Results and analysis

Thank You.

Thank you.

You may now close this message and continue to your article.

  • The results found in this and subsequent sections within the report are based on a dataset collected from a variety of sources, including cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, cases provided by our external collaborators, and publicly disclosed security incidents. The year-to-year data will have new incident and breach sources as we continue to strive to locate and engage with additional organizations that are willing to share information to improve the diversity and coverage of real-world events. This is a sample of convenience,6 and changes in contributors—both additions and those who were not able to contribute this year—will influence the data set. Moreover, potential changes in contributors’ areas of focus can shift bias in the sample over time. Still other potential factors, such as how we filter and subset the data, can affect these results. All of this means that we are not always researching and analyzing the same population. However, they are all taken into consideration and acknowledged where necessary within the text to provide appropriate context to the reader. Having said that, the consistency and clarity we see in our data year-to-year gives us confidence that while the details may change, the major trends are sound.

    Now that we have covered the relevant caveats, we can begin to examine some of the main trends you will see while reading through this report. When looking at Figure 6 below, let’s focus for a moment on the Trojan7 line. When many people think of how hacking attacks playout, they may well envision the attacker dropping a Trojan on a system and then utilizing it as a beachhead in the network from which to launch other attacks, or to expand the current one. However, our data shows that this type of malware peaked at just under 50% of all breaches in 2016, and has since dropped to only a sixth of what it was at that time (6.5%). Likewise, the trend of falling RAM-scraper malware that we first noticed last year continues. We will discuss that in more detail in the “Retail” section. As this type of malware decreases, we see a corresponding increase in other types of threats. As time goes on, it appears that attackers become increasingly efficient and lean more towards attacks such as phishing and credential theft. But more on those in the “Social” and “Hacking” subsections respectively. Other big players this year, such as Misconfiguration and Misdelivery, will be examined in the “Error” subsection.

  • Figure 6

  • Actors

    Let us begin by disabusing our readers of a couple of widely held, but (according to our data) inaccurate beliefs. As Figure 7 illustrates, in spite of what you may have heard through the grapevine, external attackers are considerably more common in our data than are internal attackers, and always have been. This is actually an intuitive finding, as regardless of how many people there may be in a given organization, there are always more people outside it. Nevertheless, it is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous. Admittedly, there is a distinct rise in internal actors in the dataset these past few years, but that is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors. Additionally, in Figure 8, you’ll see that Financially motivated breaches are more common than Espionage by a wide margin, which itself is more common than all other motives (including Fun, Ideology and Grudge, the traditional “go to” motives for movie hackers). There is little doubt that Cyber-Espionage is more interesting and intriguing to read about or watch on TV. However, our dataset indicates that it is involved in less than a fifth of breaches. But don’t let that keep you away from the cinema, just make sure to save us some popcorn.

    With regard to incidents, Figure 9 illustrates that Financial is still the primary motive, but it must be acknowledged that the Secondary motivation is not far behind. As a refresher (or fresher for our new readers), the compromised infrastructure in Secondary incidents is not the main target, but a means to an end as part of another attack. In fact, if we had included the Secondary Web application breaches (we removed this subset as mentioned in the "Incident classification patterns and subsets section"), the Secondary motive category would actually be higher than Financial.

    When we look at criminal forums and underground data, 5% refer to a “service”. That service could be any number of things including hacking, ransomware, Distributed Denial of Service (DDoS), spam, proxy, credit card crime-related or other illicit activities. Worse still, that “service” may just be hosted on your hardware. The simple fact is this: If you leave your internet-facing assets so unsecured that taking them over can be automated, the attackers will transform your infrastructure into a multi-tenant environment.

  • Figure 7
  • Figure 9
  • Figure 9
  • A good follow-up question might be “where are these unwanted occupants coming from?” Figure 10 shows that Organized crime8 is the top variety of actor for the DBIR. After that, we see a roundup of the usual suspects: State-aligned actors who are up to no good, internal End users and System admins making errors as though they were paid to do it, and, at the very bottom, the Unaffiliated. Although they may sound like the title of a book series for young adults, they are actually an interesting group. These are people from areas unknown and their motivation is not always readily apparent. One potential origin for these actors might be gleaned from looking at the criminal forum and marketplace data we referenced above. About 3% of the forum threads related to breach and incident cybercrime9 were associated with training and education.10 These are would-be hackers who are still serving out their apprenticeship, for lack of a better term. In fact, as noted by the United Kingdom’s National Crime Agency, “Offenders begin to participate in gaming cheat websites and ‘modding’ (game modification) forums and progress to criminal hacking forums without considering the consequences.”11 In other words, this is a group of individuals with a certain skill set but no clear sense of direction, who could perhaps, given the right amount of persuasion and incentive, be kept from the dark side and thereby added to the talent pool for our industry. Giving them a career and a future rather than a jail sentence is, in the long run, better for all concerned. Although it is handy to know a game cheat every now and again.


