The data in the new Verizon "Data Breach Investigations Report" (DBIR) offers critical insights into the current state of cybersecurity. After a year of data breaches and cyberattacks consistently dominating headlines, this year's report closely examines what adversaries are looking for when they're trying to infiltrate businesses and organizations. This year's DBIR, the 15th edition, confirms what we assumed: Cyber threats are on the rise and we must work together to better our security posture. The findings collected in the report are timely for the trained security researcher, but here are three takeaways I think are the most important.
Conducting the Symphony of Disruption
The most common action that adversaries are taking to disrupt their target's IT ecosystem is launching denial-of-service (DoS) attacks that effectively flood a network with traffic or information in the pursuit of crashing it. The 2022 DBIR says that 46% of all incidents were DoS attacks, followed by remote access–led attacks, including backdoor and command-and-control-based attacks. Distracting and disrupting the IT and security teams in this way can help obfuscate and bury the other adversarial activities in their toolkit as they look for their initial access.
Ransomware, phishing, stolen credentials, and several other types of attacks round out the list, but one attack vector stands out from the rest. More than 60% of security incidents over the past year were conducted through a Web application, consistent with data collected by Verizon in past years.
Because Web applications — closely followed by email — are where your organization most frequently connects to the Internet, it makes sense that they'd be the primary vectors for threat actors trying to breach your environment. While a Web application may fall victim to a hacker proficient with SQL or with an exploit handy, email is the domain of virtually every employee at every organization. That's why social engineering played a role in such a large share of the 5,212 breaches recorded in the 2022 DBIR.
Is Your Human Secure?
The 2022 DBIR highlights the importance of maintaining a strong security awareness program, which I believe is a critical element of securing an organization. About 82% of all breaches recorded last year involved the human element in some form, whether social engineering, error, or misuse, with threat actors preferring to phish their targets via email more than 60% of the time.
Though the DBIR found just 2.9% of employees actually clicked on phishing emails last year, that's more than enough for hackers to work with, especially if they're able to steal credentials or dump their malware of choice following the phish. For me, the important point is that there is a continuing trend for staff to report more phishing attempts – and even more importantly, to report them after they have responded to a phishing email.
Building an organizational culture that allows staff to be comfortable admitting they were duped is a difficult task because security awareness traditionally is a stick used to punish people and a metric to cover the company's compliance checkboxes.
Security leaders need to create a program that educates the people in their organization and doesn't just shame them for failing. For example, we need to create programs that don't automatically "fail" someone for clicking a link, because clicking is what links exist for! A program that seeks to trick its own colleagues into failing is generally unproductive in the educational process and does almost nothing for the company's security posture.
A good security awareness training program is consistent, targeted, and limited in scope to allow employees to learn and practice one security skill at a time. Avoiding information overload will keep employees engaged and ready for emerging threats.
And lastly, security awareness is not just a corporate project. Strong awareness and education will help staff be more aware of digital risks in their personal lives as well. Well-implemented security awareness programs take advantage of this blurring of work and personal digital life to encourage their staff to care about security.
The Ransomware Business Is Booming
Ransomware, to nobody's surprise, increased in frequency by 13% over the prior year, with almost 70% of malware breaches involving some form of it. The dramatic increase in ransomware attacks — as large as the increases of the last five years combined, according to the report — makes sense, as hackers looking to make a quick buck need only encrypt their target's data rather than seek out specific financial information or credentials within their environment.
The report also states that 40% of ransomware incidents last year involved the use of desktop-sharing software. Cybercriminals typically got there either by exploiting vulnerabilities in Microsoft's RDP or simply by using weak or stolen user credentials. A further 35% of ransomware incidents involved email, which is why the researchers recommend that organizations lock down RDP and ensure inbound email is scanned for phishing attempts. That we are in 2022 and still suffering attacks over a vector as well known as email is surely one of the biggest questions to come out of this report.
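The RDP exposure the report describes is something a SOC can check for directly in Windows Security logs. The script below is an added example, not code from the DBIR or from this article: it runs simple detection logic over a handful of constructed logon events (the field names EventID, LogonType, TargetUserName and IpAddress mirror the real Windows event fields; the addresses are RFC 5737 documentation ranges standing in for attacker IPs) and flags RDP brute force, a success that follows a run of failures from the same source, and any RDP logon that arrives straight from the Internet.

```python
"""Flag credential attacks against RDP from Windows Security events (4624/4625).

Added example with constructed input; not part of the DBIR or the article.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, List, Tuple

# RFC 1918 space; anything else (apart from loopback/link-local) is treated as Internet.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events, in the order they were logged. 203.0.113.7 sprays six accounts
# over RDP and then lands a valid password for jsmith.
SAMPLE_EVENTS = [
    *[{"EventID": 4625, "LogonType": 10, "TargetUserName": u, "IpAddress": "203.0.113.7"}
      for u in ("administrator", "admin", "backup", "helpdesk", "jsmith", "jsmith")],
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    # Ordinary internal RDP session from a jump host.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    # A remote worker mistypes twice: below the threshold, not an alert.
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "198.51.100.9"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "198.51.100.9"},
    # Service account logging in over RDP directly from the Internet: no failures, still suspicious.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "192.0.2.44"},
    # Network logon (type 3) from the attacker; ignored unless rdp_logon_types includes 3.
    {"EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
]


def is_external(ip: str) -> bool:
    """True if ip lies outside RFC 1918, loopback and link-local space.

    Deliberately not ipaddress's is_private: that also classifies the RFC 5737
    documentation ranges used in the sample data as private.
    """
    try:
        addr = ip_address(ip)
    except ValueError:  # Windows logs "-" when no source address was recorded
        return False
    if addr.is_loopback or addr.is_link_local:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def summarize_rdp(
    events: Iterable[dict],
    fail_threshold: int = 5,
    rdp_logon_types: FrozenSet[int] = frozenset({10}),
) -> Dict[str, object]:
    """Single pass over events; returns three findings keyed by name.

    Logon type 10 is RemoteInteractive (RDP). Caveat: when Network Level
    Authentication is enforced, failed RDP authentications are commonly logged
    as type 3 (network) instead, so pass rdp_logon_types=frozenset({3, 10})
    if that matches your environment.
    """
    failures: Dict[str, int] = defaultdict(int)
    brute_force: Dict[str, int] = {}
    success_after_failures: List[Tuple[str, str]] = []
    external_success: List[Tuple[str, str]] = []

    for ev in events:
        if ev["LogonType"] not in rdp_logon_types:
            continue
        ip, user = ev["IpAddress"], ev["TargetUserName"]
        if ev["EventID"] == 4625:
            failures[ip] += 1
            if failures[ip] >= fail_threshold:
                brute_force[ip] = failures[ip]
        elif ev["EventID"] == 4624:
            if failures[ip] >= fail_threshold:
                success_after_failures.append((ip, user))
            if is_external(ip):
                external_success.append((ip, user))

    return {
        "brute_force": brute_force,
        "success_after_failures": success_after_failures,
        "external_success": external_success,
    }


if __name__ == "__main__":
    for name, finding in summarize_rdp(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

Any hit in `external_success` is itself a finding worth acting on: RDP reachable from arbitrary Internet addresses is exactly the exposure the report ties to ransomware, and the usual fix is to keep it behind a VPN or gateway rather than to tune the failure threshold.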
The DBIR is an excellent resource for the cybersecurity community to evaluate a tumultuous past 12 months, and the data within can be evaluated to predict the trends in attack types, vectors, and the motivations of hackers throughout the next year. In 2021, adversaries made it clear they were more focused on money than anything else, and with vulnerability exploits doubling from the previous year, it's a safe bet to say that once again the fundamentals of cybersecurity – across both IT hygiene and human engagement – will be the key to reducing the risk of damage and loss.