Findings from the 2020 Verizon Data Breach Investigations Report
Introduction
The 2020 edition of the Verizon Data Breach Investigations Report (DBIR) is out. This edition is based on 32,000 incidents and 4,000 data breaches across sixteen industries. For the first time, the DBIR maps its findings to the standard controls from CIS and to the MITRE ATT&CK framework, which makes this report quite special for InfoSec professionals and security vendors alike. This post is a quick analysis of the DBIR from an application security perspective.
Analysis
The very first finding in the report, on the top tactics employed by adversaries, caught our attention. Hacking and social attacks have leapfrogged malware as the top attack tactic. The authors of the DBIR believe that leaked credentials and secrets, combined with outright credential theft, mean that sophisticated malware is no longer necessary to carry out an attack. While there isn't enough substantiation for this conclusion, it sounds logical and matches our observation based on our internal customer survey.
Progressing further, errors, at number 4, account for 17% of breaches. What is interesting here is that misconfiguration, rather than runtime exceptions, accounts for most of these errors.
Examples of misconfiguration include inadvertently making an S3 bucket public, or an insecure ingress rule that lets traffic from any source on any port reach a resource. Modern static analysis (SAST) tools can detect both credential leaks and cloud misconfigurations, and such checks are a must-have in any CI/CD pipeline.
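As an added illustration (not code from this post or from Verizon), here is a minimal static check of the kind a CI/CD pipeline could run over a Terraform-JSON-style definition: it flags a public S3 bucket ACL, an ingress rule open to any source on any port, and a hard-coded AWS-style access key ID. The infrastructure document, resource names and the key value are constructed placeholders.

```python
"""Minimal CI-time static check for the misconfiguration and credential-leak
cases discussed above, over Terraform JSON syntax. All input is constructed."""
import json
import re

# Constructed, hypothetical infrastructure definition (Terraform JSON syntax).
SAMPLE_TF_JSON = json.dumps({
    "provider": {"aws": {"region": "us-east-1",
                         "access_key": "AKIAIOSFODNN7EXAMPLE"}},  # placeholder
    "resource": {
        "aws_s3_bucket": {"logs": {"acl": "public-read"},
                          "private": {"acl": "private"}},
        "aws_security_group": {"web": {"ingress": [
            {"from_port": 0, "to_port": 65535, "protocol": "-1",
             "cidr_blocks": ["0.0.0.0/0"]},            # open to the world
            {"from_port": 443, "to_port": 443, "protocol": "tcp",
             "cidr_blocks": ["0.0.0.0/0"]}]}},          # public HTTPS is fine
    },
})

AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key ID
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def scan(tf_json: str) -> list:
    """Return (location, finding) tuples for every issue found in the config."""
    doc = json.loads(tf_json)
    findings = []
    res = doc.get("resource", {})
    # 1. Public bucket ACL (public-read / public-read-write).
    for name, bucket in res.get("aws_s3_bucket", {}).items():
        if bucket.get("acl", "private").startswith("public"):
            findings.append((f"aws_s3_bucket.{name}", "public bucket ACL"))
    # 2. Ingress from any source on any port; a single port from anywhere is not flagged.
    for name, sg in res.get("aws_security_group", {}).items():
        for rule in sg.get("ingress", []):
            open_world = ANY_SOURCE & set(rule.get("cidr_blocks", []))
            all_ports = rule.get("protocol") == "-1" or (
                rule.get("from_port") == 0 and rule.get("to_port") == 65535)
            if open_world and all_ports:
                findings.append((f"aws_security_group.{name}",
                                 "ingress from any source on any port"))
    # 3. Credential leak: scan the raw text so keys in any block are caught.
    for m in AWS_KEY_RE.finditer(tf_json):
        findings.append(("document", f"hard-coded access key id {m.group()[:8]}..."))
    return findings


def gate(tf_json: str) -> bool:
    """CI gate: True when the config is clean, False when the build should fail."""
    return not scan(tf_json)
```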
Use of stolen credentials continues to be the top hacking variety employed by threat actors. It is closely followed by exploitation of vulnerabilities, which also maps to OWASP Top Ten category A9. In terms of attack vector, web applications continue to be at the top across all geographic regions.
SQL, PHP, and file-based injection attacks are the most common types of web application attack (based on the data from the retail industry).
Just like credential leaks, the injection flaws behind such attacks can be identified with static analysis tools.
Developers and QA engineers who build and test web applications are best placed to make their product secure, and they would benefit the most from automated security testing tools and security processes that integrate with their workflow.
Closing thoughts
The full DBIR runs to over one hundred pages and holds a wealth of information. While the target audience for such reports is usually InfoSec professionals, we believe that developers and DevOps personnel are one of the weakest links in the chain and would benefit the most from information regarding breaches and remediation techniques.