  • Figure 10
  • Another thing you might be wondering is where the attackers are coming from. Based off of computer data breach and business email compromise complaints to the FBI Internet Crime Complaint Center (IC3), 85% of victims and subjects were in the same country, 56% were in the same state and 35% were even in the same city. In part, this is driven by many of the complaints coming from high-population areas such as Los Angeles, CA and New York City, NY. So, the proverbial call is almost coming from inside the building.

  • Actions

    When we analyzed the high-level actions on Figure 11, we found that it mirrors Figure 6. The only action type that is consistently increasing year-to-year in frequency is Error. That isn’t really a comforting thought, is it? Nevertheless, there is no getting away from the fact that people can, and frequently do, make mistakes and many of them probably work for you.

    Physical breaches have stayed relatively level and infrequent, but Misuse, Hacking, Malware and Social have all decreased since last year’s report. While Hacking and Social are down as a percent, they have remained close to the levels we have seen for the past few years. On the other hand, Malware has been on a consistent and steady decline as a percentage of breaches over the last five years. Why is this? Has malware just gone out of fashion like poofy hair and common courtesy? No, we think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence. So, while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.

    It is important to keep in mind that the points made above are in reference to breaches and not incidents. The incidents tell us a somewhat different story. Ransomware—which in our dataset rarely results in a confirmed breach12 unless paired with credential use—is on the rise. Still, as malware tools continue to evolve and improve, there appears to be a sense that malware prevalence is decreasing somewhat, as this causes fewer instances that rise to the status of “incident” for our data contributors. This seems to have the effect on our dataset of a polarization: malware being either part of advanced attacks or the simpler (yet still effective) smash-and-grab compromises.

  • Figure 11
  • Threat action varieties

    Taking a peek at threat action varieties allows us to dig a bit deeper into the bad guy’s toolbox. Figure 12 provides an idea of what action varieties drive incident numbers and, shocker, Denial of Service (DoS) plays a large part. We also see a good bit of phishing, but since data disclosure could not be confirmed, they remain incidents and do not graduate to breach status (but maybe they can if they take a couple of summer classes). In sixth overall, we see ransomware popping up like a poor relation demanding money—which, in many cases, they get.

    When we again switch back to looking at the top Action varieties for breaches in Figure 13, we see our old foes, Phishing, Use of stolen credentials and Misconfiguration in the top five. Misdelivery is making an impressive showing (mostly documents and email that ended up with the wrong recipients) this year. While we don’t have data to prove it, we lean toward the belief that this is an artifact of breach disclosure becoming more normalized (and increasingly required by privacy laws around the world), especially for errors.

    Finally, you’ll notice “Other” in the mix. As we mentioned in the "DBIR Cheat sheet" section at the very beginning of this report, “Other” represents any enumeration not represented by one of the categories in the figure. It turns out there are a lot of breaches (675 to be specific) that didn’t contain any of the top varieties. Breaches (like people and problems) come in many shapes and sizes and are never too far away from your front door. 

  • Figure 12
  • Figure 13
  • Error

    Errors definitely win the award for best supporting action this year. They are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries. Only Hacking remains higher, and that is due to credential theft and use, which we have already touched upon. In Figure 14 you can see that since 2017, Misconfiguration errors have been increasing. This can be, in large part, associated with internet-exposed storage discovered by security researchers and unrelated third parties. While Publishing errors appear to be decreasing, we wouldn’t be surprised if this simply means that errors formerly attributed to publishing a private document on an organization’s infrastructure accidentally, now gets labeled Misconfiguration because the system admin set the storage to public in the first place.

    Finally, it is also worth noting what isn’t making the list. Loss is down among the single digits this year. Disposal errors are also not really moving the needle. Errors have always been present in high-ish numbers in the DBIR in industries with mandatory reporting requirements, such as Public Administration and Healthcare. The fact that we now see Error becoming more apparent in other industries could mean we are getting better at admitting our mistakes rather than trying to simply sweep them under the rug.

    Of course, it could also mean that since so many of them are caught by security researchers and third parties, the victims have no choice but to utter “mea culpa.” Security researcher has become the most likely Discovery method for an Error action breach by a significant amount (Figure 15), being over six times more likely than it was last year. However, we here on the DBIR team are of an optimistic nature, so we will go with the former conclusion. 

