Features 11.07.2023

What You Really Need to Know About Verizon’s 2023 Data Breach Investigations Report: A Five-Minute Read

If you don’t have time to read all 89 pages of Verizon’s DBIR, Assured Intelligence has pulled out the highlights in a five-minute read.

The long-running Verizon Data Breach Investigations Report is undeniably a report that deserves attention in a sea of cybersecurity reports fighting for executive focus. As worthy as the report is, finding the time to digest all 89 pages is a big ask. So Assured Intelligence is here to pick out the vital takeaways on your behalf.

In a world of uncertainty, business and tech leaders crave trustworthy information to help them make better decisions. But where do they source this intelligence? When it comes to the cyber threat landscape, the market is flooded with vendor reports. To be candid, some are little more than marketing vehicles designed to highlight a small part of the landscape to promote their products and services indirectly (but unsubtly).

Others take a more expansive and thought leadership-type approach. Of these, few have the heritage, or indeed respect, of Verizon’s Data Breach Investigations Report (DBIR), now in its 16th year.

Breaking down the small print and methodology so you don’t have to

The report takes a rigorous, analytical approach to a large data set of thousands of incidents and data breaches. ‘Incidents’ entail any “security event that compromises the integrity, confidentiality or availability of an information asset”, while ‘breaches’ are incidents that result in confirmed disclosure of data to an unauthorised party. The DBIR covers both, ensuring the report details activity like DDoS attacks and business email compromise (BEC), which do not result in actual data exposure, but which can cause victim organisations significant financial and reputational damage.


Incidents are recorded by Verizon forensic investigators and the firm’s partners and converted into the VERIS (Vocabulary for Event Recording and Incident Sharing) framework to create a standardised, anonymous dataset. Among the categories analysed are ‘threat actions’ like phishing or use of stolen credentials, actors, attributes, and incident classification patterns such as social engineering, basic web app attacks and miscellaneous errors.

The report also dives heavily into detail for multiple verticals, peppering the text with various visual aids, including dot plots, pictograms, slanted bar charts and spaghetti charts—which aim to convey the uncertainty around some data points. It’s worth a look on a long train journey or a lunch hour in the sun.

Incidents are collected for analysis in the year before the report is published. Thus, the 2023 report is a snapshot of threat activity between November 1, 2021, and October 31, 2022.
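To make the methodology above concrete, here is an added example (not from the DBIR or Verizon) of the two filters the report applies to every record: the November-to-October reporting window, and the incident-versus-breach split, where only confirmed data disclosure counts as a breach. The records are constructed; the field names (timeline.incident, actor.external/internal, action.hacking/social/error/malware, attribute.confidentiality.data_disclosure) follow the public VERIS schema as assumed here.

```python
"""Toy classifier for VERIS-style incident records (constructed data, not the DBIR dataset)."""
from collections import Counter

# Constructed sample records in a VERIS-like shape. The field names are assumed
# to match the public VERIS schema; every value below is made up for illustration.
SAMPLE_RECORDS = [
    {"incident_id": "c-001",
     "timeline": {"incident": {"year": 2022, "month": 3}},
     "actor": {"external": {"motive": ["Financial"], "variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["Use of stolen creds"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "c-002",  # DoS: an incident with no data disclosure
     "timeline": {"incident": {"year": 2022, "month": 6}},
     "actor": {"external": {"motive": ["Ideology"], "variety": ["Activist"]}},
     "action": {"hacking": {"variety": ["DoS"]}},
     "attribute": {"availability": {"variety": ["Degradation"]},
                   "confidentiality": {"data_disclosure": "No"}}},
    {"incident_id": "c-003",  # internal error that did expose data
     "timeline": {"incident": {"year": 2021, "month": 12}},
     "actor": {"internal": {"motive": ["NA"], "variety": ["End-user"]}},
     "action": {"error": {"variety": ["Misdelivery"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "c-004",  # before the 2023 report window, must be excluded
     "timeline": {"incident": {"year": 2021, "month": 9}},
     "actor": {"external": {"motive": ["Financial"], "variety": ["Organized crime"]}},
     "action": {"social": {"variety": ["Phishing"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "c-005",  # disclosure only "Potentially": incident, not a confirmed breach
     "timeline": {"incident": {"year": 2022, "month": 10}},
     "actor": {"external": {"motive": ["Financial"], "variety": ["Organized crime"]}},
     "action": {"malware": {"variety": ["Ransomware"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Potentially"}}},
    {"incident_id": "c-006",  # after the window, must be excluded
     "timeline": {"incident": {"year": 2022, "month": 11}},
     "actor": {"external": {"motive": ["Financial"], "variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["Exploit vuln"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
]

# Reporting window for the 2023 report as stated in the article: 1 Nov 2021 to 31 Oct 2022.
WINDOW_START = (2021, 11)
WINDOW_END = (2022, 10)


def in_reporting_window(record, start=WINDOW_START, end=WINDOW_END):
    """True if the incident's (year, month) falls inside the inclusive window."""
    inc = record["timeline"]["incident"]
    return start <= (inc["year"], inc["month"]) <= end


def is_breach(record):
    """A breach needs *confirmed* disclosure; 'Potentially', 'No' or a missing value stays an incident."""
    return record.get("attribute", {}).get("confidentiality", {}).get("data_disclosure") == "Yes"


def summarise(records):
    """Filter to the window, split incidents from breaches, tally actor and action categories."""
    scoped = [r for r in records if in_reporting_window(r)]
    breaches = [r for r in scoped if is_breach(r)]
    return {
        "incidents": len(scoped),
        "breaches": len(breaches),
        "actor_kinds": Counter(kind for r in scoped for kind in r["actor"]),
        "action_kinds": Counter(kind for r in scoped for kind in r["action"]),
        "breach_actor_kinds": Counter(kind for r in breaches for kind in r["actor"]),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_RECORDS).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The point of the split is visible in the constructed data: the DoS record and the ransomware record with only potential disclosure both count as incidents but not breaches, which is why the report's incident totals and breach totals diverge so sharply.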

What to look out for this year

Whilst the DBIR is an excellent source of threat intelligence, it can be a heavy lift for executives with plenty of other priorities to tackle. This year’s report delivers an analysis of 16,312 incidents, of which 5,199 were breaches. Let us cut through that noise to present the main trends detected this past year.

Financially motivated third-party attacks dominated:

External actors accounted for 83% of breaches, and financial motivation was linked to almost all (95%) breaches. This is clear from the number one threat actor type linked to breaches: organised crime.

Ukraine war had a limited impact on breach sources:

Although there have been many stories in the media about Russian hacktivists and state-sponsored attacks on allied country assets since Russia invaded Ukraine, the truth is more muted. In fact, more breaches stemmed from end users than nation-states over the past year, the report finds.

Servers were the most targeted assets:

Servers were the main target in over 80% of breach incidents recorded by Verizon—specifically web app servers, followed by mail servers.

Stolen credentials were the primary access method:

The main way threat actors sought to enter victim networks last year was stolen credentials (49%), followed by phishing (12%) and then exploitation of vulnerabilities (5%). The first two illustrate employee risk, while credentials were also the main way web applications were compromised.

The human element was vital:

As mentioned, human-shaped risk remained a critical factor, playing a part in three-quarters (74%) of breaches. Among these risk factors were stolen credentials, social engineering techniques, unapproved use of legitimate privileges, or user errors like misconfiguration or misdelivery of sensitive information.

Business email compromise (BEC) attacks doubled:

Pretexting (creating a false pretext or scenario to manipulate someone into disclosing confidential data) is far less well-known than phishing. But when it comes to social engineering, it’s now a more common tactic in incidents, thanks to the surge in BEC attacks of late. The volume of BEC cases recorded by Verizon doubled year on year, while the median amount stolen in these attacks increased to $50,000.

Ransomware was a top threat:

Ransomware accounted for a quarter (24%) of breaches. Although the figure was up only slightly from last year, ransomware is now a serious threat to organisations of all shapes and sizes, the report warns. Median costs stemming from attacks more than doubled to $26,000 (£20,000), although the actual figure is likely to be much higher.

DoS dominated incidents:

Denial of service (DoS) remained the biggest cause of incidents, present in 6,248 (38%) of attacks. Just four of these incidents featured confirmed data disclosure. As CPU and bandwidth costs come down, the size of attacks is increasing. The median grew 57% from 1.4 gigabytes per second (Gbps) in last year’s report to 2.2 Gbps today. However, if organisations ensure their DDoS mitigation partner can clear this bar, there shouldn’t be too much to worry about.

Web apps continued to expose organisations:

Applications remained a major target for attack. They accounted for 1,404 incidents (9%) last year, most of which had confirmed data disclosure. The incident pattern accounted for around a quarter of breaches, with stolen credentials (86%) the main way threat actors compromised apps and vulnerability exploitation (10%) a distant second.

Smaller businesses and governments: Cause for concern

The public sector accounted for 3,270 cyber incidents and 582 confirmed breaches in this year’s report. Here, nation-state actors are most likely to be a threat. Espionage was a factor in 30% of breaches in this sector versus just 3% across all verticals. This is up significantly from 18% in the previous report, perhaps due to the war in Ukraine. It’s also important to recognise the high share of breaches (16%) labelled as carried out by “multiple” actors, something unseen for two years. This means threats where external attackers have colluded with partners or government employees to achieve their aims. Internal actors were pegged for 30% of breaches, up from 22% last year. Government IT teams had better be on the lookout for disaffected colleagues.

Among small and mid-sized businesses (SMBs), there’s further cause for concern. Over half (54%) of the 699 incidents analysed in this grouping resulted in data disclosure, versus just 32% across all sectors and 45% for large businesses. That may be down to the perennial challenge of limited resources. But it’s a challenge that needs to be addressed given another trend highlighted by Verizon: attacks on SMBs increasingly look the same as those on larger counterparts.

Why? Because the use of cloud services has made their respective attack surfaces much more alike than in previous years. Thus, most SMB attacks are external, financially motivated, and aimed at stealing credentials and internal data more than any other data type. Like attacks on large organisations, the triumvirate of system intrusion (sophisticated attacks using malware/hacking), social engineering and basic web application attacks accounted for most SMB breaches.

Putting the research into practice

Rob Rosiello, SVP at Vectra AI, singles out the ransomware threat as the key takeaway from this year’s report.

“This year’s DBIR should act as a stark reminder that organisations cannot afford to fall into the trap of ransomware fatigue, as attacks become more frequent and costly,” he tells Assured Intelligence. “When it comes to ransomware, time is of the essence. Organisations must arm themselves with the ability to spot potential attacks at the earliest possible stage. Otherwise, they will face significant reputational and financial damage.”


Rafe Pilling, director of CTU Threat Research at security specialist Secureworks, argues that lessons from the report should focus on people, processes and technology.

“Empower your people. Train them continuously and create a security culture where people can raise their concerns and ask for help. Ensure your processes are rooted in cyber fundamentals, such as patching your systems regularly. And invest in technology that reduces complexity and gives your business the insights it needs into the threats faced and associated cyber risks,” he explains to Assured Intelligence.

“Ultimately, there is no single way to prevent cyber attacks,” he continues. “To optimise security posture and mitigate threats, organisations must ensure they have good basic security hygiene as well as comprehensive visibility and intelligence-driven detection across their host, network, and cloud environments.”


BH Consulting CEO, Brian Honan, adds that the DBIR data highlights the importance of mitigating the human threat, through tighter access controls and multi-factor authentication, amongst other tactics.

“The key advantage that the DBIR has over many other reports is that it is very much not aligned with any vendors and that the data set is not confined to any specific vendor’s customer base,” he says. “This year, the DBIR has aligned its findings with the Center for Internet Security Controls and outlines which controls are applicable in preventing, detecting and responding to the various types of threats outlined in the report.”

With practical steps to guide them, it’s becoming easier for security teams to turn insight into action and further their organisation’s risk management goals.

You can download the full report here.
