Incident Classification
Patterns: Introduction

2023

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Submit View only

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

One of the greatest gifts that evolution has granted the human race is a pattern-seeking brain. Was that just some swaying foliage in the jungle, or is a striped tiger sneaking around to pounce on us? The fact that humans are still around tells us we got that question right more often than we didn’t. Thankfully, we can also use our pattern-seeking superpowers to try to organize and make sense of all the different ways in which computers remind us they were a mistake.²⁷

Our incident patterns are, in a nutshell, a way to cluster similar incidents into an easy-to-remember shorthand. As we mentioned before, incidents are characterized by the 4As of VERIS, and we can avoid a long descriptive paragraph every time by classifying our incidents in this way.²⁸ Our eight patterns and how they are defined can be found in Table 1.

This year, we are showcasing a detailed breakdown of ATT&CK Techniques²⁹ and Center for Internet Security (CIS) Critical Security Controls³⁰ related to certain patterns, as those are the places that make sense so we don’t repeat ourselves throughout this report. We are proud of the ATT&CK mappings release, as they represent the culmination of a multiyear collaboration with MITRE.

CTID in creating and maintaining a working relationship between its standard and VERIS. You can read more about this in our Appendix B.

So, enjoy the cognitive load we just removed from your (pattern-seeking) grey matter as we deep dive into specific results and detailed analysis for each pattern.

As we have in prior years, here we present our Incident Classification Patterns (patterns) and show how they fared year over year. Figure 25 shows the patterns over time for incidents, and you can see that Denial of Service is top of the heap, as it has been for several years.

When you contrast this graphic with Figure 26, you can see how different the environment looks when we are focused on those incidents where there was confirmed data loss.

The System Intrusion pattern—with its more complex attacks—has been an overachiever and includes multistep attacks that feature ransomware. But we’re getting ahead of ourselves. Let’s move into the detailed pattern sections for the full story.

Basic Web Application Attacks		These attacks are against a Web application, and after the initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.
Denial of Service		These attacks are intended to compromise the availability of networks and systems. This includes both network and application layer attacks.
Lost and Stolen Assets		Incidents where an information asset went missing, whether through misplacement or malice, are grouped in this pattern.
Miscellaneous Errors		Incidents where unintentional actions directly compromised a security attribute of an information asset fall into this pattern. This does not include lost devices, which are grouped with theft instead.
Privilege Misuse		These incidents are predominantly driven by unapproved or malicious use of legitimate privileges.
Social Engineering		This attack involves the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.
System Intrusion		These are complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying Ransomware.
Everything Else		This “pattern” isn’t really a pattern at all. Instead, it covers all incidents that don’t fit within the orderly confines of the other patterns. Like that container where you keep all the cables for electronics you don’t own anymore: Just in case.