EP 86: The 2021 edition of the Verizon Data Breach Investigations Report (DBIR) Part 2
About this episode
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle. And your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake Bernstein: So Kip, what are we going to talk about today?
Kip Boyle: Hey, Jake. Well, today is part two of our now annual Verizon data breach investigation report analysis and discussion. So if you're listening and you heard the last episode, you know that last time we talked through the first two chapters of the report, this very big report, and we took a look at the overall findings. And today we're going to continue to go through the report. We're going to first discuss new attack patterns that are documented. And then we're going to take a look at some industry specific information. So that's what we're going to do. And let's just get going because I think there's so much data here. And you and I are so susceptible to just like, not paying attention to the time at all when we look at stuff like this.
All right. So let's just finish up a little bit from last time. Timeline data. That's new this year, and we should consider it. So first we learned that on an overall basis, discovery time in breaches has fallen quite a lot. So if you think about five years ago in 2016, we're getting better at discovering breaches. We used to be just awful at it. And I wouldn't say we're great at it, but we're better. So that's good, but not really where we need it to be. And it turns out that the types of breaches that take the longest to discover mostly involve insider privilege misuse. So somebody who has access because they're an employee or a contractor, what have you, and they're just exceeding their privileges somehow, maybe they've been over provisioned or maybe they've found some way to cause some other trouble.
But there's some new insights. So this year's data shows that system intrusion is now right up there with privileged misuse. And system intrusion is another one of the longest time to discover types of breaches. So now let's look at the other side. Breaches where it's obvious that something's wrong, where you can most quickly discover that something's bad, clearly have the best statistics. So employees are an effective early warning system for these kinds of breaches. And so the DBIR just says, "Hey, why aren't we training them to be more effective at telling us when something bad's happened instead of ignoring it, or just thinking that, well, this is just some kind of a system glitch. I don't really want to be bothered to call IT?"
Jake Bernstein: Well. And what's interesting about the employee kind of early warning system is, it's oftentimes with the error action pattern where the employee either lost something or screwed up.
Kip Boyle: Well, that's a good motivation to not say anything.
Jake Bernstein: Well, it is. But people are increasingly reporting things early in hopes that it could quickly be contained. So I think my advice here is, why not cultivate those employees to really speak up right away and actually not try to sweep things under the rug just because they know it's their fault? I mean, people are going to screw up. I know it's a hard thing but it would be ideal.
Kip Boyle: It's really hard because a lot of companies don't have a history of thanking people for admitting mistakes. Admitting that you've made a mistake is not something that most people look forward to in most places of employment. So you've either got to have a culture, an entire culture of making it okay for people to do this. Or you just have to hope that the person who did it has a strong individual character where they're willing to say something despite the fact that they're pretty sure it's not going to be received well.
Jake Bernstein: Agreed. And I think that's kind of why the report says, look, it's more important than ever to create the culture that would allow people to report because it's important.
Kip Boyle: Yeah. And there's a term that I like, a blameless postmortem. And we actually saw, in the recent White House executive order, asked for the creation of a national blameless postmortem following any kind of a giant country level cyber attack. And so I think that's good.
Jake Bernstein: Yeah. That is good. Okay. Well, shall we move into the incident classification patterns? Because guess what, this year they have changed things up. Maybe a start, just give us a little bit of history.
Kip Boyle: Yeah, sure. And they do often change the way that they do data analysis and the way they present data based on their own learnings, based on how the data itself is shifting. And so, we just have to accept and expect that this is going to happen. So back in 2014, DBIR introduced the idea of incident classification patterns. And the idea is that they were trying to simplify what would otherwise be really complex combinations of actors, actions, assets and attributes that you typically see. And so, like I said, the data has changed and the patterns have changed. And so, they've updated, they've adapted, they have improvised, they have innovated.
