Verizon 2019 DBIR Shows Financially Motivated Attacks Increasing While Criminals Switch to Easiest Targets
The Verizon 2019 Data Breach Investigations Report (DBIR) was published just after midnight today. This is the 12th edition since its launch in 2008, and the most extensive to date, with 73 contributors and an analysis of 41,686 security incidents including 2,013 confirmed breaches. A breach is defined as an incident that results in the confirmed disclosure or exposure of data.
Purely from its detail and breadth of coverage, DBIR has become the breach bible for the security industry. Verizon does not speculate on the meaning of the data it provides, leaving that to independent security analysts. Like all surveys, it can only analyze and catalog the data it receives -- it knows nothing about incidents that are never reported to it. As a result, DBIR provides evidence of security trends across the greater part of industry, but little in terms of specific causes for specific trends.
An example of this can be seen in the relative trends for cyber espionage and financially motivated attacks (of which ransomware is probably the most visible and newsworthy example). The trend highlighted by the 2019 DBIR (PDF) is that financially motivated cyber-attacks are increasing across the board.
In the manufacturing sector, the commonly held perception has long been that the majority of cyber-attacks are for cyber espionage. "Last year's report showed financial as higher than espionage as motivation against the manufacturing sector for the first time," Alex Pinto, head of Verizon security research, told SecurityWeek. "We quite honestly thought it was a fluke, and we described it as such." But the gap between the two motivations has widened over the last year, with financially motivated attacks against manufacturing now standing at 68%. DBIR shows us this is happening, but doesn't tell us why.
"I won't speculate," said Pinto. "That's not the function of DBIR." It could simply be that financially motivated attacks have increased over the whole spectrum of industry -- which they have -- while cyber espionage has remained more static. "But we will be very careful about suggesting to manufacturing that the espionage attack is in decline."
On a personal basis, he continued, "there may be a bias in what is reported. Espionage is far more interesting than financially motivated attacks, so you may see more of those reported and in the news. It doesn't mean that money-motivated attacks aren't happening, but there is so much more of the run-of-the-mill financial stuff, it doesn't necessarily get reported."
But bias in reporting could go further. In July 2018, Sophos reported that the true number of SamSam infections was probably much higher than commonly thought. Although there had been a handful of high-profile infections, Sophos and Neutrino followed the bitcoin wallet trail and concluded that around 233 victims had, mostly quietly, paid the ransom and not reported the incident.
Here Pinto now pointed to the healthcare figures on ransomware, which is tracked by Verizon as the #2 malware type affecting all industries. "Healthcare is mandated to report any breach that occurs because of HIPAA regulations," he said. "Ransomware has to be reported as a breach. So, all healthcare ransomware infections are reported. In our dataset as a whole, ransomware accounts for 24% -- on healthcare it accounts for 70%." Again, Pinto declined to speculate on causes behind the figures -- but it is certainly possible that other industries are succumbing to ransomware attacks at a higher rate than they report simply because they don't have to report; and that would certainly fit with the trend of increasing financially motivated attacks highlighted by the DBIR.
It is possible, then, that the ransomware threat to industry is even greater than the DBIR figures suggest.
Asked to highlight two particular trends exposed by the 2019 DBIR, Pinto suggested a 'flight to ease' by the attackers, and an increasing phishing focus on senior management (which may be two aspects of the same trend). For the former, he said it's not a new phenomenon but one that has been widespread in 2018. "It's the game of security," said Pinto. "We make something harder, so the criminals switch to the next easiest thing that will keep their money flowing."
Bank fraud may be an example. The introduction of EMV bank cards (chip & pin) has made card-present fraud much harder. The criminals have responded by switching to card-not-present fraud. "From our aggregated data," said Pinto, "it looks like web application-based payment card fraud is going to overtake non-web application fraud pretty soon. Those two lines are about to cross."
Since 2015, point-of-sale breaches have decreased by a factor of ten, while web application breaches are now 13x more likely. Pinto added, "We have one partner, the National Cyber-Forensics and Training Alliance (NCFTA), based in the U.S., who is already suggesting, from its own data, that card-not-present is now more extensive than card-present fraud. We believe the reason for this shift -- and it's just speculation -- is that chip and pin is simply moving the criminals towards something that is easier."
The phishing focus on senior management is another example of cybercriminals focusing on the easiest route to the maximum return. Talking about the business email compromise (BEC) threat, Pinto commented, "why bother hacking companies when we can just email the CFO and get him to send us money?"
The BEC figures come from a new DBIR partner this year, the FBI, which contributed data from its Internet Crime Complaint Center (FBI IC3), with a few new twists. One piece of good news, says Verizon, "is that the median loss for a business email compromise is approximately the same as the average cost of a used car. The bad news is that the dollar axis isn't linear. There are about as many breaches resulting in the loss of between zero and the median as there are between the median and $100 million."
Of course, the FBI's role isn't simply to chart BEC losses, but to recover them where possible. In the last year, it introduced its Recovery Asset Team (RAT). "When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank," says Verizon, "half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered."
Pinto suggests that the real narrative of this year's DBIR is that everything changes, yet nothing changes. "That's my take on the narrative of the report," he told SecurityWeek; "the more things change, the more they stay the same." The hackers still hack servers and still deliver phishing emails; but they move to the easier targets with greater returns. "Even though we see specific targets and attack locations change," adds Bryan Sartin, Verizon's executive director of security professional services, "ultimately the tactics used by the criminals remain the same."