Results and Analysis: Introduction
Please provide the information below to view the online Verizon Data Breach Investigations Report.
Thank you.
You will soon receive an email with a link to confirm your access, or follow the link below.
Thank you.
You may now close this message and continue to your article.
Hello, friends, and welcome to the “Results and analysis” section. This is where we cover the highlights we found in the data this year. This dataset is collected from a variety of sources, including our own VTRAC investigators, reports provided by our data contributors and publicly disclosed security incidents.1
Because data contributors come and go, one of our priorities is to make sure we can get broad representation on different types of security incidents and the countries where they occur. This ebb and flow of contributors obviously influences our dataset, and we will do our best to provide context on those potential biases where applicable.
This year we onboarded a good number of new contributors and reached an exciting milestone of more than 10,000 breaches analyzed in a single edition.2 It is an enormous amount of work to organize and analyze, but it is also incredibly gratifying to be able to present these results to you.
In an attempt to be more actionable, we would like to use this section to discuss some high-level findings that transcend the fixed structure of the Vocabulary for Event Recording and Incident Sharing (VERIS) 4As (Actor, Action, Asset and Attribute) and expand on some of the key findings we have been highlighting over the past few years
Ways into your sensitive data's heart
One of the actionable perspectives we have created has been the ways-in analysis, in which we try to make sense of the initial steps into breaches to help predict how to best avoid or prevent them. We still have plenty of unknown Actions and vectors dispersed throughout the dataset as investigation processes and disclosure patterns widely differ across our data contributors,3 but this view of what we know for sure has remained stable and representative over the years.
Figure 6 paints a clear picture of what has been the biggest pain point for everyone this year. This 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach will be of no surprise to anyone who has been following the MOVEit vulnerability and other zero-day exploits that were leveraged by Ransomware and Extortion-related threat actors.
This was the sort of result we were expecting in the 2023 DBIR when we analyzed the impact of the Log4j vulnerabilities. That anticipated worst case scenario discussed in the last report materialized this year with this lesser known—but widely deployed—product. We will be diving into additional details of MOVEit and vulnerability exploitation in the “Action” and “System Intrusion” pattern sections.
To dig further into this concept of the ways in, we are presenting a new slice of the data, where we are overlaying those different types of Actions with their most popular vectors to help focus response and planning efforts. You can take a peek at those results in Figure 7.
Phishing attacks mostly having an Email vector is rather self-explanatory,4 so we would like to focus on the concentration of the Web application vector prevalence for both credentials and exploit vulnerability. The presence of Credentials in the graphic should not be surprising as it carries a large share of the guilt for our Basic Web Application Attacks pattern (i.e., getting unauthorized access to cloud-based email and collaboration accounts). But recency bias might make folks doubt the prevalence of exploitation of vulnerabilities. Because this report is being written in the beginning of 2024, the focus has been on zero-day (or near-zero-day) vulnerabilities in virtual private network (VPN) software.5
Naturally, the share of VPN vector in the exploit vuln variety will likely increase for our 2025 report to reflect those trends, but the bottom line is again self-evident and self-explanatory. Anything that adds to your attack surface on the internet can be targeted and potentially be the first foothold for an external threat actor, and as such, the focus should be to try to keep footholds to a minimum.
No matter how you feel about your VPN software right now, having as many of your web applications as possible behind it might be a better strategy than having to worry about emergency overnight patching of the software—and all the other dependencies that power the web applications themselves. This will not completely mitigate the risk and will not be the right fit for all organizations, but in the worst-case scenario, the Cybersecurity Infrastructure and Security Agency (CISA) might have you rip out only one tool from your network as opposed to several.
Anyway, all this nuance does not affect our opinion of having desktop sharing software directly connected to the internet. Go fix that pronto, please.
We are only human after all.
One other combined metric we have been tracking for a few years is related to the human element in breaches. There is a lot of focus on how fully automated attacks can ruin an organization’s day,6 but it is often surprising how much the people inside the company can have a positive effect on security outcomes.
This year, we have tweaked our human element metric a bit so its impact and action opportunities are clearer. You see, when DBIR authors (and the whole industry in general) would discuss this metric, it would be alongside an opportunity gap for security training and awareness. It is not perfect, but if you had a clear investment path that could potentially improve the outcomes of more than two-thirds of potential breaches, you might at least sit down and listen.