  • Figure

  • Malware

    Our Malware findings further reinforce the trends of phishing and obtaining credentials with regard to breaches. As Figure 16 illustrates, Password dumper (used to get those sweet, sweet creds) has taken the top spot among breach Malware varieties. Email (usually associated with Phishing) and Direct install (an avenue generally—but not always—requiring credentials) are the top vectors.

    Ransomware is the third most common Malware breach variety and the second most common Malware incident variety. Downloaders follow closely behind Ransomware, and they are clearly doing their jobs, not only moving Ransomware, but also Trojans13. It is perhaps worth noting that Cryptocurrency mining doesn’t even make the top 10 list, which we know is sure to disappoint all our HODL readers.

    However, it is important to acknowledge that the relative percentage of Malware that we see present in breaches and incidents may not correspond to your experiences fighting, cleaning and quarantining malware throughout your own organization. With that in mind, we would like to spend some time talking about bias, more precisely survivorship bias regarding those varieties.

    Password dumper (used to get those sweet, sweet creds) has taken the top spot among breach Malware varieties.

  • Figure 16
  • Figure 17
  • Survivorship bias

    We talk about survivorship bias (or more formally selection bias) in the "Methodology" section, but this is a good place for a call out. You, us, everyone looks at a lot of malware data. Our incident corpus suffers from the opposite of survivorship bias. Breaches and incidents are records of when the victim didn’t survive. On the other hand, malware being blocked by your protective controls is an example of survivorship bias where the potential victim didn’t get the malware. Since we have both types of data at our disposal in the DBIR, we can highlight four possible situations:

    1. Large numbers in both blocks and incidents: This is something big. It’s being blocked but also happening a lot
    2. Large numbers in incidents but not blocks: This is potentially happening more than it’s being caught
    3. Large numbers in blocks but not in incidents: We’re doing well at this. It’s getting caught more than it’s getting through
    4. Small numbers in both blocks and incidents: This just ain’t happening much
  • Ransomware
    Traditionally, Ransomware is categorized as an incident in the DBIR and not as a breach, even though it is considered a breach in certain industries for reporting purposes (such as Healthcare) due to regulatory guidance. The reason we consider it only an incident is because the encryption of data does not necessarily result in a confidentiality disclosure. This year, however, ransomware figures more prominently in breaches due in large part to the confirmed compromise of credentials during ransomware attacks. In still other cases, the “breach” designation was due to the fact that personal information was known to have been accessed in addition to the installation of the malware.

    Ransomware accounted for 3.5% of unique malware samples submitted for analysis, not such a big number overall. At least one piece of ransomware was blocked by 18% of organizations through the year,14 even though it presented a fairly good detection rate of 82% in simulated incident data. However, it shows up heavily in actual incidents and breaches, as discussed previously. This indicates that it falls into category #2 in the survivorship bias callout. It’s a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations, but that can be stopped. Part of its continued growth can be explained by the ease with which attackers can kick off a ransomware attack. In 7% of the ransomware threads found in criminal forums and market places, “service” was mentioned, suggesting that attackers don’t even need to be able to do the work themselves. They can simply rent the service, kick back, watch cat videos and wait for the loot to roll in.

    It's a big problem that's continuing to get bigger.

    Droppers and Trojans
    As we pointed out earlier, Trojans, although still in the top five malware varieties, have been decreasing over time. However, their backdoor and remote-control capabilities are still a key functionality for more advanced attackers to operate and achieve their objectives in more intricate campaigns. Downloaders are a common way to get that type of malware on the network, and they made up 19% of malware samples. Nineteen percent were classified as backdoors and 12% were keyloggers.

    Droppers and Trojans seem to fall into category #3 in the survivorship bias callout. We see them quite frequently in malware, but they do not necessarily appear in a large number of incidents and breaches. One possible explanation for this is that we might be simply getting better at blocking the cruder and more commoditized versions of this type of malware, thereby pushing unsophisticated attackers increasingly to smash-and-grab tactics. Additionally, the shift to web interfaces for most of our services may simply mean Trojans have a smaller attack surface to exploit.

    Malware with vulnerability exploits
    If Droppers and Trojans are examples of category #3, then Malware that exploits vulnerabilities falls under category #4. It ranks at the bottom of malware varieties in Figure 16. Figure 25 (ahead in the "Hacking" section) shows that exploiting vulnerabilities in Malware is even more rare than in Hacking (where it’s already relatively scarce). While successful exploitation of vulnerabilities does still occur (particularly for low-hanging fruit as in Figure 22—also in the "Hacking" section), if your organization has a reasonable patch process in place, and you do not have a state-aligned adversary targeting you, then your time might be better spent attending to other threat varieties.

