2019 Data Breach Investigations Report
`
`WIZ, Inc. EXHIBIT - 1027
`WIZ, Inc. v. Orca Security LTD.
`
`
`
`2
`
`A couple of tidbits
`
`Before we formally introduce you to the 2019 Data Breach Investigations Report (DBIR),
`let us get some clarifications out of the way first to reduce potential ambiguity around terms,
`labels, and figures that you will find throughout this study.
`
Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses 2 to 6 digit codes to classify businesses and organizations. Our analysis is typically done at the 2-digit level and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. 52 is the NAICS code for the Finance and Insurance sector. The overall label of “Financial” is used for brevity within the figures. Detailed information on the codes and classification system is available here:

https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2017

VERIS resources

The terms “threat actions,” “threat actors,” “varieties,” and “vectors” will be referenced a lot. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here are some select definitions followed by links with more information on the framework and on the enumerations.

Threat actor:
Who is behind the event? This could be the external “bad guy” that launches a phishing campaign, or an employee who leaves sensitive documents in their seat back pocket.

Threat action:
What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. Examples at a high level are hacking a server, installing malware, and influencing human behavior.

Variety:
More specific enumerations of higher level categories - e.g., classifying the external “bad guy” as an organized criminal group, or recording a hacking action as SQL injection or brute force.

Learn more here:
• github.com/vz-risk/dbir/tree/gh-pages/2019 – DBIR figures and figure data.
• veriscommunity.net features information on the framework with examples and enumeration listings.
• github.com/vz-risk/veris features the full VERIS schema.
• github.com/vz-risk/vcdb provides access to our database on publicly disclosed breaches, the VERIS Community Database.
• http://veriscommunity.net/veris_webapp_min.html allows you to record your own incidents and breaches. Don’t fret, it saves any data locally and you only share what you want.

Incident vs. breaches

We talk a lot about incidents and breaches and we use the following definitions:

Incident:
A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach:
An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

New chart, who dis?

You may notice that the bar chart shown may not be as, well, bar-ish as what you may be used to. Last year we talked a bit in the Methodology section about confidence. When we say a number is X, it’s really X +/- a small amount. This year we’re putting it in the bar charts. The black dot is the value, but the slope gives you an idea of where the real value could be between. In this sample figure we’ve added a few red bars to highlight it, but in 19 bars out of 20 (95%),1 the real number will be between the two red lines on the bar chart. Notice that as the sample size (n) goes down, the bars get farther apart. If the lower bound of the range on the top bar overlaps with the higher bound of the bar beneath it, they are treated as statistically similar and thus statements that x is more than y will not be proclaimed.

Figure 1. Top asset variety in breaches (sample figure; bars shown: Server, all breaches, n=1,881; Server, just large organization breaches, n=335; x-axis: percent of breaches, 0% to 100%)

1 https://en.wikipedia.org/wiki/Confidence_interval
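As an added example (not code from the report), here is how the 95% interval bars and the overlap rule described above can be computed for two bars. The Wilson score interval is used as the interval method; the report's footnote points to confidence intervals in general, not to a particular formula. The counts for the two Server bars are constructed for illustration; only the two sample sizes (n=335 and n=1,881) come from Figure 1.

```python
import math

Z95 = 1.959964  # two-sided 95% quantile of the standard normal distribution


def wilson_interval(successes, n, z=Z95):
    """95% Wilson score interval for a proportion successes/n.

    Chosen because it behaves sensibly for small n and for proportions
    near 0 or 1, where the plain normal approximation can run past 0 or 1.
    """
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need n > 0 and 0 <= successes <= n")
    p = successes / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return (centre - half, centre + half)


def can_claim_greater(upper_bar, lower_bar):
    """The report's rule: only say 'x is more than y' when the lower bound
    of the higher bar sits above the upper bound of the bar beneath it.
    Bars are (successes, n) tuples."""
    lo_upper, _ = wilson_interval(*upper_bar)
    _, hi_lower = wilson_interval(*lower_bar)
    return lo_upper > hi_lower


def compare_adjacent(bars):
    """bars: list of (label, successes, n). Sorts by point estimate and, for
    each adjacent pair, reports whether the two are statistically
    distinguishable under the overlap rule.
    Returns a list of (higher_label, lower_label, distinguishable)."""
    ordered = sorted(bars, key=lambda b: b[1] / b[2], reverse=True)
    out = []
    for (la, sa, na), (lb, sb, nb) in zip(ordered, ordered[1:]):
        out.append((la, lb, can_claim_greater((sa, na), (sb, nb))))
    return out


# Constructed counts; only the sample sizes are taken from Figure 1's labels.
SERVER_ALL = (1195, 1881)        # Server, all breaches, n=1,881
SERVER_LARGE_ORG = (225, 335)    # Server, large organization breaches, n=335

if __name__ == "__main__":
    for name, bar in (("all", SERVER_ALL), ("large org", SERVER_LARGE_ORG)):
        lo, hi = wilson_interval(*bar)
        print(f"Server ({name}): {bar[0] / bar[1]:.1%} [{lo:.1%}, {hi:.1%}]")
    # The smaller sample gets the wider bar, and the two bars overlap, so the
    # report's rule would not let us say large orgs hit servers more often.
    print("large-org > all?", can_claim_greater(SERVER_LARGE_ORG, SERVER_ALL))
```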
`
`Questions? Comments? Brilliant ideas?
`We want to hear them. Drop us a line at dbir@verizon.com,
`find us on LinkedIn, tweet @VZEnterprise with the #dbir.
`Got a data question? Tweet @VZDBIR!
`
`
`
`4
`
`5
`
`6
`
`20
`
`24
`
`27
`
`30
`
`35
`
`38
`
`41
`
`44
`
`46
`
`49
`
`52
`
`55
`
`58
`
`61
`
`62
`
`65
`
`68
`
`71
`
`75
`
`3 T
`
`able of contents
`
`Introduction
`
`Summary of findings
`
`Results and analysis
`
`Unbroken chains
`
`Incident classification patterns and subsets
`
`Data breaches: extended version
`
`Victim demographics and industry analysis
`
`Accommodation and Food Services
`
`Educational Services
`
`Financial and Insurance
`
`Healthcare
`
`Information
`
`Manufacturing
`
`Professional, Technical and Scientific Services
`
`Public Administration
`
`Retail
`
`Wrap up
`
`Year in review
`
`Appendix A: Transnational hacker debriefs
`
`Appendix B: Methodology
`
`Appendix C: Watching the watchers
`
`Appendix D: Contributing organizations
`
`
`
Introduction

“The wound is the place where the light enters you.”
— Rumi

Welcome! Pull up a chair with the 2019 Verizon Data Breach Investigations Report (DBIR). The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident data sets contributed by several security vendors.

This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets are also provided. This affords the reader yet another means to analyze breaches and to find commonalities above and beyond the incident classification patterns that you may already be acquainted with.

Fear not, however. The nine incident classification patterns are still around, and we continue to focus on how they correlate to industry. In addition to the nine primary patterns, we have created a subset of data to pull out financially-motivated social engineering (FMSE) attacks that do not have a goal of malware installation. Instead, they are more focused on credential theft and duping people into transferring money into adversary-controlled accounts. In addition to comparing industry threat profiles to each other, individual industry sections are once again front and center.

Joining forces with the ever-growing incident/breach corpus, several areas of research using non-incident data sets such as malware blocks, results of phishing training, and vulnerability scanning are also utilized. Leveraging, and sometimes combining, disparate data sources (like honeypots and internet scan research) allows for additional data-driven context.

It is our charge to present information on the common tactics used by attackers against organizations in your industry. The purpose of this study is not to rub salt in the wounds of information security, but to contribute to the “light” that raises awareness and provides the ability to learn from the past. Use it as another arrow in your quiver to win hearts, minds, and security budget. We often hear that this is “required reading” and strive to deliver actionable information in a manner that does not cause drowsiness, fatigue, or any other adverse side effects.

We continue to be encouraged and energized by the coordinated data sharing by our 73 data sources, 66 of which are organizations external to Verizon. This community of data contributors represents an international group of public and private entities willing to support this annual publication. We again thank them for their support, time, and, of course, DATA.

We all have wounds, none of us knows everything, let’s learn from each other.

Excelsior!2

2 If you didn’t expect a Stan Lee reference in this report, then you are certainly a first-time reader. Welcome to the party pal!
`
`
`
Summary of findings

Figure 2. Who are the victims?
• 16% were breaches of Public sector entities
• 15% were breaches involving Healthcare organizations
• 10% were breaches of the Financial industry
• 43% of breaches involved small business victims

Figure 3. What tactics are utilized?
• 52% of breaches featured Hacking
• 33% included Social attacks
• 28% involved Malware
• Errors were causal events in 21% of breaches
• 15% were Misuse by authorized users
• Physical actions were present in 4% of breaches

Figure 4. Who's behind the breaches?
• 69% perpetrated by outsiders
• 34% involved Internal actors
• 2% involved Partners
• 5% featured Multiple parties
• Organized criminal groups were behind 39% of breaches
• Actors identified as nation-state or state-affiliated were involved in 23% of breaches

Figure 5. What are other commonalities?
• 71% of breaches were financially motivated
• 25% of breaches were motivated by the gain of strategic advantage (espionage)
• 32% of breaches involved phishing
• 29% of breaches involved use of stolen credentials
• 56% of breaches took months or longer to discover
`
`
`6
`
`Results and analysis
`
`year the trend continues. There are some subsets
`of data that are removed from the general corpus,
`notably over 50,000 botnet related breaches. These
`would have been attributed to external groups and,
`had they been included, would have further increased
`the gap between the External and Internal threat.
`
`External
`
`Internal
`
`Partner
`
`2011
`
`2013
`
`2015
`
`2017
`
`Figure 6. Threat actors in breaches over time
`
`Financial
`
`Espionage
`
`2011
`
`2013
`
`2015
`
`Other
`
`2017
`
`Figure 7. Threat actor motives in breaches over time
`
`80%
`
`60%
`
`40%
`
`20%
`
`0%
`
`Breaches
`
`75%
`
`50%
`
`25%
`
`0%
`
`Breaches
`
`The results found in this and subsequent sections
`within the report are based on a data set collected
`from a variety of sources such as publicly-disclosed
`security incidents, cases provided by the Verizon
`Threat Research Advisory Center (VTRAC)
`investigators, and by our external collaborators. The
`year-to-year data set(s) will have new sources of
`incident and breach data as we strive to locate and
`engage with organizations that are willing to share
`information to improve the diversity and coverage
`of real-world events. This is a convenience sample,
`and changes in contributors, both additions and
`those who were not able to participate this year, will
`influence the data set. Moreover, potential changes
`in their areas of focus can stir the pot o’ breaches
`when we trend over time. All of this means we are not
`always researching and analyzing the same fish in
`the same barrel. Still other potential factors that may
`affect these results are changes in how we subset
`data and large-scale events that can sometimes
`influence metrics for a given year. These are all
`taken into consideration, and acknowledged where
`necessary, within the text to provide appropriate
`context to the reader.
`
`With those cards on the table, a year-to-year view of
`the actors (and their motives),3 followed by changes
`in threat actions and affected assets over time is
`once again provided. A deeper dive into the overall
`results for this year’s data set with an old-school
`focus on threat action categories follows. Within
`the threat action results, relevant non-incident data
`is included to add more awareness regarding the
`tactics that are in the adversaries’ arsenal.
`
`Defining the threats
`
`Threat actor is the terminology used to describe
`who was pulling the strings of the breach (or if an
`error, tripping on them). Actors are broken out into
`three high-level categories of External, Internal, and
`Partner. External actors have long been the primary
`culprits behind confirmed data breaches and this
`
`3And we show the whole deck in Appendix B: Methodology.
`
`
`
Figure 8. Select threat actors in breaches over time (series: Organized crime, State-affiliated, Cashier, Activist, System Admin; 2011 to 2017; y-axis: percent of breaches, 0% to 80%)
`
Financial gain is still the most common motive behind data breaches where a motive is known or applicable (errors are not categorized with any motive). This continued positioning of personal or financial gain at the top is not unexpected. In addition to the botnet breaches that were filtered out, there are other scalable breach types that allow for opportunistic criminals to attack and compromise numerous victims.4 Breaches with a strategic advantage as the end goal are well-represented, with one-quarter of the breaches associated with espionage. The ebb and flow of the financial and espionage motives is indicative of changes in the data contributions and the multi-victim sprees.

This year there was a continued reduction in card-present breaches involving point of sale environments and card skimming operations. Similar percentage changes in organized criminal groups and state-affiliated operations are shown in Figure 8 above. Another notable finding (since we are already walking down memory lane) is the bump in Activists, who were somewhat of a one-hit wonder in the 2012 DBIR with regard to confirmed data breaches. We also don’t see much of Cashier (which also encompasses food servers and bank tellers) anymore. System administrators are creeping up and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors. These are either by misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers. Please, close those buckets!

4 In Appendix C: “Watching the Watchers”, we refer to these as zero-marginal cost attacks.
`
`
`
`8
`
`Hacking
`
`Malware
`
`Social
`
`Error
`
`Misuse
`
`Physical
`
`Environmental
`
`2018
`
`2013
`
`53%
`
`56%
`
`DIFF
`
`-3
`
`Server
`
`2018
`
`2013
`
`63%
`
`65%
`
`29
`
`30
`
`17
`
`35
`
`17
`
`21
`
`14
`
`16
`
`4
`
`10
`
`0
`0
`
`-1
`
`+18
`
`+5
`
`-2
`
`-6
`
`0
`
`User Dev
`
`28
`
`30
`
`Person
`
`19
`
`39
`
`Media
`
`9
`
`17
`
`Kiosk/Term
`
`Network
`
`1
`
`7
`
`0
`
`1
`
`DIFF
`
`-2
`
`+2
`
`+20
`
`-8
`
`-5
`
`+1
`
`Breaches
`Figure 9. Threat actions in data breaches over time
`Figure 9. Threat actions in data breaches over
`n=2,501 (2013), n=1,638 (2018)
`time n=2,501 (2013), n=1638 (2018)
`
`Breaches
`Figure 10. Asset categories in data breaches over
`Figure 10. Asset categories in data breaches over time
`time n=2,294 (2013), n=1,513 (2018)
`n=2,294 (2013), n=1,513 (2018)
`
Figures 9 and 10 show changes in threat actions and affected assets from 2013 to 2018.5,6 No, we don’t have some odd affinity for seven-year time frames (as far as you know). Prior years were heavily influenced by payment card breaches featuring automated attacks on POS devices with default credentials, so 2013 was a better representative starting point. The rise in social engineering is evident in both charts, with the action category Social and the related human asset both increasing.

Threat action varieties

When we delve a bit deeper and examine threat actions at the variety level, the proverbial question of “What are the bad guys doing?” starts to become clearer. Figure 11 shows Denial of Service attacks are again at the top of action varieties associated with security incidents, but it is still very rare for DoS to feature in a confirmed data breach. Similarly, Loss (short for lost or misplaced assets) incidents are not labeled as a data breach if the asset lost is a laptop or phone, as there is no feasible way to determine if data was accessed. We allow ourselves to infer data disclosure if the asset involved was printed documents.

Switching over to breaches in Figure 12, phishing and the hacking action variety of use of stolen credentials are prominent fixtures. The next group of three involves the installation and subsequent use of backdoor or Command and Control (C2) malware. These tactics have historically been common facets of data breaches and based on our data, there is still much success to be had there.

5 Credit where it’s due. These dumbbell charts are based on the design at http://www.pewglobal.org/2016/02/22/social-networking-very-popular-among-adult-internet-users-in-emerging-and-developing-nations/ and code at https://rud.is/b/2016/04/17/ggplot2-exercising-with-ggalt-dumbbells/
6 Note these are incident years, not DBIR years. All of the 2018 will be represented in this year’s data, but a 2012 breach not discovered until 2013 would be part of the 2014 DBIR.
`
`
`
`9
`
`DoS
`
`Loss
`
`C2
`
`Misdelivery
`
`Phishing
`
`Phishing
`
`Use of stolen creds
`
`Backdoor
`
`C2
`
`Use of backdoor or C2
`
`Use of stolen creds
`
`Privilege abuse
`
`Ransomware
`
`Privilege abuse
`
`Backdoor
`
`Spyware/Keylogger
`
`Misdelivery
`
`Capture app data
`
`Use of backdoor or C2
`
`Data mishandling
`
`Spyware/Keylogger
`
`Adminware
`
`Pretexting
`
`Data mishandling
`
`Adminware
`
`Adware
`
`Publishing error
`
`Pretexting
`
`Exploit vuln
`
`Misconfiguration
`
` 40%
`
`0%
` 20%
`Incidents
`Figure 11. Top threat action varieties in incidents, (n=17,310)
`
` 60%
`
` 80%
`
` 100%
`
` 40%
`
` 60%
`
`0%
` 20%
`Breaches
`Figure 12. Top threat action varieties in breaches (n=1,774)
`
` 80%
`
` 100%
`
`
`
`10
`
`Hacking
`
`A quick glance at the figures below uncovers two
`prominent hacking variety and vector combinations.
`The more obvious scenario is using a backdoor or
`C2 via the backdoor or C2 channel, and the less
`obvious, but more interesting, use of stolen
`credentials. Utilizing valid credentials to pop web
`applications is not exactly avant garde.
`
`The reason it becomes noteworthy is that 60%
`of the time, the compromised web application vector
`was the front-end to cloud based email servers.
`
Figure 13. Top hacking action varieties in breaches (n=755). Varieties shown: Use of stolen creds, Use of backdoor or C2, Exploit vuln, Brute force, Buffer overflow, Abuse of functionality, RFI, SQLi, Other.

Figure 14. Top hacking action vectors in breaches (n=862). Vectors shown: Web application, Backdoor or C2, Desktop sharing, Desktop sharing software, Other, VPN, Partner, Command shell, 3rd party desktop, Physical access.
`
`Even though stolen credentials are not directly
`associated with patch currency, it is still a necessary
`and noble undertaking. At most, six percent of
`breaches in our data set this year involved exploiting
`vulnerabilities. Remember that time your network
`was scanned for vulnerabilities and there were zero
`findings? You slept soundly that night only to be
`jolted from your drowsy utopia by your alarm radio
`blaring “I Got You Babe.” Vulnerability scanning always
`yields findings (even benign informational ones) and
`it is up to the administrators to determine which are
`accepted, and which are addressed.
`
`
`
`Malware
`
`Malware can be leveraged in numerous ways to
`establish or advance attacks. Command and Control
`(C2) and backdoors are found in both security
`incidents and breaches. Ransomware is still a major
`issue for organizations and is not forced to rely on
`data theft in order to be lucrative.
`
Malware varieties shown in Figure 16: C2, Ransomware, Backdoor, Spyware/keylogger, Adminware, Adware, Capture app data, Spam, Downloader, Capture stored data.
`
`Figure 15 shows the patching behavior of hundreds
`of organizations from multiple vulnerability scanning
`contributors. Based on scan history, we determine
`that organizations will typically have a big push to
`remediate findings after they are initially discovered
`and after that there is a steady increase in percentage
`of findings fixed until it levels out. Not unlike the
`amount of romance and mutual regard that occurs
`while dating vs. once married. You get the idea.
`
`The area under the curve (AUC) is how protected
`you are while you are actively patching. Quick
`remediation will result in a higher AUC. The
`percentage completed-on-time (COT) is the amount
`of vulnerabilities patched at a pre-determined
`cut-off time; we used 90 days. Your COT metric
`could be different, and it would make sense to have
`different COTs for Internet-facing devices or browser
`vulnerabilities, and certainly for vulnerabilities with
`active exploitation in the wild.
`
`It is important to acknowledge that there will always
`be findings. The key is to prioritize the important
`ones and have a plan for the remaining actionable
`vulnerabilities; and to be able to defend acceptance of
`unaddressed findings.
`
Figure 15. Time to patch (x-axis: days taken to patch, 7/30/60/90; y-axis: findings fixed, 0% to 100%; AUC: 32.4%, COT: 43.8%)

Figure 16. Top malware action varieties in incidents (n=2,103)
`
`
`
`12
`
We were at a hipster coffee shop and it was packed with people talking about cryptomining malware as the next big thing. The numbers in this year’s data set do not support the hype, however, as this malware functionality does not even appear in the top 10 varieties. In previous versions of VERIS, cryptominers were lumped in with click-fraud, but they received their own stand-alone enumeration this year. Combining both the new and legacy enumerations for this year, the total was 39—more than zero, but still far fewer than the almost 500 ransomware cases this year.
`
Figure 17. Top malware action varieties in breaches (n=500). Varieties shown: Backdoor, C2, Spyware/keylogger, Capture app data, Adminware, Downloader, Capture stored data, Password dumper, Ram scraper, Ransomware.

Figure 18. Top malware action vectors in incidents (n=795). Vectors shown: Email attachment, Direct install, Email unknown, Web drive-by, Download by malware, Remote injection, Email link, Network propagation, Other, Web download.
`
`
`
`13
`
`Delivery Method
`
`File Type
`
`94%
`
`23%
`
`0%
`
`45%
`
`26%
`
`22%
`
`
`web
`
`other
`
`O(cid:19)ce doc
`
`Windows app
`
`other
`
`Figure 19. Malware types and delivery methods
`
`100%
`
`75%
`
`50%
`
`25%
`
`0%
`
` 100%
`
` 80%
`
`Figure 18 displays that when the method of malware
`installation was known, email was the most common
`point of entry. This finding is supported in Figure 19,
`which presents data received from millions of
`malware detonations, and illustrates that the median
`company received over 90% of their detected
`malware by email. Direct install is indicative of a
`device that is already compromised and the malware
`is installed after access is established. It is possible
`for malware to be introduced via email, and once the
`foothold is gained, additional malware is downloaded,
`encoded to bypass detection and installed directly. Like
`most enumerations, these are not mutually exclusive.
`
`Social
`
While hacking and malicious code may be the words that resonate most with people when the term “data breach” is used, there are other threat action categories that have been around much longer and are still ubiquitous. Social engineering, along with Misuse, Error, and Physical, do not rely on the existence of “cyberstuff” and are definitely worth discussing. We will talk about these “OGs” now, beginning with the manipulation of human behavior.
`
`There is some cause for hope in regard to phishing,
`as click rates from the combined results of multiple
`security awareness vendors are going down. As you
`can see in Figure 21, click rates are at 3%.
`
Figure 20. Top social action varieties in breaches (n=670). Varieties shown: Phishing, Pretexting, Bribery, Extortion, Forgery, Influence, Other, Scam.

Figure 21. Click rates over time in sanctioned phishing exercises (2012 to 2018; y-axis: clicked, 0% to 25%; 2.99% in 2018)
`
With regard to the event chain for these attacks, if the device on which the communication was read and/or interacted with does not have malicious code installed as part of the phish, it may not be recorded as an affected asset. For example, if a user is tricked into visiting a phony site and he/she then enters credentials, the human asset is recorded as well as the asset that the credentials are used to access. To that end, those moments when the users’ thoughts are adrift provide an excellent opportunity for criminals to phish via SMS or emails to mobile devices. This is supported by the 18% of clicks from the sanctioned phishing data that were attributed to mobile. Below is a window into mobile devices and how the way humans use them can contribute to successful phishing attacks, provided by researcher Arun Vishwanath, Chief Technologist, Avant Research Group, LLC.
`
`Research points to users being significantly
`more susceptible to social attacks they
`receive on mobile devices. This is the case for
`email-based spear phishing, spoofing attacks
`that attempt to mimic legitimate webpages, as
`well as attacks via social media.7, 8, 9
`
`The reasons for this stem from the design
`of mobile and how users interact with these
`devices. In hardware terms, mobile devices
`have relatively limited screen sizes that restrict
`what can be accessed and viewed clearly.
`Most smartphones also limit the ability to
view multiple pages side-by-side, and navigating pages and apps necessitates toggling between them—all of which make it tedious
`for users to check the veracity of emails and
`requests while on mobile.
`
`Mobile OS and apps also restrict the
`availability of information often necessary
`for verifying whether an email or webpage is
`fraudulent. For instance, many mobile browsers
`limit users’ ability to assess the quality of a
`website’s SSL certificate. Likewise, many
`mobile email apps also limit what aspects of
`the email header are visible and whether the
`email-source information is even accessible.
`
`Mobile software also enhances the prominence
`of GUI elements that foster action—accept,
reply, send, like, and such—which make it easier
`for users to respond to a request. Thus, on the
`one hand, the hardware and software on mobile
`devices restrict the quality of information that
`is available, while on the other they make it
`easier for users to make snap decisions.
`
`The final nail is driven in by how people use
`mobile devices. Users often interact with
`their mobile devices while walking, talking,
`driving, and doing all manner of other activities
`that interfere with their ability to pay careful
`attention to incoming information. While
`already cognitively constrained, on screen
`notifications that allow users to respond to
`incoming requests, often without even having
`to navigate back to the application from which
`the request emanates, further enhance the
`likelihood of reactively responding to requests.
`
`Thus, the confluence of design and how
`users interact with mobile devices make it
`easier for users to make snap, often
`uninformed decisions—which significantly
`increases their susceptibility to social
`attacks on mobile devices.
`
7 Vishwanath, A. (2016). Mobile device affordance: Explicating how smartphones influence the outcome of phishing attacks. Computers in Human Behavior, 63, 198-207.
8 Vishwanath, A. (2017). Getting phished on social media. Decision Support Systems, 103, 70-81.
9 Vishwanath, A., Harrison, B., & Ng, Y. J. (2018). Suspicion, cognition, and automaticity model of phishing susceptibility. Communication Research, 45(8), 1146-1166.
`
`
`
`15
`
`Misuse
`
Misuse is the malicious or inappropriate use of existing privileges. Often it cannot be further defined beyond that point in this document due to a lack of granularity provided; this fact is reflected in the more generic label of Privilege abuse as the top variety in Figure 22. The motives are predominantly financial in nature, but employees taking sensitive data on the way out to provide themselves with an illegal advantage in their next endeavor are also common.
`
Figure 22. Top misuse varieties in breaches (n=292). Varieties shown: Privilege abuse, Data mishandling, Unapproved workaround, Knowledge abuse, Email misuse, Possession abuse, Unapproved hardware, Unapproved software, Net misuse, Illicit content.

Figure 23. Actor motives in misuse breaches (n=245). Motives shown: Financial, Espionage, Fun, Grudge, Other, Convenience, Ideology, Fear, Secondary.
`
`
`
`16
`
Error

As we see in Figure 24, the top two error varieties are consistent with prior publications, with Misconfiguration increasing at the expense of Loss and Disposal Errors. Sending data to the incorrect recipients (either via email or by mailed documents) is still an issue. Similarly, exposing data on a public website (publishing error) or misconfiguring an asset to allow for unwanted guests also remain prevalent.

Figure 24. Top error varieties in breaches over time, n=100 (2010), n=347 (2018)

Variety              2010    2018    Diff
Misdelivery           32%     37%      +5
Publishing error      16%     21%      +5
Misconfiguration       0%     21%     +21
Loss                  31%      7%     -24
Programming error      0%      5%      +5
Disposal error        14%      5%      -9
Omission               2%      4%      +2
Gaffe                  4%      0%      -4

Affected assets

Workstations, web applications, and surprisingly, mail servers are in the top group of assets affected in data breaches. There is a great deal to be learned about how threat actions associate with assets within the event chains of breaches. We get down to business in Table 1 to pull out some of the more interesting stories the 2019 DBIR data has to tell us.
`
Figure 25. Top asset varieties in breaches (n=1,699). Varieties shown: Server - Mail, User Dev - Desktop, Server - Web application, Server - Database, Media - Documents, Person - End-user, User Dev - Laptop, Server - POS controller, User Dev - POS terminal, Person - Finance.
`
`
`
`17
`
Table 1. Top action and asset variety combinations within breaches (n=2,013)

Action                               Asset                       Count
Hacking - Use of stolen creds        Server - Mail                 340
Social - Phishing                    Server - Mail                 270
Social - Phishing                    User Dev - Desktop            251
Malware - Backdoor                   User Dev - Desktop            229
Malware - C2                         User Dev - Desktop            210
Hacking - Use of backdoor or C2      User Dev - Desktop            208
Malware - Spyware/Keylogger          User Dev - Desktop            103
Malware - Adminware                  User Dev - Desktop             91
Misuse - Privilege abuse             Server - Database              90
Malware - Capture app data           Server - Web application       83
`
The table above does exclude assets where a particular variety was not known. In the majority of phishing breaches, we are not privy to the exact role of the influenced user and thus, Person - Unknown would have been present. We can deduce that phishing of Those Who Cannot Be Named leads to malware installed on desktops or tricking users into providing their credentials.

Most often, those compromised credentials were to cloud-based mail servers. There was an uptick in actors seeking these credentials to compromise a user’s email account. It turns out there are several ways to leverage this newly found access. Actors can launch large phishing campaigns from the account, or if the account owner has a certain degree of clout, send more targeted and elaborate emails to employees who are authorized to pay bogus invoices.

There were also numerous cases where an organization’s email accounts were compromised and the adversary inserted themselves into conversations that centered around payments. At this point, the actors are appropriately positioned to add forwarding rules in order to shut out the real account owner from the conversation. Then they simply inform the other recipients that they need to wire money to a different account on this occasion because…reasons.
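As an added example from the defender's side (not code from the report), here is a small triage check for the forwarding-rule tactic described above, run over constructed mailbox-audit events. The event shape, the organization domain example.com and the payment keyword list are all assumptions; real audit logs from Exchange, Google Workspace and others carry their own field names, so this is the review logic, not a drop-in parser for any product.

```python
ORG_DOMAIN = "example.com"  # assumed: the organization's own mail domain
# Assumed keyword list for the payment-themed conversations the text describes.
PAYMENT_TERMS = {"invoice", "wire", "payment", "remittance", "bank", "account"}

# Constructed audit events in a simplified, generic shape (not a vendor format).
EVENTS = [
    {"ts": "2019-03-04T09:12:00Z", "user": "cfo@example.com", "op": "rule_created",
     "rule": {"name": "Newsletters", "forward_to": [], "delete": False,
              "move_to": "Reading", "subject_contains": ["digest"]}},
    {"ts": "2019-03-04T23:41:00Z", "user": "ap.clerk@example.com", "op": "rule_created",
     "rule": {"name": ".", "forward_to": ["collect@mail-example.net"], "delete": True,
              "move_to": None, "subject_contains": ["invoice", "payment"]}},
    {"ts": "2019-03-05T02:07:00Z", "user": "cfo@example.com", "op": "rule_created",
     "rule": {"name": "Vendors", "forward_to": [], "delete": False,
              "move_to": "RSS Feeds", "subject_contains": ["wire"]}},
    {"ts": "2019-03-05T10:00:00Z", "user": "cfo@example.com", "op": "rule_deleted",
     "rule": {"name": "Newsletters"}},
]


def is_external(address):
    """True when the address is outside the organization's own domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def assess_rule(rule):
    """Return the reasons a newly created inbox rule deserves review
    (an empty list means nothing stood out)."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    # A rule that deletes or files mail away keeps it out of the owner's inbox.
    hides = bool(rule.get("delete")) or bool(rule.get("move_to"))
    payment_terms = [t for t in rule.get("subject_contains", [])
                     if t.lower() in PAYMENT_TERMS]
    if external:
        reasons.append("forwards mail outside the organization: " + ", ".join(external))
    if external and hides:
        reasons.append("forward plus delete/move: the real owner would not see the thread")
    if payment_terms and hides:
        reasons.append("hides payment-related mail: " + ", ".join(payment_terms))
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def triage(events):
    """Pick out rule-creation events worth a look.
    Returns a list of (user, rule name, reasons)."""
    hits = []
    for event in events:
        if event.get("op") != "rule_created":
            continue
        reasons = assess_rule(event["rule"])
        if reasons:
            hits.append((event["user"], event["rule"]["name"], reasons))
    return hits


if __name__ == "__main__":
    for user, name, reasons in triage(EVENTS):
        print(f"{user} created rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```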
`
`
`
`18
`
`Another trend in this year’s data set is a marked shift
`away from going after payment cards via ATM/gas
`pump skimming or Point of Sale systems and towards
`e-commerce applications. The 83 breaches with
`the association of web application and the action of
`type capture application data is one indicator of this
`change. Figure 26 below illustrates how breaches
`with compromised payment cards are becoming
`increasingly about web servers –