Results and analysis

The results found in this and subsequent sections within the report are based on a dataset collected from a variety of sources, including cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, cases provided by our external collaborators, and publicly disclosed security incidents. The year-to-year data will have new incident and breach sources as we continue to strive to locate and engage with additional organizations that are willing to share information to improve the diversity and coverage of real-world events. This is a sample of convenience,⁶ and changes in contributors—both additions and those who were not able to contribute this year—will influence the data set. Moreover, potential changes in contributors’ areas of focus can shift bias in the sample over time. Still other potential factors, such as how we filter and subset the data, can affect these results. All of this means that we are not always researching and analyzing the same population. However, they are all taken into consideration and acknowledged where necessary within the text to provide appropriate context to the reader. Having said that, the consistency and clarity we see in our data year-to-year gives us confidence that while the details may change, the major trends are sound.

Now that we have covered the relevant caveats, we can begin to examine some of the main trends you will see while reading through this report. When looking at Figure 6 below, let’s focus for a moment on the Trojan⁷ line. When many people think of how hacking attacks playout, they may well envision the attacker dropping a Trojan on a system and then utilizing it as a beachhead in the network from which to launch other attacks, or to expand the current one. However, our data shows that this type of malware peaked at just under 50% of all breaches in 2016, and has since dropped to only a sixth of what it was at that time (6.5%). Likewise, the trend of falling RAM-scraper malware that we first noticed last year continues. We will discuss that in more detail in the “Retail” section. As this type of malware decreases, we see a corresponding increase in other types of threats. As time goes on, it appears that attackers become increasingly efficient and lean more towards attacks such as phishing and credential theft. But more on those in the “Social” and “Hacking” subsections respectively. Other big players this year, such as Misconfiguration and Misdelivery, will be examined in the “Error” subsection.

Threat action varieties

Taking a peek at threat action varieties allows us to dig a bit deeper into the bad guy’s toolbox. Figure 12 provides an idea of what action varieties drive incident numbers and, shocker, Denial of Service (DoS) plays a large part. We also see a good bit of phishing, but since data disclosure could not be confirmed, they remain incidents and do not graduate to breach status (but maybe they can if they take a couple of summer classes). In sixth overall, we see ransomware popping up like a poor relation demanding money—which, in many cases, they get.

When we again switch back to looking at the top Action varieties for breaches in Figure 13, we see our old foes, Phishing, Use of stolen credentials and Misconfiguration in the top five. Misdelivery is making an impressive showing (mostly documents and email that ended up with the wrong recipients) this year. While we don’t have data to prove it, we lean toward the belief that this is an artifact of breach disclosure becoming more normalized (and increasingly required by privacy laws around the world), especially for errors.

Finally, you’ll notice “Other” in the mix. As we mentioned in the "DBIR Cheat sheet" section at the very beginning of this report, “Other” represents any enumeration not represented by one of the categories in the figure. It turns out there are a lot of breaches (675 to be specific) that didn’t contain any of the top varieties. Breaches (like people and problems) come in many shapes and sizes and are never too far away from your front door. 

Error

Errors definitely win the award for best supporting action this year. They are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries. Only Hacking remains higher, and that is due to credential theft and use, which we have already touched upon. In Figure 14 you can see that since 2017, Misconfiguration errors have been increasing. This can be, in large part, associated with internet-exposed storage discovered by security researchers and unrelated third parties. While Publishing errors appear to be decreasing, we wouldn’t be surprised if this simply means that errors formerly attributed to publishing a private document on an organization’s infrastructure accidentally, now gets labeled Misconfiguration because the system admin set the storage to public in the first place.

Finally, it is also worth noting what isn’t making the list. Loss is down among the single digits this year. Disposal errors are also not really moving the needle. Errors have always been present in high-ish numbers in the DBIR in industries with mandatory reporting requirements, such as Public Administration and Healthcare. The fact that we now see Error becoming more apparent in other industries could mean we are getting better at admitting our mistakes rather than trying to simply sweep them under the rug.