Jake Bernstein: They have indeed. So I think the easiest way to kind of do this is just to take a look at which patterns have been retired. So those ones are payment card skimmers, crimeware, cyber espionage and point of sale. Now, that's not to say that some of these things have disappeared. For example, payment card skimmers has been lumped into the everything else category. But in terms of the overall scheme, a lot of these have been replaced by social engineering and system intrusion. The ones that are back, just to be clear, are denial of service, basic web application attacks, lost and stolen assets (which don't really change; a lost or stolen asset is going to be lost or stolen no matter what), miscellaneous errors, privileged misuse. And then, of course, everything else, which is a big bucket.
Kip Boyle: Yeah, gosh. I'm a typical person in the sense that changes like this kind of like disrupt me a bit. And when they first happen, I don't really like them very much. But at the same time, it's absolutely necessary. I couldn't imagine how useful this report would not be if they still used the same approaches that they did the first time they published. But anyway, there's a lot that has changed and we just have to get used to it. But let me summarize a couple of other changes. So like you said, payment card skimmers is now lumped into everything else. And you mentioned point of sale, crimeware, cyber espionage, everything else. Those are now characteristics of the breach. So we're still going to see them in the data, but now they've sort of reoriented themselves so that they're not really driving the report, but still we can get some insight on them.
Jake Bernstein: So I think that is worth looking at. Let's say that, and this is really complicated. Actually it's not, which is why it works so well. If social engineering was a significant aspect of the breach, then guess where it goes? Into the social engineering pattern. A simple attack where the initial intrusion point was a web application, basic web application attacks. So you kind of see how this works. And something that's more elaborate where the attacker gained access, pokes around, possibly with the point of entry remaining undiscovered, that gets categorized as system intrusion.
And I particularly like the thinking behind retiring cyber espionage and crimeware. Our defense controls do not care if the attacker has a 'cushy government job' or is a free market entrepreneur, in the words of the always entertaining DBIR. This makes sense to me because, really, what's the difference from our perspective? If the person hacking into your system to do a ransomware is a government employee of a country that is not an ally versus an organized criminal, it doesn't really matter. And I think what's more important is how these things happen. And so that is what they've done. And there's a convenient table of the new patterns. I don't think we need to really read it. But it is there if people want to take a look. And I think it's worthwhile.
Kip Boyle: Now, that's figure 47 in the report. So you can flip to that, and orient yourself to these changes that we're talking about. Crimeware, I cannot help but think about my mentor, Don Parker, when I see the term crimeware as opposed to malware, as opposed to software. So in 1998 he published a book. And in that book, he talked about automated crime where you could write software to do all kinds of criminal things. And at the time, I remember thinking that that was just fascinating to me. It kind of made sense, but it still was kind of a groundbreaking thought. You could write software to automate payroll functions. Well, now you could write software to automate criminal behavior. So anyway, just throwing it out there. Crimeware, we loved you, but we're not going to see you anymore in the DBIR.
Okay. So moving on. So there's a lot of data about the incident patterns. But we think that's probably best left to individuals who have a specific interest in that data. So we're not going to really unpack that on the episode today. So let's move on to industry data and see what we can learn. And remember, the idea of industry data here is that when you are in the hospitality industry versus banking, versus manufacturing, you really should be scrutinizing your industry data and using it as a basis for reporting to the board of directors, to senior decision makers. And I think that's just going to increase your credibility. It's going to better prepare you for the specific types of attacks that are commonly observed.
I talk with my customers all the time about the need to prioritize, prioritize, prioritize, because you have a limited budget and you have unlimited risks. So this industry data is going to help you understand what your top risks are. And so that's just risk management goodness. Now, before we start diving into it, one kind of caveat is page 53 of the DBIR for this year. So there's a little snippet about behavioral science and how you could use knowledge of behavioral science to create effective cybersecurity cultures. And you really need to take a look at that. And Jake and I are really thinking about making that a separate episode in the future. So if you look at that, you'll actually be preparing yourself for a future episode. And most importantly, you'll start to think, if you haven't already, about shifting your culture. It really, I think, if I had a dollar to spend to deal with cyber risk and I had all the basic stuff dealt with, all the basic cyber hygiene stuff dealt with, like multi-factor authentication, I would want to spend it on culture shift. It's not easy, but that's where I'd want to spend it.