    Cryptocurrency mining

    The cryptocurrency mining malware variety falls squarely into category #4. It accounted for a mere 2.5% of malware among breaches and only 1.5% of malware for incidents. Around 10% of organizations received (and blocked) Cryptocurrency mining malware at some point throughout the course of the year.15

    The breach simulation data clues us in on what might be happening, as it indicates that the median block rate for cryptocurrency mining malware was very high. Another valid theory is that cryptomining occurrences rarely rise to the level of “reported incident” unless we are talking about instances running on stolen cloud infrastructure. These cost your organization a lot of money while generating less loose change than the threat actor could have found in their couch cushions.

  • Figure 18
  • Malware delivery
    Finally, this year we’ve dug a bit deeper into the malware delivery methods. Office documents and Windows® apps still tend to be the malware file-type of choice; however, the “Other” category has also grown relatively large. Most malware is still delivered by email, with a smaller amount arriving via web services, and almost none by other services (at least when detected).

    One take-away from Figure 18 is that the “average” really doesn’t represent a great many companies. For example, approximately 22% of organizations got almost none of their malware via email, while about 46% got almost all of theirs that way. If you look at the Office documents part of the malware filetypes chart, other than a spike of organizations near 0%, all the other dot piles are almost the same—meaning that type of delivery is almost uniformly distributed. When attempting to determine what percentage of malware your organization would receive as an Office document, you would be as likely to be correct by throwing a dart at that figure16 as by basing it on data. This is not to indicate that it is low, just that it is simply all over the map.

    Speaking of maps, Figure 19 provides a glimpse at the other file-types of malware organizations typically see. It lacks the detail of Figure 18, but still serves as an adequate visual reminder that malware comes in a variety of types, most of which apparently look like lengths of hard-wood flooring. Thankfully, as we stated previously, malware is not showing up as frequently in incidents and breaches. So, if you obtain a good tool to block it where possible you can focus your attention on more pressing matters.17

  • Figure 19
  • Hacking

    At a high-level, Hacking can be viewed as falling into three distinct groups: 1) those utilizing stolen or brute-forced credentials; 2) those exploiting vulnerabilities; and 3) attacks using backdoors and Command and Control (C2) functionality.

    However, it must be said that Hacking and even breaches in general (at least in our dataset) are driven by credential theft. Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials. These Hacking varieties (Figure 20 below), along with exploitation of a vulnerability (of which SQLi is a part), are associated in a major way with web applications as illustrated in Figure 21. We have spent some time on this over the last year, and it is important to reassert that this trend of having web applications as the vector of these attacks is not going away. This is associated with the shift of valuable data to the cloud, including email accounts and business-related processes.

    Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials.

    Use of backdoor or C2 (checking in at third place) are both associated with more advanced threats, since for more intricate campaigns and data exfiltration missions there is nothing quite like the human touch. For better or worse, the promise of fully autonomous Artificial Hacking Intelligence (AHI) is still at least 15 years away,18 along with flying cars.

  • Figure 20
  • Figure 21

  • Using and abusing credentials
    Criminals are clearly in love with credentials, and why not since they make their jobs much easier? If you refer back to Figure 6 at the very beginning of the "Results and Analysis" section, it is apparent that use of credentials has been on a meteoric rise. Figure 22 represents connection attempts by port over time based on contributor honeypot data, and provides another take on the topic. As it depicts, SSH (port 22) and Telnet (port 23) connection attempts are two orders of magnitude19 above the next cluster of services. Let’s explore credential stuffing and then move on to exploiting vulnerabilities.

  • Figure 22
  • Additional contributor data sheds light onto the credential stuffing attacks criminals are attempting. Figure 2320 shows the number of attempts orgs who had any credential stuffing attempts typically received. As you will notice, it is a relatively smooth bell curve with a median of 922,331. Granted, a good number of those login/password combos attempted will be as complex as “admin/admin” or “root/hunter2” but those sustained attacks over time are succeeding according to our incident dataset.

  • Figure 23
  • Something you might be wondering is “Do credential leaks lead to more credential stuffing?” We took a look at a dataset of credential leaks and compared it to the credential stuffing data we had. You can see in Figure 24 that the answer is no.21 We found basically no relationship between a credential leak and the amount of credential stuffing that occurred the week after. Instead it appears to be a ubiquitous process that moves at a more or less consistent pace: Get a leak, append to your dictionary, continue brute forcing the internet. Rinse, repeat.

