As a follow up to the 2021 Application Protection Report, we analyzed and visualized attack chains for more than 700 data breaches to look for relationships between sectors or industries and the tactics and techniques attackers use against them. While there are some attack patterns that correspond to sectors, such as the prevalence of web exploits against ecommerce targets, the relationships appear indirect and partial, and counterexamples abound. The conclusion is that sectors can be useful for predicting an attack vector, but only in the absence of more precise information such as vulnerabilities or published exploits.
In both the 2021 Application Protection Report (APR) and the 2021 Credential Stuffing Report, we noted that industry sectors, or verticals, appear to have limited value in terms of predicting the precise vector attackers will use against a given target. This is because the types of data and vulnerabilities in the target environment, which determine an attacker’s approach, no longer tightly correlate with the nature of the business. Despite this, however, sector-based studies of information risk are common in security intelligence, and we frequently get requests to break down threats to a specific vertical.
With this in mind, we reexamined the 2020 U.S. data breaches that formed the foundation of the 2021 APR from the standpoint of sectors. The goal is both to look for clusters of sectors and attack vectors and to see if we can determine a more precise formulation for the relationship between lines of business and attacker approaches.
U.S. Breach Causes by Sector—Simple Model
We’ll start where we left off in the APR, with a sector breakdown of breaches based on the simplified, single-stage model we used in previous reports. Figure 1 shows the distribution of the 729 data breaches we examined by sector. The most notable thing about this view is that attackers focused on the retail sector less than in 2018 and 2019. The growth of breaches in the Professional, Scientific, and Technical services; Health Care and Social Assistance; Educational Services; and Finance and Insurance sectors reflects the growth of ransomware as a reliable way to extract value from stolen data that is not easy to sell within the attacker community.
Figure 2 shows how attacker techniques vary by sector. The clear targeting pattern that was present in 2019 was not seen in 2020; in 2019, web exploits constituted 87% of retail breaches, and nearly every other sector was characterized by access breaches and email compromise. However, the Retail sector still had a larger number of web exploits than any other sector, and it was the only sector in which web exploits were responsible for more than half of the known breaches. The Other Services sector was, for the purposes of our study, dominated by professional advocacy organizations, both white collar and blue collar, and the prevalence of web exploits against these organizations was made up largely of formjacking attacks against the membership renewal service on their web applications. The surprisingly large number of web exploits against the Educational Services sector was caused by a focused campaign against an e-learning platform that was hosting data for many secondary schools in the state of California.
If the vulnerability in that e-learning application hadn’t existed, the campaign of web exploits against secondary schools would not have happened, and instead the Educational Services sector would have been characterized by third-party data loss events, nearly all of which came from the Blackbaud cloud storage breach described in the APR. In this event, the Educational Services sector would have looked very similar to the Health Care and Social Assistance or Public Administration sectors, in that the breaches were (at least viewed through this model) all either ransomware or access breaches. Hold on to this anomalous finding—this is an important clue about what sectors can and can’t tell us, which we will return to in the Conclusion.
So far, it looks like some kind of pattern, but as noted, ransomware is even more difficult to characterize as a single event than most cyberattacks, so we also broke down our attack chain analysis by sector to get a sense of each sector’s characteristics. Note that we only explore those sectors that had a significant number of events.
Attack Chain Analysis by Sector
In the APR, we took pains to distinguish between tactics and techniques as laid out in the MITRE ATT&CK framework. The two most prevalent attack chains, formjacking and ransomware attacks, are dramatically different in the details but share many of the same tactical objectives, namely Initial Access, Execution, and Exfiltration. This is why the overall attack chain visualization, as shown in Figure 3, features two conspicuous threads that converge at the tactics level but diverge at the level of technique.
A tactics-level analysis by sector does not reveal much else of significance. These three tactics are the most frequent for nearly all sectors. The exceptions are the Impact tactic for those sectors hard hit by ransomware attacks, and the prevalence of third-party data loss in those sectors containing a large number of Blackbaud customers: Arts, Entertainment, and Recreation; Educational Services; Finance and Insurance; Health Care and Social Assistance; and to a lesser degree, Other Services.
One minor but potentially significant finding was that every occurrence of Persistence tactics occurred at organizations in the Information sector. However, only a handful of these tactics appeared in the entire data set, and the Information sector contains tech companies, telecommunications companies, and publishing companies, making it hard to determine if persistence is tied to a single kind of organization.
Attack Techniques by Sector
At the level of techniques, however, we can note some distinctions that have actionable value for organizations. We treat each sector in turn, showing the attack chains for those sectors and highlighting significant findings. This is also a good time to reiterate that many of the attack chains, particularly the ransomware breaches, left us with a decent understanding of tactics but completely in the dark about techniques.
Finance and Insurance
The Finance and Insurance sector experienced a comparatively wide group of attacker techniques, particularly if we include those attacks that are not web application-specific, such as insider threats, accidents, and losses of physical devices. Figure 4 shows the attack chains against the Finance and Insurance sector.
While finance and insurance organizations saw many of the most common techniques, including ransomware (Data Encrypted for Impact [T1486]) and a relatively high rate of both phishing and credential stuffing, they also had a significantly higher number of accidents, both from human errors and technological misconfiguration. The finance industry also had the highest rates of insider attacks and physical data breaches.