apps 
  • The first vector Actors use is stolen credentials or brute force 
  • 42% of incidents had no financial loss, and 90% of ransomware cases had NO loss – absurd, right?! The headlines would make you feel differently.  

Before we take a deep dive into Healthcare and Manufacturing, which had some cool data, we wanted to highlight Education; Financial and Insurance; and Mining, Quarrying, and Oil & Gas Extraction + Utilities.  

Education 

  Frequency: 1,332 incidents, 344 with confirmed data disclosure 
  Top Patterns: Social Engineering, Miscellaneous Errors and System Intrusion represent 86% of breaches 
  Threat Actors: External (80%), Internal (20%), Multiple (1%) (breaches) 
  Actor Motives: Financial (96%), Espionage (3%), Fun (1%), Convenience (1%), Grudge (1%) (breaches) 
  Data Compromised: Personal (61%), Credentials (51%), Other (12%), Medical (7%) (breaches) 
  Top IG1 Protective Controls: Security Awareness and Skills Training (14), Access Control Management (6), Secure Configuration of Enterprise Assets and Software (4) 

Financial & Insurance 

  Frequency: 721 incidents, 467 with confirmed data disclosure 
  Top Patterns: Miscellaneous Errors, Basic Web Application Attacks and Social Engineering represent 81% of breaches 
  Threat Actors: External (56%), Internal (44%), Multiple (1%), Partner (1%) (breaches) 
  Actor Motives: Financial (96%), Espionage (3%), Grudge (2%), Fun (1%), Ideology (1%) (breaches) 
  Data Compromised: Personal (83%), Bank (33%), Credentials (32%), Other (21%) (breaches) 
  Top IG1 Protective Controls: Security Awareness and Skills Training (14), Secure Configuration of Enterprise Assets and Software (4), Access Control Management (6) 

Mining, Quarrying, and Oil & Gas Extraction + Utilities 

  Frequency: 546 incidents, 355 with confirmed data disclosure 
  Top Patterns: Social Engineering, System Intrusion and Basic Web Application Attacks represent 98% of breaches 
  Threat Actors: External (98%), Internal (2%) (breaches) 
  Actor Motives: Financial (78%-100%), Espionage (0%-33%) (breaches) 
  Data Compromised: Credentials (94%), Personal (7%), Internal (3%), Other (3%) (breaches) 
  Top IG1 Protective Controls: Security Awareness and Skills Training (14), Access Control Management (6), Account Management (5) 

Note: the Top IG1 Protective Controls are the CIS Controls Implementation Group 1 controls. 

Also, for a stack rank of industries by their number of incidents and confirmed data disclosures, here you go: 

  • Public Administration: 3,236 incidents, 885 confirmed data disclosures. The Social Engineering pattern was responsible for over 69% of breaches in this vertical. Clearly, this industry is a favorite honey hole among the phishing fiends. The Social actions were almost exclusively Phishing with email as the vector. 
  • Information: 2,935 incidents, 381 confirmed data disclosures. If we look at only incidents, we find that this industry tends to be bombarded with DoS attacks, a trend that has been occurring ever since computers were networked, or at least since we’ve been doing this report (Figure 108). Of the incidents, DoS alone accounts for over 90% of the Hacking actions we observed, with the rest being credential-based attacks such as Brute force or the Use of stolen credentials. 
  • Professional, Scientific and Technical Services: 1,892 incidents, 630 confirmed data disclosures 
  • Educational Services: 1,332 incidents, 344 confirmed data disclosures 
  • Arts, Entertainment and Recreation: 7,065 incidents, 109 confirmed data disclosures. What was a bit surprising was the high level of Medical information breached in this sector. One would typically associate medical record loss with the Healthcare industry. However, upon digging into the data a bit more, the Personal Health Information (PHI) was related to athletic programs, which fall under this vertical.  
  • Retail: 725 incidents, 165 confirmed data disclosures 
  • Financial and Insurance: 721 incidents, 467 confirmed data disclosures. Misdelivery represents 55% of Financial sector errors. The Financial sector frequently faces Credential and Ransomware attacks from External actors. 
  • Healthcare: 655 incidents, 472 confirmed data disclosures 
  • Manufacturing: 585 incidents, 270 confirmed data disclosures 
  • Mining, Quarrying and Oil & Gas Extraction + Utilities: 546 incidents, 355 confirmed data disclosures 
  • Accommodation and Food Services: 69 incidents, 40 confirmed data disclosures 

“Security postures and principles, such as proper network segmentation, the prevention of lateral movement, least privilege, and “never trust, always verify” have proven to be strong indicators of an organization’s ability to prevent or recover from unauthorized presence in its network environment.” 