  • Figure 24
  • Exploiting vulnerabilities
    Vulnerabilities occupy a huge amount of mind-share in information security. Yet, harkening back to that bit about survivorship bias in the "Malware" section, it’s more of situation #3 than situation #1. There are lots of vulnerabilities discovered, and lots of vulnerabilities found by organizations scanning and patching, but a relatively small percentage of them are used in breaches, as you can see in Figure 25. Although exploiting vulnerabilities is in second place in breach Hacking varieties, it has not played a major role within incidents found in the DBIR over the last five years. In fact, it reached its peak at just over 5% as a Hacking variety in 2017. In our security information and event management (SIEM) dataset, most organizations had 2.5% or less of alerts involving exploitation of a vulnerability.22

  • Figure 24
  • But that doesn’t mean that the attackers don’t give it a try anyway. Clearly, the attackers are out there and if you leave unpatched stuff on the internet, they’ll find it and add it to their infrastructure.23 We hear a lot about new vulnerabilities and their prevalence both on the internet and within organizations. Does the internet as a whole become more vulnerable with every new vulnerability that gets discovered?24 And are those unpatched vulnerabilities that are adding to the problem likely to be present on your systems?

    To test whether that25 is true, we conducted a little investigation this summer. We looked at two sets of servers hosted on public IP addresses: ones vulnerable to an Exim vulnerability discovered in 201926 and randomly chosen IPs. As we see in Figure 26, hosts that were vulnerable to the EXIM vulnerability were also vulnerable to 10-year-old SSH vulnerabilities27 much more frequently than the random sample.

    The takeaway is that it wasn’t just the Exim vulnerability that wasn’t patched on those servers. NOTHING was patched. For the most part, no, the internet as a whole does not seem to be getting less secure with each new vulnerability, at least not after the short window before organizations that are on top of their patch management update their systems.28 You can just as easily exploit those vulnerable servers with that l33t 10-year-old exploit you got from your h4x0r friend on Usenet.

  • Figure 26
  • But what about the second question: Are those likely to be your systems that are vulnerable?29 To test this, we took two samples from vulnerability scan data: organizations with the Eternal Blue vulnerability30 present on their systems and those without. In Figure 27,31 we see the same thing as in Figure 26. The systems that were vulnerable to Eternal Blue were also vulnerable to everything from the last decade or two. Once again, no, each new vulnerability is not making you that much more vulnerable. Organizations that patch seem to be able to maintain a good, prioritized patch management regime.

    Still, we’re not in the fourth survivorship bias situation here. Attackers will try easy-to-exploit vulnerabilities if they encounter them while driving around the internet. Since you just came from the "Credentials" section, you may remember that Figure 22, which illustrates that once you get below the SSH and Telnet lines on the chart, the next three services that we conveniently highlighted are port 5555 (Android Debug Bridge, or adb—really popular lately), port 7547 (common router RPC port) and port 37777 (popular with IP cameras and DVRs). If you will allow us a mixed metaphor, there is no outrunning the bear in this case, because the bears are all being 3D-printed in bulk and automated to hunt you.

    So, carry on my wayward son and keep doing what you’re doing (you know, patching), and perhaps skip over to the "Assets" section to get an inkling of what you might be missing.

  • Figure 27
  • Social

    If action types were people, you would probably give Hacking, Malware and Error a wide berth because they just sound like they would be less than friendly. But Social sounds as though it would be much more happy-go-lucky. More likely to house-sit for you, invite you to play bunko and include you in neighborhood barbecues. You’d be wrong though. Social comes with a devious attitude and a “take me to your manager” haircut. Figure 28 shows Social broken down into two types of incidents: Phishing and Pretexting.32 When it comes to breaches, the ratio remains quite similar, only with slightly lower numbers.

  • Figure 28
  • Social actions arrived via email 96% of the time, while 3% arrived through a website. A little over 1% were associated with Phone or SMS, which is similar to the amount found in Documents. If you take a glance at Figure 29, you’ll notice that while credentials are by far the most common attribute compromised in phishing breaches, many other data types are also well represented. Phishing has been (and still remains) a fruitful method for attackers. The good news is that click rates are as low as they ever have been, (3.4%) and reporting rates are rising, albeit slowly (Figure 30).

  • Figure 29 and 30
  • Financially Motivated Social Engineering
    Financially Motivated Social Engineering (FMSE) keeps increasing year-over-year (Figure 31), and although it is a small percentage of incidents, in raw counts, there were over 500 in our dataset this year. These attacks typically end up in our Everything Else pattern, as they are purely social in nature. There is no malware component, as you would see in the more advanced nation-state scenario, nor is there any effort to gain a foothold and remain persistent in the victim’s network. These are simply a “get what you can when you can” kind of attack.

