Arm Yourself: Key Findings from The Crypsis 2020 Incident Response and Data Breach Report

Author: Crypsis, June 26, 2020

Crypsis 2020 Incident Response and Breach Report Key Findings

In a world rife with security risk, threats, and continually shifting threat tactics, information is one of the best tools we have to mitigate risks and arm our responses. Recently, The Crypsis Group released our first annual Incident Response and Data Breach Report to help organizations understand how threat actors are able to compromise data assets and learn what they can do about it. As we were compiling the data and assessing the results, we were struck by how much—and how little—has changed in the realm of cybersecurity.

What has evolved are the tactics, techniques, and procedures threat actors use to continuously evade the defensive armor of organizations—whatever that armor is, and however it is itself evolving. What has not changed is that these criminals continue to find vulnerabilities missed in a checklist of ordinary best practices. Certainly, many attacks are more creative and leverage little-seen techniques; but countless others prey on well-understood and everyday vulnerabilities, such as unpatched software. These best practices are becoming harder for organizations to address, not because each is necessarily complicated, but because the organizational IT landscape is getting more diverse, complex, distributed, and expansive. At the same time, skilled security professionals are getting harder to find.

Our report provides detailed information on the vulnerabilities threat actors capitalize on most frequently and the tactics they are using, as well as pro tips specifically targeted at avoiding them. We offer some of our key takeaways below.

Ransomware attacks and Business Email Compromise (BEC) were the two most pervasive and impactful cyber threats in 2019 in terms of business disruption and monetary loss

One of our top conclusions was that organizations were most likely to be hacked by ransomware or BEC in 2019. Ransomware monetary demand amounts continue to trend up, threat actors are employing more sophisticated tactics, and they have been adding data exfiltration and extortion to the mix. Since 2018, threat actors have evolved from deploying mass-distributed phishing campaigns with lower ransom demands to highly targeted, well-researched attacks on larger enterprises with deeper pockets. We found that requested ransom amounts rose nearly 200% from 2018 to 2019, averaging $115,123 in 2019. The Healthcare sector was the most affected (22% of our 2019 ransomware matters), with the Manufacturing sector coming in second (13%).

More incidents have included the deletion or disablement of backups, as well as the threat of releasing sensitive data publicly. The threat actor group known for deploying the Maze ransomware is leading the way in extortionate tactics, but others are getting into the game. We believe these new methods represent a tactical shift in response to stronger enterprise security defenses and an associated reduction in organizations’ willingness to pay.

Within the realm of ransomware, we see that threat actor tactics and techniques are evolving; but they are still heavily leveraging many common vulnerabilities, such as insecure Remote Desktop Protocol (RDP) exposure or unwary humans (through phishing tactics), as elements within their arsenal.

BEC threat actors continue to capitalize on organizations' migration of enterprise email to the cloud. BEC attacks primarily leverage phishing to harvest cloud-based email passwords with the intent of committing wire fraud. Here, too, however, attackers are researching their victims more and getting more targeted. Across all incident types, 34% of our overall matters in 2019 were BEC attacks. The average theft of wired funds per incident in 2019 was $264,117. Financial Services and Healthcare sector organizations were the hardest hit, due, we believe, to their high volume of financial transactions and reliance on email to conduct them.

The top targeted industries were Healthcare and Financial Services

Compared to other industry sectors, Healthcare and Financial Services organizations store, transmit, and process high volumes of monetizable sensitive information, which disproportionately attracts threat actors. (Sixteen percent of all incident response matters we handled in 2019 were within Healthcare, and 14% were in Financial Services.) Ransomware was the attack type of choice against healthcare organizations in 2019—they suffered more ransomware attacks than any other kind and represent a significant 22% of all our ransomware cases in 2019.

Our Financial Services customers suffered most from BEC attacks: nearly 18% of all BEC cases in 2019 were within this sector. Threat actors target these organizations because of the access their employees have to large sums of money. For organizations like title companies, the risk goes beyond the firm and can affect customers who are preparing to wire large payments to purchase houses, for example.

Insider threats were the dark horse cyber risk of 2019

While nation state and e-crime threat groups garner the headlines, malicious insiders are silently grabbing our sensitive data. Our insider threat investigations continue to grow: they rose approximately 70% year over year. In terms of motive, 57% of attacks were waged by employees looking to advance their careers and who were departing the victim organization, whether or not the organization was aware of the employee’s impending departure. For example, we have seen individuals stealing source code with the apparent intent to aid a competitor’s software development project (where the individual was leaving to begin a new career); as well as employees stealing electronic engineering diagrams and digital photographs of whiteboards containing sensitive intellectual property for similar purposes.

In our observation, the IT security function within organizations often focuses more time and resources on external threats than on internal ones, leaving sensitive data exposed.

Attackers capitalizing on organizations’ inadvertent disclosure of data was the source of the largest volume of sensitive data compromise

Inadvertent disclosure—such as accidental cloud misconfigurations—often results in highly impactful sensitive data compromise. Inadvertent disclosure incidents often involve high-volume databases, exposing large repositories of sensitive data. These events exposed 713,000 individuals' records on average per incident (vs. 9,400 on average per incident in BEC cases). 45% of our inadvertent disclosure investigations involved sensitive data. We believe that the complexities of emerging cloud technologies, together with an organizational inability to manage that complexity, are fueling this trend.

The More You Know, The Better You Can Respond

Organizations have much to consider in their cybersecurity defenses, including routine security best practice management, as well as staying on top of new threat actor tactics, techniques, and procedures to continuously evolve defensive approaches. Information is key in the war against cyber actors. If you’d like a more detailed view of our 2019 data findings as well as in-depth pro tips to secure against threats, download our 2020 Incident Response and Data Breach Report.
