Northern America (NA)

Summary

Northern American organizations continue to be the target of Financially motivated actors searching for money or easily monetizable data. Social Engineering, Hacking and Malware continue to be the favored tools utilized by these actors.

Frequency

13,256 incidents, 1,080 with confirmed data disclosure

Top Patterns

Social Engineering, System Intrusion and Basic Web Application Attacks represent 92% of breaches

Threat Actors

External (82%), Internal (19%), Multiple (2%), Partner (1%) (breaches)

Actor Motives

Financial (96%), Espionage (3%), Grudge (2%), Fun (1%) (breaches)

Data compromised

Credentials (58%), Personal (34%), Other (27%), Internal (11%) (breaches)

When viewing data regarding incidents and breaches in North America, it is important to realize the influence of the regulatory environment on the numbers shown.

Data breach disclosure laws in this region are prevalent and far reaching with the result that our visibility into cybercrime is better than in areas where such laws are not in place. Healthcare and Public Administration are among the more strongly regulated industries; therefore, we see a corresponding prevalence in these industries. In addition to the aforementioned laws, one must keep in mind that we also have more contributors in this geographical area than in others.

There seem to be two very distinct competitions with regard to Northern America’s data (Figure 131). The first of these is a tight race between Social Engineering and System Intrusion (approximately 35% each). The second struggle is between Basic Web Application Attacks and Miscellaneous Errors for a smaller piece of the action. The confidence intervals overlap to such a degree between those groups that it is very difficult to call a clear winner. Therefore, when looking at the statistics from these patterns, keep in mind what we are really seeing are two sets of partners dancing together.

Our brand-new Social Engineering pattern is largely comprised of Pretexting and Phishing actions (Figure 129). Usually, we see more of the simple type of phishing activities than we do people going to the trouble of inventing a scenario. As a rule, criminals tend to be efficient in their efforts and the basics usually bring success, so why put in more work than necessary? One possible answer is that the end goal of the Pretexter is not the same as that of the standard Phisher. Pretext attacks are frequently an attempt to get a direct route to the money: The most common goal is to influence the target to send them money (under false pretenses, of course). These invented scenarios vary somewhat, but examples include the substitution of banking information, or the payment of fictitious invoices. A phisher, in contrast, may be going for data rather than cash, and their aim may ultimately be either to monetize the data stolen in the phish (Credentials), or to gain a foothold into the organization. The System Intrusion pattern (also newly minted) most often tells the story of a Hacking action paired with a Malware action. We typically see the Use of stolen creds to gain access, followed by the actor dropping Malware to further their aims in the organization. In North America, this most commonly means the deployment of Ransomware. As mentioned in last year’s report, we saw Ransomware groups begin pivoting to take a copy of the data for use as leverage against their victims prior to triggering the encryption. This began with the Maze Group, and as they enjoyed success, other groups jumped onto the bandwagon. Now it has become commonplace, with many of the Ransomware groups having developed infrastructure specifically to host these data dumps. 

All of these Social and Malware actions share one characteristic — they cause Integrity violations in the CIA triad. For the Social attacks, Alter behavior shows up to account for the change in the behavior of the victim affected by the Social action. For the Pretexting attacks that were successful, you can see the Fraudulent transaction Integrity attribute when the criminal managed to get someone to send them cash. Malware, of course, results in Software installation as a violation, and Misrepresentation is another side effect of Phred the Phisherman and Patti the Pretexter both pretending to be someone they aren’t (like most everyone else), and attempting to gain more victims in the organization (more followers, if you will). 

Given the prevalence of the Phishing attacks, this is where the Credentials frequently come into play (Figure 133). Personal data is a prime target as well, since that includes such data elements as Social Security/ Insurance numbers paired with other bits of information that allow criminals to commit further financial fraud.

Looking at our Discovery timeline, you can see a significant percentage are discovered in Days or less (Figures 134 and 135 respectively). However, over half of these cases were discovered by the threat actor disclosing the breach— this is typically the way Ransomware is discovered, when the ransom note flashes up on the screen. We would expect to see that happen soon after the encryption is triggered. While we would rather see internal detective controls be responsible for finding the majority of the breaches, at least when that ransom note appears, organizations can start to contain the breach and get the actors out of their network.

Wrap-up

Here we are at last, at the conclusion of the 14th installment of the Verizon Data Breach Investigations Report.

Give yourselves, and each other, a pat on the back, or even better, a big virtual hug.⁷⁵ All will be well. Thank you, readers, for spending time here with us yet again. We hope that the information contained in these pages has been of assistance to you and that you found it both informative and easy to ingest. As we mentioned at different points in this year’s report, it is not always easy to see what is coming at us around the next bend. But one thing we do know is that if we meet whatever it may be with reason, with compassion, caring⁷⁶ and most importantly, with each other, we can handle it.

Of course, we can’t close out a report without thanking our contributors who freely give their time, their expertise and, most importantly, their data to make this report a reality each year. On behalf of the DBIR Team, we thank you all. We encourage you, our readers, to reach out to us with your questions, comments and thoughts, or just to say hi. Here is hoping that we will find you all with us next year for number 15. Stay safe, and be happy! 

⁷⁵ Or a real one if you have really long arms.

⁷⁶ As Dan Kaminsky would do.