May 8, 2019 • Allan Liska
It’s that time of year again: Verizon is releasing its Data Breach Investigations Report (DBIR), and security professionals are going to, rightfully, spend the next few days poring over the facts and figures. The DBIR provides a great deal of insight into real security incidents, and the depth and breadth of its scope make it an invaluable asset to any security team.
Recorded Future was lucky enough to contribute to the report, and we were invited to speak on a webinar with other industry leaders, moderated by the Verizon team. It’s always impressive to see how the report authors are able to derive clear trends and unify the industry while creating meaningful impact for the community.
There are a lot of useful trends in the 2019 report:
One of the big lessons organizations should take away from this year’s report is that stolen credentials are becoming a bigger problem. Figure 1 tracks just some of the incidents that Recorded Future monitored in 2018, but there were many more, including dumps of billions of stolen credentials across a number of different underground sites.
It is important for organizations to monitor for stolen credentials, especially given the tendency of people to reuse passwords across personal and business accounts.
The additional wrinkle of stolen email credentials being used to attack web applications, where there is often little monitoring available to an organization, makes credential monitoring even more important.
In addition to the use of stolen credentials, the fact that small businesses made up 43% of breaches means that organizations cannot assume that they are “too small to be targeted” or that they can’t afford to put security procedures in place. Like it or not, every organization is potentially vulnerable and should take steps to protect their employees and their data.
Compromise of payment card information continues to be a huge problem, but attackers have shifted from targeting PoS systems to using skimmers that embed themselves in the web application itself. Known as web skimmers, these were a big problem in 2018 and continue to be one heading into 2019. The most well-known of these skimmers, Magecart, has been responsible for a number of payment card compromises.
As shown in Figure 2, the team behind Magecart has struck a number of different targets and managed to steal hundreds of millions of payment cards in their successful run. They are always finding new targets to go after and figuring out new ways to compromise online web applications. This looks to be a problem for a considerable time.
Some of the long-term trends that Verizon monitors in the DBIR are also interesting. Verizon breaks incident types into nine different categories, listed in the 2019 report in order of how commonly they occurred in 2018:
When Verizon first introduced these categories in 2014 (covering 2013), the top three incident categories were:
In the 2018 report (covering 2017), the top three were:
So the types of attacks are changing over time. You can see this reflected in Recorded Future data as well. For example, Figure 3 shows the number of reported distributed denial-of-service (DDoS) attacks that Recorded Future has recorded over the last five years.
The pattern of attacks we recorded roughly mirrors the rise and fall of DDoS incidents in the DBIR reports over the years. Being able to understand which threats are increasing and which are falling off allows organizations to better allocate resources to protect against the current threat landscape.
There is a lot of useful data within the Verizon DBIR, making it well worth the read to understand what the current threats are and what organizations can expect in the coming year.