Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
05:25 PM
Connect Directly

85% of Data Breaches Involve Human Interaction: Verizon DBIR

Ransomware, phishing, and Web application attacks all increased during a year in which the majority of attacks involved a human element.

Web application attacks, phishing, and ransomware increased over the past year, emphasizing a shift as attackers took advantage of people working from home and spending more time online amid the COVID-19 pandemic. Most (85%) attacks seen in 2020 involved human interaction.

This is a key takeaway from Verizon's "2021 Data Breach Investigations Report," published today with nearly 120 pages of data, trends, and analysis about a year in which cybercrime accelerated as many other aspects of life slowed down. The latest DBIR analyzes 29,207 "quality incidents," of which 5,258 were confirmed breaches – one-third more compared with last year's report.

The median financial impact of a breach last year was $21,659, with 95% of incidents falling between $826 and $653,587. While many breaches did not lead to losses, those that did had a wide range: Ninety-five percent of computer data breaches that led to losses fell between $148 and $1.6 million, with a median loss of $30,000. The median amount lost to ransomware was $11,150, and the range of losses in 95% of attacks that cost victims ranged from $70 to $1.2 million.

Phishing attacks and ransomware attacks increased by 11% and 6%, respectively, researchers report. 

"Any double-digit increase in the report is big," says Gabe Bassett, senior information security data scientist for the Verizon Security Research team and co-author of this year's Verizon DBIR. "It's a percentage increase, so it has to steal from somewhere else."

Phishing was seen in 25% of breaches in last year's report; this year, it was 36%. Data shows attacks with negative changes in 2020 include misdelivery (-6%), password dumper (-6%), privilege abuse (-5%), misconfiguration (-2%), theft (-2%), vulnerability exploits (-2%), and data mishandling (-2%). While there isn't an exact one-for-one in terms of gains for losses, this helps to explain where phishing and ransomware "stole" from, he notes.

"There's definitely a continued shift for the attackers toward the most efficient attacks and methods of monetization," Bassett continues. "Breaches are moving away from complexity, toward simplicity."

Most attackers are external and financially motivated, and organized crime is the top attacker category, the report states. Even as awareness of supply chain attacks has increased, the overall percentage of attacks with a secondary motive – in which the ultimate goal is to leverage the victim's access, infrastructure, or assets to launch more attacks – has decreased from last year.

Phishing attacks go hand-in-hand with the use of stolen credentials. More than 60% of breaches involved credential data, and 95% of organizations experiencing credential stuffing attacks had between 637 and 3.3 billion malicious login attempts throughout the past year. The use of stolen credentials didn't increase much, he notes, but it was already a large part of breaches.

"Credentials are the skeleton key," Bassett says. Most know stolen credentials are a problem, but what they may not think about is how they spread across attack patterns and enable the start of many different types of data breaches, from phishing campaigns, to stealing the contents of a target mailbox, to a ransomware campaign in which an attacker encrypts then steals data.

The trend toward simplicity is evident in the continued increase of business email compromise (BEC), which followed phishing as the second most common form of social engineering, reflecting a 15x spike in "misrepresentation," a type of integrity breach. BEC doubled last year and again this year. Of the 58% of BEC attacks that successfully stole money, the median loss was $30,000, with 95% of BECs costing between $250 and $984,855, researchers learned.

Of the breaches analyzed, 85% had a human element. This is a broad term that encompasses any attack that involves a social action: phishing, BEC, lost or stolen credentials, using insecure credentials, human error, misuse, and even malware that has to be clicked then downloaded.

"I think it's very easy in security to forget that what we're securing is not the computer. What we're securing is the organization," Bassett explains. "The organization is the people as well."

A Target on Web Applications
Attacks on Web applications made up 39% of all breaches, underscoring the challenges that business face as they move more business functions to the cloud.

Basic Web application attacks, a new attack pattern in this year's DBIR, are those with a small number of steps or additional actions after the initial Web application compromise. These attacks typically target open Web and Web-adjacent interfaces.

"They are very focused on direct objectives, which range from getting access to email and web application data to repurposing the web app for malware distribution, defacement or future DDoS attacks," researchers state in the report.

While most of these attacks involved hacking servers, the report states, there are sub-patterns, such as the use of stolen credentials and brute forcing a Web application to compromise either actual Web apps or Mail servers. Nearly all (96%) Mail servers compromised in these attacks were cloud-based, leading to the compromise of personal, internal, or medical information.

There are two ways to look at the challenges of businesses moving to the cloud, Basset says. The first is, organizations must be careful because there's a new threat model, "but the other is that 'attackers are following me to the cloud because that's where I'll be.'" Transitioning to the cloud changes the security mentality: Traditionally businesses have been focused on securing the computer. When they move to the cloud, that computer is no longer theirs.

"Moving to the cloud refocuses more clearly on the human element," he continues. Now organizations are more focused on protecting the people, their credentials, and how they access resources from outside the organization.

Basset emphasizes the importance of security operations for organizations large and small. One key takeaway from this DBIR and previous reports has been the "spikiness" of security data. There may be a long time between a few short distribution denial-of-source (DDoS) attacks, and then there will be a massive one. Or there could be several small instances of credential stuffing, following by a large one.

Researchers know there's no way to predict the big, one-off security events that are an exception to the norm. They can engineer for the main types of attacks, such as phishing, and those will stop more of the small and unique attacks that happen. However, they can't prepare for the next major cyberattack. That's where operations come into play. Operations "it's people – it's flexible," he says. They are the ones who can help address those exceptional threats.

"You can engineer for the expected, but you need to have ops for the exceptional," Basset says. "You're not going to be able to predict when that big thing happens, so you need to be able to operationally adapt to it."

Alex Pinto, co-author of the DBIR, will further discuss trends from this year's report, and what they mean for organizations, in an interview with Dark Reading editor-in-chief Tim Wilson at the upcoming RSA Conference. A link to the interview is here

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file