2020 Data Breach Investigations Report (English version).pdf
Data Breach Investigations Report 2020

That is what you are seeing. Each of these squares is organized by the 16 different industries and four world regions we cover in this year's report. Each square represents roughly one breach (1.04 to be more exact), for a total of 4,675 squares, since breaches can be displayed in both their industry and region. We also analyzed a record total of 157,525 incidents, 32,002 of which met our quality standards. The data coverage this year is so comprehensive that it shines through the monochromatic front cover, reinforcing the mission of the DBIR as being a data-driven resource. Turn the page to dig into the findings.

Table of contents

01 DBIR Cheat sheet 4
   Introduction 6
   Summary of findings 7
02 Results and analysis 8
   Actors 10
   Actions 12
   Threat action varieties 13
   Error 14
   Malware 15
   Ransomware 16
   Hacking 19
   Social 24
   Assets 26
   Attributes 29
   How many paths must a breach walk down? 31
   Timeline 34
   Incident classification patterns and subsets 35
03 Industry analysis 39
   Accommodation and Food Services (NAICS 72) 44
   Arts, Entertainment and Recreation (NAICS 71) 46
   Construction (NAICS 23) 48
   Educational Services (NAICS 61) 50
   Financial and Insurance (NAICS 52) 52
   Healthcare (NAICS 62) 54
   Information (NAICS 51) 57
   Manufacturing (NAICS 31-33) 59
   Mining, Quarrying, and Oil & Gas Extraction + Utilities (NAICS 21 + 22) 62
   Other Services (NAICS 81) 64
   Professional, Scientific and Technical Services (NAICS 54) 66
   Public Administration (NAICS 92) 69
   Real Estate and Rental and Leasing (NAICS 53) 71
   Retail (NAICS 44-45) 73
   Transportation and Warehousing (NAICS 48-49) 76
04 Does size matter? A deep dive into SMB breaches 78
05 Regional analysis 83
   Northern America (NA) 86
   Europe, Middle East and Africa (EMEA) 90
   Asia-Pacific (APAC) 93
   Latin America and the Caribbean (LAC) 97
06 Wrap-up 100
   CIS Control recommendations 101
   Year in review 104
07 Appendices 107
   Appendix A: Methodology 108
   Appendix B: VERIS Common Attack Framework (VCAF) 112
   Appendix C: Following the money: the key to nabbing the cybercriminal 114
   Appendix D: State of Idaho enhances incident response program with VERIS 116
   Appendix E: Contributing organizations 118

2020 DBIR Table of contents 3

DBIR Cheat sheet

Hello, and welcome to the 2020 Data Breach Investigations Report (DBIR)! We have been doing this report for a while now, and we appreciate that all the verbiage we use can be a bit obtuse at times. We use very deliberate naming conventions, terms and definitions and spend a lot of time making sure we are consistent throughout the report. Hopefully, this section will help make all of those more familiar.

VERIS resources

The terms “threat actions,” “threat actors” and “varieties” will be referenced a lot. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here is how they should be interpreted:

Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign or an employee who leaves sensitive documents in their seat-back pocket.

Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error and Environmental. Examples at a high level are hacking a server, installing malware and influencing human behavior through a social attack.

Variety: More specific enumerations of higher-level categories, e.g., classifying the external “bad guy” as an organized criminal group or recording a hacking action as SQL injection or brute force.

Learn more here:
github.com/vz-risk/dbir/tree/gh-pages/2020 includes DBIR facts, figures and figure data.
veriscommunity.net features information on the framework with examples and enumeration listings.
github.com/vz-risk/veris features the full VERIS schema.
github.com/vz-risk/vcdb provides access to our database on publicly disclosed breaches, the VERIS Community Database.
veriscommunity.net/veris_webapp_min.html allows you to record your own incidents and breaches. Don't fret, it saves any data locally and you only share what you want.

Incident vs breach

We talk a lot about incidents and breaches and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.

Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level. We will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. “52” is the NAICS code for the Finance and Insurance sector. The overall label of “Financial” is used for brevity within the figures. Detailed information on the codes and classification system is available here: census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012

Dotting the charts and crossing the confidence

Last year, we introduced our now (in)famous slanted bar charts to show the uncertainty due to sampling bias.[1] One tweak we added this year was to roll up an “Other” aggregation of all the items that do not make the cut on our “Top (whatever)” charts. This will give you a better sense of the things we left out.
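To make the VERIS vocabulary from this cheat sheet concrete, the following is an added example (not code from the DBIR or the VERIS project) that sorts a handful of VERIS-style records into incidents versus breaches and tallies threat-action categories, varieties and actor types the way the report's figures do. The field layout (actor.<type>.variety, action.<category>.variety, attribute.confidentiality.data_disclosure) follows the published VERIS JSON schema; the five records themselves are constructed for illustration and are not real cases.

```python
"""Classify VERIS-style records into incidents vs breaches and tally actions.

Added example, not code from the DBIR or the VERIS project. The field layout
follows the public VERIS schema; the sample records below are constructed.
"""
from collections import Counter

# The seven primary VERIS threat-action categories named in the cheat sheet.
ACTION_CATEGORIES = ("malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental")

# Constructed sample records (not real incidents). Each mirrors the VERIS JSON
# layout: actor.<type>.variety, action.<category>.variety and
# attribute.confidentiality.data_disclosure (Yes / Potentially / No / Unknown).
RECORDS = [
    {"incident_id": "sample-001",
     "actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["Use of stolen creds"]},
                "social": {"variety": ["Phishing"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "sample-002",
     "actor": {"internal": {"variety": ["End-user"]}},
     "action": {"error": {"variety": ["Misdelivery"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "sample-003",
     "actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"malware": {"variety": ["Ransomware"]}},
     "attribute": {"availability": {"variety": ["Obscuration"]},
                   "confidentiality": {"data_disclosure": "No"}}},
    {"incident_id": "sample-004",
     "actor": {"external": {"variety": ["Unknown"]}},
     "action": {"hacking": {"variety": ["Brute force"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Potentially"}}},
    {"incident_id": "sample-005",
     "actor": {"internal": {"variety": ["System admin"]}},
     "action": {"error": {"variety": ["Misconfiguration"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
]


def is_breach(record):
    """A breach needs *confirmed* disclosure; 'Potentially' is only an incident."""
    conf = record.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"


def action_categories(record):
    """Top-level action categories present (one record may carry several)."""
    return [c for c in ACTION_CATEGORIES if c in record.get("action", {})]


def action_varieties(record):
    """(category, variety) pairs, e.g. ('hacking', 'Use of stolen creds')."""
    pairs = []
    for cat in action_categories(record):
        for variety in record["action"][cat].get("variety", []):
            pairs.append((cat, variety))
    return pairs


def actor_types(record):
    """Who was behind it: external, internal and/or partner."""
    return [t for t in ("external", "internal", "partner")
            if t in record.get("actor", {})]


def summarize(records):
    """Counts in the report's style: every record is an incident, a subset are breaches.

    Because a record can carry more than one action category, the per-category
    counts can add up to more than the number of breaches.
    """
    breaches = [r for r in records if is_breach(r)]
    categories = Counter(c for r in breaches for c in action_categories(r))
    varieties = Counter(v for r in breaches for v in action_varieties(r))
    actors = Counter(t for r in breaches for t in actor_types(r))
    return {
        "incidents": len(records),
        "breaches": len(breaches),
        "breach_action_categories": dict(categories),
        "breach_action_varieties": dict(varieties),
        "breach_actor_types": dict(actors),
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

Run as a script, it reports 5 incidents and 3 breaches: the ransomware case (data_disclosure "No") and the brute-force case ("Potentially") stay incidents under the definitions above, while the record with both a hacking and a social action is counted once in each category.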
Not to be outdone this year, our incredible team of data scientists decided to try dot plots[2] to provide a better way to show how values are distributed. The trick to understanding this chart is that the dots represent organizations. So if there are 100 dots (like in each chart in Figure 1), each dot represents 1% of organizations.

In Figure 1, we have three different charts, each representing common distributions you may find in this report. For convenience, we have colored the first half and the second half differently so it's easier to locate the median. In the first chart (High), you see that a lot of companies had a very large value[3] associated with them. The opposite is true for the second one (Low), where a large number of the companies had zero or a low value. On the third chart (Medium), we got stuck in the middle of the road, and all we can say is that most companies have that middle value. Using the Medium chart, we could probably report an average or a median value. For the High and Low ones, an average is statistically undefined and the median would be a bit misleading. We wouldn't want to do you like that.

[1] Check “New chart, who dis?” in the “A couple of tidbits” section on the inside cover of the 2019 DBIR if you need a refresher on the slanted bar charts.
[2] To find out more about dot plots, check out Matthew Kay's paper: /mjskay/papers/chi2018-uncertain-bus-decisions.pdf
[3] Don't worry about what the value is here. We made it up to make the charts pretty. And don't worry later either, we'll use a real value for the rest of the dot plots.

Questions? Comments? Still mad because VERIS uses the term “Hacking”? Let us know! Drop us a line at dbir@verizon.com, find us on LinkedIn, tweet @VerizonBusiness with the #dbir. Got a data question? Tweet @VZDBIR!

[4] cisecurity.org
[5] attack.mitre.org

Introduction

Here we are at another edition of the DBIR.
This is an exciting time for us as our little bundle of data turns 13 this year. That means that the report is going through a lot of big changes right now, just as we all did at that age. While some may harbor deeply rooted concerns regarding the number 13 and its purported associations with mishap, misadventure and misfortune, we here on the team continue to do our best to shine the light of data science into the dark corners of security superstition and dispel unfounded beliefs. With that in mind, we are excited to ask you to join us for the report's coming-of-age party. If you look closely, you may notice that it has sprouted a few more industries here and there, and has started to grow a greater interest in other areas of the world.

This year, we analyzed a record total of 157,525 incidents. Of those, 32,002 met our quality standards and 3,950 were confirmed data breaches. The resultant findings are spread throughout this report. This year, we have added substantially more industry breakouts for a total of 16 verticals (the most to date) in which we examine the most common attacks, actors and actions for each. We are also proud to announce that, for the first time ever, we have been able to look at cybercrime from a regional viewpoint, thanks to a combination of improvements in our statistical processes and protocols and, most of all, to data provided by new contributors, making this report arguably the most comprehensive analysis of global data breaches in existence.

“Experience is merely the name men gave to their mistakes.” Oscar Wilde, The Picture of Dorian Gray

We continue to use the VERIS framework to classify and analyze both incidents and breaches, and we have put additional focus on this process in order to improve how VERIS connects and interacts with other existing standards.
We also aligned with the Center for Internet Security (CIS) Critical Security Controls[4] and the MITRE ATT&CK[5] framework to improve the types of data we can collect for this report, and to map them to appropriate controls.

A huge “thank you” is in order to each and every one of our 81 contributors representing 81 countries, both those who participated for the first time in this year's report, and those tried-and-true friends who have walked this path with us for many years. This document, and the data and analysis it contains, would not be possible without you, and you have our most sincere thanks and heartfelt gratitude. And while we are on that topic, the way to continue to grow and improve is to have more quality organizations like yours join us in this fight against the unknown and the uncertain. Therefore, we urge you to consider becoming a data contributor and help us to continue to shed light into dark places.

Finally, thank you, our readers, for sticking with us these many years and for sharing your expertise, advice, encouragement and suggestions so that we can continue to make this report better each year.

Sincerely,
The DBIR Team (in alphabetical order)
Gabriel Bassett, C. David Hylender, Philippe Langlois, Alexandre Pinto, Suzanne Widup

Summary of findings

[The summary-of-findings charts on this page did not survive extraction; only the section title is recoverable.]

Results and analysis

The results found in this and subsequent sections within the report are based on a dataset collected from a variety of sources, including cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, cases provided by our external collaborators and publicly disclosed security incidents. The year-to-year data will have new incident and breach sources as we continue to strive to locate and engage with additional organizations that are willing to share information to improve the diversity and coverage of real-world events.
This is a sample of convenience,[6] and changes in contributors (both additions and those who were not able to contribute this year) will influence the dataset. Moreover, potential changes in contributors' areas of focus can shift bias in the sample over time. Still other potential factors, such as how we filter and subset the data, can affect these results. All of this means that we are not always researching and analyzing the same population. However, they are all taken into consideration and acknowledged where necessary within the text to provide appropriate context to the reader. Having said that, the consistency and clarity we see in our data year-to-year gives us confidence that while the details may change, the major trends are sound.

Now that we have covered the relevant caveats, we can begin to examine some of the main trends you will see while reading through this report. When looking at Figure 6 below, let's focus for a moment on the Trojan[7] line. When many people think of how hacking attacks play out, they may well envision the attacker dropping a Trojan on a system and then utilizing it as a beachhead in the network from which to launch other attacks, or to expand the current one. However, our data shows that this type of malware peaked at just under 50% of all breaches in 2016, and has since dropped to only a sixth of what it was at that time (6.5%). Likewise, the trend of falling RAM-scraper malware that we first noticed last year continues. We will discuss that in more detail in the “Retail” section. As this type of malware decreases, we see a corresponding increase in other types of threats. As time goes on, it appears that attackers become increasingly efficient and lean more toward attacks such as phishing and credential theft. But more on those in the “Social” and “Hacking” subsections respectively. Other big players this year, such as Misconfiguration and Misdelivery, will be examined in the “Error” subsection.
[6] Convenience sampling is a type of nonrandom sampling that involves the sample being drawn from that part of the population that is close to hand or available. Mor