2019 Data Breach Investigations Report (PDF)
2019 Data Breach Investigations Report

A couple of tidbits

Before we formally introduce you to the 2019 Data Breach Investigations Report (DBIR), let us get some clarifications out of the way first to reduce potential ambiguity around terms, labels, and figures that you will find throughout this study.

VERIS resources

The terms “threat actions,” “threat actors,” “varieties,” and “vectors” will be referenced a lot. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here are some select definitions followed by links with more information on the framework and on the enumerations.

Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign, or an employee who leaves sensitive documents in their seat back pocket.

Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. Examples at a high level are hacking a server, installing malware, and influencing human behavior.

Variety: More specific enumerations of higher-level categories, e.g., classifying the external “bad guy” as an organized criminal group, or recording a hacking action as SQL injection or brute force.

Learn more here:
github.com/vz-risk/dbir/tree/gh-pages/2019 has the DBIR figures and figure data.
veriscommunity.net features information on the framework with examples and enumeration listings.
github.com/vz-risk/veris features the full VERIS schema.
github.com/vz-risk/vcdb provides access to our database on publicly disclosed breaches, the VERIS Community Database.
veriscommunity.net/veris_webapp_min.html allows you to record your own incidents and breaches. Don't fret, it saves any data locally and you only share what you want.

Incident vs. breaches

We talk a lot about incidents and breaches and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party.

Industry labels

We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses 2 to 6 digit codes to classify businesses and organizations. Our analysis is typically done at the 2-digit level and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. 52 is the NAICS code for the Finance and Insurance sector. The overall label of “Financial” is used for brevity within the figures. Detailed information on the codes and classification system is available here: census.gov/cgi-bin/sssd/naics/naicsrch?chart=2017

New chart, who dis?

You may notice that the bar chart shown may not be as, well, bar-ish as what you may be used to. Last year we talked a bit in the Methodology section about confidence. When we say a number is X, it's really X +/- a small amount. This year we're putting it in the bar charts. The black dot is the value, but the slope gives you an idea of the range the real value could fall within. In this sample figure we've added a few red bars to highlight it, but in 19 bars out of 20 (95%),[1] the real number will be between the two red lines on the bar chart. Notice that as the sample size (n) goes down, the bars get farther apart. If the lower bound of the range on the top bar overlaps with the higher bound of the bar beneath it, they are treated as statistically similar and thus statements that x is more than y will not be proclaimed.

[Figure 1. Top asset variety in breaches (sample figure; chart data not recoverable from the extraction)]

Questions? Comments? Brilliant ideas? We want to hear them. Drop us a line at dbir@verizon.com, find us on LinkedIn, tweet @VZEnterprise with the #dbir. Got a data question? Tweet @VZDBIR!

[1] en.wikipedia.org/wiki/Confidence_interval

Table of contents

Introduction 4
Summary of findings 5
Results and analysis 6
Unbroken chains 20
Incident classification patterns and subsets 24
Data breaches: extended version 27
Victim demographics and industry analysis 30
Accommodation and Food Services 35
Educational Services 38
Financial and Insurance 41
Healthcare 44
Information 46
Manufacturing 49
Professional, Technical and Scientific Services 52
Public Administration 55
Retail 58
Wrap up 61
Year in review 62
Appendix A: Transnational hacker debriefs 65
Appendix B: Methodology 68
Appendix C: Watching the watchers 71
Appendix D: Contributing organizations 75

Introduction

If you didn't expect a Stan Lee reference in this report, then you are certainly a first-time reader. Welcome to the party pal!

Welcome! Pull up a chair with the 2019 Verizon Data Breach Investigations Report (DBIR). The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident data sets contributed by several security vendors. This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets are also provided. This affords the reader yet another means to analyze breaches and to find commonalities above and beyond the incident classification patterns that you may already be acquainted with. Fear not, however.
The nine incident classification patterns are still around, and we continue to focus on how they correlate to industry. In addition to the nine primary patterns, we have created a subset of data to pull out financially-motivated social engineering (FMSE) attacks that do not have a goal of malware installation. Instead, they are more focused on credential theft and duping people into transferring money into adversary-controlled accounts. In addition to comparing industry threat profiles to each other, individual industry sections are once again front and center.

Joining forces with the ever-growing incident/breach corpus, several areas of research using non-incident data sets such as malware blocks, results of phishing training, and vulnerability scanning are also utilized. Leveraging, and sometimes combining, disparate data sources (like honeypots and internet scan research) allows for additional data-driven context. It is our charge to present information on the common tactics used by attackers against organizations in your industry. The purpose of this study is not to rub salt in the wounds of information security, but to contribute to the “light”[2] that raises awareness and provides the ability to learn from the past. Use it as another arrow in your quiver to win hearts, minds, and security budget. We often hear that this is “required reading” and strive to deliver actionable information in a manner that does not cause drowsiness, fatigue, or any other adverse side effects.

We continue to be encouraged and energized by the coordinated data sharing by our 73 data sources, 66 of which are organizations external to Verizon. This community of data contributors represents an international group of public and private entities willing to support this annual publication. We again thank them for their support, time, and, of course, DATA. We all have wounds, none of us knows everything, let's learn from each other. Excelsior!
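The confidence bars described under “New chart, who dis?” above, worked through as an added example that is not part of the report: it computes a 95% interval for a proportion with the Wilson score method (chosen here for illustration; the report's own interval computation is not reproduced), applies the reading rule that two bars whose ranges overlap are treated as statistically similar, and draws text bars from constructed counts, not DBIR data.

```python
import math

Z95 = 1.96  # two-sided 95% normal quantile: "19 bars out of 20"


def wilson_interval(k, n, z=Z95):
    """Wilson score interval for a proportion observed as k of n.

    Returns (point_estimate, lower, upper). Unlike the naive p +/- z*sqrt(p(1-p)/n),
    the Wilson interval stays inside [0, 1] and behaves sensibly for small n.
    """
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need 0 <= k <= n and n > 0")
    p = k / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return p, max(0.0, centre - half), min(1.0, centre + half)


def can_claim_more(k_top, n_top, k_below, n_below):
    """DBIR reading rule: say "top is more than below" only when the top bar's
    lower bound clears the upper bound of the bar beneath it; otherwise the two
    bars are treated as statistically similar."""
    p_top, lo_top, _ = wilson_interval(k_top, n_top)
    p_below, _, hi_below = wilson_interval(k_below, n_below)
    return p_top > p_below and lo_top > hi_below


def render_bar(label, k, n, width=50):
    """Text version of the report's bar: '=' spans the 95% range, '*' is the value."""
    p, lo, hi = wilson_interval(k, n)
    cells = [" "] * width
    for i in range(int(lo * width), min(width, int(hi * width) + 1)):
        cells[i] = "="
    cells[min(width - 1, int(p * width))] = "*"
    return f"{label:<20}|{''.join(cells)}| {p:.0%} (n={n})"


if __name__ == "__main__":
    # Constructed sample counts, not DBIR data: the same 30% share at three
    # sample sizes shows the range widening as n drops; the two comparisons
    # show when a "more than" statement is allowed under the overlap rule.
    for label, k, n in [("Server, n=1000", 300, 1000), ("Server, n=100", 30, 100),
                        ("Server, n=10", 3, 10)]:
        print(render_bar(label, k, n))
    print("35% vs 30% at n=100  ->", can_claim_more(35, 100, 30, 100))      # False
    print("40% vs 30% at n=1000 ->", can_claim_more(400, 1000, 300, 1000))  # True
```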
[2] “The wound is the place where the light enters you.” Rumi

Summary of findings

[Summary of findings figures: chart data not recoverable from the extraction]

Results and analysis

The results found in this and subsequent sections within the report are based on a data set collected from a variety of sources such as publicly-disclosed security incidents, cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, and by our external collaborators. The year-to-year data set(s) will have new sources of incident and breach data as we strive to locate and engage with organizations that are willing to share information to improve the diversity and coverage of real-world events. This is a convenience sample, and changes in contributors, both additions and those who were not able to participate this year, will influence the data set. Moreover, potential changes in their areas of focus can stir the pot o' breaches when we trend over time. All of this means we are not always researching and analyzing the same fish in the same barrel. Still other potential factors that may affect these results are changes in how we subset data and large-scale events that can sometimes influence metrics for a given year. These are all taken into consideration, and acknowledged where necessary, within the text to provide appropriate context to the reader.

With those cards on the table,[3] a year-to-year view of the actors (and their motives), followed by changes in threat actions and affected assets over time is once again provided. A deeper dive into the overall results for this year's data set with an old-school focus on threat action categories follows. Within the threat action results, relevant non-incident data is included to add more awareness regarding the tactics that are in the adversaries' arsenal.

Defining the threats

Threat actor is the terminology used to describe who was pulling the strings of the breach (or if an error, tripping on them). Actors are broken out into three high-level categories of External, Internal, and Partner. External actors have long been the primary culprits behind confirmed data breaches and this year the trend continues. There are some subsets of data that are removed from the general corpus, notably over 50,000 botnet-related breaches. These would have been attributed to external groups and, had they been included, would have further increased the gap between the External and Internal threat.

Financial gain is still the most common motive behind data breaches where a motive is known or applicable (errors are not categorized with any motive). This continued positioning of personal or financial gain at the top is not unexpected. In addition to the botnet breaches that were filtered out, there are other scalable breach types that allow for opportunistic criminals to attack and compromise numerous victims.[4] Breaches with a strategic advantage as the end goal are well-represented, with one-quarter of the breaches associated with espionage. The ebb and flow of the financial and espionage motives are indicative of changes in the data contributions and the multi-victim sprees. This year there was a continued reduction in card-present breaches involving point of sale environments and card skimming operations. Similar percentage changes in organized criminal groups and state-affiliated operations are shown in Figure 8 above.

Another notable finding (since we are already walking down memory lane) is the bump in Activists, who were somewhat of a one-hit wonder in the 2012 DBIR with regard to confirmed data breaches. We also don't see much of Cashier (which also encompasses food servers and bank tellers) anymore. System administrators are creeping up and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors. These are either by misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers. Please, close those buckets!

[3] And we show the whole deck in Appendix B: Methodology.
[4] In Appendix C: “Watching the Watchers”, we refer to these as zero-marginal cost attacks.

[Figure 9 and Figure 10: threat action categories and affected asset categories in breaches over time; chart data not recoverable from the extraction]

Figures 9 and 10 show changes in threat actions and affected assets from 2013 to 2018.[5,6] No, we don't have some odd affinity for seven-year time frames (as far as you know). Prior years were heavily influenced by payment card breaches featuring automated attacks on POS devices with default credentials, so 2013 was a better representative starting point. The rise in social engineering is evident in both charts, with the action category Social and the related human asset both increasing.

Threat action varieties

When we delve a bit deeper and examine threat actions at the variety level, the proverbial questio