Of course, it could also mean that since so many of them are caught by security researchers and third parties, the victims have no choice but to utter “mea culpa.” Security researcher has become the most likely Discovery method for an Error action breach by a significant amount (Figure 15), being over six times more likely than it was last year. However, we here on the DBIR team are of an optimistic nature, so we will go with the former conclusion. 

Ransomware
Traditionally, Ransomware is categorized as an incident in the DBIR and not as a breach, even though it is considered a breach in certain industries for reporting purposes (such as Healthcare) due to regulatory guidance. The reason we consider it only an incident is because the encryption of data does not necessarily result in a confidentiality disclosure. This year, however, ransomware figures more prominently in breaches due in large part to the confirmed compromise of credentials during ransomware attacks. In still other cases, the “breach” designation was due to the fact that personal information was known to have been accessed in addition to the installation of the malware.

Ransomware accounted for 3.5% of unique malware samples submitted for analysis, not such a big number overall. At least one piece of ransomware was blocked by 18% of organizations through the year,¹⁴ even though it presented a fairly good detection rate of 82% in simulated incident data. However, it shows up heavily in actual incidents and breaches, as discussed previously. This indicates that it falls into category #2 in the survivorship bias callout. It’s a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations, but that can be stopped. Part of its continued growth can be explained by the ease with which attackers can kick off a ransomware attack. In 7% of the ransomware threads found in criminal forums and market places, “service” was mentioned, suggesting that attackers don’t even need to be able to do the work themselves. They can simply rent the service, kick back, watch cat videos and wait for the loot to roll in.

It's a big problem that's continuing to get bigger.

Droppers and Trojans
As we pointed out earlier, Trojans, although still in the top five malware varieties, have been decreasing over time. However, their backdoor and remote-control capabilities are still a key functionality for more advanced attackers to operate and achieve their objectives in more intricate campaigns. Downloaders are a common way to get that type of malware on the network, and they made up 19% of malware samples. Nineteen percent were classified as backdoors and 12% were keyloggers.

Droppers and Trojans seem to fall into category #3 in the survivorship bias callout. We see them quite frequently in malware, but they do not necessarily appear in a large number of incidents and breaches. One possible explanation for this is that we might be simply getting better at blocking the cruder and more commoditized versions of this type of malware, thereby pushing unsophisticated attackers increasingly to smash-and-grab tactics. Additionally, the shift to web interfaces for most of our services may simply mean Trojans have a smaller attack surface to exploit.

Malware with vulnerability exploits
If Droppers and Trojans are examples of category #3, then Malware that exploits vulnerabilities falls under category #4. It ranks at the bottom of malware varieties in Figure 16. Figure 25 (ahead in the "Hacking" section) shows that exploiting vulnerabilities in Malware is even more rare than in Hacking (where it’s already relatively scarce). While successful exploitation of vulnerabilities does still occur (particularly for low-hanging fruit as in Figure 22—also in the "Hacking" section), if your organization has a reasonable patch process in place, and you do not have a state-aligned adversary targeting you, then your time might be better spent attending to other threat varieties.

Cryptocurrency mining
The cryptocurrency mining malware variety falls squarely into category #4. It accounted for a mere 2.5% of malware among breaches and only 1.5% of malware for incidents. Around 10% of organizations received (and blocked) Cryptocurrency mining malware at some point throughout the course of the year.¹⁵

The breach simulation data clues us in on what might be happening, as it indicates that the median block rate for cryptocurrency mining malware was very high. Another valid theory is that cryptomining occurrences rarely rise to the level of “reported incident” unless we are talking about instances running on stolen cloud infrastructure. These cost your organization a lot of money while generating less loose change than the threat actor could have found in their couch cushions.

Hacking

At a high-level, Hacking can be viewed as falling into three distinct groups: 1) those utilizing stolen or brute-forced credentials; 2) those exploiting vulnerabilities; and 3) attacks using backdoors and Command and Control (C2) functionality.

