Contributed by Verizon Business
Written by John Grim, Verizon Threat Research Advisory Center

Since the 2014 Data Breach Investigations Report (DBIR) (and even prior), Financial and Espionage motives for threat actors have been the top two motives in data breaches. For the 2014-2020 DBIR timeframe, the Financial motive was tops (76%) followed by Espionage (18%) across all breaches (n=9,863).

Financial breaches occurred significantly in several industries, to include Accommodation and Food Services (100%), Financial and Insurance (97%), Retail Trade (97%), Information (77%), Health Care and Social Assistance (72%), Educational Services (71%) and Professional, Scientific, and Technical Services (66%).

This article serves as a reference guide to understand the cyber threat landscape as well as a (wakeup) call to action for cyber defenders to lean forward in their threat hunting, incident detection and breach response efforts to better defend, detect and respond to financially motivated threat actors. We used the Vocabulary for Event Recording and Incident Sharing (VERIS) A4 (Actors, Actions, Assets, Attributes) Threat Model to illustrate the key data breach insights and the Center for Internet Security (CIS) Controls to highlight key cyber defender countermeasures.

Now, let us look at the data and see what we can learn…

Attacker timelines

Attacker timelines vary greatly and depend on myriad factors. These factors include attacker motives and objectives, tradecraft, and skill in avoiding or delaying detection.

For Financial breaches with a known timeline, threat actors took seconds to minutes (90%) to compromise assets (Figure 1) and minutes to days (89%) to exfiltrate data.

Figure 1. Time to Compromise within
Financial breaches (2014-2020 DBIR; n=2,360)

Defender timelines

Defender timelines also vary greatly and depend on various factors. These factors include defender knowledge and capabilities, technical toolsets and detection approaches.

For Financial breaches with a known timeline, cyber defenders took days to months (83%) to discover (Figure 2) and hours to months (91%) to contain (and resolve) breaches.

Figure 2. Time to Discovery within
Financial breaches (2014-2020 DBIR; n=1,896)

Discovery methods

For Financial data breaches, Discovery methods (Figure 3) included external and internal varieties.

Top Discovery method varieties centered on external entities and activities – and generally speaking – non-technical ones: Law enforcement (40%), Fraud detection (28%) and Customer (11%).

Figure 3. Discovery method varieties within
Financial breaches (2014-2020 DBIR; n=4,747)


Historically, across all breaches, External actors (75%) dominated with Internal actors (26%) coming in at a distant second.

Top Actor varieties (Figure 4) were Organized crime (84%) (External) followed distantly by Unaffiliated (6%) (External) and End-user (3%) (Internal).


Figure 4. Actor varieties within Financial breaches
(2014-2020 DBIR; n=6,056)


For Financial breaches, top Actions were Hacking (66%), Malware (57%) and Social (35%).

Top Action varieties (Figure 5) were Use of stolen creds (Hacking) (43%), Phishing (Social) (30%) and Export data (Malware) (27%).

Figure 5. Action varieties within Financial breaches
(2014-2020 DBIR; n=7,113)


Top compromised Asset varieties (Figure 6) for Financial breaches were Web application (Server) (33%), Desktop or laptops (User device) (32%) and Desktop (User device) (25%), followed closely by POS (point of sale) controller (Server) (25%) and POS terminal (User device) (23%).

Figure 6. Compromised Asset varieties within
Financial breaches (2014-2020 DBIR; n=6,917)


Compromised Attributes within Financial breaches (n=7,498) broke down as follows:  Confidentiality (100%), Integrity (80%) and Availability (8%).

Top compromised Availability varieties were Loss (6%) and Obscuration (2%) and top compromised attribute Integrity varieties (Figure 7) were Software installation (59%), Alter behavior (36%) and Fraudulent transaction (25%).

Figure 7. Compromised Integrity varieties within
Financial breaches (2014-2020 DBIR; n=7,337)

Top compromised data varieties (Figure 8) were Payment (PCI data) (42%), Credentials (36%), Personal (PII data) (18%) and Bank (10%).

Figure 8. Compromised Data varieties within
Financial breaches (2014-2020 DBIR; n=6,936)

In conclusion

Financial actors moved fast to compromise assets (seconds to minutes) and exfiltrate data (minutes to days). Cyber defenders involved in Financial breaches were much slower to discover (days to months) and contain breaches (hours to months).

The top discovery methods for Financial breaches were Law enforcement, Fraud detection and Customer, each generally non-technical and external to the victim organization cyber defenders.

Organized crime actors dominated Financial breaches with Financial actors heavily relying on Phishing (Social), Use of stolen creds (Hacking) and C2 (Malware) and Export data (Malware) to accomplish their objectives.

Financial actors targeted Web application (Server), Desktop or laptop (User Dev) as well as POS controller (Server) and POS terminal (User Dev). Top compromised Integrity varieties were Software installation, Alter behavior and Fraudulent transactions, while top compromised Data varieties were highly monetizable ones: Payment (PCI), Credentials and Personal (PII).

Leveraging the CIS Controls and in doing so, taking a 6-step approach, building (or assessing) from incident out can be done to better secure the enterprise environment and detect and respond to financially motivated threat actors.

Key CIS Controls tackle Financial threats.

Step 1: Data and Assets.
Secure sensitive data and secure critical assets storing, processing and transmitting data:

·        CIS-3: Data Protection

·        CIS-4: Secure Configuration of Enterprise Assets and Software

Step 2: Applications and Malware.
Secure applications on critical assets and counter malware attacks:

·        CIS-16: Application Software Security

·        CIS-10: Malware Defenses

Step 3: Accounts and Access.
Control and monitor accounts accessing sensitive data and critical assets:

·        CIS-5: Account Management

·        CIS-6: Access Control Management

Step 4: Network and Traffic.
Secure and monitor network devices transmitting sensitive data:

·        CIS-12: Network Infrastructure Management

·        CIS-13: Network Monitoring and Defense

Step 5: Employees and Providers.
Train internal employees and evaluate external service providers:

·        CIS-14: Security Awareness and Skills Training

·        CIS-15: Service Provider Management

Step 6: Testing and Response.
Periodically test cyber defenses and incident response posture:

·        CIS-18: Penetration Testing

·        CIS-17: Incident Response Management


VERIS Framework
VERIS is a set of metrics providing a common language for describing security incidents.


CIS Controls
CIS Controls are cybersecurity best practices for defense against common threats.


Contact Verizon

John Grim
Head | Research, Development, Innovation
Verizon Threat Research Advisory Center