VERIS Actors

Hey, you, don’t skip this section this year! We know we keep repeating, “It’s always external criminals wanting your money” alongside dated pop culture references, but we have some interesting data points to discuss this year. Does this mean External actors are not the most prevalent? No, of course they are, silly. But since we got your attention, please read on.

This year, in part because of improved breach collection processes[11] and the onboarding of new data contributors documenting mandatory breach disclosures, it is finally time for Internal actors to shine. After all, why rely on outside help if you have the talent in-house?

We still have the External actors as the top catalyst for breaches at 65%, but we have Internal at a whopping 35%—a significant increase from last year’s 20% number. Figure 11 showcases this development over the last few years.

However, before we call an emergency meeting and start pointing fingers at each other trying to figure out who the impostor is, it’s important to realize that 73% of those Internal actor breaches were in the Miscellaneous Errors pattern, and we shouldn’t really be holding their feet to the fire.[12] We will be discussing more about this Error renaissance[13] in the respective pattern section, but it showcases one long-standing suspicion of the team that mandatory breach disclosure at scale will help us better understand how mundane and preventable some of those incidents can be.

Data Breach Investigation Report figure 11

And speaking of disclosure, the numerous Extortion attacks used by ransomware actors have caused an influx in the number of External actor incidents we review each year because they tip the hands of their victims and force them to notify their customers of the breach. This helped us keep our dataset balanced. Further mandatory disclosure regulation trends in the world will help us all understand the causal landscape better.[14]

Before anyone gets excited by more groundbreaking changes in the “Actor” section, Figure 12 is pleased to inform you that the Actor motive ranking remains the same. Financial has the clear lead, but it is interesting to note that the Espionage motive has increased slightly over last year, from 5% to 7%. As was the case in the prior report, this motive is mostly concentrated in Public Administration breaches.

Data Breach Investigation Report figure 12

We can find the same expected results when we consider the varieties of threat actors with which we are dealing. Figure 13 illustrates the lead that Organized crime-affiliated actors enjoy over their State-sponsored counterparts, as our analysis has shown for many years. Please don’t misunderstand: This in no way means that the threat from those Actors should be taken lightly. State-sponsored actors are unusually resourceful and capable of adapting their tactics. Luckily for the average organization, they are less likely to target run-of-the-mill enterprises as often as your everyday, garden-variety criminal.

On a different note, End-user (in VERIS parlance, an average employee or contractor of an organization) has grown a lot, more than doubling from 11% to 26%. Those were mostly involved in Misdelivery errors and were part of the same growth in the Miscellaneous Errors pattern we discussed above. All in all, it’s been an upsetting year for all detail-oriented perfectionists[15] out there.

Data Breach Investigation Report figure 13

Actor categories[16]

External (ext): External threats originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees and government entities. This category also includes God (as in “acts of”), “Mother Nature” and random chance. Typically, no trust or privilege is implied for external entities.

Internal (int): Internal threats are those originating from within the organization. This encompasses company full-time employees, independent contractors, interns and other staff. Insiders are trusted and privileged (some more than others).

Partner (prt): Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers and outsourced IT support. Some level of trust and privilege is usually implied between business partners. Note that an attacker could use a partner as a vector, but that does not make the partner the Actor in this case. The partner has to initiate the incident to be considered the responsible party.
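Applying these three categories to incident records, as an added example that is not part of the report or the VERIS project's code: it tallies actor shares over breaches and shows that a partner used only as a vector leaves the Actor as External. The records are constructed samples using VERIS JSON field names; treating `data_disclosure == "Yes"` as a breach and any `action.error` entry as an error breach are this example's assumptions.

```python
from collections import Counter

ACTOR_KEYS = {"external": "ext", "internal": "int", "partner": "prt"}

# Constructed sample incidents (not DBIR data), using VERIS JSON field names.
SAMPLE = [
    {"actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
     "action": {"hacking": {"variety": ["Use of stolen creds"], "vector": ["Partner"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"actor": {"internal": {"variety": ["End-user"], "motive": ["NA"]}},
     "action": {"error": {"variety": ["Misdelivery"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"actor": {"internal": {"variety": ["System admin"], "motive": ["Financial"]}},
     "action": {"misuse": {"variety": ["Privilege abuse"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
    {"actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
     "action": {"malware": {"variety": ["Ransomware"]}},
     "attribute": {"availability": {"variety": ["Obscuration"]}}},  # incident, no confirmed disclosure
    {"actor": {"partner": {"motive": ["NA"]}},
     "action": {"error": {"variety": ["Misconfiguration"]}},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
]

def is_breach(rec):
    # Assumption: a breach is an incident with confirmed data disclosure.
    conf = rec.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"

def actor_categories(rec):
    # Only the actor block decides the category; a "Partner" vector under
    # action means the partner was a route in, not the responsible party.
    return {abbr for key, abbr in ACTOR_KEYS.items() if key in rec.get("actor", {})}

def actor_shares(records):
    breaches = [r for r in records if is_breach(r)]
    counts = Counter(c for r in breaches for c in actor_categories(r))
    return {c: counts[c] / len(breaches) for c in ACTOR_KEYS.values()} if breaches else {}

def internal_error_share(records):
    # Fraction of Internal-actor breaches that involve an error action.
    internal = [r for r in records if is_breach(r) and "int" in actor_categories(r)]
    errors = [r for r in internal if "error" in r.get("action", {})]
    return len(errors) / len(internal) if internal else 0.0

if __name__ == "__main__":
    print(actor_shares(SAMPLE))
    print(internal_error_share(SAMPLE))
```

A record can carry more than one actor block, so the shares returned by `actor_shares` need not sum to 1.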

Artificial general intelligence threat landscape, emphasis on “artificial,” not “intelligence”

Despite the pressure from a vocal minority of the cybersecurity community,[17] it seems that the DBIR team will not be adding “Evil AGI”[18] to the VERIS actor enumerations in 2024. However, it is still a very timely topic and one that has been occupying the minds of technology and cybersecurity executives worldwide.[19]

We did keep an eye out for any indications of the use of the emerging field of generative artificial intelligence (GenAI) in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally.[20]

After performing text analysis alongside our criminal forums data contributors, we could obviously see the interest in GenAI (as in any other forum, really), but the number of mentions of GenAI terms alongside traditional attack types and vectors such as “phishing,” “malware,” “vulnerability” and “ransomware” was shockingly low, barely breaching 100 cumulative mentions over the past two years. Most of the mentions[21] involved the selling of accounts to commercial GenAI offerings or tools for AI generation of non-consensual pornography. Figure 14 illustrates our findings.

If you extrapolate the commonly understood use cases of GenAI technology, it could potentially help with the development of phishing, malware and the discovery of new vulnerabilities in much the same way it helps your 10th grader write that book report for school or your average AI social media influencer pretend to create a website by taking a picture of a drawing on a napkin.

But would this kind of assistance really move the needle on successful attacks? One can argue, given our Social Engineering pattern numbers from the past few years, that Phishing or Pretexting attacks don’t need to be more sophisticated to be successful against their targets, as we have seen with the growth of BEC-like attacks. Similarly, malware, especially of the Ransomware flavor, does not seem to be lacking in effectiveness, and threat actors seem to have a healthy supply of zero-day vulnerabilities for initial infiltration into an organization.

From our perspective, the threat actors might well be experimenting and trying to come up with GenAI solutions to their problems. There is evidence being published[22] of leveraging such technologies in “learning how to code” activities by known state-sponsored threat actors. But it really doesn’t look like a breakthrough is imminent or that any attack-side optimizations this might bring would even register on the incident response side of things. The only exception here has to do with the clear advancements on deepfake-like technology, which has already created a good deal of reported fraud and misinformation anecdotes.

Incidentally, we did ask one of those GenAI tools what threats this nascent technology could amplify, and it ended up suggesting the same things as above.[23] It made it seem like it already had an outsize influence in those subjects and that “organizations must adapt their defense strategies to keep pace with the evolving sophistication of GenAI-driven threats.”[24] This little experiment seems to indicate that even GenAI has a tendency toward beefing up its resume via the use of well-placed exaggeration.

Turns out it’s really hard to escape the hype no matter where you sit on the natural vs. artificial divide.

Data Breach Investigation Report figure 14

[11] Doubling the number of breaches we analyzed was no easy feat. We feel sorry for the poor DBIR authors who will have to outdo that number for the 2025 edition.

[12] Unless carelessness and inattention to detail are wrong.

[13] Errorssance? Age of Enerrorment?

[14] This will also give threat actors new opportunities to be tattletales and report material breaches to organizations like the US Securities and Exchange Commission (SEC).

[15] Just imagine what it would be like to work for one of those people. [Editor’s note: We resent that!]

[16] https://verisframework.org/actors.html

[17] Strange spelling for “unhinged marketing hype”

[18] Artificial general intelligence. You know, HAL 9000, Skynet, Cylons, M3GAN …

[19] Just like real impactful technologies such as blockchain and the metaverse

[20] But if we had been taken over by an evil AI technology, that is what we would say. Makes you think.

[21] It is worth pointing out that while we were writing this section, Kaspersky came up with similar research that is worth a look: https://usa.kaspersky.com/about/press-releases/2024_new-kaspersky-study-examines-cybercrimes-ai-experimentation-on-the-dark-web

[22] https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai

[23] And when we asked it to do it again but in the voice of the DBIR, it seemed unhealthily fixated on circus and theater jokes and puns. Is that what we sound like?

[24] We certainly know where we’re getting marketing copy for our next cybersecurity startup.
