The Verizon Data Breach Investigations Report (DBIR) is an annual dissection of the data breach landscape. The DBIR provides a deep analysis using data from thousands of incidents collated over the year of interest and the previous 15 years. The 2023 DBIR analyses more than 16,000 security incidents, of which over 5,000 are confirmed data breaches. These data span six continents and 20 industries. The DBIR 2023 incident data set describes the latest trends in cybersecurity incidents from November 1, 2021, to October 31, 2022.
This post breaks down some of the main findings of the DBIR 2023 to offer insights and recommendations into cybersecurity threats, tactics, and vulnerabilities.
Historical Data Breaches and Trends Over Time
The DBIR is a temporal study as well as a record of the current threat landscape. Because Verizon has collected security incidents since 2008, the data corpora now contain 953,894 incidents, of which 254,968 are confirmed data breaches. This provides a deep insight into the trends and development of security incidents that lead to data breaches over time, and it means the DBIR can show how attack tactics, vectors, and methods develop and evolve. Being able to look back provides the insights needed to look forward. One thing is sure: cybercriminals focus on the tools of the trade that work. As you will see, one of the most successful tools is manipulating and exploiting human beings.
The Human in the Machine
According to the DBIR findings, humans are involved in 74% of all breaches. The leading human-related causes of breaches are:
- Error
- Privilege Misuse
- Use of stolen credentials
- Social Engineering.
Incidents caused by error may involve only insiders, such as an employee, but many breaches are based on manipulating people so that external attackers can exploit a system. While 74% of incidents involve a human element, e.g., clicking a phishing link, the DBIR found that 83% of breaches involved external attackers; in other words, external attackers rely on human-centric attack methods to get in.
Human-centric cyber-attacks are a successful strategy for cybercriminals, with phishing as a core method used to execute an attack plan; 44% of social engineering attacks use phishing.
The primary motivation for attacks is money; 95% of breaches are financially motivated.
So, how do these external attackers break into our systems? The main ways that organizations are attacked are via:
- Stolen credentials
- Phishing
- Exploitation of vulnerabilities.
The Three Significant Security Concerns
The 2023 DBIR focuses on three pillars of concern:
Social Engineering and Pretexting
The DBIR study highlights social engineering as a successful and lucrative way for cybercriminals to exploit employees and other individuals. Scams such as Business Email Compromise (BEC) rely on successfully manipulating human behavior; the DBIR data shows that pretexting, a technique used in BEC, has doubled since the DBIR started.
Social engineering covers a gamut of harm. When an individual is socially engineered, a cybercriminal attempts to manipulate that person into handing over sensitive information, most often login credentials, or into carrying out a process such as sending a payment to the cybercriminal's bank account. The study presents ample evidence that social engineering focuses on stolen credentials, which are then used to gain access to resources. In the case of web application attacks, 86% of attacks start with stolen credentials. Notably, of these types of attacks, 41% of breaches involve mail servers. Stolen credentials are often the result of a series of steps that include impersonation, social engineering, spear phishing, look-alike domains, and usually malware.
What About Ransomware?
According to the DBIR data, ransomware is not increasing, but it is still one of the most prevalent forms of attack. Almost one-quarter (24%) of all breaches come from a ransomware attack, which remains a cause for concern. Understandably, given how insidious and damaging this threat is, most industries (91%) rank ransomware among their biggest concerns.
System intrusion is a complex, multi-step attack, with ransomware being the result 94% of the time. The steps typically include stolen credentials and privilege escalation. The DBIR breaks these multi-step attacks into three parts:
- Initial access
- Breach escalation
- Results
The DBIR researchers have identified three core vectors for ransomware infection: email, desktop-sharing software, and web applications. However, as they state, "Email as a vector isn't going away soon. The convenience of sending your malware and having the user run it for you makes this technique timeless."
Exploitation of Vulnerabilities
Attack chains typically include some element of vulnerability exploitation, such as a flaw in software or a process, and the exploitation of vulnerabilities is the third source of breach. The 2023 DBIR data shows that while only 5% of breaches involved a system exploit, Log4j (CVE-2021-44228) was named as the culprit by 90% of DBIR data contributors. DBIR researchers noted that the response to this vulnerability was critical in helping to prevent even bigger disasters.
Recommendations Based on the DBIR 2023 Insights
The Verizon Data Breach Investigations Report is sober reading for anyone working in or researching security. For several years, the DBIR has singled out the human element as a focus of cybercriminal attention. As stated above, email is the go-to vector for ransomware. Our employees and broader supply chain are targets, with stolen credentials the golden chalice of breaches.
With this in mind, there are several fundamental security recommendations based on the findings from the 2023 DBIR:
Train Your Employees
Employ behavior-driven security awareness training to build the confidence and security knowledge employees need to prevent social engineering and phishing. Security awareness training (SAT) solutions such as SafeTitan are designed to work with the specific behaviors of each employee. Role-based phishing simulations and training can ensure that employees at high risk of BEC scams are trained to recognize the tricks used during social engineering and phishing.
Advanced and Intelligent Email Security
Email as a vector "isn't going away soon," as the DBIR researchers state. Having an advanced email security solution is therefore a vital part of a layered approach to security. TitanSecure is a multi-layered security solution that uses advanced detection and prevention technology, including AI.
Patch and Vulnerability Management
Patching is essential to combat vulnerability exploitation. But cybercriminals also exploit zero-day flaws, for which no patch yet exists. Therefore, it is vital to use patching alongside other measures such as email security solutions and security awareness training.
Multi-Factor Authentication (MFA)
MFA adds an authentication layer on top of username and password. MFA can help protect against cyber-attacks, but it is not enough to stop them altogether.
Identity and Access Management
Controlling access to sensitive information depends on how privileged access rights are assigned. These rights must be regularly reviewed and updated to take account of employee role changes. Using the above five recommendations as a multi-layered approach to security can reduce the chance of your organization being breached.
Contact TitanHQ to find out how your organization can protect itself against the type of human-centered cyber-attacks identified by the 2023 DBIR.