This blog post was written by Rick Simon.
The annual Verizon Data Breach Investigations Report (DBIR) was published today. Once again, it is a hefty report that is sure to become one of the most referenced data breach reports in the world.
That is because Verizon’s analysis is based on a broad set of real breach data collected from 65 law enforcement agencies, security product vendors, and security consulting firms. In fact, this year’s report analyzed more than 42,000 incidents and 1,900 confirmed breaches spanning 84 countries and 20 industries. Although the data set is neither comprehensive nor a random sample, it certainly looks at a large set of data and is very likely to be directionally accurate.
The report reconfirms many of the things we already know, but it also provides many “aha” moments. In the “what we already know” category, here are the main findings:
- 75% of the breaches in VERIS, Verizon’s incident database, were perpetrated by outsiders; 51% involved organized crime.
- A whopping 81% involved stolen or weak passwords.
- 73% of the breaches were financially motivated.
- 66% of malware was installed through malicious email attachments.
- Typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months.
- Financial services firms are still the top dogs in confirmed breaches, with health care running second.
- In the manufacturing sector, cyber espionage is by far the most common type of incident; usually, this comes from competitors or nation-states trying to steal intellectual property.
In the “aha” category, the report reveals these interesting finding:
- Over a billion credential sets were stolen in 2016, more than three times greater than the previous high-water mark in 2013. In the McAfee Labs 2017 Threats Predictions report, we predicted increased credential theft activity, so we think this trend will continue.
- Social attacks were part of 43% of all breaches. Phishing is the most common social tactic (93% of social incidents). Almost all phishing attacks that led to a breach were followed with some form of malware.
- There was a disturbing rise in cyber espionage in the education sector, with state-affiliated actors most often the culprits; manufacturing and the public sector remain the most common targets for cyber espionage.
- Chip-and-pin (the EMV standard) use in the United States is still in its infancy (just 25% of ATMs are chip-and-pin ready, lower for other payment card terminals), so the impact of 2015’s chip-and-pin mandate still does not show up in the numbers.
McAfee coauthored the chapter on ransomware, highlighting ransomware technical advancements in 2016 and ways in which the security industry is fighting back. We also provided anonymized breach data, used by Verizon in their analysis throughout the report.
Here are some highlights from the ransomware chapter:
- Ransomware has moved up to the fifth most common form in this year’s data from the 22nd most common form of malware in 2013.
- The number of ransomware incidents increased to 229 in 2016 from 159 in 2015.
- The most significant change to ransomware in 2016 was the swing away from targeting individual consumer systems toward vulnerable organizations.
- Web drive-by’s were the number one attack vector in 2015, but were supplanted by email in 2016. Social actions, notably phishing, were found in 21% of incidents in 2016, up from just 8% in 2015.
- Public sector organizations were the number one industry target, with healthcare second, and financial services third.
- In 2016, attackers introduced master boot record locking and partial- and full-disk encryption in an effort to make it more difficult to recover systems without paying. They also experimented with a variety of methods to avoid detection by security sandboxes.
- Criminals began offering ransomware-as-a-service in 2016, enabling anyone to extort their favorite targets, while taking a cut of the action.
In the McAfee Labs 2017 Threats Predictions report, we postulated that ransomware will subside in the latter half of 2017. We believe this for several reasons:
- Security software will better protect and detect ransomware: Endpoint protection software can now detect millions of ransomware samples. Security vendors are also adding detection techniques such as sandboxes that can mimic a user environment to catch obfuscated ransomware, behavioral analysis to prevent ransomware from executing completely, and file-creation blocks to prevent ransomware from writing encrypted files.
- Vendors, law enforcement agencies, and other organizations will share more threat intelligence: Organizations of all sizes are increasingly sharing threat intelligence information to help detect ransomware before it reaches systems.
- Security vendors will increasingly work with law enforcement: Collaborating with law enforcement agencies will lead to the disruption of ransomware criminal enterprises.
- Ransomware will become less profitable: These efforts, coupled with free methods to decrypt locked systems without paying the ransom, will make it harder for criminals to make a buck. The most visible source for free decryption tools is the No More Ransom initiative, which now offers several dozen decryption tools.