2019 Data Breach Investigations Report

Before we formally introduce you to the 2019 Data Breach Investigations Report (DBIR), let us get some clarifications out of the way first to reduce potential ambiguity around terms, labels, and figures that you will find throughout this study.

VERIS resources

The terms “threat actions,” “threat actors,” “varieties,” and “vectors” will be referenced a lot. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here are some select definitions, followed by links with more information on the framework and on the enumerations.

Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign, or an employee who leaves sensitive documents in their seat back pocket.

Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. Examples at a high level are hacking a server, installing malware, and influencing human behavior.

Variety: More specific enumerations of higher-level categories, e.g., classifying the external “bad guy” as an organized criminal group, or recording a hacking action as SQL injection or brute force.

Learn more here:
- DBIR figures and figure data.
- Information on the framework, with examples and enumeration listings.
- The full VERIS schema.
- Our database of publicly disclosed breaches, the VERIS Community Database.
- A tool that lets you record your own incidents and breaches. Don't fret, it saves any data locally and you only share what you want.

Incident vs. breaches

We talk a lot about incidents and breaches, and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party.

Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses 2- to 6-digit codes to classify businesses and organizations. Our analysis is typically done at the 2-digit level, and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. 52 is the NAICS code for the Finance and Insurance sector. The overall label of “Financial” is used for brevity within the figures. Detailed information on the codes and classification system is available here: https://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2017

A couple of tidbits

New chart, who dis? You may notice that the bar chart shown may not be as, well, bar-ish as what you may be used to. Last year we talked a bit in the Methodology section about confidence. When we say a number is X, it's really X +/- a small amount. This year we're putting it in the bar charts. The black dot is the value, but the slope gives you an idea of where the real value could be between. In this sample figure we've added a few red bars to highlight it, but in 19 bars out of 20 (95%),¹ the real number will be between the two red lines on the bar chart. Notice that as the sample size (n) goes down, the bars get farther apart. If the lower bound of the range on the top bar overlaps with the higher bound of the bar beneath it, they are treated as statistically similar, and thus statements that x is more than y will not be proclaimed.

Figure 1. Top asset variety in breaches (sample figure: Server, all breaches, n=1,881; Server, large organization breaches only, n=335)

Questions? Comments? Brilliant ideas? We want to hear them. Drop us a line at , find us on LinkedIn, tweet @VZEnterprise with the #dbir. Got a data question? Tweet @VZDBIR!

¹ https://en.wikipedia.org/wiki/Confidence_interval

Table of contents

Introduction 4
Summary of findings 5
Results and analysis 6
Unbroken chains 20
Incident classification patterns and subsets 24
Data breaches: extended version 27
Victim demographics and industry analysis 30
Accommodation and Food Services 35
Educational Services 38
Financial and Insurance 41
Healthcare 44
Information 46
Manufacturing 49
Professional, Technical and Scientific Services 52
Public Administration 55
Retail 58
Wrap up 61
Year in review 62
Appendix A: Transnational hacker debriefs 65
Appendix B: Methodology 68
Appendix C: Watching the watchers 71
Appendix D: Contributing organizations 75
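The confidence bars described under “A couple of tidbits” above, worked through in code. This is an added example, not the report's own code: the DBIR does not say which interval it draws, so the Wilson score interval used here is an assumption, and the counts come from the Figure 1 sample sizes and the Figure 4 percentages applied to the 2,013 breaches.

```python
"""Confidence bars for the DBIR-style bar charts (added illustration, not the
report's own code). The DBIR does not say which interval it draws, so the
Wilson score interval used here is an assumption; the counts in __main__ are
the Figure 1 sample sizes and the Figure 4 percentages applied to n=2,013."""
from math import sqrt

Z95 = 1.959964  # two-sided 95% normal quantile: "19 bars out of 20"


def wilson_interval(k, n, z=Z95):
    """Wilson score interval for k hits in n records, as (low, high) fractions.
    Unlike p +/- z*sqrt(p(1-p)/n) it stays in [0, 1] and copes with k = 0 or n."""
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    p, z2 = k / n, z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def bar_width(k, n):
    """Length of the bar; it grows as the sample size n shrinks."""
    low, high = wilson_interval(k, n)
    return high - low


def statistically_similar(a, b):
    """The report's rule: the bar with the higher value is 'on top'; if its
    lower bound reaches the other bar's upper bound, no 'x is more than y'
    claim is made. a and b are (count, sample_size) pairs."""
    top, beneath = sorted((a, b), key=lambda kn: kn[0] / kn[1], reverse=True)
    return wilson_interval(*top)[0] <= wilson_interval(*beneath)[1]


def describe(label, k, n):
    low, high = wilson_interval(k, n)
    return f"{label}: {k / n:.1%} (95% bar {low:.1%} to {high:.1%}, n={n})"


if __name__ == "__main__":
    print(describe("External actors", 1389, 2013))   # Figure 4: 69%
    print(describe("Internal actors", 684, 2013))    # Figure 4: 34%
    print("similar?", statistically_similar((1389, 2013), (684, 2013)))
    print(describe("30% share, n=1,881", 564, 1881))  # Figure 1 sample sizes:
    print(describe("30% share, n=335", 100, 335))     # the bar widens as n drops
```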
Introduction

Welcome! Pull up a chair with the 2019 Verizon Data Breach Investigations Report (DBIR). The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident data sets contributed by several security vendors. This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years, as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets are also provided. This affords the reader yet another means to analyze breaches and to find commonalities above and beyond the incident classification patterns that you may already be acquainted with.

Fear not, however. The nine incident classification patterns are still around, and we continue to focus on how they correlate to industry. In addition to the nine primary patterns, we have created a subset of data to pull out financially-motivated social engineering (FMSE) attacks that do not have a goal of malware installation. Instead, they are more focused on credential theft and duping people into transferring money into adversary-controlled accounts. In addition to comparing industry threat profiles to each other, individual industry sections are once again front and center.

Joining forces with the ever-growing incident/breach corpus, several areas of research using non-incident data sets such as malware blocks, results of phishing training, and vulnerability scanning are also utilized. Leveraging, and sometimes combining, disparate data sources (like honeypots and internet scan research) allows for additional data-driven context. It is our charge to present information on the common tactics used by attackers against organizations in your industry. The purpose of this study is not to rub salt in the wounds of information security, but to contribute to the “light” that raises awareness and provides the ability to learn from the past. Use it as another arrow in your quiver to win hearts, minds, and security budget. We often hear that this is “required reading” and strive to deliver actionable information in a manner that does not cause drowsiness, fatigue, or any other adverse side effects.

We continue to be encouraged and energized by the coordinated data sharing by our 73 data sources, 66 of which are organizations external to Verizon. This community of data contributors represents an international group of public and private entities willing to support this annual publication. We again thank them for their support, time, and, of course, DATA. We all have wounds, none of us knows everything, let's learn from each other. Excelsior!²

² If you didn't expect a Stan Lee reference in this report, then you are certainly a first-time reader. Welcome to the party, pal!

“The wound is the place where the light enters you.” Rumi

Summary of findings

Figure 2. Who are the victims? (percent of breaches)
- 43% of breaches involved small business victims
- 16% were breaches of Public sector entities
- 15% were breaches involving Healthcare organizations
- 10% were breaches of the Financial industry

Figure 3. What tactics are utilized? (percent of breaches)
- 52% of breaches featured Hacking
- 33% included Social attacks
- 28% involved Malware
- Errors were causal events in 21% of breaches
- 15% were Misuse by authorized users
- Physical actions were present in 4% of breaches

Figure 4. Who's behind the breaches? (percent of breaches)
- 69% perpetrated by outsiders
- 34% involved Internal actors
- 2% involved Partners
- 5% featured Multiple parties
- Organized criminal groups were behind 39% of breaches
- Actors identified as nation-state or state-affiliated were involved in 23% of breaches

Figure 5. What are other commonalities? (percent of breaches)
- 71% of breaches were financially motivated
- 25% of breaches were motivated by the gain of strategic advantage (espionage)
- 32% of breaches involved phishing
- 29% of breaches involved use of stolen credentials
- 56% of breaches took months or longer to discover
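How the VERIS definitions and the incident-versus-breach rule from the front matter turn raw records into the actor and action shares of Figures 2 to 4, as an added example that is not code from the DBIR or the VERIS project. The three records are constructed, and their field paths are assumed to match the VERIS JSON schema; the functions classify each record and compute the percent-of-breaches figures.

```python
"""Sorting VERIS-style records into the DBIR's buckets (added illustration,
not code from the DBIR or the VERIS project). The records are constructed;
their field paths (actor.external, action.hacking.variety, victim.industry,
attribute.confidentiality.data_disclosure) are an assumption about the schema."""
from collections import Counter

ACTIONS = ("malware", "hacking", "social", "misuse", "physical", "error", "environmental")

RECORDS = [  # constructed samples, not real cases
    {"actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
     "action": {"hacking": {"variety": ["Use of stolen creds"]}, "social": {"variety": ["Phishing"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
     "victim": {"industry": "522110"}},
    {"actor": {"internal": {"variety": ["System admin"], "motive": ["NA"]}},
     "action": {"error": {"variety": ["Misconfiguration"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
     "victim": {"industry": "622110"}},
    {"actor": {"external": {"variety": ["Unaffiliated"], "motive": ["Unknown"]}},
     "action": {"hacking": {"variety": ["DoS"]}},
     "attribute": {"availability": {"variety": ["Loss"]}},  # no disclosure: incident only
     "victim": {"industry": "611310"}},
]


def is_breach(rec):
    """Breach = confirmed disclosure; "Potentially" or "No" keeps it an incident."""
    return rec.get("attribute", {}).get("confidentiality", {}).get("data_disclosure") == "Yes"


def actor_categories(rec):
    """External / Internal / Partner as recorded; a record may list more than one."""
    return sorted(c.title() for c in rec.get("actor", {}) if c in ("external", "internal", "partner"))


def action_categories(rec):
    """The seven VERIS action categories present in the record."""
    return sorted(c.title() for c in rec.get("action", {}) if c in ACTIONS)


def naics_sector(rec):
    """Industry label at the 2-digit NAICS level, e.g. 52 = Finance and Insurance."""
    return rec["victim"]["industry"][:2]


def breach_share(records, key):
    """Percent of confirmed breaches in which each value returned by key() appears,
    the way Figures 3 and 4 report actions and actors (rounded, need not sum to 100)."""
    breaches = [r for r in records if is_breach(r)]
    counts = Counter(v for r in breaches for v in key(r))
    return {v: round(100 * n / len(breaches)) for v, n in counts.items()}
```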
Results and analysis

The results found in this and subsequent sections within the report are based on a data set collected from a variety of sources such as publicly-disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and by our external collaborators. The year-to-year data set(s) will have new sources of incident and breach data as we strive to locate and engage with organizations that are willing to share information to improve the diversity and coverage of real-world events. This is a convenience sample, and changes in contributors, both additions and those who were not able to participate this year, will influence the data set. Moreover, potential changes in their areas of focus can stir the pot o' breaches when we trend over time. All of this means we are not always researching and analyzing the same fish in the same barrel. Still other potential factors that may affect these results are changes in how we subset data and large-scale events that can sometimes influence metrics for a given year. These are all taken into consideration, and acknowledged where necessary, within the text to provide appropriate context to the reader.

With those cards on the table, a year-to-year view of the actors (and their motives),³ followed by changes in threat actions and affected assets over time, is once again provided. A deeper dive into the overall results for this year's data set, with an old-school focus on threat action categories, follows. Within the threat action results, relevant non-incident data is included to add more awareness regarding the tactics that are in the adversaries' arsenal.

³ And we show the whole deck in Appendix B: Methodology.

Defining the threats

Threat actor is the terminology used to describe who was pulling the strings of the breach (or, if an error, tripping on them). Actors are broken out into three high-level categories of External, Internal, and Partner. External actors have long been the primary culprits behind confirmed data breaches, and this year the trend continues. There are some subsets of data that are removed from the general corpus, notably over 50,000 botnet-related breaches. These would have been attributed to external groups and, had they been included, would have further increased the gap between the External and Internal threat.

Figure 6. Threat actors in breaches over time (External, Internal, Partner; percent of breaches, 2011 to 2017)

Figure 7. Threat actor motives in breaches over time (Financial, Espionage, Other; percent of breaches, 2011 to 2017)

Figure 8. Select threat actors in breaches over time (Organized crime, State-affiliated, Activist, System admin, Cashier; percent of breaches, 2011 to 2017)

Financial gain is still the most common motive behind data breaches where a motive is known or applicable (errors are not categorized with any motive). This continued positioning of personal or financial gain at the top is not unexpected. In addition to the botnet breaches that were filtered out, there are other scalable breach types that allow for opportunistic criminals to attack and compromise numerous victims.⁴ Breaches with a strategic advantage as the end goal are well-represented, with one-quarter of the breaches associated with espionage. The ebb and flow of the financial and espionage motives are indicative of changes in the data contributions and the multi-victim sprees. This year there was a continued reduction in card-present breaches involving point of sale environments and card skimming operations. Similar percentage changes in organized criminal groups and state-affiliated operations are shown in Figure 8 above.

Another notable finding (since we are already walking down memory lane) is the bump in Activists, who were somewhat of a one-hit wonder in the 2012 DBIR with regard to confirmed data breaches. We also don't see much of Cashier (which also encompasses food servers and bank tellers) anymore. System administrators are creeping up, and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors. These are either by misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers. Please, close those buckets!

⁴ In Appendix C: “Watching the Watchers”, we refer to these as zero-marginal cost attacks.

Figure 9. Threat actions in data breaches over time, n=2,501 (2013), n=1,638 (2018)

Category        2013   2018   Diff
Hacking         56%    53%    -3
Malware         30%    29%    -1
Social          17%    35%    +18
Error           17%    21%    +5
Misuse          16%    14%    -2
Physical        10%    4%     -6
Environmental   0%     0%     0

Figure 10. Asset categories in data breaches over time, n=2,294 (2013), n=1,513 (2018)

Category        2013   2018   Diff
Server          65%    63%    -2
User Dev        28%    30%    +2
Person          19%    39%    +20
Media           17%    9%     -8
Kiosk/Term      7%     1%     -5
Network         0%     1%     +1

Figures 9 and 10 show changes in threat actions and affected assets from 2013 to 2018.⁵,⁶ No, we don't have some odd affinity for seven-year time frames (as far as you know). Prior years were heavily influenced by payment card breaches featuring automated attacks on POS devices with default credentials, so 2013 was a better representative starting point. The rise in social engineering is evident in both charts, with the action category Social and the related human asset both increasing.

Threat action varieties

When we delve a bit deeper and examine threat actions at the variety level, the proverbial question of “What are the bad guys doing?” starts to become clearer. Figure 11 shows Denial of Service attacks are again at the top of action varieties associated with security incidents, but it is still very rare for DoS to feature in a confirmed data breach. Similarly, Loss (which is short for lost or misplaced assets) incidents are not labeled as a data breach if