Jake Bernstein: Yeah, I totally agree. And I'm pretty convinced that we will do this episode. I think as a sneak peek and kind of teaser, Verizon Media, overall conglomerate, actually says in this page here that it believes the simulations and training offered by most security education teams do not mimic real life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks that the organization receives. That's a little bit of an indictment of a fairly extensive industry. And I think it's fascinating as to why they say that they really want-
Kip Boyle: Yeah. I agree. It's a really weak soup that we're serving up to people, awareness. I don't care much about awareness. I want you to do stuff. I want you to see things for what they are, and I want you to do something about it. I want action. I don't want just awareness. This is, I think, the inertia of initial trainings that we did 20, 25 years ago, where we were just trying to broach the subject in a gentle way without freaking people out or whatnot. So it's like, Hey, we just want you to have some awareness of what's going on. Well, we're long past the awareness stage. And I know we've got some phishing simulators out there that we can use to actually train people. And I think that's good as far as it goes. But what we really need, and we've talked about this so many times, we need readiness. We need plans and we need to practice those plans. We actually need to change behavior that way. So anyway, off my soapbox.
Jake Bernstein: Yeah. Well, don't worry. You'll get a chance to get on that soapbox, very much so. So table four, on page 65. This is kind of the overview of the industry numbers. What's really interesting and striking here is that very first line, it says total, which normally would be not as interesting. But in this case, you can see that, of the incidents, there's a total of 29,207 like we said last time. 27,351 of those, we don't know if it's a small or medium sized business.
And again, remember the DBIR team has very exacting standards on data quality. And so, I appreciate them being open here. You might wonder, well, how can you not know what the size of the company is? Well, someone has to tell you. And if they don't tell you, then you don't know. And the situation is only marginally better with breaches. 5,258, total. 4,688, we don't know if they're small or large. So it's still enough numbers to get useful information, which we'll talk about at the very, very end of the differences between large and then SMBs. But I did want to kind of bring that to everyone's attention there.
Kip Boyle: Yes. Well, I don't know. I'm holding myself back because I want to unpack that.
Jake Bernstein: We'll get there.
Kip Boyle: Yeah, yeah, yeah, yeah. Okay. So we'll get there. I will defer.
Jake Bernstein: Yeah. And then, just to let people know, pages 66 and 67 kind of contain the full kind of grand overview of breaches and incident patterns. It breaks it down on the, what is that? The X axis has the industry code. And then it's broken between the asset, action and pattern. So you can really get a ton of information just from these two figures. So I don't know that, because it's difficult to discuss something visually on a podcast, gosh, if there was only a way to fix that, Kip.
Kip Boyle: Ladies and gentlemen, that's Jake admitting that I've been pestering him for months now to go video on this podcast. So there you go. Little inside podcast information right there.
Jake Bernstein: Yeah. Regardless, they're there for everyone to look at. That's just kind of where you need to look. All right, Kip, why don't you take us through our first specific industry that tends to be common to our client base?
Kip Boyle: Yeah, absolutely. Now we're not going to cover all the industries, but we're going to cover the ones that we're most familiar with. So financial and insurance as an industry. So there's a code, there's a coding system that is being used here that's super helpful, NAICS. Excuse me. And that's the North American Industry Classification System. So if you are listening and you're located in North America, these codes are probably not as relevant. But they're still very useful for understanding different industries, assuming that your country has similar industries. They probably do. But I just wanted to let you know that this is how things are being broken out.
So NAICS 52, financial and insurance. So the interesting find this year in the report is that 44% of all breaches, not incidents. Remember, a breach and an incident have separate definitions, and breaches are a subset of incidents. So 44% of all breaches were caused by internal actors. So think about it. 44% are caused by people internal. In other words, trusted people, people you've vetted, who are on your team, are behind 44% of all breaches in this industry. Now, I'm not telling you this to make you paranoid, these are errors. Many of them are really errors. So the majority of them are just people sending it. But it could be as simple as people on your team sending an email to the wrong person. So we're not talking about malicious insiders exclusively. We're just talking about people just making mistakes for the most part. And then the other thing. You were going to say something, Jake?