It turns out that our original formula for what was included in the human element metric built in Privilege Misuse pattern breaches, which are the cases involving malicious insiders. Having those mixed with honest mistakes by employees did not make sense if our aim was to suggest that those could be mitigated by security awareness training.7
Figure 8 showcases the new human element over time (with malicious insiders removed) to provide a better frame of reference for our readers going forward. It is present in more than two-thirds of breaches as foreshadowed two paragraphs ago, more precisely in 68% of breaches. It is statistically similar to our findings last year, which means that in a certain way, the increases we had across the board in the Miscellaneous Errors pattern (human-centric) and as a result of the MOVEit vulnerability (automated) were similar in scope as far as this metric is concerned.
Fans of the “original flavor” human element are not missing much because the inclusion of the Misuse action would have brought the percentage to 76%, statistically only slightly more than the previous report’s 74%. Still, we prefer the clearer definition going forward, and we will leave the analysis of those bothersome insiders and their misdeeds to the “Privilege Misuse” pattern section.
The weakest links in the chain of interconnection
Finally, as we review the big picture of how the threat landscape changed this year,8 we would like to introduce a new metric that we will be tracking going forward. As the growth of exploitation of vulnerabilities and software supply chain attacks make them more commonplace in security risk register discussions, we would like to suggest a new third-party metric where we embrace the broadest possible interpretation of the term.9 Have a peek at Figure 9, where we calculated a supply chain interconnection influence in 15% of the breaches we saw, a significant growth from 9% last year. A 68% year-over-year growth is really solid, but what do we mean by this?
For a breach to be a part of the supply chain interconnection metric, it will have taken place because either a business partner was the vector of entry for the breach (like the now fabled heating, ventilating and air-conditioning [HVAC] company entry point in the 2013 Target breach) or if the data compromise happened in a third-party data processor or custodian site (fairly common in the MOVEit cases, for instance). Less frequently found in our dataset, but also included, are physical breaches in a partner company facility or even partner vehicles hijacked to gain entry to an organization’s facilities.10
So far, this seems like a pretty standard third-party breach recipe, but we are also adding cases, such as SolarWinds and 3CX, in which their software development processes were hijacked and malicious software updates were pushed to their customers to be potentially leveraged in a second step escalation by the threat actors. Those breaches are ultimately caused by the initial incident in the software development partner, and so we are adding those to this tab.
Now for the controversial part: Exploitation of vulnerabilities is counted in this metric as well. As much as we can argue that the software developers are also victims when vulnerabilities are disclosed in their software (and sure, they are), the incentives might not be aligned properly for those developers to handle this seemingly interminable task. These quality control failures can disproportionately affect the customers who use this software. We can clearly see what powerful and wide-reaching effects a handful of zero-day or mismanaged patching rollouts had on the general threat landscape. We stopped short of adding exploitation of misconfigurations in installed software because, although those could be a result of insecure defaults, system admins can get quite creative sometimes.
Figure 10 shows the breakdown of VERIS actions in the supply chain metric and, as expected, it is driven by Exploit vuln, which ushers Ransomware and Extortion attacks into organizations.
This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other. Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up. We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners.
We will keep a close watch on this one and seek to improve its definition over time. We welcome feedback and suggestions of alternative angles, and we believe the only way through it is to find ways to hold repeat offenders accountable and reward resilient software and services with our business.
1 Have you checked out the VERIS Community Database (VCDB) yet? You should, it’s awesome! (https://verisframework.org/vcdb.html)
2 We also passed our cumulative 1 million incident milestone as we forecast in the 2023 DBIR, but we are only mentioning this here in the footnote to not aggravate the report; it was very disappointed that 1 million is not enough to retire on in this economy.
3 We’re not throwing shade—different types of contributing organizations focus on what is most relevant for them, as well they should.
4 And an incredible L for the *ishing portmanteau enthusiasts
5 Unless by now we have successfully ripped them out of our networks entirely and are back to our smoke signals and carrier pigeon ways.
6 We ourselves were just talking about the growth of exploitation of vulnerabilities as a pathway into breaches.
7 We dread to think what “awareness training” for malicious insiders would look like.
8 Number of times the word “MOVEit” is mentioned in this report: 25
9 In a surprising role reversal, as we are often very pedantic in our definitions
10 We should stop watching those Mission: Impossible movies during DBIR writing season.