However, it must be said that Hacking and even breaches in general (at least in our dataset) are driven by credential theft. Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials. These Hacking varieties (Figure 20 below), along with exploitation of a vulnerability (of which SQLi is a part), are associated in a major way with web applications as illustrated in Figure 21. We have spent some time on this over the last year, and it is important to reassert that this trend of having web applications as the vector of these attacks is not going away. This is associated with the shift of valuable data to the cloud, including email accounts and business-related processes.

Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials.

Use of backdoor or C2 (checking in at third place) are both associated with more advanced threats, since for more intricate campaigns and data exfiltration missions there is nothing quite like the human touch. For better or worse, the promise of fully autonomous Artificial Hacking Intelligence (AHI) is still at least 15 years away,¹⁸ along with flying cars.

Additional contributor data sheds light onto the credential stuffing attacks criminals are attempting. Figure 23²⁰ shows the number of attempts orgs who had any credential stuffing attempts typically received. As you will notice, it is a relatively smooth bell curve with a median of 922,331. Granted, a good number of those login/password combos attempted will be as complex as “admin/admin” or “root/hunter2” but those sustained attacks over time are succeeding according to our incident dataset.

Exploiting vulnerabilities
Vulnerabilities occupy a huge amount of mind-share in information security. Yet, harkening back to that bit about survivorship bias in the "Malware" section, it’s more of situation #3 than situation #1. There are lots of vulnerabilities discovered, and lots of vulnerabilities found by organizations scanning and patching, but a relatively small percentage of them are used in breaches, as you can see in Figure 25. Although exploiting vulnerabilities is in second place in breach Hacking varieties, it has not played a major role within incidents found in the DBIR over the last five years. In fact, it reached its peak at just over 5% as a Hacking variety in 2017. In our security information and event management (SIEM) dataset, most organizations had 2.5% or less of alerts involving exploitation of a vulnerability.²²

But that doesn’t mean that the attackers don’t give it a try anyway. Clearly, the attackers are out there and if you leave unpatched stuff on the internet, they’ll find it and add it to their infrastructure.²³ We hear a lot about new vulnerabilities and their prevalence both on the internet and within organizations. Does the internet as a whole become more vulnerable with every new vulnerability that gets discovered?²⁴ And are those unpatched vulnerabilities that are adding to the problem likely to be present on your systems?

To test whether that²⁵ is true, we conducted a little investigation this summer. We looked at two sets of servers hosted on public IP addresses: ones vulnerable to an Exim vulnerability discovered in 2019²⁶ and randomly chosen IPs. As we see in Figure 26, hosts that were vulnerable to the EXIM vulnerability were also vulnerable to 10-year-old SSH vulnerabilities²⁷ much more frequently than the random sample.

The takeaway is that it wasn’t just the Exim vulnerability that wasn’t patched on those servers. NOTHING was patched. For the most part, no, the internet as a whole does not seem to be getting less secure with each new vulnerability, at least not after the short window before organizations that are on top of their patch management update their systems.²⁸ You can just as easily exploit those vulnerable servers with that l33t 10-year-old exploit you got from your h4x0r friend on Usenet.

But what about the second question: Are those likely to be your systems that are vulnerable?²⁹ To test this, we took two samples from vulnerability scan data: organizations with the Eternal Blue vulnerability³⁰ present on their systems and those without. In Figure 27,³¹ we see the same thing as in Figure 26. The systems that were vulnerable to Eternal Blue were also vulnerable to everything from the last decade or two. Once again, no, each new vulnerability is not making you that much more vulnerable. Organizations that patch seem to be able to maintain a good, prioritized patch management regime.

Still, we’re not in the fourth survivorship bias situation here. Attackers will try easy-to-exploit vulnerabilities if they encounter them while driving around the internet. Since you just came from the "Credentials" section, you may remember that Figure 22, which illustrates that once you get below the SSH and Telnet lines on the chart, the next three services that we conveniently highlighted are port 5555 (Android Debug Bridge, or adb—really popular lately), port 7547 (common router RPC port) and port 37777 (popular with IP cameras and DVRs). If you will allow us a mixed metaphor, there is no outrunning the bear in this case, because the bears are all being 3D-printed in bulk and automated to hunt you.

