SecureState Blog


Incident Classification Patterns

The second half of the 2015 Verizon Data Breach Investigations Report (DBIR) is dedicated to the nine basic incident classification patterns first introduced in the 2014 DBIR. Over 96% of the data breaches examined for this report fell into one of these categories (listed from most to least frequent):

• Point of sale (POS) intrusions
• Crimeware
• Cyber-espionage
• Insider misuse
• Web app attacks
• Miscellaneous errors
• Physical theft/loss
• Payment card skimmers
• Denial of service

The report also ties each pattern to one of four classes of threat actors (activist, organized crime, state-affiliated, or unaffiliated). Activist threat actors focused mostly on web applications, with some focus on denial of service. Organized crime overwhelmingly focused on crimeware, with some focus on web applications. To the surprise of no one, cyber-espionage is most associated with state-affiliated actors. Finally, unaffiliated actors were spread out over all nine patterns.

(Figure: Threat Actors, DBIR 2015)

Additionally, Verizon mapped the frequency of each incident pattern across 13 industries, showing which patterns are most strongly associated with which industries.

(Figure: Incident Patterns by Industry, DBIR 2015)

Point of Sale (POS) Intrusions

Most Affected Industries:
Accommodation, Entertainment, and Retail

Point of sale intrusions grew in scope in 2014, with both large and small organizations becoming victims. The attacks themselves are growing in complexity, moving from simple storage scraping (harvesting card data written to disk or logs) to RAM scraping (sometimes called RAM skimming), which reads card data out of the POS process's memory while a transaction is being processed. For smaller organizations, the POS device itself is usually the direct target. Larger organizations tend to be the victims of multi-stage attacks that begin with the compromise of a secondary system and work toward the POS environment as the eventual goal. Gaining access through third-party vendors, such as the remote-access accounts used for POS support, was also a common entry point.
Many of these attacks rely on social engineering to get employees to grant attackers access unknowingly. The methods used to actually perform POS intrusions are becoming more varied, indicating a high degree of adaptation among the attackers pursuing this kind of target.

Advice: Find out what monitoring solutions exist for your particular POS systems, and take full advantage of them. If at all possible, implement two-factor authentication, particularly on any remote access into the POS environment. Baseline normal activity so that out-of-the-ordinary patterns stand out.

Payment Card Skimmers

Most Affected Industries:
Financial Services and Retail

Compared to previous years, the payment card skimmer pattern has changed very little. The threat actors are still mostly Eastern European and are targeting US victims through skimmers placed on gas pumps and ATMs. The positive change on this front is that detection is becoming quicker and more effective.
Upcoming efforts to protect consumers from these kinds of attacks include the October 2015 EMV liability shift in the US (commonly described as the chip-and-PIN mandate). While this may offer some increased protection, poor implementations of EMV don't protect card data much better than current systems, and many countries that adopted EMV earlier still see magnetic-stripe transactions in wide use, which leaves the skimmer's target intact. Essentially, while this technology can help, it only makes people more secure if it is used properly.

Advice: Work with your payment card providers to choose the best option for the EMV upgrade. Actively monitor the physical card-reading environment (pumps, ATMs, and terminals) and implement a tamper-monitoring program to make sure devices aren't being altered.

Crimeware

Most Affected Industries:
Public, Information, and Retail

Crimeware is the term Verizon uses for all malware that doesn't fit under any of the other classification patterns. There are many of these incidents, and few are fully investigated. This past year saw a big jump in the use of malware to launch Denial of Service (DoS) attacks, which is not surprising: this type of malware is not particularly sophisticated, nor does it need command and control as extensively as other types. Most crimeware incidents focused on gathering banking information and login credentials (which are often then used to gain access to banking information).

Advice: Implement a variety of malware detection and prevention tools. Capture and track every malware incident that occurs at your organization and, as much as possible, determine the goals and actions of the malware. This work can guide further efforts at preventing malware from taking hold and damaging your company.

Web App Attacks

Most Affected Industries:
Information, Financial Services, and Public

This year, the most frequently identified threat actor for web app attacks in the DBIR became organized crime. Additionally, secondary attacks (attacks that compromise a target in order to use that target's resources against the attacker's primary goal) made up nearly two-thirds of all web app attacks. Most attacks in this area are opportunistic and tend to be aimed at the easiest targets. Most of them also make use of stolen credentials, often harvested through phishing.

Advice: Track users on your web application and establish a fraud detection program. Actively monitoring behavior logs can help identify suspicious activity while it is occurring, allowing you to stop threat actors mid-attack. Maintaining a regular patch cycle for your entire web presence also strengthens that first line of defense. As always, use two-factor authentication as widely as possible.
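Since most web app attacks in the report used stolen credentials, the cheapest fraud-detection win is to watch the login endpoint. The following is an added example (not code from the original post or from Verizon) that runs over a constructed JSON-lines authentication log. The log format, field names and thresholds are assumptions for the example; a real application would emit its own. It flags the two things a credential-replay campaign leaves behind: one source IP failing across many different accounts, and an account that then logs in successfully from that source. A user fat-fingering their own password a couple of times is deliberately not flagged.

```python
"""Flag stolen-credential use in login logs (added example, constructed data)."""
import json
from collections import defaultdict

# Constructed authentication log: one JSON object per line (assumed format).
SAMPLE_LOG = """\
{"ts":"2015-04-01T09:00:01Z","user":"alice","ip":"203.0.113.7","result":"ok"}
{"ts":"2015-04-01T09:00:05Z","user":"bob","ip":"198.51.100.9","result":"fail"}
{"ts":"2015-04-01T09:00:06Z","user":"carol","ip":"198.51.100.9","result":"fail"}
{"ts":"2015-04-01T09:00:07Z","user":"dave","ip":"198.51.100.9","result":"fail"}
{"ts":"2015-04-01T09:00:08Z","user":"erin","ip":"198.51.100.9","result":"fail"}
{"ts":"2015-04-01T09:00:09Z","user":"frank","ip":"198.51.100.9","result":"fail"}
{"ts":"2015-04-01T09:00:10Z","user":"grace","ip":"198.51.100.9","result":"ok"}
{"ts":"2015-04-01T09:05:00Z","user":"bob","ip":"192.0.2.44","result":"fail"}
{"ts":"2015-04-01T09:05:09Z","user":"bob","ip":"192.0.2.44","result":"ok"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines login events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stuffing_sources(events, min_failures=5, min_users=3) -> set:
    """IPs whose failed logins are spread over many distinct accounts.

    A single user retrying their own password hits one account only, so it
    falls under min_users and is not reported.
    """
    fails = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
    return {ip for ip in fails
            if fails[ip] >= min_failures and len(users[ip]) >= min_users}


def compromised_accounts(events, bad_ips) -> list:
    """Accounts that logged in successfully from a credential-stuffing source."""
    return sorted({e["user"] for e in events
                   if e["result"] == "ok" and e["ip"] in bad_ips})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    bad = stuffing_sources(evts)
    print("stuffing sources:", bad)
    print("accounts to lock and reset:", compromised_accounts(evts, bad))
```

The output of `compromised_accounts` is the list you act on in real time (force logout, reset, step-up authentication), which is the "stop threat actors mid-attack" part of the advice; the `stuffing_sources` set feeds a rate limit or block at the edge.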

Denial of Service

Most Affected Industries:
Public, Retail, Financial Services

Most denial of service attacks in the report are amplification/reflection attacks. The attacker sends small requests with a spoofed source address (the victim's) to large numbers of improperly secured servers and devices, such as open DNS resolvers and NTP servers, and those services send their much larger replies to the victim. Millions (if not billions) of such tiny requests produce a flood of responses that can take down a service if properly targeted. The attacks observed for the report cluster around two specific bandwidths, 15 and 59 Gbps; Verizon doesn't know why and notes that more research is needed.

Advice: Secure all your services, using strong passphrases and disabling default credentials, and make sure your own internet-facing DNS, NTP and similar UDP services cannot be used as reflectors against someone else. Block access to known botnet command and control servers. Patch all your devices as soon as possible. These are pretty basic steps, but they greatly improve your defenses against this type of attack.
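In flow data, a reflection attack has a recognizable shape: many distinct sources, all sending UDP from a well-known amplifier service port, converging on one destination with unusually large packets. The detector below is an added example, not code from the original post or from Verizon; it runs over constructed flow tuples (a real NetFlow/sFlow export will have more fields), and the port list, thresholds and sample numbers are assumptions for the example. A single ordinary DNS reply to another host is included to show it is not flagged.

```python
"""Spot UDP reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict

# UDP services commonly abused as amplifiers (source port -> service name).
AMPLIFIER_PORTS = {53: "dns", 123: "ntp", 19: "chargen", 1900: "ssdp", 11211: "memcached"}

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 53, "203.0.113.5", 40001, 1200, 1200 * 3800),  # large DNS ANY replies
    ("192.0.2.11", 53, "203.0.113.5", 40001, 1100, 1100 * 3900),
    ("192.0.2.12", 53, "203.0.113.5", 40001, 1300, 1300 * 3700),
    ("192.0.2.13", 123, "203.0.113.5", 40001, 900, 900 * 468),    # NTP monlist-sized
    ("192.0.2.14", 123, "203.0.113.5", 40001, 950, 950 * 468),
    ("192.0.2.20", 53, "203.0.113.9", 51515, 4, 4 * 120),         # a normal DNS answer
    ("198.51.100.3", 443, "203.0.113.9", 51516, 30, 30 * 1400),   # not an amplifier port
]


def reflection_targets(flows, min_reflectors=3, min_avg_bytes=400) -> dict:
    """Return {victim_ip: summary} for destinations receiving amplified UDP replies.

    A destination is reported when at least min_reflectors distinct sources on
    amplifier ports hit it and the average packet size is at least min_avg_bytes
    (legitimate DNS/NTP answers are usually far smaller).
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                   "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, pkts, nbytes in flows:
        if sport not in AMPLIFIER_PORTS:
            continue
        s = per_dst[dst]
        s["reflectors"].add(src)
        s["services"].add(AMPLIFIER_PORTS[sport])
        s["packets"] += pkts
        s["bytes"] += nbytes

    result = {}
    for dst, s in per_dst.items():
        avg = s["bytes"] / s["packets"]
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            result[dst] = {
                "reflectors": len(s["reflectors"]),
                "services": sorted(s["services"]),
                "avg_bytes_per_packet": round(avg),
                "megabits": round(s["bytes"] * 8 / 1e6, 1),
            }
    return result


if __name__ == "__main__":
    for victim, summary in reflection_targets(SAMPLE_FLOWS).items():
        print(victim, summary)
```

Run the same logic on flows leaving your network instead of entering it and a hit means one of your own servers is the reflector, which is the check behind the "secure all your services" advice.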

Physical Theft/Loss

Most Affected Industries:
Public, Healthcare, and Financial Services

Most physical theft/loss occurs within the victim's own work area (55%), but employee-owned vehicles are also a significant point of compromise (22%). People steal things, especially electronic devices, and companies should prepare ahead of time for this eventuality.

Advice: Track who has what at your company, and track the overall timing and size of losses to determine whether any pattern exists. Make it as easy as possible for employees to report losses. Full disk encryption, locking down the use of USB devices, stronger device passwords, and remote wiping capabilities are all recommended preparation for these types of events.

Insider misuse

Most Affected Industries:
Public, Healthcare, and Financial Services

Insider misuse occurs when a person within an organization who has legitimate access to systems and services misuses that access. The most common form of insider misuse was privilege abuse, which occurs in almost every industry. Financial gain was the most common motivator (40%), though convenience was often a motivator as well. While convenience is rarely malicious in intent, it is still misuse. End users were the biggest source of misuse incidents at 37.6%.

Advice: Insider misuse is a pain to catch. Begin by identifying the dependencies within your company’s critical processes, then look for any core activities to track within those processes. Any additional audit or fraud-detection capabilities you can implement could assist here as well. Verizon notes that many incidents were detected using forensic examinations of former employee hardware. While this type of detection doesn’t protect against the attack, it can give a company insight into the attacks that have occurred, and ideas on what to look for in the future.

Miscellaneous errors

Most Affected Industries:
Public, Information, and Healthcare

Errors can lead to data breaches in a variety of ways. The most common include sensitive data being sent to the wrong recipients (30%), nonpublic data accidentally being published publicly (17%), and the insecure disposal of personal and medical data (12%). One other common error is a shortage of capacity, wherein someone at a company underestimates the demand that will be placed on a server or application and the server or application fails.

Advice: Track the errors in your organization, and gain an understanding of where simple mistakes can cause major issues. Track how often human error causes incidents, and measure the effectiveness of the controls you have in place to prevent these kinds of problems. Establish what your acceptable level of risk is with regard to human error, as nothing can make it fully disappear. When mistakes do occur, learn from them as much as possible.

Cyber-espionage

Most Affected Industries:
Manufacturing, Public, and Professional

Two-thirds of all cyber-espionage attacks have no attribution at all, so trying to determine where these attacks originate is largely impossible. The results skew heavily toward the most affected industries, so organizations outside those industries can generally give this pattern a lower priority. Social engineering attacks, in which phishing emails with malicious links or attachments cause the breach, are by far the most common cyber-espionage method. The vast majority of these attacks target secrets held by the victims, far more so than credentials or personal information.

Advice: While state-sponsored malware is hard to fight, that doesn't mean it shouldn't be fought at all. Monitoring email transaction logs, records of attachments, and links in e-mails is your first line of defense in this area. Logging all DNS and web-proxy requests is also helpful, as is having some sort of software to help you analyze all of this data. If nothing else, these logs can help determine the effects of an attack after the event, even if they can't prevent it.
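The three log sources named in the advice (mail gateway, attachments, web proxy) pay off when they are joined: the mail log says who received a suspicious message, the proxy log says who actually followed the link. The code below is an added example, not code from the original post or from Verizon. It runs over two constructed logs whose record layouts, field names, trusted-host list and risky-extension list are assumptions for the example; a real gateway or proxy export will differ. It flags messages carrying executable or macro attachments (including "report.pdf.exe" double extensions) or links to hosts outside an allowlist, then reports which recipients' proxy traffic reached those hosts afterwards.

```python
"""Triage phishing candidates and find who clicked (added example, constructed data)."""
from urllib.parse import urlsplit

# Attachment extensions treated as dangerous (assumed list for the example).
RISKY_EXT = {".exe", ".scr", ".js", ".jar", ".vbs", ".hta", ".docm", ".xlsm"}

# Constructed mail-gateway records (assumed format).
MAIL_LOG = [
    {"id": "m1", "from": "hr@example.com", "to": "alice",
     "attachments": ["payroll.pdf"], "urls": ["https://intranet.example.com/forms"]},
    {"id": "m2", "from": "billing@example-invoices.net", "to": "bob",
     "attachments": ["quarterly.pdf.exe"], "urls": []},
    {"id": "m3", "from": "news@partner.example.org", "to": "carol",
     "attachments": [], "urls": ["http://docs.example.net/login"]},
]

# Constructed web-proxy log: (timestamp, user, url).
PROXY_LOG = [
    ("2015-04-01T10:02:11Z", "carol", "http://docs.example.net/login?u=carol"),
    ("2015-04-01T10:02:15Z", "carol", "http://docs.example.net/static/a.js"),
    ("2015-04-01T10:30:00Z", "alice", "https://intranet.example.com/forms"),
]

# Hosts links may point to without being flagged (assumed allowlist).
TRUSTED_HOSTS = {"intranet.example.com"}


def risky_attachment(name: str) -> bool:
    """True for dangerous extensions, case-insensitive, including double extensions."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in RISKY_EXT)


def triage(mail_log, trusted_hosts=TRUSTED_HOSTS) -> list[dict]:
    """Return messages with risky attachments or links to untrusted hosts."""
    flagged = []
    for msg in mail_log:
        reasons = []
        bad_att = [a for a in msg["attachments"] if risky_attachment(a)]
        if bad_att:
            reasons.append("attachment:" + ",".join(bad_att))
        hosts = {urlsplit(u).hostname for u in msg["urls"]}
        untrusted = sorted(h for h in hosts if h not in trusted_hosts)
        if untrusted:
            reasons.append("link:" + ",".join(untrusted))
        if reasons:
            flagged.append({"id": msg["id"], "to": msg["to"],
                            "hosts": untrusted, "reasons": reasons})
    return flagged


def who_clicked(flagged, proxy_log) -> dict:
    """Map flagged message id -> proxy requests by its recipient to the flagged hosts."""
    clicks = {}
    for f in flagged:
        for ts, user, url in proxy_log:
            if user == f["to"] and urlsplit(url).hostname in f["hosts"]:
                clicks.setdefault(f["id"], []).append((ts, url))
    return clicks


if __name__ == "__main__":
    hits = triage(MAIL_LOG)
    for h in hits:
        print(h)
    print("clicked:", who_clicked(hits, PROXY_LOG))
```

The `who_clicked` result is the scoping list for the incident: those are the workstations to pull for forensics first, which is the "determine the effects of an attack after the event" use the advice describes.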


The Incident Classification Patterns offer a useful tool for thinking about incidents, as well as a convenient way for companies to determine where to focus security efforts and which types of behavior to be on the lookout for. In analyzing each year's breaches, Verizon highlights the typical attack patterns, the goals of the attacks, and the common actors behind them.