2019 Data Breach Investigations Report

Verizon
business ready

WIZ, Inc. EXHIBIT - 1027
WIZ, Inc. v. Orca Security LTD.

A couple of tidbits

Before we formally introduce you to the 2019 Data Breach Investigations Report (DBIR), let us get some clarifications out of the way first to reduce potential ambiguity around terms, labels, and figures that you will find throughout this study.

VERIS resources

The terms “threat actions,” “threat actors,” “varieties,” and “vectors” will be referenced a lot. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here are some select definitions followed by links with more information on the framework and on the enumerations.

Threat actor:
Who is behind the event? This could be the external “bad guy” that launches a phishing campaign, or an employee who leaves sensitive documents in their seat back pocket.

Threat action:
What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. Examples at a high level are hacking a server, installing malware, and influencing human behavior.

Variety:
More specific enumerations of higher level categories - e.g., classifying the external “bad guy” as an organized criminal group, or recording a hacking action as SQL injection or brute force.

Learn more here:
• github.com/vz-risk/dbir/tree/gh-pages/2019 – DBIR figures and figure data.
• veriscommunity.net features information on the framework with examples and enumeration listings.
• github.com/vz-risk/veris features the full VERIS schema.
• github.com/vz-risk/vcdb provides access to our database on publicly disclosed breaches, the VERIS Community Database.
• http://veriscommunity.net/veris_webapp_min.html allows you to record your own incidents and breaches. Don’t fret, it saves any data locally and you only share what you want.

Incident vs. breaches

We talk a lot about incidents and breaches and we use the following definitions:

Incident:
A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach:
An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses 2 to 6 digit codes to classify businesses and organizations. Our analysis is typically done at the 2-digit level and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. 52 is the NAICS code for the Finance and Insurance sector. The overall label of “Financial” is used for brevity within the figures. Detailed information on the codes and classification system is available here:

https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2017

New chart, who dis?

You may notice that the bar chart shown may not be as, well, bar-ish as what you may be used to. Last year we talked a bit in the Methodology section about confidence. When we say a number is X, it’s really X +/- a small amount.

[Figure 1. Top asset variety in breaches. Bars: Server (Just large organization breaches, n=335) and Server (All breaches, n=1,881); axis: Breaches, 0% to 100%.]

This year we’re putting it in the bar charts. The black dot is the value, but the slope gives you an idea of where the real value could be between. In this sample figure we’ve added a few red bars to highlight it, but in 19 bars out of 20 (95%),¹ the real number will be between the two red lines on the bar chart. Notice that as the sample size (n) goes down, the bars get farther apart. If the lower bound of the range on the top bar overlaps with the higher bound of the bar beneath it, they are treated as statistically similar and thus statements that x is more than y will not be proclaimed.

¹ https://en.wikipedia.org/wiki/Confidence_interval
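
The comparison rule described above, worked through as an added example that is not part of the original report: it computes 95% ranges for a proportion at the two sample sizes shown in Figure 1 and applies the overlap test before claiming that one value exceeds another. The Wilson score interval and every count below are assumptions made for illustration; this section does not say which interval method the report uses.

```python
"""Added illustration (not from the report): 95% ranges and the overlap rule."""
import math
from typing import NamedTuple

Z_95 = 1.959963984540054  # two-sided 95% normal quantile, i.e. "19 bars out of 20"


class Interval(NamedTuple):
    point: float  # observed proportion (the "black dot")
    low: float    # lower bound of the 95% range
    high: float   # upper bound of the 95% range

    @property
    def width(self) -> float:
        return self.high - self.low


def wilson_interval(successes: int, n: int, z: float = Z_95) -> Interval:
    """Wilson score interval for a binomial proportion (assumed method)."""
    if n <= 0:
        raise ValueError("sample size n must be positive")
    if not 0 <= successes <= n:
        raise ValueError("successes must be between 0 and n")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    # Clamp so rounding error never yields a bound outside [0, 1].
    return Interval(p, max(0.0, centre - half), min(1.0, centre + half))


def statistically_similar(a: Interval, b: Interval) -> bool:
    """Overlap rule from the text: overlapping ranges are treated as similar."""
    return a.low <= b.high and b.low <= a.high


def compare(label_a: str, a: Interval, label_b: str, b: Interval) -> str:
    """Only state 'x is more than y' when the two ranges do not overlap."""
    if statistically_similar(a, b):
        return f"{label_a} and {label_b} are statistically similar"
    if a.point > b.point:
        return f"{label_a} is more than {label_b}"
    return f"{label_b} is more than {label_a}"


def demo() -> list[str]:
    # Constructed counts; only the sample sizes 335 and 1,881 come from Figure 1.
    large = wilson_interval(211, 335)
    everyone = wilson_interval(1185, 1881)
    # Constructed counts for two categories measured on the same small sample.
    cat_a = wilson_interval(120, 335)
    cat_b = wilson_interval(60, 335)
    # Edge case: zero observations in a tiny sample still has a nonzero upper bound.
    none_seen = wilson_interval(0, 20)
    return [
        f"n=335:   {large.point:.1%} in [{large.low:.1%}, {large.high:.1%}]",
        f"n=1,881: {everyone.point:.1%} in [{everyone.low:.1%}, {everyone.high:.1%}]",
        compare("large organizations", large, "all breaches", everyone),
        compare("category A", cat_a, "category B", cat_b),
        f"0 of 20: range is [{none_seen.low:.1%}, {none_seen.high:.1%}]",
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The smaller sample produces the wider range for nearly the same observed proportion, which is the "bars get farther apart" effect the paragraph describes.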

Questions? Comments? Brilliant ideas?
We want to hear them. Drop us a line at dbir@verizon.com, find us on LinkedIn, tweet @VZEnterprise with the #dbir. Got a data question? Tweet @VZDBIR!

Table of contents

Introduction
Summary of findings
Results and analysis
Unbroken chains
Incident classification patterns and subsets
Data breaches: extended version
Victim demographics and industry analysis
Accommodation and Food Services
Educational Services
Financial and Insurance
Healthcare
Information
Manufacturing
Professional, Technical and Scientific Services
Public Administration
Retail
Wrap up
Year in review
Appendix A: Transnational hacker debriefs
Appendix B: Methodology
Appendix C: Watching the watchers
Appendix D: Contributing organizations

Introduction

“The wound is the place where the light enters you.”
— Rumi

Welcome! Pull up a chair with the 2019 Verizon Data Breach Investigations Report (DBIR). The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident data sets contributed by several security vendors.

This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets also are provided. This affords the reader with yet another means to analyze breaches and to find commonalities above and beyond the incident classification patterns that you may already be acquainted with.

Fear not, however. The nine incident classification patterns are still around, and we continue to focus on how they correlate to industry. In addition to the nine primary patterns, we have created a subset of data to pull out financially-motivated social engineering (FMSE) attacks that do not have a goal of malware installation. Instead, they are more focused on credential theft and duping people into transferring money into adversary-controlled accounts. In addition to comparing industry threat profiles to each other, individual industry sections are once again front and center.

Joining forces with the ever-growing incident/breach corpus, several areas of research using non-incident data sets such as malware blocks, results of phishing training, and vulnerability scanning are also utilized. Leveraging, and sometimes combining, disparate data sources (like honeypots and internet scan research) allows for additional data-driven context.

It is our charge to present information on the common tactics used by attackers against organizations in your industry. The purpose of this study is not to rub salt in the wounds of information security, but to contribute to the “light” that raises awareness and provides the ability to learn from the past. Use it as another arrow in your quiver to win hearts, minds, and security budget. We often hear that this is “required reading” and strive to deliver actionable information in a manner that does not cause drowsiness, fatigue, or any other adverse side effects.

We continue to be encouraged and energized by the coordinated data sharing by our 73 data sources, 66 of which are organizations external to Verizon. This community of data contributors represents an international group of public and private entities willing to support this annual publication. We again thank them for their support, time, and, of course, DATA.

We all have wounds, none of us knows everything, let’s learn from each other.

Excelsior!²

² If you didn’t expect a Stan Lee reference in this report, then you are certainly a first-time reader. Welcome to the party pal!

Summary of findings

Figure 2. Who are the victims?
• 16% were breaches of Public sector entities
• 15% were breaches involving Healthcare organizations
• 10% were breaches of the Financial industry
• 43% of breaches involved small business victims

Figure 3. What tactics are utilized?
• 52% of breaches featured Hacking
• 33% included Social attacks
• 28% involved Malware
• Errors were causal events in 21% of breaches
• 15% were Misuse by authorized users
• Physical actions were present in 4% of breaches

Figure 4. Who’s behind the breaches?
• 69% perpetrated by outsiders
• 34% involved Internal actors
• 2% involved Partners
• 5% featured Multiple parties
• Organized criminal groups were behind 39% of breaches
• Actors identified as nation-state or state-affiliated were involved in 23% of breaches

Figure 5. What are other commonalities?
• 71% of breaches were financially motivated
• 25% of breaches were motivated by the gain of strategic advantage (espionage)
• 32% of breaches involved phishing
• 29% of breaches involved use of stolen credentials
• 56% of breaches took months or longer to discover

Results and analysis

The results found in this and subsequent sections within the report are based on a data set collected from a variety of sources such as publicly-disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and by our external collaborators. The year-to-year data set(s) will have new sources of incident and breach data as we strive to locate and engage with organizations that are willing to share information to improve the diversity and coverage of real-world events. This is a convenience sample, and changes in contributors, both additions and those who were not able to participate this year, will influence the data set. Moreover, potential changes in their areas of focus can stir the pot o’ breaches when we trend over time. All of this means we are not always researching and analyzing the same fish in the same barrel. Still other potential factors that may affect these results are changes in how we subset data and large-scale events that can sometimes influence metrics for a given year. These are all taken into consideration, and acknowledged where necessary, within the text to provide appropriate context to the reader.

With those cards on the table, a year-to-year view of the actors (and their motives),³ followed by changes in threat actions and affected assets over time is once again provided. A deeper dive into the overall results for this year’s data set with an old-school focus on threat action categories follows. Within the threat action results, relevant non-incident data is included to add more awareness regarding the tactics that are in the adversaries’ arsenal.

Defining the threats

Threat actor is the terminology used to describe who was pulling the strings of the breach (or if an error, tripping on them). Actors are broken out into three high-level categories of External, Internal, and Partner. External actors have long been the primary culprits behind confirmed data breaches and this year the trend continues. There are some subsets of data that are removed from the general corpus, notably over 50,000 botnet related breaches. These would have been attributed to external groups and, had they been included, would have further increased the gap between the External and Internal threat.

[Figure 6. Threat actors in breaches over time. Series: External, Internal, Partner; x-axis: 2011 to 2017; y-axis: Breaches, 0% to 80%.]

[Figure 7. Threat actor motives in breaches over time. Series: Financial, Espionage, Other; x-axis: 2011 to 2017; y-axis: Breaches, 0% to 75%.]

³ And we show the whole deck in Appendix B: Methodology.

[Figure 8. Select threat actors in breaches over time. Series: Organized crime, State-affiliated, Cashier, Activist, System Admin; x-axis: 2011 to 2017; y-axis: Breaches, 0% to 80%.]

Financial gain is still the most common motive behind data breaches where a motive is known or applicable (errors are not categorized with any motive). This continued positioning of personal or financial gain at the top is not unexpected. In addition to the botnet breaches that were filtered out, there are other scalable breach types that allow for opportunistic criminals to attack and compromise numerous victims.⁴ Breaches with a strategic advantage as the end goal are well-represented, with one-quarter of the breaches associated with espionage. The ebb and flow of the financial and espionage motives are indicative of changes in the data contributions and the multi-victim sprees.

This year there was a continued reduction in card-present breaches involving point of sale environments and card skimming operations. Similar percentage changes in organized criminal groups and state-affiliated operations are shown in Figure 8 above. Another notable finding (since we are already walking down memory lane) is the bump in Activists, who were somewhat of a one-hit wonder in the 2012 DBIR with regard to confirmed data breaches. We also don’t see much of Cashier (which also encompasses food servers and bank tellers) anymore. System administrators are creeping up and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors. These are either by misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers. Please, close those buckets!

⁴ In Appendix C: “Watching the Watchers”, we refer to these as zero-marginal cost attacks.

[Figure 9. Threat actions in data breaches over time, n=2,501 (2013), n=1,638 (2018). Categories: Hacking, Malware, Social, Error, Misuse, Physical, Environmental; columns: 2018, 2013, DIFF; axis: Breaches.]

[Figure 10. Asset categories in data breaches over time, n=2,294 (2013), n=1,513 (2018). Categories: Server, User Dev, Person, Media, Kiosk/Term, Network; columns: 2018, 2013, DIFF; axis: Breaches.]

Figures 9 and 10 show changes in threat actions and affected assets from 2013 to 2018.⁵,⁶ No, we don’t have some odd affinity for seven-year time frames (as far as you know). Prior years were heavily influenced by payment card breaches featuring automated attacks on POS devices with default credentials, so 2013 was a better representative starting point. The rise in social engineering is evident in both charts, with the action category Social and the related human asset both increasing.

Threat action varieties

When we delve a bit deeper and examine threat actions at the variety level, the proverbial question of “What are the bad guys doing?” starts to become clearer. Figure 11 shows Denial of Service attacks are again at the top of action varieties associated with security incidents, but it is still very rare for DoS to feature in a confirmed data breach. Similarly, Loss, which is short for Lost or misplaced assets, incidents are not labeled as a data breach if the asset lost is a laptop or phone, as there is no feasible way to determine if data was accessed. We allow ourselves to infer data disclosure if the asset involved was printed documents.

Switching over to breaches in Figure 12, phishing and the hacking action variety of use of stolen credentials are prominent fixtures. The next group of three involves the installation and subsequent use of backdoor or Command and Control (C2) malware. These tactics have historically been common facets of data breaches and based on our data, there is still much success to be had there.

⁵ Credit where
