2020 DBIR: Regional analysis
The APAC region is being targeted by financially motivated actors deploying ransomware to monetize their access. This region is also beset by phishing (often business email compromises), internal errors and has a higher than average rate of cyber-espionage related breaches. Web application infrastructure is being targeted both by Denial of Service attacks affecting the availability of the assets, and by hacking attacks leveraging stolen credentials.
Frequency: 4,055 incidents, 560 with confirmed data disclosure
Top patterns: Web Applications, Everything Else and Miscellaneous Errors represent 90% of breaches
Threat actors: External (83%), Internal (17%), Partner (0%) (breaches)
Actor motives: Financial (63%), Espionage (39%), Fun (4%) (breaches)
Data compromised: Credentials (88%), Internal (14%), Other (9%), Personal (6%) (breaches)
The Asia-Pacific (APAC) region includes a vast amount of territory, including most of Asia, what many refer to as Oceania (e.g., Australia and New Zealand), and numerous island nations in and around the Pacific.
An incident does not a breach make…or does it?
In Figure 128, we can see the major patterns that account for the majority of incidents in this region. It is important to note that some of those patterns, while prevalent, do not usually result in a confirmed breach. For instance, in the Crimeware pattern, the second most common malware variety is Ransomware. Ransomware incidents are both an Integrity violation (Software Installation) and an Availability violation (Obscuration), since the malware encrypts the data, but instances where the data is known to have been viewed and stolen (a Confidentiality violation) remain relatively rare. However, our data collection for next year’s report [48] is surfacing cases in which certain groups of actors are using the tactic of “naming and shaming” their victims in an attempt to exert additional pressure on them to pay the ransom. And, in other cases, the actors will copy some or all of the data prior to encrypting it, and then post excerpts on their websites [49] in order to further incentivize their victims to pay up.
Web application attacks were the top pattern for both incidents and confirmed breaches in APAC. These attacks are most frequently someone testing their trusty store of stolen credentials against your web-facing infrastructure and crossing their fingers that they will see success. Not surprisingly, with the problem of credential reuse and the vast treasure trove of resulting credential dumps, there are a fair number of hackers laughing all the way to the bank. If that strategy does not work for our hoodie-clad friends, the use of social engineering will frequently gain them the keys to the kingdom they are questing for. Clearly, something is working, since Credentials were the top stolen data type in the region’s breaches.
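The credential-testing behaviour described above leaves a recognisable trace in web authentication logs: one source address trying many different accounts within a short window, with the occasional success. The Python below is an added example and not code from the DBIR or Verizon; the log format, IP addresses, user names and thresholds are constructed assumptions for illustration. It keys on the number of distinct accounts per source rather than raw failure counts, so a single user fumbling a password is not reported.

```python
"""Spot credential-stuffing bursts in web login logs.

Added example, not code from the DBIR. The log format, addresses, user
names and thresholds below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source walks a list of accounts and hits once;
# a second source is just one user mistyping a password before succeeding.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z 203.0.113.7 login user=alice result=FAIL
2020-03-01T10:00:02Z 203.0.113.7 login user=bob result=FAIL
2020-03-01T10:00:02Z 203.0.113.7 login user=carol result=FAIL
2020-03-01T10:00:03Z 203.0.113.7 login user=dave result=FAIL
2020-03-01T10:00:04Z 203.0.113.7 login user=erin result=SUCCESS
2020-03-01T10:00:05Z 203.0.113.7 login user=frank result=FAIL
2020-03-01T10:00:06Z 203.0.113.7 login user=grace result=FAIL
2020-03-01T10:00:30Z 198.51.100.4 login user=alice result=FAIL
2020-03-01T10:00:45Z 198.51.100.4 login user=alice result=FAIL
2020-03-01T10:01:10Z 198.51.100.4 login user=alice result=SUCCESS
2020-03-01T11:30:00Z 203.0.113.7 login user=heidi result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return (timestamp, source_ip, username, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5):
    """Flag source IPs that tried at least `min_distinct_users` different
    accounts inside any `window`; report the widest such burst per IP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) < min_distinct_users:
                continue
            best = findings.get(ip)
            if best is None or len(users) > best["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # accounts the source actually got into: reset these first
                    "compromised": sorted(e[2] for e in span if e[3]),
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The `compromised` list is the actionable output: those are the accounts whose passwords were reused from a dump, and they need a forced reset and a second factor, not just a blocked IP.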
The second most common pattern was Everything Else (Figure 130). This serves as a category for breaches that don’t fit the criteria for the other attack patterns. There are a couple of common attacks that live within this pattern. One of them, the business email compromise (BEC), is an attack that starts with a phishing email. The attacker is frequently masquerading as someone in the executive suite of the company, and is trying to influence the actions of someone who would not normally be comfortable challenging a request from them. For example, a payroll clerk believes they are being told to reroute deposits to a different account by the CEO of the organization and so they do as instructed—only to find later that the request did not actually come from that executive.
Sometimes this comes in the form of a pretext (an invented scenario). One common example is asking for money via a wire transfer to a specific (never before used) account. In either case, unless there is a process in place to handle these kinds of unusual requests from someone in high authority, the organization will likely see an incident.
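The executive-impersonation messages described in the two paragraphs above usually carry technical tells that can be screened for before a payroll clerk ever sees them: a display name that matches an executive while the address does not, a Reply-To pointing elsewhere, a look-alike sender domain, and payment language from outside the organisation. The Python below is an added example, not code from the DBIR or Verizon; the organisation domain, the executive roster, the keyword list and both sample messages are constructed assumptions.

```python
"""Heuristic screen for executive-impersonation (BEC) e-mail.

Added example, not code from the DBIR. The organisation domain, the
executive roster, the keyword list and the two sample messages are
constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumption
EXECUTIVES = {"pat chen": "pat.chen@example.com"}   # assumption: lowercase name -> real mailbox
PAYMENT_WORDS = ("wire", "transfer", "payroll", "bank account", "urgent")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg):
    """Plain-text body, joining text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")


def assess_bec_risk(raw_message, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return the reasons a message looks like BEC (empty list = nothing seen).
    Any single reason is enough to hold the mail for out-of-band verification."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reasons = []

    expected = executives.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("display name matches an executive but the address does not")

    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append("Reply-To differs from From")

    if from_domain != org_domain and 0 < edit_distance(from_domain, org_domain) <= 2:
        reasons.append(f"look-alike sender domain {from_domain!r}")

    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits and from_domain != org_domain:
        reasons.append(f"external sender raising payment topics: {hits}")
    return reasons


# Constructed sample messages (RFC 5322 text, headers then blank line then body).
SUSPICIOUS = """\
From: "Pat Chen" <pat.chen@exarnple.com>
Reply-To: <pat.chen.office@mail.example.net>
To: payroll@example.com
Subject: Urgent wire transfer

I am in a meeting, please transfer the vendor payment to the new bank account
below today and confirm by reply.
"""

BENIGN = """\
From: "Pat Chen" <pat.chen@example.com>
To: payroll@example.com
Subject: Lunch on Thursday

Does noon still work for the team lunch?
"""

if __name__ == "__main__":
    print(assess_bec_risk(SUSPICIOUS))
    print(assess_bec_risk(BENIGN))
```

None of these heuristics replaces the process control the text calls for: a flagged message should be routed to a verification step (a call-back on a known number) rather than silently dropped, since the pretext may also arrive with perfectly clean headers.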
Oops, did I do that?
A word of warning: What you are about to hear may shock you, but people are not perfect. Yes, we know, we didn’t believe it at first either. But our dataset certainly indicates that it is the case, and neither organization type nor region seems to make much difference. In fact, the Miscellaneous Errors pattern comes in third in the APAC regional data. What are these errors? Why are they happening to me? Hop in and we will take you on a tour of the many ways the people who make up an organization can cause a breach without actually meaning to.
Figure 130 shows the bulk of these are Misconfiguration errors, and are due to Carelessness. Misconfiguration errors have long been a boon companion of this report. They occur when an employee—typically a system administrator or some other person with significant access to scads (yes that is a technical term) of data—stands up a database in the cloud without the usual security controls. “This will be fine. Surely nobody will locate this here,” they think to themselves. Or perhaps the lunch special ends at two and they leave with the intention of putting those controls in place at the very next convenient moment. But often that moment only arrives after a security researcher, or much worse an attacker, has already found them. Yes, believe it or not there are truly a sizeable number of people who are employed (and some who are freelance) to find these nuggets of data strewn about on the internet just waiting to be unearthed. What comes next depends on the motives of the person who found the data. Most security researchers will notify the organization (if they can figure out who it belongs to). However, sometimes it isn’t a person with motivations of notification, but rather an intention to monetize this tasty find on the dark web.
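The misconfiguration scenario above, a data store stood up in the cloud without the usual controls, is one of the easiest breach causes to catch mechanically before launch. The Python below is an added example, not code from the DBIR, Verizon or any cloud provider; the configuration layout (`ingress` rules with `cidr` and `port`, `public_ip`, `auth_required`, `encryption_at_rest`) is a constructed, provider-neutral assumption rather than a real vendor API, and the three sample configurations are likewise constructed.

```python
"""Pre-launch exposure check for a data store.

Added example, not code from the DBIR. The configuration layout
(`ingress` rules with `cidr` and `port`, `public_ip`, `auth_required`,
`encryption_at_rest`) is a constructed, provider-neutral assumption, not any
cloud vendor's real API; the sample configs are likewise constructed.
"""
import ipaddress

DATABASE_PORTS = {3306: "mysql", 5432: "postgresql", 27017: "mongodb",
                  6379: "redis", 9200: "elasticsearch"}


def audit_datastore(config, trusted_networks=("10.0.0.0/8",)):
    """Return findings as (severity, message) tuples; an empty list means the
    store is reachable only from trusted ranges with auth and encryption on."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []

    for rule in config.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        port = rule["port"]
        service = DATABASE_PORTS.get(port, "unknown service")
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0: the "surely nobody will locate this" case
            findings.append(("CRITICAL", f"port {port} ({service}) open to the entire internet"))
        elif not any(t.version == net.version and net.subnet_of(t) for t in trusted):
            findings.append(("HIGH", f"port {port} ({service}) reachable from untrusted range {net}"))

    if config.get("public_ip"):
        findings.append(("HIGH", "instance has a public IP address"))
    if not config.get("auth_required", False):
        findings.append(("CRITICAL", "authentication is disabled"))
    if not config.get("encryption_at_rest", False):
        findings.append(("MEDIUM", "encryption at rest is disabled"))
    return findings


def should_block_deploy(findings):
    """Gate for a deployment pipeline: anything CRITICAL or HIGH stops rollout."""
    return any(sev in ("CRITICAL", "HIGH") for sev, _ in findings)


# Constructed sample configurations.
CARELESS = {
    "ingress": [{"cidr": "0.0.0.0/0", "port": 27017}],
    "public_ip": True,
    "auth_required": False,
    "encryption_at_rest": False,
}
HARDENED = {
    "ingress": [{"cidr": "10.20.0.0/16", "port": 5432}],
    "public_ip": False,
    "auth_required": True,
    "encryption_at_rest": True,
}
PARTNER_RANGE = {
    "ingress": [{"cidr": "203.0.113.0/24", "port": 5432}],
    "public_ip": False,
    "auth_required": True,
    "encryption_at_rest": True,
}

if __name__ == "__main__":
    for name, cfg in (("careless", CARELESS), ("hardened", HARDENED), ("partner", PARTNER_RANGE)):
        result = audit_datastore(cfg)
        print(name, "BLOCK" if should_block_deploy(result) else "OK", result)
```

Running the gate in the pipeline rather than relying on the administrator to come back after lunch is the point: the check fires before the store is reachable, which is the only moment at which the "I'll add the controls later" window is guaranteed to be closed.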
[48] Sisyphus has nothing on us!
[49] Some examples from publicly disclosed incidents: https://github.com/vz-risk/VCDB/issues?q=is%3Aopen+is%3Aissue+label%3ARansomeware-N%26S