Verizon DBIR 2020: Credential Theft, Phishing, Cloud Attacks

June 9, 2020 David Higgins

Credential Theft and Privileged Access Management

Every year, the security industry at large eagerly awaits the release of the Verizon Data Breach Investigations Report (DBIR). Now in its thirteenth year, the DBIR is widely considered to be one of the industry’s most respected sources of cybersecurity data.

This year’s 119-page report covers a lot of ground, but of course, our team was particularly drawn to insights linked to privileged access and credential abuse. Here’s a look at five themes that stood out:

1. Macro Cybersecurity Trends: Money Is the Number One Motivator

The vast majority of data breaches (86%) were financially motivated, and 72% involved large businesses. Seventy percent of breaches were caused by external actors, with organized crime accounting for more than half (55%). These attackers are homing in on personal data: 58% of breaches involved it, nearly double the figure from a year ago.

When it comes to attacks, three methods account for 67% of all breaches: credential theft, social attacks (such as phishing) and errors. What’s most intriguing about this “attack trifecta” is that 17% of all data breaches were caused by seemingly innocuous human mistakes—representing a 50% jump from 2019.

As businesses adapt to new realities, attackers are shifting away from malware-based attacks to highly targeted ransomware that offers strong lateral movement capability and, ultimately, massive payouts. Report authors note, “Other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence.” According to the report, 27% of malware incidents were ransomware, and the threat is growing in part because ransomware-as-a-service is so easy to purchase and use.

But the DBIR isn’t all doom and gloom. There are some encouraging developments. For example, organizations are getting much better and faster at detecting breaches: 81% were discovered in days or less.

2. Privilege Misuse by Authorized Insiders Highest in Healthcare

This year, Verizon analyzed “privilege misuse” through the specific lens of authorized insiders. The DBIR defines privilege misuse as “intentional actions undertaken by internal employees that result in some form of security incident.” While this analysis does not account for privileged access abuse linked to external actors (who are responsible for 70% of all breaches) or third parties across the supply chain, it does illuminate potential dangers within an organization’s own ranks.

Eight percent of all breaches were caused by privilege misuse by employees. Healthcare “remains the industry with the highest number of internal bad actors, due to greater access to credentials.” Manufacturing and finance sectors follow close behind.

3. Phishing and Credential Theft Are Rampant in the Work-from-Home Era

According to the report, phishing remains the top form of social-driven breach and “schemes are increasingly sophisticated and malicious” as remote work surges. Meanwhile, the use of stolen credentials by external actors is on a meteoric rise. More than 80% of breaches tied to hacking (the number one threat action) involve the use of lost or stolen credentials or brute force.

While these findings are not new or surprising, the DBIR reminds us that attackers nearly always take the path of least resistance by using this tried-and-true approach: start with a phishing scam (96% arrive by email) targeting a user’s endpoint, then easily crack weak passwords or steal credentials stored on the device. Using these credentials, the attacker can move from workstation to workstation in search of sensitive data to steal and privileged credentials (such as local admin rights) that enable escalation to higher-value assets and information.

4. Cloud-Based Data Is Under Attack

Credential theft is a pervasive problem everywhere and the cloud is no exception. The DBIR highlights a year-over-year two-fold increase in web application breaches to 43%. Stolen credentials were used in over 80% of these cases.

As cloud adoption accelerates, attackers are turning to cloud-based data as a “quick and easy route to victims.” Cloud assets were involved in nearly a quarter of all breaches, and 77% of those involved breached credentials.

5. Misconfigurations Put Everything in the Cloud at Risk

Errors won the award for best supporting threat action this year (second only to hacking). Humans have always made mistakes, but the report suggests things are getting worse as “internal end users and system admins make errors as though they were paid to do it.”

Notably, more than 40% of all error-related breaches involved misconfigurations. These happen when a person (usually a system admin or someone else with privileged access) spins up a datastore in the cloud without proper security measures in place to protect the data from unauthorized privileged access.

Attackers can abuse misconfigurations to compromise a single privileged user, then move to compromise a cloud management console, or worse, take full control of the organization’s cloud environment. And, as recent headlines show, your misconfigurations will find you out. The report warns, “There are security researchers out there who spend their time looking for just this kind of opportunity. If you build it, they will come.”

The 2019 Verizon DBIR is based on an analysis of 32,002 security incidents and 3,950 confirmed breaches sourced from cases across 81 countries and 16 sectors. Want to dig in deeper? You can find all the details, including industry- and region-specific attack patterns and trends, in the full report. And to learn how to secure privilege to stop attacks, visit here.
