Deconstructing the Verizon DBIR
Access Point Consulting
By Stephen Lawton, Contributing Writer
Deciphering the ultimate messages from a major cybersecurity report can be a daunting task, and the 2024 Verizon Data Breach Investigations Report (DBIR) is no exception. While the numbers themselves can help CISOs, CIOs, boards, C-suite executives and other stakeholders track the trends of cyberattacks, understanding the nuanced actions of the bad actors requires a deeper dive.
Key findings show that roughly one-third of all breaches involved ransomware or some related form of extortion. While ransomware requires the victim to pay the attackers a fee, often in a digital currency, to either decrypt their data or eliminate the malware, the extortion attack requires the victim to pay either to stop the attacker from making data public or otherwise disseminating it. Many attacks have both components where an attacker will first charge the victim to decrypt malware, then charge them again not to release the data publicly. While pure ransomware attacks dipped slightly from their high in 2022, extortion-only attacks surged sharply from last year’s report.
More than two-thirds of all breaches, 68%, involved a human element, which includes phishing, business email compromises (BEC), social engineering, insider attacks, and similar breaches. A full 32% were ransomware or extortion, 28% were data breaches involving errors that may not have been malicious, while 15% involved a third party. This latter group also includes software vulnerabilities exploited by the attackers.
Phishing attacks also appear to be becoming more effective, as the victims do not need to click on the malware to become infected. Eight years ago, the delta between phishing attacks that did not require clicks and those that did was roughly 1%; in the current report, the difference is roughly 7%. The increase underscores the sophistication employed by attackers who do not require the victim to click on a compromised link—sometimes just opening the email without clicking on anything in the message is sufficient to launch the attack.
An Expert’s View of the DBIR
The report is raising eyebrows among some corporate executives and security pros, but the implications can provide insights beyond the report itself. Evie Manning, Senior Director of Threat Intelligence at Access Point Consulting, takes us through some of the salient points of the DBIR and what it means to those responsible for cybersecurity at both the executive and practitioner levels.
According to the DBIR, attackers are becoming craftier and far more successful at exploiting application vulnerabilities, she says, as witnessed by the fallout from the MOVEit and similar attacks. Attacks on credentials continued to lead in this category while the exploitation of vulnerabilities has caught up to phishing when it comes to non-error and non-misuse breaches over the past four years, she says.
Breaking it down deeper, credential attacks for web applications topped the subsets at roughly 50%, while email phishing and exploitation of vulnerabilities in web apps were nearly tied in the low 20% range.
Verizon noted that pure extortion attacks rose 9% over the past year in a shift from traditional ransomware attacks, which saw a decline of 23%. “However,” the report noted, “when combined, given that they share threat actors, they represent a strong growth to 32% of breaches. Ransomware was a top threat across 92% of industries.”
Another important point in the DBIR is the growth of risk in the supply chain/third-party risk management (TPRM) segment. While enterprises need to grapple with their own cybersecurity policies and procedures, they also have to worry about their supply chain, and their supply chain’s supply chain, Manning says. Organizations need to establish security requirements for their business partners at the outset of the relationship.
“They need to know who their partners are, who their vendors are, and who they are working with,” she continues, laying out the outline for a TPRM program. “What is their environment? What do they have access to, whether it be in their environment or not?” Manning says it is essential for your partners to know what their vendors’ own personal security practices and disaster recovery plans are.
Money Talks
Beyond the two biggest concerns (exploited vulnerabilities and third-party risk), Manning says organizations need to focus on attackers who are primarily motivated by financial gain. While we hear a lot in the media about state-sponsored threats and political posturing, financial gains are still the primary incentive for cyber criminals today.
“Financially motivated threat actors will typically stick to the attack techniques that will give them the most return on investment,” the report says. It cites two primary methods of monetizing cyberattacks: the ransomware/extortion duo (62%), and pretexting (24%), the practice of deceiving individuals into surrendering personal information for fraudulent purposes such as a business email compromise or other social engineering attacks.
“According to the FBI’s Internet Crime Complaint Center (IC3) ransomware complaint data,” the DBIR noted, “the median loss associated with the combination of Ransomware and other Extortion breaches has been $46,000, ranging between $3 (three dollars) and $1,141,467 for 95% of the cases. We also found from ransomware negotiation data contributors that the median ratio of initially requested ransom and company revenue is 1.34%, but it fluctuated between 0.13% and 8.30% for 80% of the cases,” it continued.