Healthcare 

Frequency: 655 incidents, 472 with confirmed data disclosure  

Top Patterns: Miscellaneous Errors, Basic Web Application Attacks and System Intrusion represent 86% of breaches  

Threat Actors (breaches):  

  • External (61%) 
  • Internal (39%)  

Actor Motives (breaches): 

  • Financial (91%) 
  • Fun (5%) 
  • Espionage (4%) 
  • Grudge (1%)  

Data Compromised (breaches):  

  • Personal (66%) 
  • Medical (55%) 
  • Credentials (32%) 
  • Other (20%)  

Top IG1 Protective Controls: 

  • Security Awareness and Skills Training (14)  
  • Secure Configuration of Enterprise Assets and Software (4) 
  • Access Control Management (6) 

“In 2020, in the midst of the pandemic, cyber actors increased malware attacks against U.S. victims, including the healthcare and public health sector. The U.S. Secret Service noted a marked uptick in the number of ransomware attacks, ranging from small dollar to multi-million dollar ransom demands. While most organizations had adequate data backup solutions to mitigate these attacks, cyber actors shifted their focus to the exfiltration of sensitive data. These cyber actors, often organized criminal groups, proceeded to monetize the theft by threatening to publicize the data unless additional ransom was paid. The monetization of proceeds was typically enabled by cryptocurrency, in an attempt to obfuscate the destination of proceeds and hamper the ability of law enforcement to locate and apprehend those responsible for the crime.” 

But, you might ask, what has changed? Well, in 2020 there was a significant shift in Healthcare: breaches were no longer driven by Internal actors but moved to be primarily External actors. So, some good news, right? No longer is your primary threat actor your own employees! 

And lastly, we found it interesting that, for the second year in a row, Personal data was compromised more often than Medical data. One could make the leap that Personal data can actually be used more widely than someone’s Medical data.  

Manufacturing (not mining, quarrying or oil & gas) 

Frequency: 585 incidents, 270 with confirmed data disclosure  

Top Patterns: System Intrusion, Social Engineering and Basic Web Application Attacks represent 82% of breaches  

Threat Actors (breaches):  

  • External (82%)  
  • Internal (19%)  
  • Multiple (1%)  

Actor Motives (breaches):  

  • Financial (92%) 
  • Espionage (6%) 
  • Convenience (1%) 
  • Grudge (1%) 
  • Secondary (1%)  

Data Compromised (breaches):  

  • Personal (66%)  
  • Credentials (42%)  
  • Other (36%)  
  • Payment (19%)  

Top IG1 Protective Controls  

  • Security Awareness and Skills Training (14) 
  • Access Control Management (6) 
  • Secure Configuration of Enterprise Assets and Software (4) 

The Verizon DBIR uses organic almond milk and toilet paper as its examples of 2020 shortages; we will use primed lumber and DIY tools for ours, as examples of the shortages surrounding the manufacturing supply chain and the implications of 2020. While facilities were shut down, you might think...cool, we might get some time to relax...the answer to that was a BIG NO. Manufacturing saw ransomware play a significantly increased role in malware-associated breaches (61.2%) compared with previous years, overtaking both DoS and Phishing as the most common variety of attack.  

How Ordr Can Help 

It wouldn’t be a good vendor blog if we didn’t also mention that we are willing to help out and give you a 30-day free trial. For more information on how Ordr delivers visibility and security for all connected devices -- from traditional servers, workstations and PCs to IoT, IoMT and OT devices -- contact us at info@ordr.net. Also, if you want to see how we map to the CIS Controls, you can take a look at our new CIS Controls Solutions Brief here: https://resources.ordr.net/solution-briefs/ordr-cis-controls-solutions-brief


About the Author

Corin Imai is the Head of Product Marketing at Ordr. Previously, Corin served as the Senior Security Advisor and Head of Product Marketing at DomainTools. She began her career working on desktop virtualization and cloud computing technologies before delving into security with Hewlett-Packard Software and WhiteHat Security.
