What the Latest Verizon Data Breach Report Tells Us About the Threat Landscape
Industry trends come and go, but one staple of the cybersecurity landscape over the past 17 years has been the Verizon Data Breach Investigations Report (DBIR). It is a rigorous analysis of real-world data breaches and incidents by Verizon and its partners, and it provides one of the best and most detailed snapshots of the current threat landscape. Verizon alone claims to process 34 trillion logs each year.
So what's the story for 2023? It is both reassuring and somewhat depressing to see that, despite concerns over the role of AI in cybercrime, it is the usual suspects of vulnerability exploitation, supply chain risk and human error that continue to plague firms. Depressing, because organisations still haven't got to grips with these challenges; reassuring, because best practice frameworks and standards offer a ready-made pathway to mitigating such risks.
New Report, Same Old Breaches
This year, the report is based on analysis of 30,458 security incidents and 10,626 confirmed breaches – double the number of a year ago. That’s not an indication that there were more breaches per se; simply that the report contains more data and is therefore likely to be a more accurate representation of what is really going on out there. So what does it reveal? Three interconnected themes stand out:
1) Vulnerabilities are soaring
The DBIR notes a 180% increase in vulnerability exploitation as a root cause of data breaches; it now accounts for 14% of all breaches, according to Verizon. The increase was driven mainly by the growing exploitation of zero-day bugs by ransomware actors: think MOVEit. That campaign last year led to the compromise of nearly 3,000 organisations and 95 million downstream customers, many of them in the education, finance and insurance sectors.
It is true, on the one hand, that system administrators have a thankless task. Each of the past seven years has set a new record for the number of CVEs published to the National Vulnerability Database (NVD); in 2023 the total was over 29,000. And threat actors are targeting these vulnerabilities with increasing speed: a quarter are exploited on the day they are published. Yet network defenders must do better. Verizon finds that it takes around 55 days to remediate 50% of the critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue once patches are available, while the median time before mass exploitation of those bugs is detected is five days.
Organisations are clearly still not running automated, risk-based patch management programmes, which would help them prioritise updates and harden critical systems. Zero-day bugs are harder to block outright, but mitigations such as network segmentation and continuous detection and response can reduce their impact.
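To make the risk-based prioritisation concrete, the following Python script is an added example written for this page; it is not code from Verizon, CISA or ISMS.online. It ranks scanner findings by whether the CVE appears in a KEV-format catalogue and whether the affected asset is internet-exposed, and then checks each finding against a remediation SLA. The KEV entries and the asset findings are constructed sample data (the JSON field names match CISA's published KEV feed, but the CVE IDs, products and dates are placeholders), and the SLA tiers are this example's own assumed policy, not figures from the report.

```python
"""Risk-based patch prioritisation against a KEV-style catalogue (added example)."""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names
# match the real feed; the CVE IDs, vendors, products and dates are placeholders.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor", "product": "FileTransfer",
     "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor", "product": "HRPortal",
     "dateAdded": "2024-05-20", "dueDate": "2024-06-10", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner findings, one row per (asset, CVE). "first_seen" is when the
# scanner first reported it; "internet_exposed" would come from the asset inventory.
FINDINGS = [
    {"asset": "sftp-gw-01", "cve": "CVE-0000-1001", "cvss": 9.8, "internet_exposed": True,  "first_seen": "2024-05-02"},
    {"asset": "hr-app-02",  "cve": "CVE-0000-1002", "cvss": 8.1, "internet_exposed": False, "first_seen": "2024-05-21"},
    {"asset": "plc-hmi-07", "cve": "CVE-0000-1003", "cvss": 9.1, "internet_exposed": False, "first_seen": "2024-04-20"},
    {"asset": "wiki-03",    "cve": "CVE-0000-1004", "cvss": 5.3, "internet_exposed": True,  "first_seen": "2024-05-25"},
]

# Assumed remediation SLAs in days. These are this example's policy, not a figure
# from the DBIR or CISA; tune them to your own risk appetite.
SLA_DAYS = {
    "P1": 5,   # in KEV and reachable from the internet
    "P2": 14,  # in KEV but internal only (still exploitable once an attacker is inside)
    "P3": 30,  # not in KEV, but CVSS >= 9.0
    "P4": 90,  # everything else
}


def load_kev(kev_json):
    """Index a KEV-format document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def classify(finding, kev):
    """Assign a tier: known exploitation and exposure outrank raw CVSS score."""
    if finding["cve"] in kev:
        return "P1" if finding["internet_exposed"] else "P2"
    return "P3" if finding["cvss"] >= 9.0 else "P4"


def prioritise(findings, kev_json, today):
    """Order findings by tier, then known ransomware use, then days overdue."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    kev = load_kev(kev_json)
    rows = []
    for f in findings:
        tier = classify(f, kev)
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=SLA_DAYS[tier])
        entry = kev.get(f["cve"])
        rows.append({
            "asset": f["asset"],
            "cve": f["cve"],
            "tier": tier,
            "due": due.isoformat(),
            "days_overdue": (today - due).days,  # negative means still within SLA
            "ransomware": bool(entry and entry.get("knownRansomwareCampaignUse") == "Known"),
        })
    rows.sort(key=lambda r: (r["tier"], not r["ransomware"], -r["days_overdue"]))
    return rows


def overdue(rows):
    """Findings past their SLA: the queue to escalate today."""
    return [r for r in rows if r["days_overdue"] > 0]


if __name__ == "__main__":
    for r in prioritise(FINDINGS, KEV_JSON, "2024-06-01"):
        flag = "OVERDUE" if r["days_overdue"] > 0 else "on track"
        print(f'{r["tier"]} {r["asset"]:<12} {r["cve"]} due {r["due"]} {flag} ({r["days_overdue"]:+d}d)')
```

The point of the tiering is that a KEV listing on an internet-facing host jumps the queue regardless of CVSS, while a high-CVSS bug on an isolated OT host gets a longer, but still tracked, window. In practice you would feed it the live KEV JSON from CISA and your scanner's export rather than the inline sample.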
2) Third parties are a major attack vector
Part of the reason vulnerability exploitation is surging as an initial access vector is buggy products, which brings us to the second theme: risk involving third parties. Here Verizon counts business partners (such as law firms or cleaning companies), third-party data processors or custodians such as managed service providers, and software suppliers (including open source). It finds a 68% increase in breaches involving such third parties, which now account for 15% of the total, driven mainly by extortionists using zero-day exploits in their attacks.
“We recommend that organisations start looking at ways of making better choices so as to not reward the weakest links in the chain,” the report argues. “In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners.”
These findings are echoed by a new study from ISMS.online, The State of Information Security Report 2024. It reveals that the vast majority (79%) of information security professionals admit that supply chain risk has translated into at least one material security incident over the past 12 months.
3) Humans remain a top risk factor
Perhaps the least surprising finding this year is that employees are arguably the biggest cause of data breaches, whether directly or indirectly. Most (68%) of the breaches analysed involve a "non-malicious human element", meaning someone made an error or fell victim to a social engineering attack. That figure is virtually unchanged from the previous year. Social engineering means either phishing or, more likely, pretexting, which is linked to business email compromise (BEC). The latter now accounts for around a quarter of financially motivated incidents, also unchanged from a year ago.
Social engineering also contributes to a standout finding from EMEA: half (49%) of all breaches there now stem from within organisations rather than from external actors. Social engineering is also behind the continued number one ranking of credentials as the initial action in breaches (24%). Credentials are compromised in half (50%) of social engineering attacks. And although they are sometimes stolen via third parties through no fault of the individual, on other occasions weak credentials are brute-forced by attackers. This chimes once again with the ISMS.online report, which finds that a third (32%) of respondents experienced social engineering attacks over the past 12 months, while 28% cite insider threats.
There is a little cause for optimism that user awareness is improving, in that users appear to be getting better at reporting phishing. Verizon finds that 20% of users identify and report phishing in simulation engagements, and 11% of those who click through also report it. However, the fact that the 68% figure for the non-malicious human element has not shifted in a year shows that there is still much work to do.
Time for Action
Cassius Edison, head of professional services at Closed Door Security, warns that the five-day median detection time for widely exploited vulnerabilities is still too long.
“A five-day median detection time does pose significant risks, potentially providing malicious actors ample time to exploit vulnerabilities,” he tells ISMS.online. “While the solutions to improve detection speed, such as enhanced threat intelligence and real-time monitoring, would incur costs, conducting a thorough risk assessment can help prioritise these investments effectively.”
Barrier Networks' managing CISO, Jordan Schroeder, adds that 55 days to remediate is also far too slow for organisations serious about containing cyber risk.
“Systems that are part of the set that are massively exploited should be updated as soon as possible,” he tells ISMS.online. “An OT/ICS system that has no internet access is at a lower risk of exploitation. So, a risk-based assessment of what needs to be updated, and how quickly that needs to be carried out, needs to be undertaken.”
Schroeder also backs the use of best practice standards and frameworks, as long as CISOs accept that they aren’t a panacea.
“They provide a very important foundation for any organisation to build a security programme that works for them, and to ensure that important factors are considered,” he argues. “I always start designing or improving a security strategy or plan with existing frameworks. I do not always end up with a strategy or plan that matches perfectly with those frameworks. But by the end of the process, the organisation will have carefully considered each point and created something that has accounted for everything.”
A mix of standards may help to fill any gaps that exist in individual offerings, he says.
“An organisation can dramatically improve its ability to mitigate the common issues that are highlighted in this report by mindfully and intelligently leaning on a mix of frameworks and standards that are a good fit for the organisation, and further mindfully refined to create a powerful standard that fits the organisation best,” Schroeder concludes.