Jake Bernstein: I do. I just want to quickly highlight that it's important to remember that a lot of these breaches and these incidents are caused by internal actors. And in the vast majority of cases, that just means human error, a mistake. I think it's really important to remember that this is why, again maybe foreshadowing to that culture episode, is just so important. People do make mistakes. And you can't eliminate that.
Kip Boyle: Not completely, no. But I mean, you can train people to increase their reliability. That's what training is all about. And certainly, practice. Practice, practice, practice. When you practice stuff, your error rate will go down. Now, the other thing about insider threats. So you've got errors. I also want to make sure that you understand that if I receive a phishing email and I actually follow its instructions, that's still an error. But it's an error not brought on by my own lack of attention to detail so much as it is brought on by that I've been manipulated by an outsider. So I'm still an insider threat because I'm allowing myself to be manipulated by an outsider. So I just want to point that out as well.
So another thing that I want to say about financial and insurance as an industry that pops out from this report is that 74% of breaches are discovered by external parties. So three quarters of all breaches are not discovered by the people who actually caused those breaches. And that's been true for a long time, is that the majority of breach discovery does not come from the people responsible for it.
Jake Bernstein: No, hold on. I think you misspoke. 74% of breaches are discovered by not the victim. So hold on. Let's restate that just to make sure no one's confused. 74% of breaches are discovered by external parties. 38% are actually the bad guys themselves saying, "Hey, I'm in your system." And 36% are a notification from monitoring services. So only 24%, or 26%, I guess it is, are discovered by the victim. That's the key finding.
Kip Boyle: But hold on. Victim. So let's define victim. So in a data breach, the victim, I don't think of the victim as primarily the company that fumbled the ball. Rather, I think the victim is the people whose data was compromised. So, how are you defining victim?
Jake Bernstein: Well, so I'm using victim there as the entity that was attacked.
Kip Boyle: Okay. So the business or the organization.
Jake Bernstein: There are multiple victims. The business or the organization. The target of the attacker.
Kip Boyle: The target of the attack. Okay. Well, yeah. This is why you need precise language. I can see.
Jake Bernstein: Defined terms, again. See why it's so important.
Kip Boyle: Yeah. For sure. All right. So that's financial and insurance. We could obviously talk a long, long time about any one of these. Let's move on to the next one, which I think is healthcare. Right, Jake?
Jake Bernstein: It is healthcare indeed. So this is N-A-I-C-S or NAICS Code 62. Similar issues here, basic human error, misdelivery, whether it's email or physical mail, interestingly enough, physical items, is the most common type of error. Ransomware is a big hit, obviously. That's no surprise. There wasn't a ton to say about healthcare this year, except one piece of good news, is that malicious internal action types have dropped off yet again, I think for the third year in a row and are no longer in the top three for this area.
Kip Boyle: Well, that's good.
Jake Bernstein: That is good. So healthcare-
Kip Boyle: Pretty much the way it was last year for healthcare.
Jake Bernstein: Pretty much the way it was. Really, again, human error being an issue. One thing that is interesting is that for some unknown reason, personal data has actually overtaken medical information as the type of information taken. Which is interesting, just because you would think if you're going to have medical data, you'd think it would come from the healthcare industry. So, the report writers found that interesting as well.
Kip Boyle: Well, if you work in the healthcare industry, then you need to dig into this. Unpack this a little bit more. Get really, really familiar with the industry specific data for yourself. Let's turn our attention now to NAICS 51. And I almost feel like we could do a quiz based just on the NAICS codes, but that's information. The information industry, which is varied in terms of its makeup. But the information industry has been in the news a lot lately. So they were talking about technology companies and so forth like SolarWinds and Kaseya. So these are digital supply chain attacks, for example, that have happened in the last few months. God, this industry just seems to struggle with credential stealing, botnets. Errors resulting from misconfiguration are also depressingly common. And it's like the cobbler's kids have no shoes. I don't know if people know what a cobbler is anymore. I guess I should probably upgrade my analogy. So a cobbler is somebody who makes shoes. And we don't have those anymore.