    This is not to say that they cannot be sophisticated in the lengths the adversary is willing to go to for success. In prior years, they would impersonate CEOs and other high- level executives and request W-2 data of employees. They have largely changed their tactics to just asking for the cash directly— why waste time with monetizing data? It’s so inefficient. Their inventiveness in the pretext scenario to lend a level of believability to their attempt is a measure of how good these people are at their jobs.

  • Figure 31
  • Last year, we looked at the median impact cost for incidents reported to the FBI IC3. With regard to business email compromises (BEC), we noticed that most companies either lost $1,240 or $44,000 with the latter being slightly more frequent (Figure 32).

    Also, last year we stated that when “the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all U.S.-based business email compromise victims had 99% of the money recovered or frozen; and only 9% had nothing recovered." They continued to record that metric and this year it improved slightly, indicating that 52% recovered 99% or more of the stolen funds and only 8% recovered nothing.

  • Figure 32
  • Assets

    Figure 33 provides an overview of the asset landscape. Servers are the clear leader and they continue to rise. This is mainly due to a shift in industry toward web applications (the most common asset variety in Figure 34) with system interfaces delivered as a software as a service (SaaS), moving away from that seven-year-old spreadsheet with those great macros that Bob from accounting put together. Person33 holds second place for the second year in a row, which is not surprising given how Social actions have stayed relevant throughout this period.

    Kiosks and Terminals continued to decline as they did last year. This is primarily due to attackers transitioning to “card not present” retail as the focus of their efforts, rather than brick-and-mortar establishments.

  • Figure 33
  • Head in the clouds
    Cloud assets were involved in about 24% of breaches this year, while on-premises assets are still 70%34 in our reported breaches dataset. Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims.

  • Figure 34
  • Information Technology vs. Operational Technology
    Last year we started tracking embedded assets, but that turned out to be less insightful than we anticipated. So, this year we began tracking Information Technology (IT) vs Operational Technology (OT) for assets involved in incidents instead. We hope to be able to do a more comprehensive analysis in the following years, but for now our findings were not particularly surprising: 96% of breaches involved IT, while 4% involved OT. Although 4% might not sound like a lot, if you happen to be in an industry that relies on OT equipment in your means of production, it’s certainly adequate cause for concern.

    Mobile devices
    This year we were minding our own business, eating some plums we found in the icebox, when over a thousand cases of Loss involving Mobile Devices showed up in our dataset. We would make this incredible spike in incidents one of our key findings, but we are pretty sure “forgetting your work mobile phone in a hipster coffee shop” is not a new technique invented in 2019. Turns out data collection is partially to blame here. We updated the collection protocols with a few of our contributors, and voilà, there they were. Those Error cases made up roughly 97% of the incidents we had on Mobile Devices.

    The other 3% are very interesting, though. Those incidents are split almost evenly between Espionage and Financial motives, which is incredibly significant when our overall breakdown of motives is of 64% Financial and only 5% Espionage. And while the financially motivated ones vary from Theft to the use of the device as a vessel for Pretexting, the espionage-related cases are exclusively Malware-based compromises of mobile devices to further persistence and exfiltration of data by advanced State-affiliated actors.

    Asset management
    We mentioned back in the "Hacking" section that hosts susceptible to major new vulnerabilities tend to also still be defenseless against many older vulnerabilities. That finding is a bit of a double-edged sword in that, while it seems to suggest that patching is working, it also suggests that asset management may not be. We found that it was most often the case that organizations have approximately 43% of their internet-facing IPs in one network35. However, the most common number of networks that an organization occupies is five, and half of all organizations are present on seven or more (Figure 35). If you don’t know what all those networks are, you might have an asset management problem. Therefore, it might not just be an asset management problem, but also a vulnerability management problem on the assets you did not realize were there.

  • Figure 35
  • In over 90% of organizations, less than 10% of their internet-facing hosts had any significant vulnerabilities. In half of all orgs, less than 1% of hosts had internet-facing vulnerabilities (Figure 36). That suggests that the vulnerabilities are likely not the result of consistent vulnerability management applied slowly, but a lack of asset management instead.

  • Figure 35
  • Attributes

    The compromise of the Confidentiality of Personal data leads the pack among attributes affected in breaches, as shown in Figure 37. But keep in mind that this contains email addresses and is not just driven by malicious data exfiltration, but also by “benign” errors. The one-two punch of Hacking and Error puts email addresses (and by extension personal information) at the front of the pack. Certainly, Personal information goes way beyond just email addresses, but that is the designation where those reside.

