VERIS Actions
A wise person25 once said, “We are what we repeatedly do,” and wouldn’t they be impressed by the stoicism of how some of our top VERIS Actions keep showing up year after year? In all fairness, it does seem more an exercise of “if it ain’t broke don’t fix it” than any classical philosophical principle. But it highlights that we defenders have a lot of work to do, as usual.
Figure 15 has our top Action varieties in breaches, and it brings a lot to talk about. As we mentioned in the “Introduction” section, a big shift this year was the reduction of the Use of stolen credentials as a percentage of initial actions in breaches. It is still our top action at 24%, although it just barely passes statistical testing when compared to our good old Ransomware in the second spot, with 23%.
Ransomware is less representative than last year, although its common style of financially motivated breach is being complemented by Extortion, which now represents 9% of our action distribution. If you count Ransomware breaches and breaches with Extortion from ransomware actors as just two sides of the same coin,26 we show a combined activity of 32% from those action varieties.
You can also see Extortion hand in hand with Exploit vuln at 10% of breaches, and the pair of them headline MOVEit’s (and other similar vulnerabilities’) impact, along with some other malware- and hacking-related varieties, such as Backdoor or C2 (command and control). That is double the exploitation of vulnerabilities of last year, and that obviously has had an impact in our ways-in metric as discussed in the introduction. Readers can find more details about this remarkable event in our “System Intrusion” pattern section.
One other thing worth noting is the clear overtaking of Pretexting as a more likely social action than Phishing. If you have been tracking our chronicle of the rise of BEC attacks, you know this is a viable and scalable way to address threat actor monetization anxieties.27
Action categories28
Hacking (hak): attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms.
Malware (mal): any malicious software, script or code run on a device that alters its state or function without the owner’s informed consent.
Error (err): anything done (or left undone) incorrectly or inadvertently.
Social (soc): employ deception, manipulation, intimidation, etc., to exploit the human element, or users, of information assets.
Misuse (mis): use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended.
Physical (phy): deliberate threats that involve proximity, possession or force.
Environmental (env): not only includes natural events such as earthquakes and floods but also hazards associated with the immediate environment or infrastructure in which assets are located.
Moving on to Figure 16, we have a chance to look into top Action varieties for incidents. It should not surprise any returning reader that DoS attacks hold the top spot, being present in 59% of our recorded incidents. There is very little we can say about this Action variety that we haven’t said before29 as its lead has been quite stable over the years.
We can also observe the same phenomenon in Ransomware that we saw in breaches. It is overall lower than last year, being present in 12% of incidents, but when you combine it with Extortion, we hit a similar ratio to last year’s 15% of “Ramstortion.”30
Figure 17 showcases the Action vectors in breaches, and the results are in line with what we have been discussing in the “Introduction” and “Actors” sections. There was considerable growth of Carelessness due to the increase in error breaches and an uptick in Email as a vector driven by the increase in pretexting. The Web applications vector is hanging in there, though, and as we discussed in the introduction, it goes hand in hand with use of stolen credentials and exploitation of vulnerabilities to infiltrate your defenses.
Speaking of ways in, it might also be interesting to explore a handful of goals and outcomes of those attacks.31 Figure 18 describes the prevalence of ransomware/extortion and pretexting action varieties under the Financial actor motive. As we frequently point out, those are two of the most successful ways of monetizing a breach. The ransom duo has been hovering around the two-thirds mark (62%) for some time, while Pretexting made up nearly a quarter (24%) of goal actions over the past two years.
Jen Easterly
Director, Cybersecurity and Infrastructure Security Agency (CISA)
Over the past year, CISA has been leading the secure by design software development revolution. We have issued alerts documenting foreign intelligence agencies penetrating hundreds of critical infrastructure entities and establishing a foothold, possibly to be used in a future conflict. We have also published blueprints for what we need to change in order to establish a culture of technology development that puts security first without sacrificing innovation. These two efforts are different and necessary approaches to the same problem.
Today, the software industry is focused on the malicious actors and how they work. As a community, we talk about signature adversary moves, the amount of money made and the vulnerabilities that were exploited. But it’s that last point—vulnerabilities that were exploited—that doesn’t get nearly enough focus. Most software vulnerabilities are not unknown, unique or novel. Instead, they fall into well-known classes of vulnerabilities, and unfortunately, we continue to see the same classes of vulnerabilities that have been identified for decades.
Our goal should be to shift away from focusing on individual vulnerabilities and to instead consider the issue from a strategic lens. By focusing on recurring classes of software defects, we can inspire software developers to improve the tools, technologies, and processes and attack software quality problems at the root. I hope that a deeper understanding of how attackers get in will be the catalyst to demand that our technology be secure by design starting today.
Exploitation moving swiftly in the threat landscape
The DBIR is entering its Vulnerability Era. One of the most critical findings we had this year was the growth of the Exploit vuln action variety. We have emphasized the fact that credential abuse is the big thing to focus on for several years now,32 and even the most obtuse of us can see a trend when it is smacking us in the face.
We knew that the MOVEit vulnerability was trouble when it first entered the room, and we were able to identify 1,567 breach notifications that related to MOVEit by a combination of (very vague) breach descriptions and the timing of the breach itself. Reports from CISA33 state that the Cl0p ransomware team had compromised more than 8,00034 global organizations from a handful of zero-day vulnerabilities being exploited. It is important to mention this high number even if our sampled incident dataset does not account for all of that in either breach notifications or ransomware victim listings scraped from the threat actor’s own notification websites.35
This love story between zero-day vulnerabilities and ransomware threat actors puts us all in a concerning place. By doing a survival analysis36 of vulnerability management data and focusing on the vulnerabilities in the CISA Known Exploited Vulnerabilities (KEV) catalog,37 (arguably an area of priority focus in vulnerability management), we found that it takes around 55 days to remediate 50% of those critical vulnerabilities once their patches are available. As Figure 19 demonstrates, the patching doesn’t seem to start picking up until after the 30-day mark, and by the end of a whole year, around 8% of them are still open.
But before organizations start pointing at themselves saying, “It’s me, hi, I’m the problem,” we must remind ourselves that after following a sensible risk-based analysis,38 enterprise patch management cycles usually stabilize around 30 to 60 days as the viable target, with maybe a 15-day target for critical vulnerability patching. Sadly, this does not seem to keep pace with the growing speed of threat actor scanning and exploitation of vulnerabilities.
This is not enough to shake the risk off. As we pointed out in the 2023 DBIR, the infamous Log4j vulnerability had nearly a third (32%) of its scanning activity happening in the first 30 days of its disclosure. The industry was very efficient in mitigating and patching affected systems so the damage was minimized, but we cannot realistically expect an industrywide response of that magnitude for every single vulnerability that comes along, be it zero-day or not.
In fact, if you look at the distribution of when vulnerabilities have their first scan seen in internet honeypots in Figure 20, the median time for that to happen for a Common Vulnerabilities and Exposures (CVE) registered vulnerability in the CISA KEV is five days. On the other hand, the median time for non-CISA KEV vulnerabilities sits at 68 days. There is an obvious “no true Scotsman” fallacy comment to be made here because when exploitation starts running rampant, vulnerabilities get added to the KEV. There are few hindsight metrics as powerful as this one to guide what you should be patching first.39 In summary, if it goes into the KEV, go fix it ASAP.
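“If it goes into the KEV, go fix it ASAP” is easy to operationalize because the catalog is published as a JSON feed with a due date per entry. The following is an added example, not DBIR or CISA code: it cross-references a constructed scanner export against a constructed catalog snippet (shaped like the KEV feed, on the assumption that the field names cveID, dueDate and knownRansomwareCampaignUse are as published at the time of writing; all CVE IDs are placeholders) and orders the work so that KEV-listed findings come first, known ransomware use ahead of the rest, then soonest due date, with internet exposure and CVSS only as tie-breakers.

```python
"""Order a scanner export into a patch queue by CISA KEV membership.

Added example, not DBIR or CISA code. The catalog snippet below is constructed in
the shape of the public KEV JSON feed (assumption: the field names cveID, dueDate
and knownRansomwareCampaignUse are as published at the time of writing), and the
scanner findings are constructed. All CVE IDs here are placeholders.
"""
import json
from datetime import date

KEV_JSON = json.dumps({
    "title": "constructed KEV snippet",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
         "product": "Transfer Appliance", "dateAdded": "2024-04-29",
         "dueDate": "2024-05-20", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor",
         "product": "File Server", "dateAdded": "2024-05-20",
         "dueDate": "2024-06-10", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed scanner export: one row per (asset, CVE), in arbitrary order.
SCANNER_FINDINGS = [
    {"asset": "db-01",       "cve": "CVE-0000-1004", "internet_facing": False, "cvss": 5.3},
    {"asset": "www-02",      "cve": "CVE-0000-1003", "internet_facing": True,  "cvss": 9.8},
    {"asset": "file-srv-03", "cve": "CVE-0000-1002", "internet_facing": False, "cvss": 9.8},
    {"asset": "hr-app-01",   "cve": "CVE-0000-1001", "internet_facing": False, "cvss": 7.2},
    {"asset": "vpn-gw-01",   "cve": "CVE-0000-1001", "internet_facing": True,  "cvss": 7.2},
]

NOT_IN_KEV = 10**6  # sort sentinel: "no due date" sorts after every real one


def load_kev(text):
    """Index a KEV catalog document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def priority_key(finding, kev, today):
    """Smaller tuple = fix sooner.

    Order: KEV-listed before anything else; within KEV, known ransomware use first,
    then the soonest (or most overdue) due date; ties broken by internet exposure
    and finally CVSS. CVSS only drives order among non-KEV findings.
    """
    exposure = 0 if finding["internet_facing"] else 1
    entry = kev.get(finding["cve"])
    if entry is None:
        return (1, 1, NOT_IN_KEV, exposure, -finding["cvss"])
    ransomware = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
    days_to_due = (date.fromisoformat(entry["dueDate"]) - today).days
    return (0, ransomware, days_to_due, exposure, -finding["cvss"])


def prioritize(findings, kev, today):
    """Findings sorted most-urgent first."""
    return sorted(findings, key=lambda f: priority_key(f, kev, today))


def work_queue(today_iso, findings=SCANNER_FINDINGS, kev_json=KEV_JSON):
    """Asset names in the order they should be patched as of `today_iso`."""
    kev = load_kev(kev_json)
    return [f["asset"] for f in prioritize(findings, kev, date.fromisoformat(today_iso))]


def overdue_assets(today_iso, findings=SCANNER_FINDINGS, kev_json=KEV_JSON):
    """Assets carrying a KEV entry whose CISA due date has already passed."""
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    return [f["asset"] for f in prioritize(findings, kev, today)
            if f["cve"] in kev and date.fromisoformat(kev[f["cve"]]["dueDate"]) < today]


if __name__ == "__main__":
    for asset in work_queue("2024-06-01"):
        print(asset)
    print("overdue:", overdue_assets("2024-06-01"))
```

Note that the CVSS 9.8 finding on the internet-facing web server lands fourth: it is not in the catalog, so under this policy it waits behind a CVSS 7.2 KEV entry on an internal host. That is the deliberate consequence of treating exploitation evidence as the primary signal and severity scores as a tie-breaker; if your risk model disagrees, the tuple in priority_key is the one place to change it.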
Even though this survival analysis chart looks bleak, this is the optimist’s view of the situation. We must remind ourselves that these are companies with resources to at least hire a vulnerability management vendor. That tells us that they care about the risk and are taking measures to address it. The overall reality is much worse, and as more ransomware threat actors adopt zero-day and/or recent vulnerabilities, they will definitely fill the blank space in their notification websites with your organization’s name.
If we can’t patch the vulnerabilities faster, it seems like the only logical conclusion is to have fewer of them to patch. We realize this is the stuff of our wildest dreams, but at the very least, organizations should be holding their software vendors accountable for the security outcomes of their product, even if there is no regulatory pressure on those vendors to do better. The DBIR will emphasize this point going forward by expanding our third-party involvement in breaches metric to also account for the exploitation of vulnerabilities.40 This helps illustrate that when choosing a vendor, software that is secure by design would make a difference.
We recommend that folks who are involved in both software development and software procurement take the time to review the recently updated “Secure by Design”41 report by CISA and 17 U.S. and international partners. It shows how software can be made to have better security outcomes and what to look for as a buyer. The DBIR does not intend to foster any bad blood with software providers that might be falling short of their goals in keeping their products safe, but if there ever was a clear time to make a statement by prioritizing this elegant solution to a growing threat, this is it. We can see the costs of not acting all too well.
25 Since every quote on the Internet is misattributed, let’s just save some time and take the easy way out.
26 Which we kind of do in this issue of the report because it is exhausting to argue with people all the time about things like threat actor methodology details or tactics, techniques and procedures (TTPs) when everyone else seems to be doing it.
27 Unfortunately, everyone has to hit their quotas each quarter.
28 https://verisframework.org/actions.html
29 We do try in the “Denial of Service” pattern section regardless.
30 “Extorware”? What would be the best couples name for this pair?
31 The obvious “ways-out” pun doesn’t make sense here. Maybe if we had cyber getaway cars.
32 DBIR guided visualization: Picture blue team folks in jerseys at the Super Bowl chanting, “MFA! MFA! MFA!”
33 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
34 Vegeta’s power Scouter is still intact.
35 And just like a consultant will say, “It depends,” our data scientists will say, “It’s the sampling bias.”
36 Hat tip to Jay Jacobs of Cyentia on the methodology: https://www.cyentia.com/why-your-mttr-is-probably-bogus
37 https://www.cisa.gov/known-exploited-vulnerabilities-catalog
38 Such as the one in https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-RemediateVulnerabilitiesforInternetAccessibleSystems_S508C.pdf
39 Eat your heart out, CVSS.
40 Have a look at the Introduction subsection in this Results and Analysis section.
41 https://www.cisa.gov/resources-tools/resources/secure-by-design