2016 Verizon DBIR: It’s All About the Benjamins, Baby
Since the beginning of the data breach era, which most often is pegged to the disclosure of the ChoicePoint compromise, security analysts have been looking for telltale signs of shifts in the techniques and motives that attackers are using. But after more than a decade of breaches and the collection of data about what’s caused them, what’s become clear is that there’s no magic or mystery behind it.
Attackers are after your money and your intellectual property, and they’re using malware and hacking to get it.
In its latest Data Breach Investigations Report, released this week, Verizon analyzed information from more than 2,200 confirmed breaches and more than 100,000 separate security incidents, and the data shows that hackers are still playing the hits. Of the breaches analyzed in the report, nearly 1,500 of them involved hacking, with malware coming in a close second. These are the same techniques and tools that attackers have been using since the dawn of the Internet, and they’re continuing to succeed with them. This data should come as no surprise, as hacking and malware have held the top two spots in the DBIR since 2009.
Of course, there’s plenty of variety in the hacking techniques and kinds of malware attackers are using, and that has changed over the years. In 2015, the most commonly seen kinds of malware were those that use a command-and-control (C2) infrastructure, malware that exports data, and spyware and keyloggers. In terms of hacking techniques, the top three were the use of stolen credentials, the use of backdoors and C2, and the use of brute-force attacks. In fact, 63% of all of the breaches in the new DBIR involved the use of stolen, weak, or default credentials. That’s a depressingly high number, given how long we’ve known that the use of usernames and passwords as primary authenticators is a bad idea.
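Since brute-force attacks and credential abuse top the report's list of hacking techniques, the defensive counterpart is to watch authentication logs for the two patterns they leave behind: many failures against one account from one source (classic brute force) and a few failures each against many accounts from one source (password spraying, the pattern that fits weak or default credentials). The following is an added example, not code from the DBIR or from Verizon; the log lines are constructed to look like sshd output and the thresholds (5 failures, 4 distinct users) are illustrative assumptions a real deployment would tune.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the report); format loosely modelled on sshd.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 5001 ssh2
Jan 10 10:00:02 host sshd[101]: Failed password for root from 203.0.113.5 port 5002 ssh2
Jan 10 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 5003 ssh2
Jan 10 10:00:04 host sshd[103]: Failed password for root from 203.0.113.5 port 5004 ssh2
Jan 10 10:00:05 host sshd[104]: Failed password for root from 203.0.113.5 port 5005 ssh2
Jan 10 10:00:06 host sshd[105]: Failed password for root from 203.0.113.5 port 5006 ssh2
Jan 10 10:00:07 host sshd[106]: Accepted password for root from 203.0.113.5 port 5007 ssh2
Jan 10 10:01:00 host sshd[200]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Jan 10 10:01:01 host sshd[201]: Failed password for bob from 198.51.100.7 port 6002 ssh2
Jan 10 10:01:02 host sshd[202]: Failed password for carol from 198.51.100.7 port 6003 ssh2
Jan 10 10:01:03 host sshd[203]: Failed password for dave from 198.51.100.7 port 6004 ssh2
Jan 10 10:01:04 host sshd[204]: Failed password for erin from 198.51.100.7 port 6005 ssh2
Jan 10 10:02:00 host sshd[300]: Failed password for alice from 192.0.2.9 port 7001 ssh2
Jan 10 10:02:05 host sshd[301]: Accepted password for alice from 192.0.2.9 port 7002 ssh2
"""

# Matches both the "Failed password" and "Accepted password" sshd message forms.
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log_text):
    """Return one dict per authentication line: result, user, src."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_brute_force(events, threshold=5):
    """Flag (src, user) pairs with >= threshold failures.

    Also records whether a success followed the run of failures, which is the
    signal a responder cares about most: the guessing may have worked.
    """
    failures = defaultdict(int)
    succeeded_after = defaultdict(bool)
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            succeeded_after[key] = True
    return [
        {"src": src, "user": user, "failures": n,
         "succeeded_after": succeeded_after[(src, user)]}
        for (src, user), n in failures.items() if n >= threshold
    ]


def find_password_spraying(events, min_users=4):
    """Flag sources that failed against >= min_users distinct accounts.

    Spraying stays under per-account lockout thresholds, so it only shows up
    when failures are grouped by source rather than by account.
    """
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            users_by_src[ev["src"]].add(ev["user"])
    return [
        {"src": src, "distinct_users": len(users)}
        for src, users in users_by_src.items() if len(users) >= min_users
    ]


def analyze(log_text, brute_threshold=5, spray_min_users=4):
    """Run both detections over a block of log text and return the findings."""
    events = parse_events(log_text)
    return {
        "brute_force": find_brute_force(events, brute_threshold),
        "password_spraying": find_password_spraying(events, spray_min_users),
    }


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind)
        for f in findings:
            print("  ", f)
```

On the constructed sample, 203.0.113.5 is reported as brute-forcing root (six failures followed by an accepted login), 198.51.100.7 is reported as spraying five accounts, and 192.0.2.9 (one typo then a success) is left alone. Grouping by source as well as by account is the point: a per-account lockout counter sees only one or two failures per user during a spray and never fires.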
As little as the tools and tactics used by attackers in data breaches have changed, their motivations have evolved even less. They’re after your money, in one way or another.
“So why do the Actors do what they do? Money, loot, cash, filthy lucre, greed … get the idea? In fact, it can be money even when it’s not money... In the 2013 DBIR it appeared that perhaps the reigning lothario of ‘financial gain’ was in danger of being cast aside in favor of ‘espionage.’ Could such a thing come to pass? No, not really,” the DBIR authors wrote.
In 2013, the percentage of breaches with a financial motivation had dipped from 100% down to about 75%, and those with espionage as the main motivator had crept up to nearly 25%. But those trends have reversed in the last couple of years, as attackers have refocused on pulling in cash for their operations.
And while attackers have continued to hone their skills and get better at stealing our money, they have also improved in how quickly they get into networks and endpoints. In 2015, 81.9% of the breaches involved a compromise that took minutes, and another 11% happened in seconds. Unfortunately, as that number has continued to climb in recent years, the speed at which defenders discover breaches hasn’t kept pace. Much of this has to do with the tactics attackers are using, which are designed to work quickly and get the data out as fast as possible.
“The phishing scenario is going to work quickly, with the dropping of malware via malicious attachments occurring within seconds. Physical compromises of ATMs and gas pumps also happen in seconds. In the majority of confirmed data breaches, the modus operandi of nation-states as well as financially motivated attackers is to establish control via malware and, when successful, it is lightning fast,” the report says.
The lesson, as always, is that if you can defend against the most common attack types, you’re ahead of the game.