Results and Analysis: Introduction

Our findings indicate that data compromises are considerably more likely to result from external attacks than from any other source. Nearly three out of four cases yielded evidence pointing outside the victim organization. In keeping with other studies revealing risks inherent to the extended enterprise business partners were involved in 39 percent of the data breaches handled by our investigators. Internal sources accounted for the fewest number of incidents (18 percent), trailing those of external origin by a ratio of four to one.

The relative infrequency of data breaches attributed to insiders may be surprising to some. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources. While certainly true for the broad range of security incidents, our caseload showed otherwise for incidents resulting in data compromise. This finding, of course, should be considered in light of the fact that insiders are adept at keeping their activities secret. (2008 DBIR)

Some things haven’t changed since we first began publishing this report back in 2008 (For those of you who need context, the original iPhone had been released only one year prior). The 2008 cyber² security world, with limited access to handheld wonder machines, held the belief that insider incidents outnumbered external ones, or at least felt it was “certainly true for the broad range of security incidents.” As we look back now, with the benefit (?) of 15 years of time-wasting apps, considerably more gray hair and a few chips off the collective Infosec shoulders, we can confidently state that External actors are consistently more common than Internal, with 80% of breaches being caused by those external to the organization, as seen in Figure 11. 

The median size (as measured in the number of compromised records) for an insider by more than 10 to one. Likewise, incidents involving partners tend to be substantially larger than those caused by external sources. This supports the principle that privileged parties are able to do more damage to the organization than outsiders. (2008 DBIR)

Bottom line: most data thieves are professional criminals deliberately trying to steal information they can turn into cash. Like we said—same ol’ story. It’s not the whole story, however, nor is it the most important one. The most significant change we saw in 2011 was the rise of “hacktivism” against larger organizations worldwide. The frequency and regularity of cases tied to activist groups that came through our doors in 2011 exceeded the number worked in all previous years combined (2015 DBIR)

In the 2008 report, the number of records breached was the metric of choice. Now that we are a bit further into the 21st century, the currency of impact is the metric du jour. Though records are still of interest, they are typically not viewed with the same level of importance as in past years. In 2008 the median internal breach nabbed 375,000 records, as you can see in Figure 13, this year it’s only 80,000³. While it appears the number of records is decreasing, it is important to keep in mind that a number of changes have taken place both in this report and within the industry at large. Therefore, the change in record count could be reflective of the fact that there are now more ways for attackers to monetize data. 

Motive, for the most part, was not an initial topic of analysis for the DBIR (although in 2008 we did consider it in the context of targeted vs opportunistic breaches). In 2010, we stated “Today’s cybercriminals are not hobbyists seeking knowledge or thrills; they are motivated by the illicit profits possible in online crime.” While that may seem obvious to today’s readers, it is important to remember that at that time the stereotypical “let me hack this site from my mom’s basement to impress my bros” type of activity was believed by many to account for a certain proportion of breaches. Regardless, the motive of the threat actor is important to understand in order to attempt to quantify how many of our troubles are caused by the illicit economy, personal vendettas or by accidental blunders.

Financial has been the top motive since we began to track it in 2015. However, that same year the rise of hacktivism (particularly leaks) accounted for many attacks. Espionage-related attacks were not even on the radar, but seven years later the world is a very different place. Espionage has taken the 2^nd place spot for years, and hacktivism is, for the most part, simply an afterthought. Before we move on, however, it should be noted that while espionage has almost certainly increased over the last few years, the fact that it did not appear at all in 2015 was quite likely due to our contributors and general case load at the time.

Turning to breaches, the top varieties are a bit more dynamic, with Use of stolen credentials, Ransomware and Phishing all in the top five. The category of “Other” has stealthily crept into one of the top three spots this year as well. This is largely due to the dataset being long “tailed” and diverse. In other words, there are a lot of different things that aren’t in the top 10, but are still noteworthy. We can also flip that on its head and state that 73% of breach varieties are found in the top 10 varieties. Not too shabby considering the fact that we have more than 180 different action varieties. How’s that for the Pareto principle?⁴

In terms of vectors, these align well with the notion that the main ways in which your business is exposed to the internet are the main ways that your business is exposed to the bad guys. Web Applications and Email are the top two vectors for breaches. This is followed by Carelessness, which is associated with Errors such as Misdelivery and Misconfiguration. Next we have Desktop Sharing Software which captures things like Remote Desktop Protocol (RDP) and third-party software that allows users to remotely access another computer via the Internet. Unfortunately, if you can access the asset directly over the internet simply by entering the credentials, so can the criminals.

