Key Takeaways from the 2020 Verizon Data Breach Investigations Report (DBIR)

Another year has brought us another Verizon DBIR. The Verizon 2020 Data Breach Investigations Report has loads of insightful commentary and telling statistics for its readers and shouldn’t be missed by anyone in the InfoSec community. However, this year’s DBIR sits at 119 total pages, and 119 pages is a lot to read and digest. Luckily for our readers, we have read the document and aim to provide a “key takeaways” resource to reinforce what you’ve read or provide those without time to dedicate to the reading with an executive summary.

What is the Verizon DBIR?

The Verizon Data Breach Investigations Report (DBIR) is a yearly cybersecurity report published by Verizon. This report includes information on 32,002 data breach-related incidents, 3,950 of which were confirmed breaches. This report aims to aggregate this data and pick out key themes, tactics, and stories used by attackers to breach security defenses. This large breadth of information is why the report can be daunting for even long time security professionals, let alone those new to the industry.

The purpose of the DBIR is to “keep your team informed of danger and/or help stakeholders throughout your organization understand the need for improved security.” This report allows readers to “get the executive-level view of the latest threats” all in one location. The report breaks down to a more granular level as well, allowing you to view insightful data “by the slice.” This detail allows readers to take a look at the breaches categorized by geographics, trends, actions, breach events, data types, patterns, and even industries.

A Quick Tip - Use the Cheat Sheet Provided in the DBIR

Like previously stated, we recommend actually reading the Verizon DBIR, regardless of whether it’s all at once or in bite-sized chunks. With this being said, the reading is filled with industry-specific jargon. This jargon isn’t always universal in the field, and especially isn’t for readers who aren’t full-time security pros. Be sure to read over this cheat sheet provided at the beginning of the DBIR before reading and reference it whenever you are unfamiliar with a specific term or section of the report.

Without further delay, the following are some of the key takeaways from the 2020 Verizon Data Breach Investigations Report:

People Are Often the Weakest Link in an Organization

Most people envision their cyber adversaries as hooded geeks wielding an arsenal of zero-day exploits to bypass even the most complex controls. This vulnerability allows said individual to hack into an uber-complex system and secure valuable loot. While this is a real aspect of cybersecurity, the most common way hackers infiltrate systems in 2020 is through people themselves. According to the DBIR, in 2020 “67% of all confirmed breaches analyzed in this report came from user credentials being leaked, misconfiguration in cloud assets and web apps, and social engineering attacks.” Of that total, 43% of the breaches came with the primary attack vector being a web application.

These statistics show that while maintaining strong code and limiting attack vectors are vital, it’s just as vital to invest in educating your employees on safe use of their accounts and devices in order to minimize your cybersecurity risk. 

The top 4 weakest links for organizations are listed below:

  1. People
  2. Improperly developed web applications
  3. Misconfigurations
  4. Lack of defense in depth

Reducing Dwell Time is not Enough to Ensure Data Security

Dwell time (in cybersecurity): The total time duration from when a threat actor has first obtained undetected access in a network until they’re completely removed.

Dwell time is a metric that many cybersecurity teams aim to cut down on. The logic behind this is that the less time an attacker has in a network, the less damage they can do to the company. And some good news from an otherwise gloomy report is that cybersecurity pros have cut down on the average dwell time for breaches. However, this statistic will likely cause a change in behavior by attackers as opposed to a widespread decrease in data theft. 

So while we in the cybersecurity industry have gotten better at detection, this dwell time improvement is tied and aligned to the large increase in ransomware attacks in the past year. Ransomware attacks do not take a long time to inject into organizations and can cause significant damage to a company in a short timeframe. This is all to say that while key metrics like dwell time are important to monitor and improve, they are not the end-all-be-all of cybersecurity.

External Actors are Still Your Arch Enemy

While there is growing belief that inside threats are “public enemy #1” in the industry, Verizon included telling statistics to combat this theory. Verizon states that “external actors still carry out 70% of the breaches.” Verizon goes on to state that “external actors are considerably more common in our data than are internal attackers, and always have been.” These attacks by external parties are also typically financially motivated. The report states that 86% were financially motivated and 55% were carried out by organized cybercrime groups. 

While external attacks are just as common as they’ve always been, attackers are often very close to their victims. This report states that 85% of attackers were from the same country as their prey, 56% were in the same state, and 35% were actually stationed in the same city. These numbers are likely due to an increase in access points and an ability to learn more about the company and its security operations.

Zombie Credentials Tend to Live Forever

It seems like there is a new data breach everyday – and unfortunately, attackers are often taking the easy way through the front door. Humans love to re-use their usernames and passwords for multiple web applications and systems.. This trend isn’t due to a constant breaking of defenses and discovery of new password data, but rather a new leak or vulnerability from previously obtained credential data. Attackers have a pre-existing credential base of millions of account passwords to try and use on your website, VPN gateway, remote desktop, and more. These credentials are used, stored, then used again. The result is a set of information that dies and then rises again and again as a “zombie.”

The takeaway point here is that once credentials die in a breach they won’t stay dead for long. Because of this fact, it’s vital to establish multi-factor authentication on as many accounts and devices as possible.

Closing Thoughts

The 2020 Verizon DBIR has an extensive amount of insightful data and commentary. We at PlexTrac strongly recommend checking it out, because there simply is too much information to condense into one blog post.

We are also curious to read the 2021 DBIR, as it will inevitably show a large shift in data content given there will be  plenty of time to see the lasting impact of the global COVID-19 pandemic.

Check Out Our Latest Posts