Verizon DBIR: Threat Actors Leveraged the Human Element to Steal Corporate Data in 2022
Log4j is used in millions of software applications around the world, so when news broke that there was a vulnerability in the open-source software, security practitioners went into overdrive.
Teams assessed where Log4j was in their systems and worked to expedite their patching practices, a process that typically takes 49 days, which helped many of them avoid being exploited by the vulnerability.
“This was a real, cohesive, and organized response to this,” said C. David Hylender, senior manager of threat intelligence at Verizon, in a webinar on Tuesday. “People were patching quicker. They did a great job. It was a huge success from a good guys versus bad guys point of view.”
Hylender’s finding comes from the annual Verizon Data Breach Investigations Report (DBIR), which he coauthored and which was released earlier this week. While Log4j was the culprit in 90 percent of data breaches where a documented vulnerability was exploited, the “patch response by the industry mitigated what could have been a much bigger disaster,” Hylender said.
This marked a rare bright spot for security teams, who continue to maintain systems and operations amidst an ever-growing and changing set of challenges: increased vulnerabilities, rising ransomware threats, and an expanding threat landscape.
Some of these challenges were detailed in the 16th edition of the DBIR. It included information collected between 1 November 2021 and 31 October 2022 from 81 countries on 16,312 incidents and 5,199 data breaches. The DBIR defines the two terms as follows:
- Incident. “A security event that compromises the integrity, confidentiality, or availability of an information asset.”
- Breach. “An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.”
To gain access to corporate networks, external actors mainly used stolen credentials (49 percent), phishing (12 percent), and vulnerability exploits (5 percent). In 9 percent of the incidents examined, they also took advantage of miscellaneous errors, often made by developers and system administrators. Overall, 74 percent of the breaches analyzed in the report included the human element (errors, privilege misuse, stolen credentials, and social engineering).
“Globally, cyber threat actors continue their relentless efforts to acquire sensitive consumer and business data,” said Craig Robinson, research vice president at IDC in a press release on the DBIR. “The revenue generated from that information is staggering, and it’s not lost on business leaders, as it is front and center at the board level.”
Ransomware Rises
While the number of ransomware incidents did not grow considerably, holding steady at 24 percent of data breaches from the 2022 DBIR to the 2023 DBIR, ransomware is now present in nearly one-fourth of all breaches, Hylender said.
Ransomware is present in small and large organizations, across industries and geographic regions, and remains “a huge threat across the board for any organization that has an Internet presence,” he added.
While the number of ransomware incidents did not grow sharply, the median cost per ransomware incident did, rising from $11,500 to $26,000, with losses in most cases ranging between $1 and $2.25 million.
“What this suggests is that the overall costs of recovering from a ransomware incident are increasing even as the ransom amounts are lower,” according to the 2023 DBIR. “This fact could be suggesting that the overall company size of ransomware victims is trending down.”
Pre-Texting Props Up BEC
Business email compromise (BEC), a tactic in which threat actors pretend to be a trusted business partner to persuade people to transfer money to them, continues to be a successful attack method. The 2023 DBIR analyzed 1,700 BEC incidents, with 928 confirmed data disclosures stemming from the method.
A trend that helped BEC remain effective is a rise in pre-texting, a form of social engineering that is critical to a successful BEC compromise and that almost doubled during the DBIR analysis period. An attacker uses a false pre-text, such as a fabricated story or scenario, to gain trust and get the target to share information.
“Because this pattern is largely based on human-targeted attacks, it makes sense that the very first action in this pattern will be some form of phishing or pre-texting email,” according to the report. “In fact, email alone makes up 98 percent of the vector for these incidents, with the occasional sprinkling of other communication methods, such as phone, social media, or some internal messaging app that some folks might be Slacking off on.”
Who’s Responsible
While insider threats remain a major security concern, 83 percent of the data breaches analyzed in the 2023 DBIR were carried out by external actors. These include lone individuals, former employees, nation-state actors, and organized criminal groups.
“We’re not talking about the Sopranos,” Hylender said. “We’re talking about threat actors who act with a certain degree of organization when they go about these attacks.”
These threat actors were mostly motivated by financial gain (95 percent of breaches), followed by espionage (around 10 percent of breaches).
Other Trends of Note
One area that caught DBIR researchers’ eyes was a “fourfold increase” in the breaches involving cryptocurrency compared to the 2022 report.
“These types of breaches fall between the actual coin networks or exchanges being breached via their applications and application programming interfaces (APIs), or phishing and pretexting activity on chat platforms (like Discord) of the coin communities, where after a simple click on a link, suddenly your wallet is not yours anymore,” according to the 2023 report.
Another area highlighted in the report is that lost and stolen devices are one way external actors can gain access to corporate data, especially for small businesses. Lost and stolen assets led to 2,091 incidents with 159 confirmed data disclosures, compromising mainly personal (87 percent), medical (30 percent), and banking (13 percent) data.
“What is going missing, you may ask? Unsurprisingly, it’s the portable user devices such as laptops and mobile phones,” according to the report. “In fact, phones have become quite the commodity. Considering the fact that no one ever seems to put them down, it’s hard to believe so many are lost.”
For more insights into how the trends in the 2023 DBIR compared to 2022, read “Verizon 2022 DBIR Reveals Rise in Ransomware Attacks and Organized Crime Activity.”