F5 Labs researched 433 breach cases spanning 12 years, 37 industries, and 27 countries to discover patterns in the initial attacks that lead to the breach.
We also analyzed the primary root causes of the breaches, how that varied in breach remediation costs by industry, and the impact of these breaches on each data type breached on the global scale. The purpose of our analysis was to identify where organizations are most likely to be attacked in a way that will result in a breach so that efforts to mitigate attacks can be appropriately aligned.
We can only know about a small fraction of what’s really going on, as companies often don’t know when they have been breached. There’s always a complicated mix of visibility, logging, monitoring and alerting, and communication that has many opportunities to fail.
These challenges result in only a small fraction of incidents being investigated and an even smaller number of incidents being reported. That said, we think there are still valuable insights to be gained from these cases. Of the reported cases we analyzed, 79% had breach counts publicized, but only 49% had enough data to determine the initial attack vector, and only 40% had enough to determine a root cause. Finding a root cause can be tough. If you don’t have enough visibility and logging controls in place, you may never know how an attacker got in, what they took, and how much. If a company doesn’t know this information for a fact, there are many legal loopholes that excuse them from disclosing the incident at all. In some cases, this information is also kept confidential due to law enforcement investigation—which is why we also reviewed the detailed court records of recent major breach cases.
Nevertheless, the number of breaches we know about, the types of data breached, and the total record counts and their impact are staggering. Here’s a summary of the most impactful findings:
- Applications were the initial targets in 53% of breaches.
- Identities were the initial targets in 33% of breaches.
- Breaches that start with application attacks account for 47% of the breach costs but only 22% of the total breached records, making application attacks the costliest.