Data breach report: 9 attack patterns describe 92% of 100,000 security incidents

Verizon released its 2014 Data Breach Investigations Report.

There are some big changes to Verizon's 2014 Data Breach Investigations Report (DBIR) (pdf), including a deep dive into two different datasets that came from 50 different sources and 95 countries. One set of data looks back at 1,367 confirmed data breaches and 63,437 security incidents from 2013. Another looks back over a decade of data covering about 3,800 data breaches and 100,000 security incidents. Guess what? Nine types of attack patterns accounted for 92% of 100,000 incidents spanning the last 10 years. Put another way by Verizon RISK team researchers, "Nine out of 10 of all breaches can be described by nine basic patterns."

Verizon identified nine incident classification patterns: web app attacks, cyber-espionage, point-of-sale intrusions, insider threats and privilege misuse, payment card skimmers, denial of service attacks, physical theft or lost devices, crimeware, and miscellaneous user errors, with a tenth "everything else" bucket for incidents that fit none of the nine. While the researchers wrote plenty of commentary, there are some astounding graphics in the report.

During 2013, two out of three data breaches involved using stolen passwords or misused credentials. Jay Jacobs, senior analyst and co-author of the report, explained that crooks would much rather "just log in" than try to "compromise every machine."

Verizon called web apps the "proverbial punching bag of the internet." Most web apps are hacked either by exploiting a weakness in the app itself or by attackers using stolen credentials to impersonate a valid user. Most web app attacks in 2013 targeted off-the-shelf content management systems like WordPress or Drupal to gain control of servers for use in DDoS campaigns. 65% of these attacks were for the lulz, which Verizon called "ideology or fun" motives; 33% of the attackers were after financial gain, and 2% were motivated by espionage.

Recommendations for protecting against web app attacks included dumping single-factor password authentication; automating patch deployment for WordPress, Drupal, or other CMS platforms and their third-party plugins, or at least applying patches quickly by hand; validating inputs; monitoring outbound connections; and enforcing lockout policies to discourage brute force attempts.
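The lockout recommendation above is easy to state and easy to get wrong: a fixed "N failures then lock" counter can be reset by a patient attacker, and a naive rule also lets one successful login slip through after the threshold has already been crossed. The following is an added example, not code from the Verizon report or from this article, showing a sliding-window brute-force detector run over constructed Apache combined-format log lines for a WordPress login endpoint. It assumes WordPress' behaviour of answering a failed POST to /wp-login.php with HTTP 200 (re-rendering the form) and a successful one with a 302 redirect; the IP addresses, timestamps, and the 5-failures-in-60-seconds threshold are illustrative choices, not values from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; we only capture the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not from any real server). 203.0.113.7 hammers the
# login form, 198.51.100.4 logs in normally, 192.0.2.9 retries slowly enough
# that it never reaches the threshold inside one window.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:08:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "curl/7.30"
192.0.2.9 - - [10/Mar/2014:08:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "curl/7.30"
192.0.2.9 - - [10/Mar/2014:08:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "curl/7.30"
192.0.2.9 - - [10/Mar/2014:08:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "curl/7.30"
192.0.2.9 - - [10/Mar/2014:08:05:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "curl/7.30"
192.0.2.9 - - [10/Mar/2014:08:05:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "curl/7.30"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path'), int(m.group('status'))


def is_failed_login(method, path, status):
    # Assumption: WordPress re-renders the form with 200 on a failed POST and
    # answers a successful login with a 302 redirect to wp-admin.
    return method == 'POST' and path.startswith('/wp-login.php') and status == 200


def find_lockouts(log_text, threshold=5, window_seconds=60):
    """Map each client IP to the time its failed logins first reached
    `threshold` within a sliding window of `window_seconds`.

    Lines are assumed to be in chronological order, as a live log is."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    lockouts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_failed_login(method, path, status):
            continue
        window = recent[ip]
        window.append(ts)
        # Slide the window: forget failures older than window_seconds.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in lockouts:
            lockouts[ip] = ts
    return lockouts


if __name__ == '__main__':
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f'lock out {ip}: {when.isoformat()}')
```

With the defaults only 203.0.113.7 is flagged, at its fifth failure (08:00:06); 192.0.2.9 never has five failures inside one 60-second window, so it is not locked, which is the kind of slow, distributed guessing a lockout policy alone will not stop and why the report pairs lockouts with dropping single-factor passwords. In production this logic belongs in the login handler or a WAF rule rather than a log post-processor, and the counter should key on the target account as well as the source IP.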

Cyber-espionage was up, too - there were 511 incidents with 306 of those confirmed data disclosure. "We knew it was pervasive," wrote the authors, "but it's a little disconcerting when it triples last year's already much-increased number." 11% of espionage attacks came from organized criminals and 87% came from governments. The U.S. was the largest victim of cyber-espionage in 2013. Eastern Asia was believed to be responsible for 49% of cyber-espionage attacks, 25% were extra sneaky and considered "unattributed," and 21% came from Eastern European actors, "Russian-speaking ones in particular."

Despite the headlines about the massive Target data breach and other RAM scraper attacks, Verizon said the number of POS intrusions has actually decreased over the last several years.

The report includes other terrific eye candy such as the one below that maps industries to specific incident patterns to help businesses understand what threats they likely face. For example, lost or stolen laptops represent the biggest problem for the healthcare sector; establishments like hotels and restaurants are most often victims of point-of-sale intrusions.  

Another DBIR graphic, based on recommendations in the Verizon report, maps critical security controls to incident patterns.

There's a lot to chew on, both in the dataset for 2013 and the dataset covering 10 years. Find out more about the threats and what controls the data breach experts recommend. Get your copy of Verizon's 2014 Data Breach Investigations Report (DBIR) here.


Follow me on Twitter @PrivacyFanatic

Copyright © 2014 IDG Communications, Inc.
