Breaches due to system intrusion have ratcheted up dramatically since 2019, according to Verizon’s "2022 Data Breach Investigations Report." While system intrusion, which includes hacking, malware, and ransomware, was the most common type of data breach in 2021, it didn’t even make the top three in 2019.
The researchers analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. Similar incidents are grouped together into “patterns.”
To clarify, DBIR looks at eight patterns:
- Basic Web application attacks: Attacks against Web applications where the attacker is after the data.
- Denial-of-service attacks: Network and application-layer attacks compromising the availability of networks and systems.
- Lost and stolen assets: Assets that went missing, either maliciously or by mistake.
- Miscellaneous errors: Unintentional actions compromised an asset’s security.
- Privilege misuse: Involves unapproved or malicious use of legitimate privileges.
- Social engineering: Tricking an individual into compromising the security of a device or data.
- System intrusion: Attacks depending on malware (including ransomware) or hacking to compromise systems.
- “Everything else.”
The second and third most common types of data breach in 2021 were basic Web application attacks and social engineering. In 2020, social engineering was the most common, followed by Web application attacks and then system intrusion. The top three in 2019 were Web application attacks, social engineering, and miscellaneous errors. System intrusions were the fourth most common pattern observed in Verizon’s dataset, the researchers said.
Where the Threats Are
System intrusions tend to be one of the more complex breaches because they consist of multiple different actions, such as social engineering, malware, and hacking. One reason for the spike for system intrusion may be the fact that supply chain and ransomware attacks increased dramatically this year, the researchers say. The most common actions -- how attackers are carrying out their activities -- for data breaches (grouped under system intrusions) included use of command-and-control servers to execute commands, stolen credentials, malware deploying backdoors, and ransomware. The five most common attack vectors were third-party software, software updates (SolarWinds, anyone?), desktop sharing software, email, and Web applications.
In contrast, Web application attacks in Verizon's dataset consist of two groups of actions: ways to access the server and the payload itself. Ways to access the server include actions such as stealing credentials, exploiting vulnerabilities, and brute-forcing passwords. While the majority of the attacks focus on the Web application, breaches in this group, attackers also relied on backdoors, remote injection, and accessing desktop sharing software to compromise the server.
The system intrusions in Verizon's dataset primarily targeted manufacturing (14.4%) and public-sector (13.9%) organizations. For Web applications, manufacturing remained the primary target, at 16.1%, and financial services was the second most popular target, at 15.8%. The list looks different for social engineering, where retail organizations (16.6%) were the most common target, followed by professional (13.8) organizations.
While most breaches were the result of attacks by external adversaries, 14% of breaches were due to errors such as misconfigured cloud storage and exposed cloud servers. People are fallible – and it’s not just about configuration errors, as the report notes that 82% of breaches involved the human element. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote.