Jacob Kaplan-Moss

2021 DBIR Highlights

The 2021 edition of Verizon’s Data Breach Investigations Report (DBIR) is out – you can read it here.

I read the DBIR every year. It’s based on a large data set of real incidents and breaches, and the report is one of the only analyses of real-world security failures that reaches any sort of scientific rigor. True, the DBIR isn’t without problems; it’s somewhat controversial within the security industry. So I read with a critical eye… but I still read.

Here are some of the highlights from the 2021 edition, with my commentary:

Breaches caused by active vulnerability exploits are rare

Only 3% of breaches involved vulnerability exploitation (p. 7). This figure stands in stark contrast to a security industry heavily focused on vulnerabilities; “scan & patch” is sometimes the only thing a security organization does. This figure suggests we need to shift the focus of our security work from purely looking at vulnerabilities to thinking more holistically about risk.

Of course, the counterpoint is SolarWinds: the unpatched vulnerabilities in Microsoft and VMware products were a key part of what made that breach so devastating.

So there’s a balance we need to figure out. Breaches involving unpatched vulnerabilities are rare, and most organizations probably overinvest in scan & patch programs. Some of that budget and time should be shifted to mitigating other risks. I don’t believe this 3% figure means we should stop or slow down patching. But I do believe most organizations need to figure out ways to make vulnerability upgrading cheap and fast, so they can treat it as table stakes and move on to more likely risk scenarios.

Most attacks are financially motivated

In 2020, 80% of (attributed) attacks came from organized crime groups; 70% of all attacks had financial motivation (p. 12).

Financial motivation has been a major part of cybercrime for years, and this continues to increase. It’s now a thriving business sector in its own right.

What this means for organizations is that your primary threat model should be financial. You should consider carefully how attackers will make money by attacking you. Will they:

  • go after PII or other data they can sell?
  • compromise your infrastructure and use it to mine cryptocurrencies?
  • target you with ransomware, hoping you have poor backups and will thus be forced to pay?
  • launch a DDoS and try to get you to pay them to stop?

Focus on where attackers can extract value from you; that’s probably your most likely risk scenario.

Ransomware is on the rise

The Colonial Pipeline breach is fresh in the news, and it represents an increasingly-common attack pattern. Ransomware attacks continue to climb year-over-year; they now account for 10% of security incidents (p. 55). This is not unrelated to the previous point: “monetization through Ransomware seems to have become the preferred method” of extracting cash from a target (p. 57). The dirty secret of ransomware attacks is that almost everybody pays.

How are your backups? If you had to pave and restore some production servers or company laptops today, how much data would you lose? Remember: if you haven’t successfully restored from backups, you don’t really have backups.

MFA – particularly Webauthn – is perhaps the single most important mitigation

About 40% of attacks involve phishing, and ~20% involve stolen credentials (p. 15).

Webauthn (aka FIDO/U2F) was specifically designed to mitigate phishing and credential-stuffing. More broadly, any sort of MFA protects against these attacks to some degree.

So, implementing MFA, and particularly Webauthn, is probably the best single investment in security mitigation you can make. It’s reasonably simple and cheap to implement and protects against many of your most likely risk scenarios. If you’re not already requiring MFA on all important systems, and Yubikeys (or similar) for the most critical ones, that should probably be your top defensive priority.

Denial-of-service is on the rise, but you can easily prepare for it

60% of incidents involved DoS – a figure that continues to climb year over year (p. 15). “DDoS for ransom” is now something of a trend: attackers will launch a denial-of-service attack, and promise to stop if you pay them (this happened to Garmin in 2020).

However, 95% of DoS attacks were under 99GBps (p. 35), which is something a competent SRE team and upstream mitigation provider can handle. There’s no reason you shouldn’t be able to prepare for and handle all but the most extreme DoS attacks.

Quantifying the impact of breaches remains difficult

One of the largest challenges facing the security industry as a whole is that it’s terrifically hard to accurately quantify impact. This makes most discussions of security mitigations difficult: if the CISO asks for $100k to mitigate some risk, but can’t quantify what the risk might cost or what the ROI might be, that budget request will be decided by superstition and feelings, not facts.

The DBIR attempts to quantify risk, but – like everyone else – doesn’t get very far. It scopes “impact” narrowly, just measuring purely financial impact, and even then the numbers are hard to interpret:

  • Many incidents have no measurable financial impact. 42% of email compromises, 76% of data breaches, and 90% of ransomware breaches didn’t result in any financial impact! (p. 25)

  • Of breaches that did have a loss, the ranges are huge. Ransomware attacks, for example, had a median loss of $11,150, but the 95% confidence interval is $70 - $1.2 million (p. 25).

  • Breaches did have a measurable impact on public companies' stock prices: on average companies took about a 5% haircut following a breach (p. 26). However, again, the confidence interval is huge: the 95% CI is -48% to +39% (p. 27).

  • None of these numbers include costs borne by customers (e.g. identity theft following a data breach); costs incurred on forensics or incident response; or other internal staff costs (legal, engineering, etc.).

So despite this data, it’s still not obvious how to make any decisions about how to quantify impact (and hence risk). The DBIR suggests that you “be prepared for the most common 95% of impacts”, which they simulate as costing up to $650k (p. 27). I suppose this is as reasonable a place to start as anything, but it still feels disappointingly vague.

Until we can do a better job here, our industry will, unfortunately, continue to be driven by cargo cults, “best practices”, and outright guesswork.

One of the more useful (but hard to summarize) parts of the report is the set of breakdowns by industry (p. 64-87). These sections are quite useful to read if you’re trying to build up a threat model or risk profile for your organization. Find the industry that most closely matches your business and tailor your expected scenarios and attacker profiles accordingly.

On the other hand, while in previous years small (under 1,000 employees) and large (over 1,000) organizations showed different breach patterns, this doesn’t appear to be true anymore. “The top [breach] patterns have aligned across both org sizes” (p. 89). This is connected to the rise of financial motivation: “both [sizes] are being targeted by financially motivated organized crime actors” (p. 90), who are indiscriminate in target selection.

This is bad news for smaller companies: they’re just as big a target, but have proportionally less to invest in security.

What were your takeaways?

Anything else I missed that you thought was interesting? Drop me a line: jacob at this domain.