    In second place, we see Credentials, which should come as no surprise since we have covered that topic sufficiently already. Alter behavior appears next and is a result of Social breaches affecting the Integrity of our victims’ Person assets. Finally, we see Malware-related breaches causing the integrity violation of Software Installation.

    One other notable observation from Figure 37 is that Bank and Payment data are almost equal. Five years ago, Payment information was far more common, but while compromise of bank information has stayed relatively level, Payment has continued to decline to an equivalent level.

  • Figure 36
  • Email address compromises
    Given that email addresses are Personally Identifiable Information (PII) and that Personal is the most common variety of data to be breached in this year’s report, we looked a bit more closely at some of the email leaks we have seen over the last 10 years. Figure 38 gives you a feel for what email top-level domains (TLDs) are being compromised the most. The “Other” category includes TLDs with less than 1% of emails, by the way.

    Since .com accounts for approximately 59% of leaked emails, we focused in on that a bit. The first 150 domains that we looked at showed that most were mail registration services. That accounted for about 97% of the breaches, and provides hope that most emails compromised aren’t your employees’ corporate addresses. However, the little matter of the remaining 3% was comprised of tens of millions of addresses. 

    What’s that attribute going to cost you?
    As reported in FBI IC3 complaints, the most common loss was $32,200 this year, up from about $29,300 last year. That’s still basically in the preowned car range, and while no one wants to lose that much money, it could certainly be much worse.

  • Figure 37
  • Figure 39
  • How many paths must a breach walk down?

    We tend to think about incidents and breaches as a point in time. You snap your fingers and all the attacker actions are complete, the stolen data is in the attacker’s saddlebags and they are off down Old Town Road and away into the sunset. Still, we all know that is not quite what actually happens. Many of the attacks studied in this report fall somewhere between a stickup and the Great Train Robbery in terms of complexity. The good news is that defenders can use this to their advantage.

    As you can see in Figure 40, attacks come in numerous forms and sizes, but most of them are short, having a small number of steps (you can notice that by how the volume of line segments thin out between the four and six steps markers). The long ones tend to be Hacking (blue) and Malware (green) breaches, compromising Confidentiality (the middle position) and Integrity (the lower position) as the attacker systematically works their way through the network and expands their persistence. The benefit in knowing the “areas” (threat actions—colors/compromising specific attributes—positions) attackers are more likely to pass through in their journey to a breach gives you first advantage, because you can choose where to intercept them. You may want to stop their initial action or their last. You may not want to go near them, so you don’t have to listen to “Old Town Road.” All of these options are understandable in accordance with your response strategy.36

  • Figure 40
  • OK, take a deep breath and look at Figure 40. No, a butterfly did not just vomit on your report. Don’t worry about trying to understand all the graphic has to tell. Instead, let us convey the concept of what you are seeing here. This abstract work of art contains a line (a “path”) for each of several hundred breaches. In the way a bar chart summarizes numbers, this graph summarizes paths taken by the attacker.

    Each colored line segment (a “step”) represents an action taken by the threat actor along with the associated attribute that was compromised. The color of each step represents the VERIS threat action of the step, and the position where the step ends represents the attribute compromised. But the real trick to understanding this chart is that the paths start from the left and move to the right—the first step on a path will either come from the top of the chart or the bottom (because they have to come from somewhere) and “land” on the appropriate attribute.

    So, if you pick any yellow step coming from the top of the chart starting at 4 on the horizontal axis and ending on the lower position of the chart, you just found yourself at the beginning of a four-step incident that started with a Social action that compromised the Integrity attribute. Also, notice how Error actions (the dark blue lines coming from the bottom of the chart) are usually part of very short paths and land on the Confidentiality attribute.

    There’s a small amount of noise put into the positions of the lines, since otherwise the same lines would be exactly on top of each other and we wouldn’t be able to see a lot here. But mostly we did it for the art.

  • Figures 41 and 42 provide us with our next defensive advantage. Attackers prefer short paths and rarely attempt long paths. This means anything you can easily throw in their way to increase the number of actions they have to take is likely to significantly decrease their chance of absconding with the data. Hopefully by now we have driven home the significance and prevalence of credential theft and use. While we admit that two-factor authentication is imperfect, it does help by adding an additional step for the attacker. The difference between two steps (the Texas two-step) and three or four steps (the waltz) can be important in your defensive strategy.

    The difference between two steps (the Texas two-step) and three or four steps (the waltz) can be important in your defensive strategy.