So, carry on my wayward son and keep doing what you’re doing (you know, patching), and perhaps skip over to the "Assets" section to get an inkling of what you might be missing.

Social

If action types were people, you would probably give Hacking, Malware and Error a wide berth because they just sound like they would be less than friendly. But Social sounds as though it would be much more happy-go-lucky. More likely to house-sit for you, invite you to play bunko and include you in neighborhood barbecues. You’d be wrong though. Social comes with a devious attitude and a “take me to your manager” haircut. Figure 28 shows Social broken down into two types of incidents: Phishing and Pretexting.³² When it comes to breaches, the ratio remains quite similar, only with slightly lower numbers.

Social actions arrived via email 96% of the time, while 3% arrived through a website. A little over 1% were associated with Phone or SMS, which is similar to the amount found in Documents. If you take a glance at Figure 29, you’ll notice that while credentials are by far the most common attribute compromised in phishing breaches, many other data types are also well represented. Phishing has been (and still remains) a fruitful method for attackers. The good news is that click rates are as low as they ever have been, (3.4%) and reporting rates are rising, albeit slowly (Figure 30).

Financially Motivated Social Engineering
Financially Motivated Social Engineering (FMSE) keeps increasing year-over-year (Figure 31), and although it is a small percentage of incidents, in raw counts, there were over 500 in our dataset this year. These attacks typically end up in our Everything Else pattern, as they are purely social in nature. There is no malware component, as you would see in the more advanced nation-state scenario, nor is there any effort to gain a foothold and remain persistent in the victim’s network. These are simply a “get what you can when you can” kind of attack.

This is not to say that they cannot be sophisticated in the lengths the adversary is willing to go to for success. In prior years, they would impersonate CEOs and other high- level executives and request W-2 data of employees. They have largely changed their tactics to just asking for the cash directly— why waste time with monetizing data? It’s so inefficient. Their inventiveness in the pretext scenario to lend a level of believability to their attempt is a measure of how good these people are at their jobs.

Last year, we looked at the median impact cost for incidents reported to the FBI IC3. With regard to business email compromises (BEC), we noticed that most companies either lost $1,240 or $44,000 with the latter being slightly more frequent (Figure 32).

Also, last year we stated that when “the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all U.S.-based business email compromise victims had 99% of the money recovered or frozen; and only 9% had nothing recovered." They continued to record that metric and this year it improved slightly, indicating that 52% recovered 99% or more of the stolen funds and only 8% recovered nothing.

Assets

Figure 33 provides an overview of the asset landscape. Servers are the clear leader and they continue to rise. This is mainly due to a shift in industry toward web applications (the most common asset variety in Figure 34) with system interfaces delivered as a software as a service (SaaS), moving away from that seven-year-old spreadsheet with those great macros that Bob from accounting put together. Person³³ holds second place for the second year in a row, which is not surprising given how Social actions have stayed relevant throughout this period.

Kiosks and Terminals continued to decline as they did last year. This is primarily due to attackers transitioning to “card not present” retail as the focus of their efforts, rather than brick-and-mortar establishments.

Head in the clouds
Cloud assets were involved in about 24% of breaches this year, while on-premises assets are still 70%³⁴ in our reported breaches dataset. Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims.

Attributes

The compromise of the Confidentiality of Personal data leads the pack among attributes affected in breaches, as shown in Figure 37. But keep in mind that this contains email addresses and is not just driven by malicious data exfiltration, but also by “benign” errors. The one-two punch of Hacking and Error puts email addresses (and by extension personal information) at the front of the pack. Certainly, Personal information goes way beyond just email addresses, but that is the designation where those reside.

In second place, we see Credentials, which should come as no surprise since we have covered that topic sufficiently already. Alter behavior appears next and is a result of Social breaches affecting the Integrity of our victims’ Person assets. Finally, we see Malware-related breaches causing the integrity violation of Software Installation.

One other notable observation from Figure 37 is that Bank and Payment data are almost equal. Five years ago, Payment information was far more common, but while compromise of bank information has stayed relatively level, Payment has continued to decline to an equivalent level.

