Inside the 2017 Verizon DBIR

Paul Pratley, Associate Director, Head of Investigations and Incident Response
May, 2017

It’s that time of year again when we reflect, comb through the data in the Verizon Data Breach Investigations Report and see what we can garner to combat emerging trends in data breach incidents.


  • 81% of hacking-related breaches leveraged stolen and/or weak passwords
  • 43% were social attacks
  • 62% of breaches featured hacking
  • 51% of breaches included malware
  • 66% of malware was installed via malicious email attachments
  • 73% of breaches were financially motivated
  • 27% of breaches were discovered by third parties
  • 93% of breaches involved either financial or espionage related motivations


How to get the most from the report?

The DBIR is seen by many as a fascinating insight into what really goes on in data breaches, but the real value is in using it as a means to direct investment in security controls that have the greatest impact on mitigating real world threats to your business.


Incident patterns, the naturally forming clusters first identified in 2014 when comparing the spread of incident metrics, are key to unlocking this value. This year’s report, more than ever, has an industry-specific focus. As such, there is something for everyone, with valuable insights into the causes of, and motivations for, breaches in each industry vertical. Figure 9 is your key to getting the most from the report, showing which incident patterns are most prominent in each industry vertical. Diving into the details of the incident patterns that affect your corner of the security world is the best way to begin using the data effectively.


The big threats

All the passwords

Over a billion credentials are known to have been stolen in the last year, particularly from web portals and sites that exclude online retail. If you run an online service where users authenticate, it’s time to brace yourselves for the script kiddie account checker scripts and start thinking multi-factor authentication if you haven’t already.



Figure 6 – Number of records per data variety over time



Whether associated with economic, political or military advantage, and whether actually carried out by nation states or others, espionage is proportionately trending up in the breach data. 



Figure 3 – Threat actor motives over time


Certain industries are bearing the brunt of this threat. With almost half of the data breaches in the public administration vertical linked to state affiliated actors, these are unsurprisingly the playground of intelligence agencies.


If you happen to be in manufacturing and didn’t know it already, industrial espionage is your biggest threat. Amazingly in this vertical, 91% of data compromised was classed as secrets, 93% of threat actors were classified as external and 94% of breaches were associated with espionage as a threat actor motivation. The good news is that while these attacks are often quite advanced, they are also long running with over half of these taking years to discover. This means there is genuinely an opportunity to apply modern attack detection techniques such as threat hunting to pick up and contain these attacks early.


With social engineering through email phishing still being a key factor to the success of espionage incidents, good user behavior programs and tooling to detect or allow reporting of phishing are key controls to focus on.



Ransomware continues onward and upward in its prevalence and is the fifth most common form of malware in this year’s report. While progress is being made combatting the commodity variants and dealing with the growing “Ransomware as a Service” threat, attackers have moved from single endpoints towards interactive attacks that target organizations. This is reflected in this year’s report and is certainly reflected in F-Secure Consulting’s caseload, which saw a 250% increase in ransomware cases last year, compared with 2015.


“Perhaps the most significant change to ransomware in 2016 was the swing away from infecting individual consumer systems toward targeting vulnerable organizations.”

- 2017 Verizon DBIR


In 2016, the US-CERT observed a 300% year-on-year growth in infections, and this trend continues into 2017. How does this stack up with what we are seeing? F-Secure Consulting conducts the majority of its incident response casework across Europe and Africa. As we have seen, the ransomware threat continues to evolve, with the prevalence of organized crime groups targeting corporate networks rapidly increasing due to the profitability of such attacks.


While there has been a rapid expansion in the capabilities of ransomware to target network shares and encrypt vast amounts of corporate data, attackers soon learned that large organizations were willing and able to pay much more than individual users. This in turn has pushed ransomware capabilities and delivery techniques to replicate those of espionage-type attacks, effecting widespread domain compromise, ransoms in the million-dollar range, online backup destruction and enterprise-wide infection.


With this in mind, F-Secure Consulting has developed an anti-ransomware agent, RansomFlare, which uses a combination of machine learning and behavioral analysis to identify ransomware as soon as it runs on a computer system with rapid remote incident response and containment.


To get your incident readiness where it needs to be, find out more about F-Secure Consulting’s Ransomware Prevention and Incident Response offerings.
