Incident Classification
Patterns and Subsets

The patterns will be referenced more in the industry sections, but to get acquainted or rekindle a relationship, they are defined below:

Crimeware:
All instances involving malware that did not fit into a more specific pattern. The majority of incidents that comprise this pattern are opportunistic in nature and are financially motivated. 

Notable findings: Command and control (C2) is the most common functionality (47%) in incidents, followed by Ransomware (28%). 

Cyber-Espionage: 
Incidents in this pattern include unauthorized network or system access linked to state-affiliated actors and/or exhibiting the motive of espionage. 

Notable findings: Threat actors attributed to state-affiliated groups or nation-states combine to make up 96% of breaches, with former employees, competitors, and organized criminal groups representing the rest. Phishing was present in 78% of Cyber-Espionage incidents and the installation and use of backdoors and/or C2 malware was found in over 87% of incidents. Breaches involving internal actors are categorized in the Insider and Privilege Misuse pattern. 

Denial of Service: 
Any attack intended to compromise the availability of networks and systems. This includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service. 

Notable findings: This pattern is based on the specific hacking action variety of DoS. The victims in our data set are large organizations over 99 percent of the time. 

Insider and Privilege Misuse: 
All incidents tagged with the action category of Misuse—any unapproved or malicious use of organizational resources—fall within this pattern. 

Notable findings: This is mainly insider misuse, but former and collusive employees as well as partners are present in the data set. 

Miscellaneous Errors: 
Incidents in which unintentional actions directly compromised a security attribute of an asset. 

Notable findings: Misdelivery of sensitive data, publishing data to unintended audiences, and misconfigured servers account for 85% of this pattern. 

Payment Card Skimmers: 
All incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card. 

Notable findings: Physical tampering of ATMs and gas pumps has decreased from last year. This may be attributable to EMV and disruption of card present fraud capabilities.

Point of Sale Intrusions: 
Remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets. Physical tampering of PIN entry device (PED) pads or swapping out devices is covered in the Payment Card Skimmers section. 

Notable findings: The Accommodation industry is still the most common victim within this pattern, although breaches were less common this year. 

Physical Theft and Loss: 
Any incident where an information asset went missing, whether through misplacement or malice. 

Notable findings: The top two assets found in Physical Theft and Loss breaches are paper documents, and laptops. When recorded, the most common location of theft was at the victim work area, or from employee-owned vehicles. 

Web Application Attacks: 
Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. 

Notable findings: Over one half of breaches in this pattern are associated with unauthorized access of cloud-based email servers. 

Everything Else: 
Any incident or breach that was not categorized into one of the nine aforementioned patterns. 

Notable findings: Of the 241 breaches that fell into the Everything Else pattern, 28% are part of the Financially-Motivated Social Engineering attacks subset discussed later in this section.

Patterns within patterns 

There are two subsets of incidents that will be called out when looking at industry breakouts. The increase in mail server (and email account) compromise and the significant dollar losses from social attacks leading to fraudulent payments provided an opportunity to create a Financially-Motivated Social Engineering (FMSE) subset that includes incidents and breaches that would fall into Web Application Attacks or Everything Else. These incidents are included in the main corpus, but we will look at them independently as well. The incidents that comprise the botnet subset are not part of the main data set, due to the sheer volume. These incidents could fall into Crimeware if modeled from the perspective of the malware recipient, or Web applications if the botnet steals credentials from one victim and is used against another organizations’ application. Our data is from the latter, organizations whose systems are logged on via stolen user credentials.
 

Financially-Motivated Social Engineering Subset: 
Financially motivated incidents that resulted in either a data breach or fraudulent transaction that featured a Social action but did not involve malware installation or employee misuse. Financial pretexting and phishing attacks (e.g., Business Email Compromise, W-2 phishing) are included in this subset. 

Notable findings: 370 incidents, 248 of which are confirmed data breaches populate this subset. The incidents are split almost evenly between parent patterns of Everything Else and Web applications. The breaches are closer to a 3:1 Web Application to Everything Else ratio.

Analysis shows 6x fewer Human Resources personnel being impacted in breaches this year. This finding, as correlated with the W-2 scams, almost disappearing from our data set. While this may be due to improved awareness within organizations, our data doesn't offer any definitive answers as to what has caused the drop.

Botnet Subset:
Comprised of over 50,000 instances of customers as victims of banking Trojans or other credential-stealing malware. These are generally low on details and analyzed separately to avoid eclipsing the rest of the main analysis data set. 

Notable findings: 84% of the victims were in Finance and Insurance (52), 10% in Information (51), and 5% in Professional, Scientific, and Technical Services (54). 180 countries and territories are represented in these breaches. Botnets are truly a low- effort attack that knows no boundaries and brings attackers either direct revenue through financial account compromise or infrastructure to work from. 

Secondary Subset: 

Comprised of 6,527 incidents of web applications used for secondary attacks such as DDoS sources or malware hosting. These are legitimate incidents, but low on details and analyzed separately from the main analysis data set.

Notable findings: Many times, these are light on specifics, but we do know that 39% of the time they involved a malware action, with 70% of those being DDoS, and 30% exploiting a vulnerability and downloading additional malware. Attackers need infrastructure too and just like with the botnet subset, when an attacker takes over your web application, your infrastructure just got converted to multi-tenant.