Verizon’s 2019 Data Breach Investigation Report Suggests a Shifting Threat Landscape

It’s that time of year again: Verizon is releasing its Data Breach Investigation Report (DBIR), and security professionals are going to, rightfully, spend the next few days poring over the facts and figures. The DBIR provides a great deal of insight into real security incidents, and the depth and breadth of its scope makes it an invaluable asset to any security team.

Recorded Future was lucky enough to contribute to the report, and we were invited to speak on a webinar with other industry leaders, moderated by the Verizon team. It’s always impressive to see how the report authors are able to derive clear trends and unify the industry while creating meaningful impact for the community.

There are a lot of useful trends in the 2019 report:

  • Cybercrime still dominates all activity
  • 25% of all breaches in the last year were associated with espionage
  • 29% of all breaches involved stolen credentials
  • 32% of all breaches involved phishing campaigns
  • 43% of breaches involved a small business
  • There has been a notable increase in errors caused by system administrators publishing sensitive data in public cloud spaces open to everyone
  • A move in payment card compromises away from point-of-sale (PoS) systems to web applications (for example, Magecart web skimmers)
  • 60% of attacks against web applications involved the compromise of cloud-based email accounts using stolen credentials

Stolen Credentials Present a Growing Problem

One of the big lessons organizations should take away from this year’s report is that stolen credentials are becoming a bigger problem. Figure 1 tracks just some of the incidents that Recorded Future monitored in 2018, but there were many more, including dumps of billions of stolen credentials across a number of different underground sites.

It is important for organizations to monitor for stolen credentials, especially given the tendency of people to reuse passwords across personal and business accounts.

Figure 1 (Stolen Credentials Timeline): Some stolen credentials incidents tracked in the Recorded Future Platform over the past year.

The additional wrinkle of stolen email credentials being used to attack web applications, where there is often little monitoring available to an organization, makes credential monitoring even more important.
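The monitoring recommended above, as an added example that is not Recorded Future's code: it takes a leaked-credential dump in the common `email:password` line format, keeps only entries for the organization's own domains, and reports two things a response team needs for each hit: whether the leaked password still matches the account's current one (so the reset is urgent), and whether the same password also appears under a non-corporate address in the dump (the personal/business reuse the report warns about). The current-password fingerprints, the organization domain and every dump line are constructed assumptions for the example; in a real deployment the comparison runs inside the identity system rather than on exported password material.

```python
"""Match a leaked-credential dump against an organization's own domains.

Added example, not Recorded Future's code. Assumptions: the dump uses the
common ``email:password`` line format, and the identity team can supply a
SHA-256 fingerprint of each account's current password (the hypothetical
CURRENT_FINGERPRINTS table below).
"""
import hashlib
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# email:password, with the domain captured separately; the password may contain ':'
LINE_RE = re.compile(r"^\s*([^:\s@]+@([^:\s@]+))\s*:(.*)$")

ORG_DOMAINS: Set[str] = {"example-corp.test"}  # assumed organization domain

# Constructed sample dump lines (no real accounts or passwords).
SAMPLE_DUMP = [
    "alice@example-corp.test:Winter2018!",
    "bob@example-corp.test:hunter2",
    "carol@personal-mail.test:Winter2018!",   # same password on a personal account
    "this line is not a credential",
    "Bob@Example-Corp.test:hunter2",          # duplicate differing only in case
    "dave@example-corp.test:pa:ss:word",      # password containing the separator
]


def fingerprint(password: str) -> str:
    """SHA-256 hex digest of a password, so comparisons work on fingerprints only."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Hypothetical fingerprints of the passwords currently set on each account.
CURRENT_FINGERPRINTS: Dict[str, str] = {
    "alice@example-corp.test": fingerprint("Winter2018!"),   # unchanged since the leak
    "bob@example-corp.test": fingerprint("Spring2019!"),     # already rotated
    "dave@example-corp.test": fingerprint("pa:ss:word"),
}


class Finding(NamedTuple):
    email: str
    password_still_valid: bool   # leaked password matches the account's current one
    reused_outside_org: bool     # same password seen under a non-corporate address


def parse_dump_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (email, domain, password) or None for lines that are not credentials."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2).lower(), m.group(3)


def find_exposed_accounts(dump_lines: Iterable[str], org_domains: Set[str],
                          current_fingerprints: Dict[str, str]) -> List[Finding]:
    """One Finding per distinct (corporate address, leaked password) pair."""
    parsed = [p for p in (parse_dump_line(ln) for ln in dump_lines) if p is not None]
    # Password fingerprints that appear under addresses outside the organization.
    outside = {fingerprint(pw) for _, dom, pw in parsed if dom not in org_domains}
    findings: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()
    for email, domain, password in parsed:
        if domain not in org_domains:
            continue
        fp = fingerprint(password)
        if (email, fp) in seen:          # de-duplicate repeated entries
            continue
        seen.add((email, fp))
        findings.append(Finding(
            email=email,
            password_still_valid=current_fingerprints.get(email) == fp,
            reused_outside_org=fp in outside,
        ))
    return findings


def run_example() -> List[Finding]:
    return find_exposed_accounts(SAMPLE_DUMP, ORG_DOMAINS, CURRENT_FINGERPRINTS)


if __name__ == "__main__":
    for f in run_example():
        action = "force reset now" if f.password_still_valid else "already rotated"
        print(f"{f.email}: {action}; reused outside org: {f.reused_outside_org}")
```

Run against the constructed dump, alice is reported as still using the leaked password and as sharing it with a personal account, bob's entry is de-duplicated and shows as already rotated, and the malformed line is skipped rather than aborting the run.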

Breaches Affect Large and Small Businesses Alike

In addition to the use of stolen credentials, the fact that small businesses made up 43% of breaches means that organizations cannot assume that they are “too small to be targeted” or that they can’t afford to put security procedures in place. Like it or not, every organization is potentially vulnerable and should take steps to protect their employees and their data.

Compromise of payment card information continues to be a huge problem, but the attack has shifted from PoS systems to skimmers embedded in the web application itself. Known as web skimmers, these were a big problem in 2018 and continue to be heading into 2019. The most well-known of these skimmers, Magecart, has been responsible for a number of payment card compromises.

As shown in Figure 2, the team behind Magecart has struck a number of different targets and managed to steal hundreds of millions of payment cards over their run. They are always finding new targets to go after and new ways to compromise web applications. This looks to be a problem for a considerable time.

Figure 2 (Magecart Timeline): Mentions of Magecart over the past year tracked in the Recorded Future Platform.
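Because a web skimmer has to run its own JavaScript on the payment page, one defensive check is to compare the scripts a checkout page actually loads against a baseline the site owner maintains. The following is an added example, not Recorded Future's code or any vendor's product: it parses a fetched copy of the page, normalizes every external script to its origin, and raises an alert for any origin outside the allowlist or for a change in the number of inline scripts. The page HTML, the page origin and the allowlist are constructed for the example.

```python
"""Compare the scripts loaded by a checkout page against an approved baseline.

Added example, not Recorded Future's code. Assumes a fetched copy of the
page's HTML plus an allowlist of script origins and an expected inline-script
count kept by the site owner (all hypothetical values below).
"""
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse

# Constructed checkout page: two expected scripts, one inline block, and one
# script from an origin that is not on the allowlist.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script>window.cfg = {"currency": "USD"};</script>
<script src="//stats-collector.test/c.js"></script>
</head><body><form id="payment"></form></body></html>"""

PAGE_ORIGIN = "https://www.example-shop.test"                 # assumed
ALLOWED_ORIGINS: Set[str] = {PAGE_ORIGIN, "https://cdn.example-shop.test"}
EXPECTED_INLINE = 1                                           # assumed baseline


class ScriptCollector(HTMLParser):
    """Collect every <script> element: external src values and a count of inline ones."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline_count = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def script_origin(src: str, page_origin: str) -> str:
    """Normalize a script src to scheme://host; relative paths belong to the page itself."""
    u = urlparse(src)
    if u.netloc:
        # Protocol-relative URLs ("//host/x.js") inherit the page's scheme.
        scheme = u.scheme or urlparse(page_origin).scheme
        return f"{scheme}://{u.netloc.lower()}"
    return page_origin


def check_page(html: str, page_origin: str, allowed_origins: Set[str],
               expected_inline: int) -> List[str]:
    """Return alert strings for unexpected script origins or a changed inline count."""
    collector = ScriptCollector()
    collector.feed(html)
    alerts: List[str] = []
    for src in collector.external:
        origin = script_origin(src, page_origin)
        if origin not in allowed_origins:
            alerts.append(f"unexpected script origin {origin} ({src})")
    if collector.inline_count != expected_inline:
        alerts.append(f"inline script count changed: {expected_inline} -> {collector.inline_count}")
    return alerts


def run_example() -> List[str]:
    return check_page(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_ORIGINS, EXPECTED_INLINE)


if __name__ == "__main__":
    for alert in run_example() or ["no deviation from baseline"]:
        print(alert)
```

On the constructed page the two approved scripts and the single inline block pass, and the protocol-relative script from `stats-collector.test` is the one alert. Origin-level matching is deliberate: a skimmer dropped into a new path on an already-approved host would not be caught by this check alone, which is why the inline count and, ideally, a content hash of each approved script belong in the same baseline.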

Long-Term Trends Reveal Shifting Threat Landscape

Some of the long-term trends that Verizon monitors in the DBIR are also interesting. Verizon groups incidents into nine different categories (plus an "everything else" catch-all); the 2019 report lists them in order of how commonly they occurred in 2018:

  • Privilege misuse
  • Denial of service
  • Crimeware
  • Lost and stolen assets
  • Web applications
  • Miscellaneous errors
  • Everything else
  • Cyberespionage
  • Point of sale
  • Payment card skimmers

When Verizon first introduced these categories in 2014 (covering 2013), the top three incident categories were:

  • Miscellaneous errors
  • Crimeware
  • Privilege misuse

In the 2018 report (covering 2017), the top three were:

  • Denial of service
  • Privilege misuse
  • Crimeware

So the types of attacks are changing over time. You can see this reflected in Recorded Future data as well. For example, Figure 3 shows the number of reported distributed denial of service (DDoS) attacks that Recorded Future has recorded over the last five years.

Figure 3 (DDoS Timeline): DDoS incidents tracked over the last five years in the Recorded Future Platform.

The pattern of attacks we recorded roughly mirrors the rise and fall of DDoS incidents in the DBIR reports over the years. Being able to understand which threats are increasing and which are falling off allows organizations to better allocate resources to protect against the current threat landscape.

There is a lot of useful data within the Verizon DBIR, making it well worth the read to understand what the current threats are and understand what organizations can expect in the coming year.