Email address compromises
Given that email addresses are Personally Identifiable Information (PII) and that Personal is the most common variety of data to be breached in this year’s report, we looked a bit more closely at some of the email leaks we have seen over the last 10 years. Figure 38 gives you a feel for what email top-level domains (TLDs) are being compromised the most. The “Other” category includes TLDs with less than 1% of emails, by the way.

Since .com accounts for approximately 59% of leaked emails, we focused in on that a bit. The first 150 domains that we looked at showed that most were mail registration services. That accounted for about 97% of the breaches, and provides hope that most emails compromised aren’t your employees’ corporate addresses. However, the little matter of the remaining 3% was comprised of tens of millions of addresses. 
 

What’s that attribute going to cost you?
As reported in FBI IC3 complaints, the most common loss was $32,200 this year, up from about $29,300 last year. That’s still basically in the preowned car range, and while no one wants to lose that much money, it could certainly be much worse.

How many paths must a breach walk down?

We tend to think about incidents and breaches as a point in time. You snap your fingers and all the attacker actions are complete, the stolen data is in the attacker’s saddlebags and they are off down Old Town Road and away into the sunset. Still, we all know that is not quite what actually happens. Many of the attacks studied in this report fall somewhere between a stickup and the Great Train Robbery in terms of complexity. The good news is that defenders can use this to their advantage.

As you can see in Figure 40, attacks come in numerous forms and sizes, but most of them are short, having a small number of steps (you can notice that by how the volume of line segments thin out between the four and six steps markers). The long ones tend to be Hacking (blue) and Malware (green) breaches, compromising Confidentiality (the middle position) and Integrity (the lower position) as the attacker systematically works their way through the network and expands their persistence. The benefit in knowing the “areas” (threat actions—colors/compromising specific attributes—positions) attackers are more likely to pass through in their journey to a breach gives you first advantage, because you can choose where to intercept them. You may want to stop their initial action or their last. You may not want to go near them, so you don’t have to listen to “Old Town Road.” All of these options are understandable in accordance with your response strategy.³⁶

Figures 41 and 42 provide us with our next defensive advantage. Attackers prefer short paths and rarely attempt long paths. This means anything you can easily throw in their way to increase the number of actions they have to take is likely to significantly decrease their chance of absconding with the data. Hopefully by now we have driven home the significance and prevalence of credential theft and use. While we admit that two-factor authentication is imperfect, it does help by adding an additional step for the attacker. The difference between two steps (the Texas two-step) and three or four steps (the waltz) can be important in your defensive strategy.

The difference between two steps (the Texas two-step) and three or four steps (the waltz) can be important in your defensive strategy.

Finally, take a look at Figure 43. It shows what actions happen at the beginning, middle and end of both incidents and breaches. It is not what is on top that’s interesting (we already know “Social—Phishing” and “Hacking—Use of stolen creds” are good ways to start a breach and “Errors” are so short that the beginning of the path is also the end). The interesting bit is what’s near the bottom. Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, our third defensive opportunity, is to guess what you haven’t seen based on what you have. For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are.

All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.

Timeline
As we analyze how breach timelines have evolved over time, Discovery in days or less is up (Figure 44) and Containment in that same timeframe has surpassed its historic 2017 peak (Figure 45). However, before you break out the bubbly, keep in mind that this is most likely due to the inclusion of more breaches detected by managed security service providers (MSSPs) in our incident data contributors’ sampling, and the relative growth of breaches with Ransomware as collateral damage, where Discovery is often close to immediate due to Actor disclosure. ³⁷

Discovery in Months or more still accounts for over a quarter of breaches. We are obligated to point out that since this is a yearly report, this is usually a trailing indicator of the actual number, as there are potentially a significant number of breaches that occurred in 2019 that just have not been discovered yet.

All in all, we do like to think that there has been an improvement in detection and response over the past year and that we are not wasting precious years of our life in a completely pointless battle against the encroaching void of hopelessness. Here, have a roast beef sandwich on us.