"We're still writing about ransomware?" If the first half of 2021 has a theme, this question posed in the Verizon 2021 Data Breach Investigations Report (DBIR) would be it. In May, we passed the four-year anniversary of WannaCry, around the same time that the DarkSide pipeline attack made cyber ransom a national talking point once again. The Verizon 2021 DBIR was released shortly after these landmark events, offering insights into a year of data breaches and cybercrime trends. Among other important takeaways, it should be no surprise that they confirmed ransomware to be on the rise.
Beyond ransomware trends, the release of the 2021 report fell roughly a year after global stay-at-home orders were implemented as a result of the COVID-19 pandemic. The timing of the report gives us valuable insight into how global stay-at-home orders may have affected cybersecurity.
It's cliché to say that a lot has changed in the last year, but for those working or even interested in the subject of cybersecurity, the ability to track, understand, and react to these changes is critical to keeping one step ahead of the adversary. We've broken down what we think are some of the most important takeaways from the 2021 DBIR, with tips on how to defend yourself.
Trend 1: Attackers Are Using Tactics that Evade the Perimeter
As the rest of us became homebodies, attackers were getting social. This year marked a rise in stolen credentials and social engineering tactics, making it far and away the top hacking tactic used in basic web application attacks.
While the term social engineering encompasses a range of tactics, it's notable that among them, phishing is now a component of 36% of breaches—a huge leap from last year when it was used in 25% of breaches. The DBIR authors connect the dots to the pandemic, saying, "this increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect."
Stolen credentials and social engineering tactics are virtually undetectable at the perimeter. Attackers who access legitimate credentials or trick someone into letting them into a system can easily bypass firewalls, activity logging, and intrusion detection systems (IDS), which is presumably why they're on the rise.
When an authentic set of credentials falls into the wrong hands, behavior monitoring is the best way to detect abuse. At the scale and pace most enterprises operate, this can only be accomplished through machine learning: real-time detection, backed by forensics that drill all the way down to the packet level to speed up investigation and response.
Trend 2: Ransomware is Multifaceted Extortion
The DBIR echoes and validates the frustrating findings that FireEye Mandiant released in their annual M-Trends Report, notably the fact that ransomware is on the rise, and increasingly paired with additional extortion tactics (what Mandiant coined as multifaceted extortion) to generate more leverage from victims.
According to Verizon's research, "The novel fact is that 10% of all breaches now involve ransomware. This is because Actors have adopted the new tactic of stealing the data and publishing it instead of just encrypting it."
This is an unfortunate trend, but the good news is that security teams aren't helpless. Gathering and exfiltrating data before encrypting it for ransom is extra work for ransomware groups. More importantly, it leaves them with an increased risk of getting caught. Entering the network, finding and staging the data, and then exfiltrating it all leave signals that a network detection and response (NDR) solution can detect. Thanks to this visibility, ExtraHop customers have successfully stopped both DarkSide and REvil attacks using Reveal(x) 360.
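The behavior-baselining idea from Trend 1 and the staging-and-exfiltration signals described above, as an added illustration that is not ExtraHop's or Reveal(x)'s code: per-host daily byte totals on two channels (data pulled from an internal file server, data pushed to external peers) are baselined over quiet days, and a day that sits far above a host's own baseline is flagged. The flow records, host names and the file-server name are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real traffic: (day, host, peer, bytes_in, bytes_out, peer_is_external).
FILE_SERVERS = {"fs-01"}  # assumed internal file server name
BASELINE = [  # three quiet days used as the learning window
    ("d1", "ws-01", "fs-01", 40_000_000, 300_000, False), ("d1", "ws-01", "203.0.113.10", 900_000, 5_000_000, True),
    ("d2", "ws-01", "fs-01", 42_000_000, 250_000, False), ("d2", "ws-01", "203.0.113.10", 800_000, 4_500_000, True),
    ("d3", "ws-01", "fs-01", 38_000_000, 310_000, False), ("d3", "ws-01", "203.0.113.10", 950_000, 5_500_000, True),
    ("d1", "ws-02", "fs-01", 35_000_000, 200_000, False), ("d1", "ws-02", "203.0.113.10", 400_000, 2_000_000, True),
    ("d2", "ws-02", "fs-01", 36_000_000, 210_000, False), ("d2", "ws-02", "203.0.113.10", 450_000, 2_200_000, True),
    ("d3", "ws-02", "fs-01", 34_000_000, 190_000, False), ("d3", "ws-02", "203.0.113.10", 380_000, 1_800_000, True),
]
CURRENT = [  # the day under inspection
    ("d4", "ws-01", "fs-01", 900_000_000, 400_000, False),       # bulk pull from the file server: staging
    ("d4", "ws-01", "198.51.100.7", 20_000, 850_000_000, True),  # bulk push to a never-seen external host: exfil
    ("d4", "ws-02", "fs-01", 39_000_000, 220_000, False),        # slightly above normal, but ordinary volume
]

def daily_totals(flows):
    """Sum bytes per (day, host, channel); the two channels correspond to staging and exfiltration."""
    totals = defaultdict(int)
    for day, host, peer, bytes_in, bytes_out, external in flows:
        if external:
            totals[(day, host, "out-to-external")] += bytes_out
        elif peer in FILE_SERVERS:
            totals[(day, host, "in-from-fileserver")] += bytes_in
    return totals

def baseline(flows):
    """Per (host, channel): mean and population std dev of daily totals over the learning window."""
    series = defaultdict(list)
    for (day, host, channel), total in daily_totals(flows).items():
        series[(host, channel)].append(total)
    return {key: (mean(vals), pstdev(vals)) for key, vals in series.items()}

def detect(flows, stats, z=3.0, floor=50_000_000):
    """Flag a day's total that is above an absolute floor AND more than z std devs above the host's own
    baseline; the floor suppresses noise on tiny baselines, the spread clamp (5% of mean) stops z exploding."""
    alerts = []
    for (day, host, channel), total in sorted(daily_totals(flows).items()):
        if (host, channel) not in stats:
            if total > floor:  # a channel this host never used during the learning window
                alerts.append((day, host, channel, total, "no baseline"))
            continue
        mu, sigma = stats[(host, channel)]
        spread = max(sigma, 0.05 * mu)
        if total > floor and total > mu + z * spread:
            alerts.append((day, host, channel, total, f"{(total - mu) / spread:.0f} sigma above baseline"))
    return alerts
```

Running `detect(CURRENT, baseline(BASELINE))` flags both ws-01 channels for day d4 and nothing for ws-02, whose 39 MB pull stays under the floor.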
Trend 3: It's (Even More) About the Money
Given the rise of ransomware and extortion tactics, it follows that financial gain continues to be the top motive according to the DBIR. While cyberespionage hasn't gone away, its share of breaches is minimal in comparison, and organized crime leads the list of threat actors, who have undoubtedly profited even more from the pandemic.
Cybercrime is an industry, and industries thrive on creating demand. As with any industry, cybercrime is also innovating to increase its profits, as demonstrated by the trend of multifaceted extortion—and it seems to be working.
While the clearest path to cutting off the ransomware industry is for organizations to stop paying ransom, for victims the benefits of payment are immediate and tangible—especially when business operations, patient care, or, say, a major portion of a nation's infrastructure has been shut down. Anyone with a hint of empathy can see why non-payment comes with complications.
The most cost-effective and painless way to cut off cybercrime's income stream is detection and prevention. Reports like the DBIR help business leaders and security experts understand what they're up against. We know that traditional endpoint security tools can't hold up to the tactics attackers use today, but next-generation, machine learning-based solutions like NDR empower organizations to detect attacks and stop them before they even have to consider paying ransom.
If you want to see how ExtraHop detects threats like ransomware, you can test out the full product, running on sample data in our online demo.