2017 Data Breach Investigations Report, 10th Edition

Incidents vs breaches

We talk a lot about incidents and breaches and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.

In the 2009 report, we wrote: "These findings relate specifically to the occurrence (likelihood) of security breaches leading to data compromise; not attacks, not impact, not general security incidents and not risk." The study has since evolved to include security incidents and not just breaches for many findings, but the rest of the statement holds true to this day. The information, provided in aggregate, is filtered in many ways to make it relevant to you (e.g., by industry, actor motive). It is a piece of the information security puzzle (an awesome corner piece that can get you started) but just a piece nonetheless. The rest is filled in by you. You (hopefully) know the controls that you do or do not currently have to mitigate the effectiveness of the threat actions most commonly taken against your industry. You know the assets that store sensitive data and the data flow within your environment. If you don't, get on that. You also know your own incident and data-loss history. Use your own knowledge combined with the data from our report; they complement each other.

First-time reader? Don't be shy; welcome to the party. As always, this report is comprised of real-world data breaches and security incidents, either investigated by us or provided by one of our outstanding data contributors. The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident datasets contributed by several security vendors. We combat bias by utilizing these types of data as opposed to surveys, and by collecting similar data from multiple sources. We use analysis of non-incident datasets to enrich and support our incident and breach findings. Alas, as with any security report, some level of bias does remain, which we discuss in Appendix D.

Tips on Getting the Most from This Report

Cybercrime case studies

This report doesn't focus on individual events; if you want to dive deeper into breach scenarios, check out the cybercrime case studies collected in the Verizon Data Breach Digest[1]. This is a collection of narratives based on real-world investigations and from the perspective of different stakeholders involved in breach response. (Data Breach Digest: Perspective is Reality.)

VERIS resources

VERIS is free to use and we encourage people to integrate it into their existing incident response reporting, or at least kick the tires. Three resources accompany it: one features information on the framework with examples and enumeration listings, one features the full VERIS schema, and one provides access to our database on publicly disclosed breaches, the VERIS Community Database.

Contents
Introduction 2
Executive Summary 3
Breach Trends 4
Introduction to Industries 9
Accommodation and Food Services 14
Educational Services 17
Financial and Insurance 19
Healthcare 22
Information 24
Manufacturing 26
Public Administration 28
Retail 30
Attack the Humans! 32
Ransom Notes are the Most Profitable Form of Writing 35
Introduction to Incident Classification Patterns 38
Crimeware 39
Cyber-Espionage 42
Denial of Service 44
Insider and Privilege Misuse 48
Miscellaneous Errors 50
Payment Card Skimmers 52
Point of Sale Intrusions 54
Physical Theft and Loss 56
Web Application Attacks 57
Everything Else 59
Wrap Up 60
Appendix A: Countering an Evolving Transnational Cybercrime Threat 62
Appendix B: The Patch Process Leftovers 64
Appendix C: Year in Review 67
Appendix D: Methodology 69
Appendix E: Contributing Organizations 72

Introduction

Welcome to the 10th anniversary of the Data Breach Investigations Report (DBIR). We sincerely thank you for once again taking time to dig into our InfoSec coddiwomple that has now culminated in a decade of nefarious deeds and malicious mayhem in the security world.

2016 was an extremely tumultuous year, both in the United States and abroad. Political events, such as a divisive presidential election and the United Kingdom European Union membership referendum (aka Brexit), raised many a blood pressure reading, while memes focused on getting through the year without the loss of another beloved celebrity flooded social media. Despite the tumult and clamor, cybercrime refused to take a year off, and added to the feelings of uncertainty with numerous breaches being disclosed to the public, thereby debunking the "no such thing as bad publicity" myth.

Why the "hope" quote, you ask? Isn't this report about doom and gloom and when things go wrong with real-world consequences? There is no doubt that you can view this report, throw
up your arms in despair, and label us (the risk management and information security community) as "losing." All of us (authors, analysts and readers alike) must take a realistic approach to this and similar reports by our peers and acknowledge that we can do better. Yet we do firmly believe there is great cause for hope. It is true that the DBIR will never be blank as, choose your cliché, "there is no such thing as 100% secure" or "perfection is the enemy of good enough". It is also true that due to the nature of the report we admittedly have a lack of success stories. After all, this is at its core a report about confirmed data breaches. However, we are aware that there are numerous success stories out there; it is not all bad news for the good guys. Our hope comes from the fact that we have been able to present these findings to the public for 10 years running. Our hope comes from how we have grown this publication from only one organization to include contributions from 65 sources, providing a solid corpus sample of security incidents and data breaches from which to learn. Our hope is that while this report will not be able to definitively answer the macro-level question of "are we getting better?", you, the readers, can leverage the combined efforts (thank you again, data contributors!). Use the results of this study as a platform to improve your organization's awareness of tactics used by the adversary, to understand what threats are most relevant to you and your industry, and as a tool to evangelize and garner support for your information security initiatives.

So what is new in the 2017 publication? One of our favorite evolutions in the DBIR series was the definition of nine incident classification patterns and the ability to map them against industry. We felt, and still feel, that it was a boost that made the DBIR more actionable. The report goes one step further this year and includes sections that are specific to key industries. These sections dive deeper into who targets specific verticals, how they go about reaching their goal, and discuss why particular industries are in the crosshairs of certain threat actors. We examine what is unique about each industry and how that influences the results we find in our dataset. It is our hope (there's that word again) that these industry sections will resonate with security professionals and will provide a lens into our data that is beneficial to you personally.

So the report will follow this path: It starts off with an executive summary comprised of high-level findings in this year's data. As in other reports, we will then look back into history and discuss what has (and hasn't) changed over the years. Next, we will hop to the aforementioned industry sections, and then focus on the human element in information security and this ransomware thing all the kids are talking about. The nine incident classification patterns make their annual appearance, and we will wrap this party up with a review of the good, the bad and the ugly of 2016.

"Hope is the pillar of the world." Pliny the Elder

Executive Summary

Who's behind the breaches?
75% perpetrated by outsiders.
25% involved internal actors.
18% conducted by state-affiliated actors.
51% involved organized criminal groups.
3% featured multiple parties.
2% involved partners.

What else is common?
66% of malware was installed via malicious email attachments.
73% of breaches were financially motivated.
21% of breaches were related to espionage.
27% of breaches were discovered by third parties.

Who are the victims?
Public sector entities were the third most prevalent breach victim, at 12%.
Retail and Accommodation combined to account for 15% of breaches.
24% of breaches affected financial organizations.
15% of breaches involved healthcare organizations.

What tactics do they use?
81% of hacking-related breaches leveraged either stolen and/or weak passwords.
43% were social attacks.
51% of breaches (over half) included malware.
62% of breaches featured hacking.
Physical actions were present in 8% of breaches.
Errors were causal events in 14% of breaches. The same proportion involved privilege misuse.

In 2014, we pointed out that "we're not very good at maintaining the status quo. The sources of data grow and diversify every year. The focus of our analysis shifts. The way we visualize data and organize results evolves over time." There are changes, both in addition and subtraction, of external
organizations that are able to provide data year to year (as well as shifts in the types of incidents investigated by the community). These can influence the results as much as, if not more than, changes in threat actor behavior. We will disclose when changes or findings of interest are a product of the former. For example, a spike in data received associated with Dridex botnet breaches in last year's report was responsible for several spikes in certain enumerations. This year we will see many of those come down to levels seen in prior years. However, in 2014 we also said "measuring deltas has value and we know readers appreciate some level of continuity between reports." And this section is an attempt to do so.

Figure 1: Countries represented in combined caseload

Breach Trends

Figure 2 shows a downtick in the percentage of breaches involving external actors, which causes a corresponding increase in internal actors. In absolute numbers, however, breaches driven by internal parties have remained relatively constant, with an increase of around 12%. In other words, we will not be making any proclamations about internal threats on the rise and would not bet the farm
that this line will continue to trend upward. The convergence of the two lines in 2016 is due to a decrease of two types of external attack that commonly feature a high actor-to-victim ratio: password-stealing botnets and opportunistic point-of-sale (POS) intrusions. Breaches involving multiple parties and/or business partners[2] exist but are much less frequent and have maintained their lower profile year to year.

In 2016, financial and espionage were still the top two motives, combining to account for 93% of breaches. Fun, Ideology and Grudge are motives we have combined and labeled as FIG in Figure 3, and other graphs throughout the report. The rise in espionage is partially due to the simple fact that we featured more of these breaches in our dataset this year, but also due to the previously discussed drop in banking Trojan botnets and POS. Organized criminal groups continue to utilize ransomware to extort money from their victims, and since a data disclosure in these incidents is often not confirmed, they are not reflected in Figure 3.

Figure 4: Percentage of breaches per threat action category over time

For many of us, 2016 was a year in which we were afraid to even accept dinner invitations due to the fear that someone would demand we discuss current events. So much upheaval and change on a global scale is difficult to take in. For that reason, Figure 4 above is oddly comforting. The triple threat of hacking, malware and social has been on top and trending upward for the last few years, and it does not appear to be going away any time soon. It represents a potent mixture for cyber-attacks, but at least it is something we can all agree on. We actually did see a decrease in numbers of these three actions in this year's dataset, due (yet again) to the reduction of POS
and botnet-driven breaches.

Figure 2: Threat actor categories over time (External, Internal, Multiple Actors, Partner; percentage of breaches, 2010 to 2016)

Figure 3: Threat actor motives over time (Financial, Espionage, FIG, Everything else; percentage of breaches, 2010 to 2016)

[2] Note: for Partner to be selected as a threat actor, they need to be behind the action(s) that are causal to the breach. If a business partner is hacked and it affects an upstream organization in the chain, we still apply the actor tag to the party that is behind the hacking.

The actions taken and assets compromised are influenced heavily by the actors and their motives. Numerous areas of concentration are quickly observable in Figure 5 (e.g., use of keylogging malware by financially motivated actors). The associations between actors, their motives, and their modus operandi are found in several industry and incident pattern sections throughout this report. The specific actors and motives represented in Figure 5 are: FIG (Fun, Ideology, Grudge motives OR activist group threat actors), ESP (Espionage motive OR state-affiliated OR nation-state actors), FIN (Financial motivation OR organized criminal group actors).

Figure 5: Threat action variety and vector by actor/motive group (FIG, ESP, FIN); the count cells did not survive extraction. Vector rows: Backdoor or C2 (hacking), Desktop sharing (hacking), Direct install (malware), Download by malware (malware), Email (social), Email attachment (malware), Email link (malware), Email unknown (malware), In-person (social), LAN access (misuse), Partner (hacking), Partner facility (physical), Personal vehicle (physical), Phone (social), Physical access (misuse), Public facility (physical), Remote access (misuse), Victim grounds (physical), Victim public area (physical), Victim work area (physical), Web application (hacking), Web drive-by (malware), Website (social). Variety rows (truncated in this excerpt): Adminware (malware), Backdoor (malware), Bribery (social), Brute force (hacking), C2 (malware), Capture app data (malware), Capture stored data (malware), Data mishandling (misuse), Disabled controls (physical), Downloader (malware), Exploit vulnerabilities (malware), Export data (malware), Fo…
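The two classification rules the report leans on, the breach definition (confirmed disclosure only, which is why unconfirmed ransomware cases drop out of Figure 3) and the FIG/ESP/FIN groupings used in Figure 5, are simple enough to apply to your own VERIS-coded incident records. The following Python is an added example, not code from the DBIR or the VERIS project. The field names follow the public VERIS JSON schema as recalled here (actor.external.variety, actor.external.motive, attribute.confidentiality.data_disclosure) and should be treated as an assumption to check against the published schema; the sample records are constructed.

```python
"""Breach-vs-incident classification and FIG/ESP/FIN grouping over VERIS-style records.

Added example, not code from the DBIR or the VERIS project. Field names follow
the public VERIS JSON schema as recalled by the example's author (assumption:
actor.<kind>.variety, actor.<kind>.motive, attribute.confidentiality.data_disclosure).
All records below are constructed for illustration, not real DBIR data.
"""
from collections import Counter

ACTOR_KINDS = ("external", "internal", "partner")


def is_breach(record):
    """Report definition: a breach is an incident with *confirmed* disclosure.

    VERIS records "Potentially" for suspected-but-unconfirmed disclosure (typical
    of ransomware incidents); the report does not count those as breaches.
    """
    conf = record.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"


# Figure 5 groupings, as the report defines them (each rule is an OR).
FIG_MOTIVES = {"Fun", "Ideology", "Grudge"}
ESP_ACTORS = {"State-affiliated", "Nation-state"}


def actor_groups(record):
    """Return the set of FIG / ESP / FIN labels that apply to one record.

    A record can match several groups (e.g. a financially motivated
    state-affiliated actor), so all matches are kept.
    """
    groups = set()
    for kind in ACTOR_KINDS:
        actor = record.get("actor", {}).get(kind)
        if not actor:
            continue
        motives = set(actor.get("motive", []))
        varieties = set(actor.get("variety", []))
        if motives & FIG_MOTIVES or "Activist" in varieties:
            groups.add("FIG")
        if "Espionage" in motives or varieties & ESP_ACTORS:
            groups.add("ESP")
        if "Financial" in motives or "Organized crime" in varieties:
            groups.add("FIN")
    return groups


def actor_categories(record):
    """Figure 2 categories: External / Internal / Partner, plus Multiple when
    more than one actor kind is present on the record."""
    present = [kind.capitalize() for kind in ACTOR_KINDS
               if record.get("actor", {}).get(kind)]
    if len(present) > 1:
        present.append("Multiple")
    return present


def summarize(records):
    """Count incidents, confirmed breaches, and per-breach actor/motive buckets."""
    breaches = [r for r in records if is_breach(r)]
    groups = Counter(g for r in breaches for g in actor_groups(r))
    categories = Counter(c for r in breaches for c in actor_categories(r))
    return {
        "incidents": len(records),
        "breaches": len(breaches),
        "motive_groups": dict(groups),
        "actor_categories": dict(categories),
    }


# Constructed sample records (not real DBIR data).
SAMPLE_RECORDS = [
    {   # organized crime, financial, confirmed disclosure -> breach, FIN, External
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
    {   # state-affiliated espionage -> breach, ESP, External
        "actor": {"external": {"variety": ["State-affiliated"], "motive": ["Espionage"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
    {   # ransomware: disclosure only "Potentially" -> incident, not a breach
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Potentially"}},
    },
    {   # disgruntled insider -> breach, FIG, Internal
        "actor": {"internal": {"variety": ["End-user"], "motive": ["Grudge"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
    {   # activist group with a colluding insider -> breach, FIG, External+Internal+Multiple
        "actor": {
            "external": {"variety": ["Activist"], "motive": ["Ideology"]},
            "internal": {"variety": ["End-user"], "motive": ["Ideology"]},
        },
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

Run against the five constructed records, summarize reports 5 incidents but only 4 breaches (the "Potentially" ransomware case is excluded, exactly the effect the report describes for Figure 3), and the breach-only counts come out FIN 1, ESP 1, FIG 2 and External 3, Internal 2, Multiple 1. Note that the counts are per breach, not per actor, which is how a record with two actor kinds contributes to both Internal and External as well as to Multiple.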