While ransomware and pretexting are well understood and aggressively defended by security professionals, there are some attack vectors that tend to slide by with minimal scrutiny, she notes. These include “zombie processes” and service accounts. Zombie processes often run in the background without providing any business value. Processes spun up on virtual machines running test applications could provide an accidental attack vector through a poorly secured cloud instance, for example. A process still running for an unused application is another example. Service accounts often are spun up with credentials that are set and forgotten, sometimes for years. If a service account is compromised, it often is difficult to identify because these accounts are designed to be hands-off, automated systems.
One major challenge companies face is how long it can take to identify and remediate a breach, she says. The DBIR says that 30 days after a vulnerability breach, 85% of the vulnerabilities are unremediated. After two months (60 days), nearly half, 47%, were unremediated. At the six-month point (180 days), a full 28% were unremediated. Even after a year, 8% of vulnerabilities were unremediated.
Proactive vs. Reactive
While the DBIR goes into extensive detail on remediating problems after an attack—a reactive approach to cybersecurity—it fails to mention mitigating threats beforehand, a proactive approach, Manning says. This likely is due to the report focusing on defending against attacks rather than advising its readers on how to stop an attack before it occurs.
Verizon did note that it “did keep an eye out for any indications of the use of the emerging field of generative artificial intelligence (GenAI) in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally.”
Mitigating threats before they enter your network generally is the most effective way to overcome both sophisticated attacks and brute force attacks. Taking a proactive posture to cyber defenses can be cost-effective, and enterprises often have much of the necessary technology already in place, Manning notes. For SMBs currently using a managed security services provider (MSSP) or managed services provider (MSP), there likely is an optional service to provide threat hunting and threat intelligence services.
Companies can use such services to see what attackers are doing on the web and then take that intelligence, align it with a MITRE framework, then go hunting within the corporate systems and logs for any behaviors that might have evaded the existing security controls, she adds.
Manning notes that AI and GenAI both are likely to increase in significance when it comes to both cyberattacks and defense, especially proactive cyber defenses. Currently, AI is finding success as a threat hunting and threat intelligence tool and often is found in managed detection and response (MDR) and extended detection and response (XDR) tools used internally by enterprises and by MSPs and MSSPs. GenAI, while a popular topic of potential value for some time in the future, is not yet ready for use as a standard cybersecurity tool.
“I personally think that [GenAI is] not there yet,” she says, while acknowledging that it will have its place when the technology matures. The hallucinations and bias in today’s versions of GenAI make it inappropriate for use in cybersecurity at this time.
Insider Attacks
While the DBIR noted that insider attacks increased dramatically from 20% to 35%, it also noted that a large percentage of those insiders were employees who made errors or accidentally exposed data, thus triggering an “insider attack.” Manning did not think the increase was significant per se, but what was significant were the kinds of attacks that might trigger the accidental exposure of data.
“Attackers are only getting craftier,” says Manning, “and then they add AI to the mix as a resource to improve their skills. It’s becoming more difficult to detect phishing emails; we’re not seeing the spelling and errors we used to see. The emails are looking more and more realistic as time goes on. They utilize techniques like clone phishing, where attackers clone real emails with attachments and send it like they are the original sender or use the pharming technique where they exploit the DNS process that turns the website name into an IP address instead of trying to get the victim to click on a link or fill out a form.”
“While there's been a focus recently on that security awareness training piece and [employees] are getting better, you see it in the DBIR statistics that people are still increasingly failing,” she says. That is one of the largest risks. She characterizes employees’ email usage as “just scary,” given the human element of people being willing to open emails from people they don’t know, and the way attackers are constantly improving their phishing and ransomware email attacks.
Ultimately, Manning says, enterprises need to be more proactive in their threat hunting and threat intelligence operations rather than simply responding to attacks.
Attacks moving through supply chains and application vulnerabilities can be devastating, she notes. “I think people need to look at themselves [and their defenses] internally and then build out proactively. I’d like to see the DBIR include those kinds of proactive recommendations.”