Highlights of Verizon's 2014 Data Breach Investigations Report

April 2014

Verizon has published the new Annual Data Breach Investigations Report (DBIR) with significant structural changes this time. Former DBIRs focus on the elements of incidents separately; i.e., organising them around actors, actions, assets, timelines, etc. (see my previous review here for this structure). They provide extensive amount of information but were quite long and difficult to digest within a short period of time. In the new DBIR, incidents with similar elements are grouped within incident classification patterns and Verizon team managed to group 94% of the incidents within nine basic patterns. This approach brings many benefits such as easy correlation of these patterns to industries and recommendation of specific security controls for each incident pattern. The report is also easier to browse thru each incident pattern that might be of particular interest for an industry or speciality. I tried to highlight major findings of the report below. The complete report is also available here to download for further reading.

  • "Web application attacks" is one of the nine incident patterns and covers the biggest slice -over one third- of the total breaches reported (similar reports on the market reveal similar facts). "POS intrusions" and "cyber-espionage" are the other remarkable incident patterns observed in 2013.
  • Financial motives has driven most of the incidents. Cyber-espionage has been on the rise over the last few years as well.
  • Certain business sectors are more visible in the count of incidents -due to their attractiveness to financially motivated attackers-, nevertheless the data set concludes that any sector is a potential target. 
  • Hacking is the top threat action category and continue rising over time. This category includes activities such as exploiting a backdoor, use of stolen credentials or brute force techniques, etc. Malware is another category on the rise -thanks to better automated attack tools and DIY malware kits. Social tactics such as phishing and scams still hold their position within threat actions.
  • Servers are the top targets for attackers as they host data. User device attacks have been growing over time as being easy targets compared to other systems.
  • Attackers spend less time to breach systems compared to previous years' data. Discovery times for defenders are also improving but not scaling well with the attacker "improvement".
  • Unrelated third parties, like Computer Security Incident Response Teams (CSIRTs), are the leading discoverers of the incidents reported. This is clearly visible especially in espionage cases.

DBIR provides basic recommendations of security controls for each of the nine incident patterns. Density of impacted industries are also listed for each incident pattern, therefore evaluation of risks and controls are facilitated. There is also a very useful table shown in the end for the prioritisation of critical security controls (CSCs) by industry. CSCs are consolidated from the Top-20 security controls from the SANS Institute. Practitioners can simply browse through this table to evaluate their status for the security control in question.

DBIR should be beneficial for any information security professional at any level in any industry. Extracting information from the report is easier with incident pattern classifications, incident pattern & industry correlations, pattern specific security control recommendations and their prioritisation based on industries. Furthermore, DBIR provides more trend analysis of incidents and breaches for guidance of researchers and other parties. The complete report is available here to download for further reading.