Graydon McKee Site Logo

My thoughts on the 2021 Verizon DBIR

This Article is primarily hosted on LinkedIn.

Verizon has recently released their annual
Data Breach Investigations Report (DBIR) and after reading it over, I thought I’d share with you my thoughts on what I consider to be the most important aspect of their findings. Let me say though that while you may find my interpretation useful, you should take the time to read the full report for yourself. Only you will be able to see those facts that are pertinent to your environment. This insight is invaluable in communicating the “so what” to your organization.

Verizon’s 2021 report, the 14th iteration, analyzed over 29,000 incidents; 5,258 of which were qualified breaches. Their analysis identified two new patterns in the Social Engineering and System Intrusion clusters as well as updated some previously identified cluster patterns. 

Now, I'm the type of person who doesn’t like long lists of priorities. The reason for this is, as the number of priorities grows, it becomes more of a list than a priority. My experience tells me that the vast majority of organizations out there can really only focus on two (2) priorities in a given budget cycle, three (3) maximum. 

Looking at the DBIR, I see two patterns that I feel most organizations can tackle in a single budget cycle. Those are the patterns of Social Engineering and Basic Web Application Attacks. Verizon listed the most prevalent patterns found in both the overall data set (29,206 incidents) and verified breaches (5,275). Social Engineering ranked third in the overall dataset and number one in actual breaches. Basic Web Application Attacks ranked second in the overall dataset and number two in actual breaches.

The top five patterns in the overall data set were:

  1. Denial of Service,
  2. Basic Web Application Attacks,
  3. Social Engineering,
  4. System Intrusion, and
  5. Lost and Stolen Assets. 

The top five patterns in the verified breach data set were:

  1. Social Engineering,
  2. Basic Web Application Attacks,
  3. System Intrusion, and
  4. Miscellaneous Errors

The reason I’m focusing on Social Engineering and Basic Web Application Attacks is because my experience tells me that preventative investment these categories will yield the greatest improvement in an organizations ability to weather ups and downs of the perpetual storm of security challenges facing organizations today. To use business terms, investment into these areas will yield the greatest return on investment in both the near term and the long term. Yes, other investments will be needed but focus on these first to build the right foundation. 

Let me focus in on each of these one at a time.

Social Engineering
Verizon defines Social Engineering as the “psychological compromise of a person , which alters their behavior into taking an action or breaching confidentiality.” Verizon found these patterns in 3,841 incidents (1,767 of which were verified breaches). The threat actors were all external and primarily motivated by money (94%) and espionage (6%). The data that was compromised was mostly credentials (85%). Verizon didn’t go further with this but experience tells me that proprietary, confidential, and sensitive data was also impacted once valid credentials were obtained. In order to combat Social Engineering attacks, investment should focus on employee training and awareness augmented by some technical controls around phishing and link sandboxing. 

Basic Web Application Attacks

Verizon defines Basic Web Application Attacks as “simple web application attacks with a small number of steps/additional actions after the initial web application compromise.” Don’t be fooled by the use of the word “basic” here. These are focused attacks which cover the spectrum of getting access to email to repurposing a web site/application for malware distribution. Verizon found these patterns in 4,862 incidents (1,384 of which were verified breaches). Again the threat actors were all external and primarily motivated by money (89%) and espionage (7%). (Interestingly, Verizon also noted the motivations of Grudge (2%) and Fun (1%) as identified motivations.) The data that was compromised was mostly credentials (80%) followed by Personal (53%) information. In order to combat Basic Web Application Attacks, investment in this category should also begin with the training of your developers. The better trained developers are in secure coding practices, the less likely there will be vulnerabilities in the code. Technical controls would also augment the training and should consist of vulnerability scanners, penetration tests, and web application firewalls among others.

This is getting long but before I wrap up let me say that employee and developer training shouldn’t consist of a short course once a year followed by reminder emails and the occasional lunch and learn. Employee and Developer training should be engaging, varied, frequent and employ gamification to be effective. This is a topic I will address in my next post.

In summation, I chose to focus on the two top “take-away” items from this years DBIR. There are many, many more items of interest in the full report.  Again I urge you to
read the full report for yourself. The report covers 118 pages and just cannot be fully summarized in 1,000 words or less. 

If you would like to comment, please do so on LinkedIn.
Here is the Link.