‘08 Throwback

While the DBIR has grown and evolved dramatically since its inception, we find it incredibly interesting how many of the core stats remain the same. In Figure 0a31addb from 2008, you’ll find that the numbers are eerily similar to what we see today. Hacking continues to be the main action, followed by Malcode (Malware). In the 2008 report, Error was recorded in two ways: Errors that directly caused the breach (the full bar) and Errors that contributed to the breach (light colored bar). We no longer use this breakdown (for a few reasons, one of which is that it can be argued that errors play at least a small part in almost all breaches), but Error accounts for 14% of breaches overall. From there, however, things begin to deviate slightly. This is particularly true with regard to Social and Error, but please keep in mind that our data has grown both in size and diversity of source over the years, expanding from 500 incidents that first year to over 23K incidents this year.

If security incidents did not have associated attributes, the life of an InfoSec professional would be a good deal easier. Unfortunately, they do: Confidentiality, Integrity and Availability (commonly referred to as the CIA triad), and they can greatly impact numerous aspects of an incident (who needs to be notified, what actions need to be taken and what explanations need to be given to senior management to name a few). Figure 25 shows CIA over time in our dataset (with regard to security incidents). 

The DBIR defines a data breach as a compromise of the Confidentiality attribute, and anytime Confidentiality is compromised, it begs the question what type of data was involved? 

15 years ago, (Figure 20 from the 2008 DBIR) Payment card data led the pack by a large margin. However, it has slowly declined over the last few years. No doubt this decline is to some degree reflective of the additional security controls that have been added in recent years to protect this type of data. Regardless, Figure 41a99c26 shows the top two data types are now Credentials and Personal data.  We’ve long held that Credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system. Much like the proverbial wolf in sheep’s clothing, their actions appear innocuous until they attack. With regard to breaches, attackers are frequently exfiltrating Personal data, including email addresses, since it is useful for financial fraud. There is also a large market for their resale, which means they are truly the “gift” that keeps on giving. Unfortunately, what it gives is mostly trouble to the data subjects (whom the data is about). 

Discovery time is a good place to begin when viewing timelines. While Figure 29 might seem like good news, (that we are more likely to detect breaches within days than months), it gets to be a little less comforting once you start looking at some of the drivers. The top Discovery Method for breaches (more than 50%) is now “Actor Disclosure” (normally either on the asset in the form of a ransomware note or on a criminal forum to sell the data or announce the breach). Neither of which is desirable. “Ignorance is bliss” doesn’t readily apply to breaches. 

Value Chain

Over the last two years the DBIR team has been collecting value chain information, defined as the capabilities and investments an attacker must acquire prior to the actions on the target, either by purchase or investment in its creation. Traditionally, defenders are largely focused on the events that occur within their boundaries, which makes sense since those are the things they control. However, an attacker ecosystem exists both before and after the breach, and it plays into and feeds off of the incident. The value chain asks the question “Where did that email address come from?” Or “Where do those stolen credentials go?” It often seems that breaches beget more breaches, creating a Circle of Breach⁷ so to speak. By understanding the transactions associated with this ecosystem, we can understand the key steps involved in attacks and work collaboratively to make those transactions more difficult, expensive or unsustainable for the attackers.

“It takes money to make money”

There are several things attackers must invest in for a breach:

Development: software or content that must be developed to accomplish the actions on the target.

Targeting: work that identifies exploitable opportunities. These overlap heavily with the data varieties that are compromised.

Distribution: services used to distribute actor content including email, compromised servers, and websites.

Non-Distribution Services: services provided and used by threat actors other than those used for distribution of actor content.

Cash-out: methods for converting something (likely the attribute compromised) into currency.

Figure 31 provides the top variety for each part of the value chain. Email is the most common method. We can infer the email chain because it is the primary reason other things, such as malware in development or credentials in targeting, aren’t higher. Malware can be freely available and credentials may be stolen. The takeaway is not to think of breaches only in terms of starting or ending. Instead, think of them like you might think of a sports team: they are either on the field or preparing to be. 

¹ It’s not just rhymes that are tricky to rock.

² Can you find all 45 “cyber” references in the DBIR this year? I bet you can’t…

³ And it should be noted that most internal breaches are from errors, not malice.

⁴ Not to be confused with the Peter Principle, which is something else entirely.

⁵ We feel a Schoolhouse Rock song coming on.

⁶ Event Chains are kinda like Attack Flows in the Controls Appendix, but more basic.

⁷ Like the Circle of Life, but for threat actors.