The 2022 Verizon Data Breach Investigations Report has been released and the study provides an analysis on security breaches and attack vectors from the last year.
Here are Key findings:
- This year Ransomware has continued its upward trend with an almost 13% increase–a rise as big as the last five years combined (for a total of 25% this year).
- 2021 illustrated how one key supply chain breach can lead to wide-ranging consequences. Supply chain was responsible for 62% of System Intrusion incidents this year. Unlike a Financially motivated actor, Nation-state threat actors may skip the breach and keep the access.
- Error continues to be a dominant trend and is responsible for 13% of breaches. This finding is heavily influenced by misconfigured cloud storage. While this is the second year in a row that we have seen a slight leveling out for this pattern, the fallibility of employees should not be discounted.
- The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.
The continuing rise in ransomware attacks is the headline that many will take from the Verizon 2022 DBIR report today but the company itself has rightly put the emphasis on the four ‘key paths’ into organisation’s networks: credentials, phishing, exploiting vulnerabilities and botnets. Defending against these has become especially important as cybercrime has professionalised, with cybercriminals selling these access points online for others to exploit. These ‘access brokers’ monetise the foothold they have within organisations, without having to take any of the risk themselves. At the same time, they make defence much harder for organisations by potentially sharing a vulnerability in their network or supply chain with multiple adversaries.
One way organisations can look to combat the cyber criminals that are selling access to their systems and facilitating attacks is to find them where they operate: on the deep and dark web. By monitoring marketplaces and forums for company credentials and vulnerabilities – or those of organisations in their supply chain – businesses can identify when and where they are at risk of attack. They can also monitor potential phishing sites or dark web traffic going to their organization, which may indicate insider threat. Identifying the early warning signs of when your organisation is at risk will ultimately be more effective at stopping attacks like a ransomware attack than waiting for when the criminals have already gained or bought access to your systems.
The DBIR showed that threat actors continue to gain access to networks using a relatively small number of high-level techniques. Once in a network however, threat actors most often reuse the same set of post-exploitation procedures to perform system reconnaissance, privilege escalation, and lateral movement in the target environment. While organizations can\’t realistically expect to keep all threat actors out of their networks, through CTI-led adversary emulation and detection engineering, they can ensure that threat actors are detected as early in the intrusion as possible. When threat actors gain a foothold in their network, organizations should be able to ensure it never expands beyond that.
The most important research by and for the cybersecurity industry is out and it feels like the movie GroundHog Day where we are waking up to the same results year after year since the first report in 2008. Compromised user credentials and the \”human element\” are still the direct cause of ~80% of breaches. We can collectively wake up from this problem by implementing more secure authentication and going passwordless – biometric and wearable authentication is more secure and more convenient and would almost instantly mitigate a massive amount of cybersecurity vulnerability.
Supply chain becoming the #1 attack vector is evidence of the cyber industry’s overreliance on single point vendor products to protect the enterprise. In practice, stacking multiple products not only adds cost and complexity but also gives rise to supply chain vulnerability that Verizon DBIR has correlated to 62% of system intrusions this year. While richness of features is always appealing, what is even more crucial for most mid-market customers is a simplified approach encompassing both network and endpoint security. Such a solution can consolidate zero trust, cloud access and firewall rules with converged network security such as SD-WAN and VPN eliminating the need for multiple solutions thereby drastically cutting supply chain vulnerabilities in the first place.
The Verizon DBIR provides further evidence around the dangers credentials present to organisations. Not only are they the root cause of most data breaches, but they are also a top target for cybercriminals to steal when carrying out attacks. The reasons for this are simple. When attackers have credentials, they have access, and with that access they can monetise.
When it comes to combating the threat, enforcing better password practices and running training on phishing and cybercrime are all valid methods, but they very rarely remove the problem entirely. Some employees will still use weak passwords, while others will continue to recycle the same password they have been using for years. The bad news is it only takes one set of valid credentials to breach an organisation.
Eliminating potential attack vectors through passwordless security and removing passwords from the hands of users where they are still required is a great way to combat this risk. This means credentials can’t be stolen, leaked or socially engineered out of victims, which offers immense security benefits to all businesses, while reducing their vulnerability to data breaches and ransomware.