Old Hacks Die Hard: Ransomware, Social Engineering Top Verizon DBIR Threats – Again

  • Déjà-vu data from this year’s DBIR feels like being stuck in the movie ‘Groundhog Day.’

    Ransomware and social engineering continue to dominate challenges facing cybersecurity professionals, according to Verizon’s 15th annual Data Breach Investigations Report (DBIR).

    In general, the DBIR’s results largely confirm well-established trends, such as the growing threat of ransomware – up 13% this year – and the inescapability of the “human element”, which was tied to 82% of all breaches.

    DBIR data is based on 23,896 reported security incidents, including 5,212 verified breaches.

    Ransomware is Still Rising

    The number of ransomware incidents increased this year by nearly 13%, which the analysts noted is “an increase as large as the last five years combined.” Ransomware now plays a role in one out of every four breaches.

    Though the prevalence of ransomware has been rising, the nature of these attacks has remained surprisingly consistent. Verizon first wrote about ransomware in its 2013 report, which explained:

    When targeting companies, typically SMBs, the criminals access victim networks via Microsoft’s Remote Desktop Protocol (RDP) either via unpatched vulnerabilities or weak passwords. – DBIR 2013.

    Nine years later, the most common vector for ransomware attackers is still desktop sharing software – used in around 40% of attacks. The overwhelming majority of those instances involve stolen credentials.

    “Had we known that what was true nine years ago would still be true today,” the researchers concluded, “we could have saved some time by just copying and pasting some text.”
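The initial-access pattern described above (password guessing or stolen credentials against RDP, often on internet-exposed hosts) leaves a recognisable trace in Windows Security audit logs: an RDP session is recorded as a logon with LogonType 10 (RemoteInteractive), Event ID 4624 on success and 4625 on failure. The following is an added detection example, not code from the DBIR or from Verizon; the pipe-delimited record layout, the internal address ranges and the sample records are all constructed for the example. It flags an RDP success that follows a burst of failures from the same source and user, and any RDP success from outside the organisation’s own ranges.

```python
"""Flag suspicious RDP logons in Windows Security audit events.

Windows logs an interactive RDP session as a logon event with LogonType 10
(RemoteInteractive): Event ID 4624 on success, 4625 on failure.  Two signals
match the DBIR's RDP initial-access pattern: a success that follows a burst of
failures from the same source (password guessing), and any RDP logon from
outside the organisation's own address ranges (internet-exposed RDP).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10          # LogonType 10 = RemoteInteractive (RDP)
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625

# Assumption: these are the organisation's internal ranges; adjust per site.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    user: str
    logon_type: int
    src_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one record laid out as: timestamp|event_id|user|logon_type|src_ip.

    The pipe-delimited layout is a constructed export format for this example,
    not the native EVTX/XML layout; the fields mirror those of 4624/4625.
    """
    ts, event_id, user, logon_type, src_ip = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(ts), int(event_id), user,
                      int(logon_type), src_ip)


def is_internal(ip: str) -> bool:
    """True when the source address falls inside one of INTERNAL_NETS."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_logon_alerts(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alerts for RDP logon successes that look like credential abuse."""
    events = sorted((parse_event(line) for line in lines if line.strip()),
                    key=lambda e: e.ts)
    failures = {}      # (src_ip, user) -> timestamps of recent 4625 events
    alerts = []
    for ev in events:
        if ev.logon_type != RDP_LOGON_TYPE:
            continue                                  # not an RDP session
        key = (ev.src_ip, ev.user)
        # keep only failures still inside the sliding window
        recent = [t for t in failures.get(key, []) if ev.ts - t <= window]
        if ev.event_id == EVENT_LOGON_FAILURE:
            recent.append(ev.ts)
            failures[key] = recent
            continue
        if ev.event_id != EVENT_LOGON_SUCCESS:
            continue
        reasons = []
        if len(recent) >= fail_threshold:
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"success after {len(recent)} failed attempts within {minutes} min")
        if not is_internal(ev.src_ip):
            reasons.append("RDP source outside internal ranges")
        if reasons:
            alerts.append({"time": ev.ts.isoformat(), "user": ev.user,
                           "src_ip": ev.src_ip, "reasons": reasons})
        failures.pop(key, None)                       # a success resets the failure window
    return alerts


# Constructed sample records (not real log data); RFC 5737 documentation
# addresses stand in for internet-side sources.
SAMPLE_LOG = """\
2022-05-24T03:00:05|4625|admin|10|203.0.113.7
2022-05-24T03:00:09|4625|admin|10|203.0.113.7
2022-05-24T03:00:14|4625|admin|10|203.0.113.7
2022-05-24T03:00:18|4625|admin|10|203.0.113.7
2022-05-24T03:00:23|4625|admin|10|203.0.113.7
2022-05-24T03:00:27|4625|admin|10|203.0.113.7
2022-05-24T03:00:31|4624|admin|10|203.0.113.7
2022-05-24T08:15:02|4625|jdoe|10|10.0.0.5
2022-05-24T08:15:20|4624|jdoe|10|10.0.0.5
2022-05-24T09:40:00|4624|svc_backup|10|198.51.100.20
2022-05-24T09:41:00|4624|fileserver$|3|10.0.0.9
"""

if __name__ == "__main__":
    for alert in rdp_logon_alerts(SAMPLE_LOG.splitlines()):
        print(alert["time"], alert["user"], alert["src_ip"], "; ".join(alert["reasons"]))
```

On the sample data this raises two alerts: the `admin` logon from 203.0.113.7 (six failures followed by a success, from outside the internal ranges) and the `svc_backup` logon from 198.51.100.20 (no failures, which is what a logon with a stolen credential looks like, but an external source). The single mistyped password from 10.0.0.5 and the network logon (type 3) from the file server are ignored. The second signal only fires if RDP is reachable from outside the listed ranges at all, which is the exposure the DBIR’s 2013 finding warns about in the first place.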

    Hackers are Targeting Us

    Attackers have plenty of technical ways to gain initial access to a target organization, but they usually don’t need them. The simpler route, most of the time, is to trick people.

    According to Verizon, 82% of this year’s data breaches involved the “human element” – “the Use of stolen credentials, Phishing, Misuse, or simply an Error.”

    Phishing, as expected, is still the hackers’ go-to. Well over 60% of this year’s breaches began that way. Phishers are still using all the same tricks, like pretexting – inventing a story to convince targets to divulge sensitive information – leading to business email compromise (27% of all attacks).

    That doesn’t mean targets are still so naive that they click on any stray link or smooth-talking email. “Only 2.9% of employees may actually click on phishing emails,” the researchers noted. It’s just that 2.9% is “more than enough for criminals to continue to use it” as a method for intrusion.

    It’s the Same Old Story

    Whenever human error arises in cybersecurity discourse, someone’s bound to mention training. But, as the authors of DBIR noted, “Most training takes twice as long to complete than was expected, with 10% taking three times as long.” Additionally, “while getting training is easy, proving it’s working is a bit harder.”

    It may just be that the cyber threat landscape is in a holding pattern, as it has been for some time now. Every year, it seems, we’re facing the same kinds of attacks, and offering variations of the same solutions that haven’t entirely worked before. John Gunn, CEO of Token, summed it up best in an email to Threatpost:

    “The most important research by and for the cybersecurity industry is out, and it feels like the movie Groundhog Day. We are waking up to the same results year after year since the first report in 2008,” Gunn wrote.