2021 Data Breach Investigations Report (English edition).pdf
About the cover

There are eight pendulums on the cover. Each pendulum represents one of the new patterns in the DBIR. The weight of the pendulum represents how often the pattern occurs. The length of the pendulum is how often they are breaches, as opposed to simply incidents. Just like in security, it's difficult to predict where they'll be in the future.

Table of contents

01 DBIR Master's Guide 4
Introduction 6
Summary of findings 7
02 Results and Analysis 8
Actor 12
Action 15
Assets 19
Attribute 22
Timeline 24
Impact 25
03 Incident Classification Patterns 29
Denial of Service 35
Lost and Stolen Assets 41
Miscellaneous Errors 43
Privilege Misuse 46
Social Engineering 49
System Intrusion 54
Basic Web Application Attacks 58
Everything Else 62
04 Industries 64
Introduction to industries 65
Accommodation and Food Services 69
Arts, Entertainment and Recreation 71
Educational Services 73
Financial and Insurance 75
Healthcare 76
Information 77
Manufacturing 79
Mining, Quarrying, and Oil

it's your run-of-the-mill DBIR chart with all the slanted bar-charted goodness, courtesy of our Misuse action varieties.5 We have a few big things up top, and a lot of stuff near the end. One valid way to interpret this is that the top bar or two are the norm of what may happen, namely in this example "Privilege abuse" and "Data mishandling." Those are the Action varieties that are understood to be so common that, if they were to cause a breach, someone (most likely on a bird website) would say, "That organization should have known better!"

3 Convenience sampling is a type of nonrandom sampling that involves the sample being drawn from that part of the population that is close at hand or available. More details can be found in our "Methodology" section.
4 Though we do suggest you put your money on "Trail Blazer" in the third.
5 Where are my insider threat fans at? Whoop whoop!

Figure 9. Misuse varieties in breaches (n=178)

The DBIR is not in the business of prediction,4 but it can go a long way to help you shape your response strategy in the face of an uncertain future.

2021 DBIR Results and Analysis 10

Suffice it to say, there's a great deal of inequality in the frequencies of the varieties shown. Those small bars are the extraordinary and uncommon attacks that could happen but are unlikely. If they were to cause a breach the victim would claim, "It was an advanced attack. There was nothing that anyone could have done."6

However, if you take all those small bars on the Action varieties and add their breach frequencies together, you get Figure 10. Now it doesn't look quite so uncommon anymore, does it? In fact, in this example it appears that a breach is just as likely to be caused by one of our myriad exceptions as it is to be caused by our second most likely Action variety.

But does breach data always behave like this? Rather than show you lots of bar charts,7 we're going to condense that concept down into a single number. Figures 11 and 12 show some data with different levels of inequality. We use the word "inequality" not by chance, but to introduce the fact that we can calculate the Gini coefficient8 to represent this long tail behavior.

The Gini coefficient is a measure of statistical dispersion most commonly used to represent the income or wealth inequality within a nation or other group of people.9 While it uses a lot of math none of us can be bothered with, it ultimately represents a completely equal outcome, where everyone has the same income (in other words, the "income per person" chart is a horizontal line), as a 0, and a world where one individual has all the income (in other words, all we have on the chart is a huge vertical spike somewhere) as a 1.

Let's bring this closer to our subject matter by looking at some security-related data, like how often your SIEM generates a group of critical alerts that need immediate review.
Anecdotally, you could attest that happens exactly "every time you are on-call," but humor us for a moment. In Figure 11, we generated some simulated example data that is perfectly smooth and looks horizontal on the chart; this one has an equality score of 0 (perfectly equal). Figure 12 has actual data representing the time interval between critical SIEM events, and it is extremely spiky.10 It has a Gini equality score of 0.95, demonstrating a huge variation in time between events. It's not just you: critical SIEM events fall into everyone's laps indiscriminately.

6 This report makes no claim about the validity of such a statement. Please refer to our official spokesperson and legal counsel. The data privacy of our readers is of the utmost importance to us.
7 And completely obliterate our page count budget.
8 en.wikipedia/wiki/Gini_coefficient
9 A less well-known fact is that the wish for wealth redistribution led to the phrase "Gini in a bottle." Not really, but it would have been cool if it did.
10 A technical term of art in Data Science, we assure you.

Figure 10. Top Misuse varieties in breaches (n=178)
Figure 11. Simulated time between SIEM events (n=1,335,343)
Figure 12. Time between SIEM events (n=1,335,343)

This complicated mathematical setup is to convey the reality that the DBIR data (incident and non-incident alike) is very unequal,11 but at least we can measure it. Figure 13 shows the equality scores for Action, Actor, Asset, and Attribute varieties and vectors over the last seven years. The scores range from about 0.73 to 0.94, or as we would say here, "high." Breach data may seem likely to always be the same, but some varieties are more equal than others.
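The measurement described above, as an added worked example that is not part of the report or the DBIR team's own tooling: the standard rank-based Gini formula applied to the gaps between critical alerts, plus the variety-count view of the same long tail (the "top few percent of varieties cause most breaches" reading). The alert timestamps and variety counts below are constructed for illustration and are not the data behind Figures 11, 12 or 13; the function and constant names are this example's own.

```python
import math
from datetime import datetime
from typing import Iterable, List, Sequence

# Constructed sample (not the report's data): ten critical SIEM alerts in one day,
# clustered the way on-call engineers experience them.
BURSTY_ALERTS = [
    "2021-03-01T02:00:00", "2021-03-01T02:00:10", "2021-03-01T02:00:25",
    "2021-03-01T02:00:40", "2021-03-01T02:01:00", "2021-03-01T09:30:00",
    "2021-03-01T14:00:00", "2021-03-01T14:01:00", "2021-03-01T14:02:00",
    "2021-03-01T23:45:00",
]

# Constructed "perfectly smooth" series: one alert per hour, the analogue of Figure 11.
SMOOTH_ALERTS = [f"2021-03-01T{h:02d}:00:00" for h in range(10)]

# Constructed breach counts per Action variety (20 varieties), a long-tailed shape.
VARIETY_COUNTS = [120, 60, 15, 8, 5, 3, 2, 2] + [1] * 12


def gini(values: Iterable[float]) -> float:
    """Gini coefficient of a non-negative sample: 0 = all equal, approaching 1 = one spike.

    Standard sorted-rank formula, with x sorted ascending and i = 1..n:
        G = 2 * sum(i * x_i) / (n * sum(x)) - (n + 1) / n
    """
    xs = sorted(float(v) for v in values)
    n = len(xs)
    total = sum(xs)
    if n == 0 or total == 0.0:
        return 0.0  # an empty or all-zero sample carries no inequality
    weighted = sum(i * x for i, x in enumerate(xs, start=1))
    return 2.0 * weighted / (n * total) - (n + 1) / n


def inter_arrival_seconds(timestamps: Sequence[str]) -> List[float]:
    """Seconds between consecutive alerts, the quantity Figures 11 and 12 plot."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]


def alert_gap_gini(timestamps: Sequence[str]) -> float:
    """Gini coefficient of the time-between-alerts series."""
    return gini(inter_arrival_seconds(timestamps))


def top_share(counts: Sequence[int], fraction: float) -> float:
    """Share of all breaches carried by the top `fraction` of varieties (rounded up).

    With fraction=0.03 this is the footnote-11 style statement
    "the top 3% of varieties are responsible for 87% of the breaches".
    """
    ordered = sorted(counts, reverse=True)
    k = max(1, math.ceil(len(ordered) * fraction))
    return sum(ordered[:k]) / sum(ordered)


if __name__ == "__main__":
    print(f"smooth alerts  Gini = {alert_gap_gini(SMOOTH_ALERTS):.3f}")
    print(f"bursty alerts  Gini = {alert_gap_gini(BURSTY_ALERTS):.3f}")
    print(f"variety counts Gini = {gini(VARIETY_COUNTS):.3f}")
    print(f"top 10% of varieties carry {top_share(VARIETY_COUNTS, 0.10):.1%} of breaches")
```

Run against your own SIEM export by replacing the constructed lists with the real alert timestamps and per-variety counts; a score near 0 means the load is steady, while a score in the 0.7 to 0.95 range the report describes means the work arrives in bursts and staffing should be planned for the exceptions, not the average.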
The reality is you don't need a crystal ball, a neural network or next-gen AI to tell you what the norm12 is. You can do that for yourself and plan accordingly. On the other hand, you can't solution your way out of the long tail. It is made up of a legion of little things that happen only rarely; they are the exceptions to the norm. Well, maybe you can if you have enough money. And some organizations that are in critical roles to our society have no choice but to try to do so. But from a purely monetary value, if you look at what breaches cost in the Impacts section, it's not a wise use of your organization's resources to engineer solutions for every single possible exception.13

Armed with the knowledge of what is the norm and what is the exception, an ideally optimized solution would be to engineer solutions for the norm, and train your security operation teams to handle the exceptions. Turns out humans are very flexible problem-solvers, and most love a good challenge occasionally.

11 We deeply apologize to the junior U.S. senator from Vermont for the fact that the top 3% of varieties are responsible for 87% of the breaches.
12 You're reading the DBIR, and that is a great step in the right direction, if we may say so.
13 This argument does not consider potential incidents where loss of life or the security of individuals is concerned, as it would make no sense to assign a monetary value to that, and would, in fact, be callous and cruel.

Figure 13. Inequality of enumerations in DBIR varieties and vectors for last 7 years

The next time we are up against a paradigm-shifting breach that challenges the norm of what is most likely to happen, don't listen to the ornithologists on the blue bird website chirping loudly that "We cannot patch manage or access control our way out of this threat," because in fact "doing the basics" will help against the vast majority of the problem space that is most likely to affect your organization.
Read on to learn what the normal actor has been up to for the last year, and pick out the areas where you can improve, against both the norm and the exception. Because the only way to predict the future is to change it yourself.

Actor

"All the world's a stage," and our threat actors "all have their exits and their entrances." We must admit that they seem to know their cues very precisely. However, at this point the analogy breaks down a bit, as rather than "playing their many parts"14 we seem to keep viewing the same performance repeated ad infinitum, as if forced to endlessly re-watch a recorded musical theater presentation on a streaming service.15

It seems clear that our External actors are not giving up their close-ups, as they continue year after year to dominate the Actor types in breaches as illustrated in Figure 14. As a reminder to our readers, the Internal type shown here will include breaches in which both Misuse actions (where the mythical winged internal threats live in our taxonomy) and Error actions (the oopsies) occurred. Of course, an External actor breaking into an organization by leveraging illicitly obtained credentials or other illegal access to pivot internally may initially resemble an internal threat before detailed incident forensics are engaged. But even though the call may be coming from inside the house, there is still a stranger on the line.

As in past years, financially motivated attacks continue to be the most common (Figure 15); likewise, actors categorized as Organized crime continue to be number one (Figure 16).

14 As You Like It, William Shakespeare.
15 Anyone know if the Cyber+ trademark is available?

Figure 14. Threat actor over time in breaches
Figure 15. Top threat actor motive over time in breaches
Figure 16. Top threat actor varieties in breaches (n=2,277)

However, since 2015 it is relatively common for State-sponsored actors to also crave that cold hard cash16 as the Financial motives for those actors have fluctuated between 6% and 16% of recorded breaches. Given this result, it should come as no surprise when you glance at Figure 17 and find that the two most common cybercrime terms found on criminal forums are bank account and credit card related.

Even as awareness of supply chain attacks has increased over the last few months, the overall percentage of incidents with a Secondary motive (where the ultimate goal of an incident was to leverage the victim's access, infrastructure or any other asset to conduct other incidents) has decreased slightly as a percentage from last year. There are two caveats here that should be kept in mind: the associated growth year-over-year of Financially motivated breaches, and that most Secondary motive breaches reported to us are simple in nature (which suggests the catastrophic ones on everyone's minds are still very much the exception).

16 Or the hot ethereal cryptocurrency.

Figure 17. Terms over time in criminal forums and marketplaces

However, Secondary is still in second place (fittingly enough) as a top Actor motive, as Figure 18 demonstrates. So, if you are a software developer or service provider that has assets that could be repurposed in that manner, please make sure you are paying the proper attention to the operational parts of your organization. In the same way automation may be helping you scale up your defensive operations, it can also help attackers scale up their offense. Figure 19 illustrates the relative occurrence of attack types in honeypot data.
Near the top of the attacker's opportunistic sales funnel, we see scanners. Down near the bottom are where the Remote Code Execution (RCE) attacks reside. Regardless of their placement in the figure, automation is likely to assist attackers in moving potential victims from the top of the funnel to the bottom. As such, it's important to limit your public facing attack surface, through asset management, defensive boundaries and intelligent patching.

Figure 18. Top Actor motives in incidents (n=5,085)
Figure 19. Ratio of days of high to low detection in honeypot data

Secondary motive subset

In the Secondary Motive subset, we had an additional 24,913 incidents of which only one was a known breach. In all of these incidents, web apps were attacked with a secondary motive by External actors. Beyond that, we know very little.

Action

Do we have an action-packed section for you, folks! Step right up, make room in the back so everyone can see! Figures 20 and 21 will reveal all you need to know about the frequency of Action varieties for the past year. We do not want to divert all of your attention from the brand-new incident patterns. So we saved additional details on how those Actions manifested in the wild for you to dig your teeth into there.

Figure 20. Top Action varieties in breaches (n=4,073)
Figure 21. Top Action varieties in incidents (n=24,362)

Talking the talk and acting the action

It would be impolite on our part not to address the virulent elephant17 in the room, so we have centered this initial analysis of Actions on evaluating how adapting to life in a pandemic-stricken world has impacted the threat landscape.
The DBIR team released a COVID-19 Threat Landscape Trends article18 in the middle of last year, and it is only fair that we revisit how our speculations (see how we avoided the word predictions?) fared.

17 Viruphant? Eleplent?
18

Figure 22 shows how the Actions we highlighted in that article varied in relation to last year's report. We highlighted Phishing, Use of stolen creds, Ransomware and Errors as Action varieties that could possibly increase. Even in a year as unexpected as 2020, there are some things we can trust to stay the same.

Phishing remains one of the top Action varieties in breaches and has done so for the past two years. Not content to rest on its scaly laurels, however, it has utilized quarantine to pump up its frequency to being present in 36% of breaches (up from 25% last year). This increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect.

Phishing continues to walk hand-in-hand with Use of stolen credentials in breaches as it has in the past. Admittedly, we expected to see an increase here due to a larger remote workforce. However, the numbers have remained in the region of 25% of breaches, which is still a significant number.

The major change this year with regard to action types was Ransomware coming out like a champ and grabbing third place in breaches (appearing in 10% of them, more than doubling its frequency from last year). This is also something we discussed, but this may have less to do with the changes in working arrangements than it does the shift in