Verizon Data Breach Investigations Report Reveals Ransomware Surge

While some numbers have shifted, a Verizon researcher says that, year-over-year, little has actually changed and the same types of attacks continue to be successful.

Verizon 2017 DBIR

Verizon has released its 10th annual Data Breach Investigations Report (DBIR), providing insight into how cyber-attackers are exploiting organizations. Among the key trends that Verizon observed in 2016 is the growing use of ransomware, though overall, the techniques used in past years to exploit organizations are still being used.

The 2017 DBIR report doesn't measure everything in quite the same way as past DBIR reports, which can make some year-over-year comparisons difficult. For starters, the official press release for the 2017 DBIR states that 42,068 incidents were analyzed in the new report, of which 1,935 were breaches. In contrast, eWEEK reported last year that the 2016 DBIR report was based on an analysis of 100,000 security incidents, of which 2,260 were confirmed data breaches.

Gabe Bassett, senior information security data scientist at Verizon Enterprise Solutions, explained that Verizon filters the data set it receives. For 2016, the actual filtered data set used by Verizon was in fact approximately 60,000 incidents—still some 20,000 more incidents than what Verizon is including in the 2017 report. There are several reasons for the lower incident count, including fewer point-of-sale and botnet-related incidents, Bassett said.

The other big change in the 2017 DBIR report is increased detail around specific industry verticals.

"It turns out that the attacks that target organizations can be different from industry to industry," Bassett told eWEEK. "For example, manufacturing has the lowest median DDoS [distributed denial-of-service] attack level, but the highest level of espionage-related breaches."

Financial services organizations, on the other hand, are more likely than other industry verticals to have botnet-related breaches, he said. While different industries experience different types of attacks, Bassett said one thing that doesn't change is why hackers attack any type of organization.

"The majority of attacks are financially motivated," he said, "with espionage representing the majority of the non-financial attacks."

One key takeaway from the DBIR report is that over the years the ways attackers are exploiting organization haven't changed much.

"If you have read the last 10 reports, it will be obvious to you that things like phishing, malware and credential theft still work," Bassett said. "The same attacks that worked last year worked this year."

The unfortunate reality of the modern threat landscape is that there are a lot of easy targets for attackers. "It's like shooting fish in a barrel," he said. "That's where a security strategy can help organizations—it can move them out of the barrel."

One thing that has changed over time is how organizations detect breaches. In past years, third-party discovery of breaches was a growing trend, but that's not the case in the 2017 report. Increasingly, internal resources at organizations are the first to discover breaches, which is a good trend, according to Bassett.

"If the goal is to detect breaches faster, the internal detection rate is important," he said.

In past years, Verizon also looked specifically at actual vulnerabilities, but that isn't a core focus in the 2017 report. Bassett said the actual vulnerabilities are immaterial; what's more impactful is understanding vulnerable conditions, which he explained as being attacks like phishing.

"This year, less than 10 percent of breaches can be attributed to any new technical vulnerability," Bassett said. 

In contrast, 31 percent of breaches in the 2017 DBIR across industries that have mandatory breach reporting requirements were due to some form of user error, he said.

Verizon, like many other security vendors, did notice a significant rise in the volume ransomware in 2016. The 2017 DBIR reports a 50 percent increase in ransomware over the 2016 report. Phishing was identified as the root cause of 43 percent of breaches analyzed in the report. Weak or stolen user credentials were a common component in 81 percent of breaches in the 2017 DBIR.

Hope for 2017

"The attacks that occurred last year—phishing, ransomware and credential theft—are not going away," Bassett said. "There has been a decrease in point-of-sale attacks, and I hope that will continue."

Bassett expects to see more creativity in ransomware over the course of 2017 as cyber-attackers aim to generate more revenue.

There are things that users and organizations can and should do to help limit risk of exploitation. Bassett said that many IT security professionals have the impression that many cyber-attackers are some form of super-human elite hacker.

"The reality is that most hackers are just going to work, with their own quotas, trying to make a buck," he said. "You might not be able to beat the elite hacker that won the DefCon Capture the Flag competition, but you can certainly beat the attacker that is phishing your organization."

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.