Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches.

The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still performing poorly in their attempts to defend against hacking or malware-based attacks. This isn't for a lack of trying or skills on their part, but almost completely down to the fact that the game is rigged against them.

Verizon's ninth annual Data Breach Investigations Report (DBIR) provides an analysis of over 100,000 security incidents and 2,260 confirmed data breaches last year, drawing on real-world data breach caseloads handled by either Verizon or around 50 other contributing organisations.

Those involved include the US Secret Service, the European Cyber Crime Center (EC3), UK CERT and the Irish Reporting and Information Security Service (IRISS CERT), amongst others.

Hackers are getting faster whilst defenders are treading water. Over 99 per cent of attacks compromise systems within days (four out of five do it within minutes), and two-thirds of those siphon off data within days (a fifth do it in minutes). Whilst there was an improvement in the number of breaches detected in 'days or less' noted in the last DBIR, that turned out to be a temporary blip. This year, less than a quarter of breaches were detected within the same timeframe – meaning attackers have almost always gotten away with the goods before anyone notices.

Worse yet, it's usually not the victim that notices the breach, but a third party (normally either a security researcher or law enforcement).

Nearly two-thirds of all breaches are still traced back to weak or stolen passwords – a basic security failure.

"People are not sitting in front of consoles, looking for SQL Injections before running a manual attack," Dave Ostertag, global investigation manager at Verizon told El Reg. "They are stealing credentials, planting malware, pivoting and exfiltrating data."

Hackers have begun using multiple exfiltration points to avoid detection, Ostertag added.

Phishing lures

Phishing (which "is efficient and works really well," according to Ostertag) remains a huge problem and a major factor in most breaches. The DBIR found that nearly a third of phishing emails get opened, and more than one in ten recipients open the attachments, a significant rise from last year. The main perpetrators of these attacks are organised crime syndicates, but nearly one in ten can be attributed to a state-affiliated actor. China accounts for more than half of all cyber-espionage attacks by volume last year, according to Ostertag, who nonetheless welcomed the recent US/China no hack pact as a positive development.

Public sector, manufacturing and professional services firms top the hit list of targets for cyber-espionage. Attackers are using phishing scams and pilfered passwords to open up a backdoor onto enterprise networks. This foothold is used to smuggle malware into targeted networks. Corporate networks would be far harder to attack – even with access credentials – in cases where enterprises had applied two-factor authentication. However, failure in this area was yet another security shortcoming identified during Verizon's study.

"Many victims have single-factor access into parts of their network even if they think otherwise," according to Ostertag.

On the cybercrime-for-profit front, ransomware is a problem across the board in manufacturing, the public sector and healthcare, Verizon reports. Cybercrooks, like cyber-spies, often rely on phishing.

"Hackers do their homework using social media like LinkedIn and other sources to know who to target, and what sort of content is likely to be opened," Ostertag explained.

"Cybercrooks are going after people who initiate or manage financial transactions."

Older threats such as phishing, malware and weak passwords predominate in breaches. By contrast, the much-discussed security risks from the Internet of Things and mobile phones barely register in Verizon's breach study. ®