Verizon has released the findings of its 17th-annual Data Breach Investigations Report (DBIR), which shows that security incidents doubled year over year in 2023 to a record-high 30,458 security events and 10,626 confirmed breaches.
The 100-page 2024 DBIR is a highly anticipated report, oft-cited throughout the entire year by analysts, vendors, channel partners, security experts, cybersecurity industry leaders and other players. Its data gathering, findings and analysis span 94 countries and encompasses the period from November 1, 2022 to October 31, 2023.
Here are five key takeaways from the report:
1. Zero-day attacks on unpatched systems and devices tripled in 2023.
Vulnerabilities as an initial point of entry accounted for 14% of all cyber break-ins, roughly tripling (180%) from the previous year. The main driver was the spike in zero day attacks that ransomware operatives exploited on unpatched systems and devices.
In particular, the MOVEit software breach, which exploited a vulnerability in Progress Software’s legitimate MOVEit file transfer software, orchestrated by the Cl0p syndicate, was a significant contributor to the boost in cyber attacks and widely seen as one of the largest hacks of the year.
The DBIR defines these as breaches occurring through a third-party "custodian," such as a managed service provider.
Vulnerability attacks were mainly executed by ransomware and other extortion cyber gangs, leveraging initial entry points via web applications.
“This 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach will be of no surprise to anyone who has been following the MOVEit vulnerability and other zero-day exploits that were leveraged by ransomware and extortion-related threat actors,” the report reads.
2. Ransomware was a top threat among industries.
Ransomware was a top threat across 92% of industries. Roughly one-third of all breaches involved ransomware or some other extortion technique. “Pure” extortion attacks, in which a ransomware actor steals data and threatens to make it public unless a ransom is paid, have risen over the past year and now comprise 9% of all breaches.
The shift of traditional ransomware actors toward pure extortion attacks and other hijacking activity resulted in ransomware slipping to 23% of all attacks. However, given that extortionists often share threat actors, together they represent a strong growth to 32% of breaches.
“This indicates to us that it may be the same actors, and they are simply shifting tactics to best leverage the type of access they have. This combination did show a significant growth as part of breaches,” the report reads.
3. The human element continues to be the entry point for cyber criminals.
Social engineering involves compromising an individual that alters their behavior into taking an action or breaching confidentiality unintentionally.
Most breaches (68%), involve a non-malicious human element, whether they include a third party or not. It refers to a person making an error or falling prey to a social engineering attack. Phishing and business email compromise are examples of this type of intrusion.
“Over the past two years, we have seen incidents involving pretexting, the majority of which had business email compromise as the outcome, accounting for one-fourth (ranging between 24% and 25%) of financially motivated attacks,” the report reads.
Reporting practices have improved: Some 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it. But, the median time for users to fall for phishing emails is less than 60 seconds.
While external actors execute 65% of breaches, internal actors are tied to 35%. However, it is important to remember that 73% of those internal actor breaches were in the miscellaneous errors pattern. Overall, the social engineering percentage is about the same as last year.
4. Artificial intelligence is not a big player for cyber attackers just yet.
Verizon dedicated an entire page in the report to generative AI (GenAI) but was not too impressed, noting an “emphasis on ‘artificial,’ not ‘intelligence,’” calling its use by threat actors largely theoretical and experimental.
“We did keep an eye out for any indications of the use of the emerging field of generative artificial intelligence in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally,” the report reads.
The number of mentions of GenAI terms alongside tactics such as phishing, malware, vulnerability and ransomware was roughly only 100 times over the past two years, the report said.
Deepfakes are the exception, the report noted, in which hackers have already put forth a “great deal of reported fraud and misinformation anecdotes,” the report reads.
5. Supply chain attacks are a new weak link.
For the first time, the DBIR has included supply chain as a separate metric, at 15% of all attacks in 2023, a notable rise from last year when it stood at roughly 9%, for a 68% year-over-year growth.
Supply chain attacks range from entry via a business partner, physical breaches in a partner facility, hijacked software development processes and updates, and vulnerabilities in open source or third-party software.
“Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up. We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain," the report reads.
