Analysis of the 2021 Verizon Data Breach Report (DBIR)
Every year I like to look at Verizon’s DBIR report and see what kind of wisdom I can extract. This year they appear to have put in even more effort, so let’s get into it.
The format is simple: a series of content extraction bullets, some analysis and commentary along the way, and then a quick summary of what I saw as the main takeaways.
Content extraction
A definitions reminder:
Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
- This year they analyzed 79,635 incidents, 29,207 met their quality standards, and 5,258 were confirmed data breaches
- They covered 11 main industries across 88 countries
- They map to the CIS controls for recommendations
- Top three patterns in breaches were: social engineering, basic web application attacks, and system intrusion
- Top three patterns in incidents were: denial of service, basic web application attacks, and social engineering

Interesting that social engineering and basic web application attacks were in the top three for both breaches and incidents.
- 85% of breaches involved a human element
- 61% of breaches involved credentials
- For breaches, the breakdown of External vs. Internal actors moved significantly towards External in 2020
- Similarly, the top threat actor motive moved away from Espionage and towards Financial
- Organized crime made up over 80% of threat actors, with other categories, including State Actor, having very little showing
- Top actions in breaches were: phishing (social), use of stolen credentials (hacking), other, ransomware (malware), pretexting (social), misconfiguration (error), misdelivery (error), brute force (hacking), C2 (malware), and backdoor (malware)
- The top two (phishing and credential stuffing) were disproportionately represented in the data
- For incidents, the breakdown was: DoS (hacking), phishing (social), other, and then ransomware (malware)
- So phishing and ransomware are the categories most shared among incidents and breaches
- Ransomware doubled from 5% of breaches to 10% in 2020
- As in past years, financially motivated attacks continue to be the most common, and actors categorized as Organized Crime continue to be number one.
- They break down actions at the beginning, middle, and end of breaches
- Top three for beginning: hacking, error, and social
- Top three for middle: malware, hacking, social
- Top three for end: malware, hacking, error
- Top assets in incidents: server, person, user dev
- Top assets in breaches: server, person, user dev
- The major change this year with regard to action types was Ransomware coming out like a champ and grabbing third place in breaches (appearing in 10% of them, more than doubling its frequency from last year).
So the top assets in incidents and in breaches match perfectly, at least for the top three.
- Top asset varieties: web application (server), email (server), desktop or laptop (user dev), mobile phone (user dev)

Interesting to see mobile phone in there. It's number 4, behind desktop/laptop, but not by much. It turns out, though, that most of that data is from lost phones, so it doesn't appear major after all.
- Even the median random organization with an internet presence has 17 internet-facing assets.
- Most of those systems had no vulnerabilities, but among those that are attacked it's mostly the older ones that matter, not the newer ones
- As far as what type of data is lost, the top 4 for breaches are: credentials, personal, medical, and bank

I think they mean direct financial loss.
There is massive variation in the impact of an incident. First of all, 42% of BEC incidents didn’t involve any financial loss. 76% of Computer Data Breaches didn’t involve any financial loss. And 90% of ransomware incidents didn’t have any financial loss.
The range of financial losses was pretty extraordinary:
- CDB ranges had 95% falling between $148 and $1.6 million, with the same median of $30,000
- Ransomware's median loss was $11,150, with a range between $70 and $1.2 million
- 95% of BECs fell between $250 and $985,000, with $30,000 being the median.
The takeaway here is that there really is a market scaling based on the size of the organization and their ability to pay, and the minimums start very low/cheap.
They also did analysis on total cost of breach estimates, which I found fascinating.
- The top hacking varieties in Basic Web Application Attacks were: use of stolen credentials, brute force, and exploit vuln, with stolen creds being over 80% and brute force and exploit vuln being around 10% apiece

Summary

- Web application attacks continue to dominate, with credential stuffing being the main way to attack
- Brute force is also key for web app attacks, and both are handled well by 2FA
- We already knew this, but ransomware massively jumped in prominence, and organized crime grew as an actor type along with it
- Errors keep featuring at the top of these lists across industries; we have to figure out a way to reduce own-goals
- The top CIS controls are still: Enterprise Asset Inventory and Software Inventory. Never forget.
- While you could plan for the median breach of $21,659, a better option might be to plan for the middle 80% of breach impacts, $2,038 to $194,035. Or better yet, be prepared for the most common 95% of impacts, between $826 and $653,587. If you add to that an organizational devaluation of around 5%, then you just may have yourself a tangible figure you can plan around.
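To make the "plan for the middle 80% or 95%" idea concrete, here is a small Python script that turns a list of per-incident loss figures into the same kind of bands the report gives (median, 10th to 90th percentile, 2.5th to 97.5th percentile) and then adds an assumed organizational devaluation on top. This is an added example of mine, not code or data from Verizon or the DBIR: the sample loss figures are constructed, the zero-loss handling reflects the report's point that most incidents carry no direct financial loss, and the 5% devaluation is the figure mentioned above, applied to a hypothetical organization value.

```python
"""Percentile-based breach-impact planning bands.

Added example, not from the DBIR or this post. SAMPLE_LOSSES is a
constructed, deliberately heavy-tailed set of per-incident loss figures;
real input would come from your own incident records, a loss dataset
or an insurer.
"""
from dataclasses import dataclass
from math import floor
from typing import Sequence


@dataclass(frozen=True)
class ImpactBands:
    median: float
    middle_80: tuple[float, float]  # 10th to 90th percentile
    middle_95: tuple[float, float]  # 2.5th to 97.5th percentile


def percentile(sorted_values: Sequence[float], p: float) -> float:
    """Percentile with linear interpolation between neighbouring ranks
    (the same convention numpy uses by default). Input must be sorted."""
    if not sorted_values:
        raise ValueError("no loss figures to summarize")
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a fraction in [0, 1]")
    rank = p * (len(sorted_values) - 1)
    lo = floor(rank)
    hi = min(lo + 1, len(sorted_values) - 1)
    return sorted_values[lo] + (rank - lo) * (sorted_values[hi] - sorted_values[lo])


def impact_bands(losses: Sequence[float]) -> ImpactBands:
    """Median, middle-80% and middle-95% bands over the given losses."""
    data = sorted(float(x) for x in losses)
    return ImpactBands(
        median=percentile(data, 0.5),
        middle_80=(percentile(data, 0.10), percentile(data, 0.90)),
        middle_95=(percentile(data, 0.025), percentile(data, 0.975)),
    )


def summarize(losses: Sequence[float]) -> tuple[float, ImpactBands]:
    """Split out the incidents with no direct financial loss (the report
    says that is most of them) and compute bands over the rest only, so
    the zeros do not drag the median to 0 and hide the real range."""
    losing = [x for x in losses if x > 0]
    no_loss_share = 1.0 - len(losing) / len(losses)
    return no_loss_share, impact_bands(losing)


def planning_figure(bands: ImpactBands, org_value: float, devaluation: float = 0.05) -> float:
    """Upper end of the 95% band plus an assumed devaluation of the organization."""
    return bands.middle_95[1] + org_value * devaluation


# Constructed sample: 90 incidents with no direct loss, plus 101 losing
# incidents spread geometrically from about $500 up to roughly $430k.
SAMPLE_LOSSES = [0.0] * 90 + [round(500 * 1.07 ** i) for i in range(101)]

if __name__ == "__main__":
    share, bands = summarize(SAMPLE_LOSSES)
    print(f"incidents with no direct loss: {share:.0%}")
    print(f"median loss:        ${bands.median:,.0f}")
    print(f"middle 80% of losses: ${bands.middle_80[0]:,.0f} to ${bands.middle_80[1]:,.0f}")
    print(f"middle 95% of losses: ${bands.middle_95[0]:,.0f} to ${bands.middle_95[1]:,.0f}")
    # Hypothetical organization valued at $10M, 5% devaluation assumed.
    print(f"planning figure:    ${planning_figure(bands, 10_000_000):,.0f}")
```

The point of separating the zero-loss incidents is that the report's ranges describe incidents that did cost something; if you feed every incident into one percentile calculation, the 90% with no loss push the median to zero and the bands stop telling you anything useful about what a bad week looks like.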
Daniel Miessler's Blog