Incident classification patterns and subsets



    For the uninitiated, VERIS and the DBIR may seem overwhelming when you consider both the amount of data we possess (now over 755,000 incidents over the years) and the depth of that data (over 2,400 values we are able to track on each incident). To help us better understand and communicate this vast arsenal of information, we started to leverage what we call “Patterns” in 2014, which are essentially different clusters of “like” incidents. We won’t go too much into the data science-y aspect [38], but the outcome was the identification of nine core clusters, our Incident Classification Patterns. This allows us to abstract upward and discuss the trends in the patterns rather than the trends in each of our different combinations: Actions, Assets, Actors and Attributes.

    Looking over our 409,000 security incidents and almost 22,000 quality data breaches since the inception of the report, the numbers reveal that 94% of security incidents and 88% of data breaches fall neatly into one of the original nine patterns. However, when we focus our lenses on just this year’s data, the percentages drop to 85% of security incidents and 78% of data breaches.

    Nothing demonstrates this better than our category of “Everything Else,” effectively designed to be our spare-USB-cable drawer of breaches, which has risen to one of the top patterns due to the rise of Phishing, while some of the other patterns have fallen drastically since their inception. It seems that time waits for no pattern, and the only breach constant is breaches changing over time.

    The patterns will be referenced more in the "Region" and "Industry" sections, but to get acquainted with them or to rekindle a prior relationship, they are defined here.

    Figure 46
    Figure 47

    Patterns

    One of the oldest games in town, Crimeware includes all the malware that doesn’t fall into the other patterns. Think of these as the common type of commodity malware that everyone has probably seen on some email claiming to be a fax or a missed delivery package. These incidents and breaches tend to be opportunistic and financially motivated.

    Notable findings: This year has continued the trend of modest increases in incidents and breaches involving Crimeware, now up to about 400, which is higher than last year and roughly matches the highest levels that were reached in 2015. Unsurprisingly, these types of attacks normally propagate through email, either as a link or as an attachment, dropping something nasty like a downloader, password dumper, Trojan or something that’s got C2 functionality.

    This pattern consists of espionage, enabled via unauthorized network or system access, and largely involves nation-states or state-affiliated actors looking for those oh-so-juicy secrets.

    Notable findings: This is one of our patterns that has decreased this year, both in raw numbers and also as a percentage from 13.5% of breaches in 2018 to 3.2% of breaches in 2019. The drop in raw numbers could be due to either under-reporting or failure to detect these attacks, but the increase in volume of the other patterns is very much responsible for the reduction in percentage. These types of attacks rely heavily on Social and Malware combined vectors, using Phishing in 81% of the incidents and some form of malware in 92%.

    Denial of Service
    These attacks are very voluminous (see what we did there) in our dataset at over 13,000 incidents this year. Attacks within this pattern use differing tactics, but most commonly involve sending junk network traffic to overwhelm systems, thereby causing their services to be denied. The system can’t handle both the incoming illegitimate traffic and the legitimate traffic.

    Notable findings: While the amount of this traffic is increasing as mentioned, in DDoS, we don’t just look at the number of attacks that are conducted. We also look at the bits per second (BPS), which tells us the size of the attack, and the packets per second (PPS), which tells us the throughput of the attack. What we found is that, regardless of the service used to send the attacks, the packet-to-bit ratio stays within a relatively tight band and the PPS hasn’t changed that much over time, sitting at 570 Mbps for the most common mode (Figure 48). When it comes to defending against DDoS, a layered approach is best, with some of the attacks being mitigated at the network level by internet service providers and the others being handled at the endpoint or a content delivery network (CDN) provider. These attacks are prevalent because of their ease of use and the fact that internet-facing infrastructure can be targeted; however, the impact to your organization and the decision of whether to mitigate will be based entirely on your business.

    Figure 48

    Privilege Misuse
    This pattern consists of “Misuse” actions, which are intentional actions undertaken by internal employees that result in some form of security incident.

    Notable findings: Misuse is down as a percentage of incidents, as the other patterns increase by association. However, that could be attributed to lower granularity data this year and may rise back to previous levels in 2021. On the other hand, breaches are showing a legitimate drop, which appears to be associated with less misuse of databases to access and compromise data.

    Miscellaneous Errors

    Life is full of accidents and not to disappoint Bob Ross, but not all of them are happy little trees. This pattern captures exactly that, the unintentional (as far as we know) events that result in a cybersecurity incident or data breach.

    Notable findings: The majority of these errors are associated with either misconfigured storage or misdelivered emails, committed by either system admins or end users. We’ll let you figure out which actor is associated with which action. In terms of discovery, these are often found by trawling security researchers and unrelated third parties who may have been on the receiving end of those stray emails. The Results and Analysis Error section goes into even more detail for those of you with this unique predilection.

    Payment Card Skimmers
    This pattern is pretty self-explanatory: These are the incidents in which a skimmer was used to collect payment data from a terminal, such as an ATM or a gas pump.

    Notable findings: Our data has shown a continuous downward trend of incidents involving Point of Sale (PoS) Card Skimmers, which are now down to 0.7% of our breach data. At approximately 30 incidents, it is showing a relatively marked decline from its peak of 206 back in 2013. This decrease could be attributed to a variety of different causes, such as less reporting to our federal contributors or shifts in the attacker methodology.

    Point of Sale (PoS)

    This pattern includes hacking and remote intrusions into PoS server and PoS terminal environments for the purpose of stealing payment cards.

    Notable findings: Much like the Payment Card Skimmers, this pattern has received a notable decrease in the last few years, making up only 0.8% of total data breaches this year. The majority of these incidents include the use of RAM scrapers, which allow the adversaries to scrape the payment cards directly from the memory of the servers and endpoints that run our payment systems. However, the majority of payment card crime has moved to online retail.

    Lost and Stolen Assets

    These incidents include any time where an asset and/or data might have mysteriously disappeared. Sometimes we will have confirmation of theft and other times it may be accidental.

    Notable findings: This pattern tends to be relatively consistent over the years with approximately 4% of breaches this year (the previous two years fluctuating from 3% to 6% of breaches). These types of incidents occur in various different locations, but primarily occur from personal vehicles and victim-owned areas. Don’t forget to lock your doors.

    Web Applications

    Incidents in this pattern include anything that has a web application as the target. This ranges from attacks against the code of the actual web application, such as exploiting code-based vulnerabilities (Hacking—Exploit Vuln), to attacks against authentication, such as Hacking—Use of Stolen Creds.

    Notable findings: In the data provided by contributors who monitor attacks against web applications (Figure 49), SQL injection vulnerabilities and PHP injection vulnerabilities are the most commonly exploited. This makes sense since these types of attacks provide a quick and easy way of turning an exposed system into a profit maker for the attacker. However, in vulnerability data, cross-site scripting (XSS), the infamous ding popup vulnerability, is the most commonly detected vulnerability and SQLi attacks are only half as common as XSS.

    Figure 49

    Everything Else
    This pattern is our graveyard of lost incident souls that don’t fall into any of the previously mentioned patterns.

    Notable findings: The majority of these incidents are Phishing or Financially Motivated Social Engineering where attackers try to commit fraud via email. Rather than go into detail here, we’ll point you to the "Results and Analysis - Social" section, which goes into great detail on Financially Motivated Social Engineering and Phishing.
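
    The pattern definitions above can be read as an ordered rule set over VERIS-coded incidents, where the residual patterns (Crimeware, Everything Else) only apply once the narrower ones have been ruled out. The following is an added example, not Verizon's clustering method or the VERIS project's code: the rules, their order and the "Espionage" label are simplifying assumptions, the sample records are constructed, and the field names and enumeration values follow the public VERIS JSON schema.

```python
from collections import Counter

def varieties(incident, category):
    """action.<category>.variety as a set (empty when the action is absent)."""
    return set(incident.get("action", {}).get(category, {}).get("variety", []))

def classify(incident):
    """Assumed, simplified rules (not Verizon's); the first matching rule wins."""
    actions = set(incident.get("action", {}))
    assets = {a.get("variety") for a in incident.get("asset", {}).get("assets", [])}
    external = incident.get("actor", {}).get("external", {})
    state = {"State-affiliated", "Nation-state"} & set(external.get("variety", []))
    # Narrow patterns first: Crimeware is defined as malware that fits no other
    # pattern, and Everything Else is whatever remains after all the rules.
    if "Skimmer" in varieties(incident, "physical"):
        return "Payment Card Skimmers"
    if "DoS" in varieties(incident, "hacking"):
        return "Denial of Service"
    if state or "Espionage" in external.get("motive", []):
        return "Espionage"
    if assets & {"S - POS controller", "U - POS terminal"} and actions & {"hacking", "malware"}:
        return "Point of Sale (PoS)"
    if "S - Web application" in assets and "hacking" in actions:
        return "Web Applications"
    if "misuse" in actions:
        return "Privilege Misuse"
    if "Theft" in varieties(incident, "physical") or "Loss" in varieties(incident, "error"):
        return "Lost and Stolen Assets"
    if "error" in actions:
        return "Miscellaneous Errors"
    if "malware" in actions:
        return "Crimeware"
    return "Everything Else"

# Constructed sample records (not DBIR data), trimmed to the fields the rules read.
SAMPLES = [
    {"action": {"social": {"variety": ["Phishing"]}, "malware": {"variety": ["Downloader"]}}},
    {"action": {"hacking": {"variety": ["Use of stolen creds"]}, "malware": {"variety": ["Ram scraper"]}},
     "asset": {"assets": [{"variety": "S - POS controller"}]}},
    {"action": {"hacking": {"variety": ["Use of stolen creds"]}},
     "asset": {"assets": [{"variety": "S - Web application"}]}},
    {"action": {"social": {"variety": ["Phishing"]}, "malware": {"variety": ["C2"]}},
     "actor": {"external": {"variety": ["State-affiliated"], "motive": ["Espionage"]}}},
    {"action": {"error": {"variety": ["Misdelivery"]}}},
    {"action": {"social": {"variety": ["Phishing"]}}},
]

def tally(incidents):
    return Counter(classify(i) for i in incidents)  # incidents per pattern
```

    Running `tally(SAMPLES)` puts the phishing-only record in Everything Else and the RAM-scraper record in Point of Sale rather than Crimeware, which is the effect of testing the narrow patterns before the residual ones.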



    In addition to the main nine Patterns, there is another level of patterns that we examine separately due to different factors that might skew our results and analysis, such as an extremely high volume of low-detailed incidents. This year, like the previous one, the subpatterns we examined separately are divided into the Botnet subset and Secondary motives.

    Botnet subset
    This subset consists of 103,699 incidents from various occurrences of Trojans and malware being installed on desktops and servers. The majority of these incidents tend to be low quality and limited in detail, coming from multiple incident sources.

    Notable findings: In Figure 50, we see that botnets primarily affect the Financial, Information and Professional Services verticals. All these industries should focus on their customers’ security as well as their own. The absolute numbers on this subset have more or less doubled from the previous year. Also, be mindful that these types of incidents impact everyone, with 41% of victims originating outside North America.

    Figure 50

    Secondary webapp subset

    This subset examines those security incidents in which the victim web application was a means to an end for a different attack. This is often seen in the form of servers being compromised and used as part of a botnet or to DDoS other systems.

    Notable findings: The Secondary subset represents a total of 5,831 incidents, with greater than 90% of them involving some form of hacking, malware and impacting servers. As we point out in the Actor section of Results and Analysis, if you give the bad guy the opportunity to add your infrastructure to theirs, they won’t hesitate.


    [38] We recommend taking a glance at the 2014 report if you are curious about the nerdy stuff.