  • Figure 41
  • Figure 42
  • Finally, take a look at Figure 43. It shows what actions happen at the beginning, middle and end of both incidents and breaches. It is not what is on top that’s interesting (we already know “Social—Phishing” and “Hacking—Use of stolen creds” are good ways to start a breach and “Errors” are so short that the beginning of the path is also the end). The interesting bit is what’s near the bottom. Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, our third defensive opportunity, is to guess what you haven’t seen based on what you have. For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are.

    All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.

  • Figure 43
  • Timeline
    As we analyze how breach timelines have evolved over time, Discovery in days or less is up (Figure 44) and Containment in that same timeframe has surpassed its historic 2017 peak (Figure 45). However, before you break out the bubbly, keep in mind that this is most likely due to the inclusion of more breaches detected by managed security service providers (MSSPs) in our incident data contributors’ sampling, and the relative growth of breaches with Ransomware as collateral damage, where Discovery is often close to immediate due to Actor disclosure. 37

    Discovery in Months or more still accounts for over a quarter of breaches. We are obligated to point out that since this is a yearly report, this is usually a trailing indicator of the actual number, as there are potentially a significant number of breaches that occurred in 2019 that just have not been discovered yet.

    All in all, we do like to think that there has been an improvement in detection and response over the past year and that we are not wasting precious years of our life in a completely pointless battle against the encroaching void of hopelessness. Here, have a roast beef sandwich on us.

  • Figure 44
  • Figure 45

6 Convenience sampling is a type of nonrandom sampling that involves the sample being drawn from that part of the population that is close to hand or available. More details can be found in our "Methodology" section.

7 This year, we added a Trojan category to Malware. This is a combination of Malware RAT, Malware C2 and Backdoor, Hacking Use of backdoor or C2, and Malware Spyware/Keylogger.

8 When we say “Organized crime” we mean “a criminal with a process,” not “the mafia.”

9 Cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber, cyber.

10 Matched a search for guide, tutorial, learn or train in the title or body.

11 Pathways into Cyber Crime, NCA, 2017 (

12 We are aware of reports of ransomware families that are now capturing data before encrypting so the actors can threaten to also expose the data if the ransom is not paid. However, the cases logged were documented after October 31, 2019, the close date of the data scope for this issue.

13 A combination of multiple malware varieties: RAT, Trojan, C2, Backdoor and Spyware/keylogger

14 Please bear in mind that incidents that would result in a Ransomware attack can also be stopped before the malware even manifests itself, so this is maybe an underestimation.

15 The potential underestimation from incidents being stopped before the malware manifests itself is also valid here.

16 Other than zero obviously. And please exercise caution with sharp objects around coworkers, family members and pets if you attempt this.

17 Credential theft and use, Phishing and Errors.

18 [citation needed] I read this in some vendor marketing copy somewhere, I’m sure. OK, I didn’t, but doesn’t it sound like something I would?

19 They may seem close, but that is a log scale (

20 If this figure is confusing, see the dot plot explanation in the "DBIR Cheat sheet" section.

21 Where are my negative result experiment fans? A toast to science, my colleagues!

22 Caveat emptor, to do this we used existing contributor mappings to MITRE ATT&CK and traced to our VCAF mapping as discussed in Appendix B.

23 Granted, I don’t have any studies that show that stealing CPU cycles is a lot cheaper than traditional infrastructure as a service (IaaS), but given my last cloud services bill, I don’t see how it couldn’t be.

24 TL;DR: Mostly no. Not for long anyway.

25 Does the internet as a whole get more vulnerable with each new vulnerability?

26 CVE-2019-16928

27 And basically, every vulnerability since then

28 Shout-out to our summer intern Quinnan Gill who did this research for us. You’re awesome!

29 TL;DR: Again, probably not. If you are patching, of course.

30 CVE-2017-0144

31 We use Eternal Blue here and the Exim vulnerability in Figure 26 because the analysis for Figure 26 came from the summer while Figure 27 data is from last year, potentially before CVE-2019-16928.

32 Often business email compromises (BECs), but given that it works even if you don’t compromise an email address, you might see us referring to Financially Motivated Social Engineering or FMSE.

33 I know it is weird, maybe even dehumanizing, to think of a Person as an asset but this is meant to represent the affected party in an attack that has a social engineering component. People have security attributes too!

34 The remainder were breaches where cloud was not applicable, such as where the asset is a Person.

35 By “network,” we mean an autonomous system, represented by an autonomous system number (ASN):

36 Or to how susceptible you are to ubiquitous earworms.

37 Nothing quite like a rotating flaming skull asking for cryptocurrency on your servers to help you ”discover” a breach.