But the idea is that these information industry participants like technology companies really should have their act together. They know more about this than their customers do, or at least that's the presumption. But it's concerning that external actors typically deliver the news that a breach has occurred. And in 50% of the cases, it's the bad actors themselves who alert the victim. So it's not just that they're kind of their own worst enemy, but they don't even realize until somebody tells them in half the cases. And by the way, denial of service, this is the industry that seems to really be victimized by denial of service attacks more than any other. So we're talking like 90% of all the hacking actions observed for information are showing up in this category. Am I reading that correctly?
Jake Bernstein: Yeah. And that's not really surprising. These are your servers, your kind of infrastructure companies. So this is where you crosstalk.
Kip Boyle: Like a SaaS provider, software as a service. I mean your website is your-
Jake Bernstein: SaaS provider. Exactly. Obviously, denial of service can occur anywhere, but this would definitely be the place to go for it. Okay. Manufacturing, code 31 through 33. Really, two main patterns here, social engineering and ransomware. For some reason, they decided to give this industry a new little attack life cycle chart. And that allows us to give you the following hard hitting insights. Breaches tend to start with social engineering via phishing or hacking via, usually, use of stolen credentials. They continue with malware and additional stolen credentials with hacking. And the vast majority are ending with ransomware.
And so, I think the idea here is these attack life cycle chart breakdowns, I think, do give you clues as to how to defend against the most common type of attack. So manufacturing has really been hit recently. It was JBS Meat Packing plants a few months ago. Just lots and lots of manufacturing attacks. And I think it tends to be that, generally speaking, these aren't 'technology companies'. And they tend to have a blind spot. It would be good to have them remember more often that if they go down, then there are no goods flowing into the economy. So that's bad.
Kip Boyle: Yeah. Manufacturers, they have three codes, 31, 32 and 33, which tells you how abundant they are that they actually have to have three separate codes. And they're all-
Jake Bernstein: Or how old this classification system is.
Kip Boyle: Okay. Maybe a combination of both. But I popularly thought of manufacturing as like heavy industry, like steel or automobiles or something like that. But if you grow fruit and you pack that fruit into boxes, or you are a dairy farmer and you put milk into containers and send them out to stores, those are forms of manufacturing. You may not be doing much to the apple that you are packing-
Jake Bernstein: Well, there is an agriculture code.
Kip Boyle: But I'm speaking more generally. Anytime you have an assembly line, a packing line, anything like that, where-
Jake Bernstein: Oh, yes, yes, definitely.
Kip Boyle: Materials come in one door, finished materials go out another door. I'm just speaking very, very generally. You need to pay attention to this data here, is the point that I'm getting at. Because ransomware, 61.2%, that's the whole point. The whole point is you've lost control of your technology. And you may not think of yourselves as a technology company. I guarantee you, I see this over and over and over again. I've had apple growers say to me like, "Hey, we're farmers. We don't want to be tech experts." And I'm like, "Well, you're actually a technology company that happens to deal in cherries or whatever, because you can't survive without your computer controlled packing lines. And can't wash your fruit and get it into a box or a bag or whatever without a computer. So you really are a technology company. You just don't recognize that that change has happened to you yet." Sometimes we're our own worst enemy.
Anyway. So I seem to be getting on my soapbox a lot today. Maybe I do that all the time and I'm just realizing it. Okay, we're ready to move on to another area? This is NAICS 54. So 54 is labeled as professional, scientific and technical services. And let's take a look at that. 1,892 incidents, 630 breaches, so about a third. And system intrusion, social engineering, and basic web application attacks. You put all those together, that's 81% of all the breaches for this industry. Credentials are most commonly compromised, and they help complete a ransomware attack. So the ransomware plus confirmed breach pattern is really strong in this industry. Very evident social engineering, also a major pattern.
Jake Bernstein: Yeah. And the ransomware plus confirmed breach, that's the whole double or so called ransomware 2.0 idea where it's not, just to make sure that having a backup isn't going to be enough to get you out of their grip, they're also going to threaten to release the information. So that's what that's referring to.
Kip Boyle: Yeah. That's right. So you could restore control over your systems and still feel under threat because oh man, they got our customer records and they're going to auction them off to the highest bidder. And if you look at the Happy Blog, which you've got to use a Tor browser to get to. But you can see REvil's parade of victims whose records they are auctioning off. And we mentioned this when we did the continuing legal education back on June 23rd. And you can get that replay if you go onto YouTube. But anyway, so that's what's going on here. And it seems to be pretty effective in favor of the criminals.
So that's the last industry that we specifically wanted to focus on in today's episode. There's more. And we haven't even scratched really the depth of data and insight in each one of these areas. So get your DBIR, crack it open and start digging, ladies and gentlemen. Well, let's see, what else do we got to talk about before we wrap up this episode?
Jake Bernstein: Now you get to do your SMB breaches. So one more soapbox.
Kip Boyle: Oh, yes. Okay. Small medium business. So breaches affecting small medium businesses. So the confirmed numbers aren't very high here in the report. But they could be. You had said it earlier, Jake, where they had a lot of information, but they weren't really sure about the sizes of these companies. And I find that's kind of surprising. I wonder if that was just a lack of resources to do the research. Because when you go on LinkedIn, for example, and you pull up a company profile, it's pretty clear how big they are. The precision of the data may not be all that great. Maybe they've got 75 employees and LinkedIn's only showing 62 or whatever. But I mean, just as far as putting them in a bucket labeled SMB, I would think it'd be pretty straightforward, Dun and Bradstreet. There's got to be other places where you can figure that out. But again, maybe it's just allocation of resources. They have a lot of data they have to comb through. I don't know, maybe they'll figure out a way to get through that.
But in any event, here's the point, here's the takeaway. You look at this report, and you have to be impressed with the fact that being a small or a medium sized business is not any kind of a safe harbor for you. It's not getting safer. I don't know that it's been safe to be an SMB for several years now. With automated cyber attacks, it doesn't matter how big you are. The cyber criminals are just using automation to examine IP addresses. And they don't necessarily know which IP address belongs to whomever. I don't think they really stop to think about that. They just start plowing through IP addresses, looking for the vulnerabilities that would allow them to conduct their attacks. So being small or medium is in no way, again, a safe harbor for you.
So if you're listening to this podcast, you probably don't believe that. Because the people who believe that they're in a safe harbor probably don't think that they have any reason to be listening to a podcast like this. So probably this is preaching to the choir. But if you know somebody who is a senior decision maker at an SMB org, maybe you should encourage them to just listen to this episode, maybe just the last five minutes. I don't know. Maybe it'll help.
Jake Bernstein: Yeah. I don't know. I think there's so many wake up calls for SMBs here. The one area where large business has kind of gotten better is that they are discovering breaches faster. But it's not a huge, huge differential.
Kip Boyle: I think the big wake up call, to the extent that there is going to be one, probably has to do with the Kaseya ransomware attack from early July 2021. And we'll probably do a future episode once the details of that become completely clear. At the time that we're recording this, the details are not totally clear. But what we are seeing is a strong suspicion that the majority of the victims are small, medium businesses. And that they got that way because of their use of a vulnerable IT service provider. So again, we'll unpack that later on. But it's looking like this is going to be the case study for a long time to come to prove this point that a small, medium business is not the same as a safe harbor from cyber attacks.
Jake Bernstein: Definitely agree.
Kip Boyle: Any final comments, Jake, or is that a wrap?
Jake Bernstein: Download your copy and take a look.
Kip Boyle: Yep. All right. So I am in fact going to declare that we have wrapped up this episode of the Cyber Risk Management Podcast. And today we did part two of our analysis of the 2021 edition of the Verizon data breach investigations report to see what we could learn and to tease you, our audience, into getting your own copy and doing your own research and using it to justify your cyber risk management program. Thanks, everybody. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.