Data Breach Investigations Report DBIR 2022

The Data Breach Investigations Report (DBIR) published by Verizon is one of the most comprehensive cyber security reports available publicly online. Security practitioners use the DBIR for real-world, data-driven perspectives on the breaches that actually damage organizations. In the report's own words, “the DBIR is an open forum for security practitioners to seek out data-driven, real-world insights on cybercrime and what commonly affects companies.” [1] Continuing in that tradition, the 2022 report [2] offers insight into the threats organizations are likely to face today, as well as a retrospective of how the threat landscape has evolved over the years.

In this article, I summarize the 108-page 2022 Data Breach Investigations Report and give my key takeaways.

Introduction

Change is a constant in life, and the past year has been especially memorable for the murky world of cybercrime. Over the past 12 months, financially motivated criminals and nation-state actors have come out swinging as rarely before. As in years past, the DBIR team analyzed the contributed data to learn more about these and similar attacks. Of the 23,896 incidents examined this year, 5,212 were confirmed breaches, and the report credits the data contributors whose assistance was vital to producing it. Let's get into the details.

Key Takeaways

Stolen credentials, phishing, vulnerability exploitation and botnets are the four key paths into your estate. Each of them shows up in every area of the DBIR, and no organization can be secure without a plan to address all four.

Ransomware continued its upward trend, rising almost 13% to appear in 25% of breaches. Ubiquitous and destructive as it is, ransomware is at its core just a way of monetizing access to an organization, so blocking the four paths above is the most effective way to keep it off your network.

The year 2021 showed how a single supply-chain compromise can have widespread consequences: 61% of incidents involved the supply chain. By compromising the right partner, threat actors multiply their reach. Nation-state actors, unlike financially motivated ones, may be content to quietly retain the access they gain rather than immediately exploit it.

Error remains a significant cause of breaches, accounting for 14%, and a large part of that is misconfigured cloud storage. This pattern has levelled off for the second year in a row, but employees' fallibility should not be discounted.

The human element is the biggest factor in breaches: it was involved in 82% of breaches this year. Whether through stolen credentials, phishing, misuse or simple error, people continue to play a very large role in incidents and breaches alike.

Industry Highlights

Cybercrime can affect any organization regardless of its size, although the style, frequency and origin of attacks differ from one company to another. Deploying defenses efficiently and effectively has prerequisites: you need to see the broader threat landscape, but also to be very aware of what will affect your organization most directly. The report again provides 11 industry snapshots and, for the first time, a section on very small businesses (10 or fewer employees).

Accommodation and Food Services Industry

System Intrusion has declined in the Accommodation and Food Services industry since 2016, one of only a few industries where that is true, but the sector still faces malware delivered by email and stolen credentials used against web applications. In Basic Web Application Attacks and Social Engineering it now looks much like other industries.

Those two patterns have been on the rise over the last five years, bringing the sector more in line with what other industries experience. Over 80% of breaches here involve techniques outside the top five varieties, making this one of the few industries with a long tail of attack types. Intimidating as that sounds, the vectors are the usual suspects seen elsewhere: email, web applications and desktop sharing.

Arts, Entertainment, and Recreation

System Intrusion and Basic Web Application Attacks traded places, while Miscellaneous Errors stayed in third. Denial-of-service attacks continue to be a problem, especially in the gambling sector. This industry covers live performances, whether dance, theater or sporting events, as well as gambling.

It is hard to imagine more disparate attack surfaces than those of the organizations grouped under this NAICS code, but all of them rely on the internet for at least part of their business, whether selling tickets or taking orders (or wagers). Denial of Service attacks are unwelcome guests, yet they are a frequent occurrence here (particularly at gaming organizations in APAC) and account for over 20% of all incidents. Financially motivated attackers account for the majority of attacks in this sector, though a small percentage are driven by grudges. Basic Web Application Attacks are a particular concern because of how simple they are; System Intrusion, by contrast, makes attackers work much harder for their prize, with ransomware the tool of choice once they are in. Attackers love credentials, and they will use them to impersonate a legitimate employee for as long as it takes to get what they want.

Educational Services

Ransomware is rising significantly in Educational Services (over 30% of breaches), and the industry must also protect against stolen credentials and phishing attacks that threaten the privacy of its employees and students. Incidents are driven most often by System Intrusion, Social Engineering and Denial of Service, while breaches are driven mostly by System Intrusion and Miscellaneous Errors. The top two breach patterns, combined with stolen credentials and ransomware, make for a very dangerous combination.

Ransomware and stolen credentials don't take a recess. A miscalculation on your homework might cost a few points, but a user's miscalculation can cause a data breach: in this industry, 40% of errors are emails sent to the wrong person or with the wrong attachment. Errors have decreased over the past three years, but they remain common and should still be taken seriously, especially given the vast amounts of data that schools handle.

Finance and Insurance

The Financial sector is still targeted by criminals motivated by financial gain, typically through Social Engineering (phishing), Hacking (stolen credentials) and Malware (ransomware). The remaining top pattern, Miscellaneous Errors, which most often takes the form of Misdelivery, has stayed relatively consistent for three years running.

Healthcare

Internal actors have figured prominently in Healthcare breaches ever since the DBIR began collecting data on this industry. The composition of insider breaches has shifted from malicious misuse to more benign (but still reportable) errors, yet insider threats have been a constant in this vertical. That dominance has now ended, as the Basic Web Application Attacks pattern has risen to take the lead. Make no mistake (no pun intended): your employees are still misusing their access, but they are 2.5 times more likely to make an error than to maliciously abuse their privileges. Among those errors, Misdelivery and Loss are so close that a photo finish would be needed to separate them.

Information

System Intrusion took the top spot in breaches this year, ahead of Miscellaneous Errors and Basic Web Application Attacks, while DDoS continues to be the top incident type. Errors have dropped since their rise five years ago, and Malware has been growing over the past two years.

Manufacturing

Manufacturers continue to be attractive targets for Espionage, but they are increasingly targeted by other criminals as well, through Denial of Service attacks, credential attacks and Ransomware.

Mining, Quarrying, and Oil & Gas Extraction + Utilities

Mining and Utilities are vulnerable to the same kinds of attacks as the other industries examined, namely credential attacks and ransomware, and phishing is also common among them.

Professional, Scientific, and Technical Services

This industry is subject to Denial of Service attacks, which rarely result in a data breach but can still have a significant impact. As in previous years, System Intrusion attacks again topped the list this year, while Social attacks fell to third place, but remain prominent.

Public Administration

This sector has risen to the top in the System Intrusion pattern. Employees are still responsible for breaches in this vertical, but they are seven times more likely to make a mistake than to act maliciously. Miscellaneous Errors remains in the top three patterns, holding the same position as last year.

Retail

Retail experienced the same kinds of attacks this year as last: credential theft, phishing and ransomware. Threat actors targeting this industry use a variety of techniques, from malware that skims credit card numbers as they are entered into web forms to more common tactics like phishing.

Very Small Businesses

Cybercrime usually makes the news when a large organization is hacked. Small organizations may seem unattractive to criminals, but in certain ways they are enticing, and in some cases even more so.

Cyber threat actors operate on a philosophy of "we'll take anything we can get", and these attacks have destroyed small businesses. Even a very small business (10 or fewer employees) should therefore have adequate security measures in place to avoid becoming a victim.

In a ransomware attack, data is encrypted so that it cannot be viewed or used, and a (often large) ransom is demanded to unlock it. Second on the list is the use of stolen credentials. Attackers can get hold of your credentials (username and password) in several ways:

  • Brute force attacks, where a program tries numerous combinations of letters, symbols and numbers to guess your password.

  • Malware that harvests credentials from an infected machine (hence the value of an up-to-date antivirus program).

  • Passwords reused from another website that has already been breached.

  • Social attacks such as Phishing and/or Pretexting.

Social attacks can look quite convincing, for instance an invoice from your regular supplier but with a different bank account number. Most criminals contact their targets by email, but they have also used the telephone to convince victims that a request is genuine.
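To make the credential-theft methods above concrete, here is an added example (not from the DBIR or this article) that classifies failed-login activity as brute force versus credential stuffing over a constructed, simplified login audit log; the log format, field names and thresholds are assumptions. Brute force shows up as many failures against one account from one source, while credential stuffing (passwords reused from another breach) shows up as one or two attempts against many different accounts from one source, and in both cases a success from the same source is the finding that matters most:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a simplified login audit log (not real data).
# Assumed format: "<ISO-8601 timestamp> <source IP> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2022-05-01T10:00:01+00:00 203.0.113.5 alice FAIL
2022-05-01T10:00:03+00:00 203.0.113.5 alice FAIL
2022-05-01T10:00:05+00:00 203.0.113.5 alice FAIL
2022-05-01T10:00:07+00:00 203.0.113.5 alice FAIL
2022-05-01T10:00:09+00:00 203.0.113.5 alice FAIL
2022-05-01T10:00:11+00:00 203.0.113.5 alice FAIL
2022-05-01T10:00:13+00:00 203.0.113.5 alice OK
2022-05-01T10:01:00+00:00 198.51.100.7 bob FAIL
2022-05-01T10:01:01+00:00 198.51.100.7 carol FAIL
2022-05-01T10:01:02+00:00 198.51.100.7 dave OK
2022-05-01T10:01:03+00:00 198.51.100.7 erin FAIL
2022-05-01T10:01:04+00:00 198.51.100.7 frank FAIL
2022-05-01T10:01:05+00:00 198.51.100.7 grace FAIL
2022-05-01T10:01:06+00:00 198.51.100.7 heidi FAIL
2022-05-01T10:05:00+00:00 192.0.2.9 alice FAIL
2022-05-01T10:05:20+00:00 192.0.2.9 alice FAIL
2022-05-01T10:05:40+00:00 192.0.2.9 alice OK
"""

# Thresholds are assumptions; tune them against your own baseline.
BRUTE_FORCE_MIN_FAILS = 5    # repeated failures against one account from one IP
STUFFING_MIN_USERS = 5       # distinct accounts tried from one IP
STUFFING_MAX_PER_USER = 2    # stuffing tries each leaked pair only once or twice
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def analyze(log_text, window=WINDOW):
    """Classify each source IP's login activity within its most recent window.

    Returns {ip: {"verdict": v, "compromised": [users]}} where v is
    "brute_force", "credential_stuffing" or "none". A user is listed as
    compromised when the same IP logged in successfully during an attack.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        cutoff = evs[-1][0] - window          # only the trailing window counts
        recent = [e for e in evs if e[0] >= cutoff]
        fails, attempts, ok_users = defaultdict(int), defaultdict(int), set()
        for _, _, user, result in recent:
            attempts[user] += 1
            if result == "FAIL":
                fails[user] += 1
            elif result == "OK":
                ok_users.add(user)

        verdict = "none"
        if fails and max(fails.values()) >= BRUTE_FORCE_MIN_FAILS:
            verdict = "brute_force"           # one account hammered
        elif (len(attempts) >= STUFFING_MIN_USERS
              and max(attempts.values()) <= STUFFING_MAX_PER_USER):
            verdict = "credential_stuffing"   # many accounts, one or two tries each

        compromised = sorted(ok_users) if verdict != "none" else []
        report[ip] = {"verdict": verdict, "compromised": compromised}
    return report


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding["verdict"], finding["compromised"])
```

The third source in the sample (two failures, then a success on the same account) is left unflagged on purpose: that is what a user mistyping a password looks like, and alerting on it would bury the real signal. Per-account lockouts stop the first pattern but not the second, which is why credential stuffing is best answered with multi-factor authentication and per-source rate limiting rather than lockouts alone.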

Regional Findings

The DBIR is now in its third year of analyzing incidents from a macro-regional perspective, giving a more global view of cybercrime. Visibility within a given region is greater or lesser depending on factors such as contributors' presence, disclosure regulations and the caseload in that region.

Asia-Pacific

APAC sees many social and hacking-related attacks but far fewer ransomware cases. Basic Web Application Attacks and Social Engineering remain the persistent patterns in this region.

Europe, Middle East, and Africa (EMEA)

This region is experiencing a rise in Social Engineering attacks, illustrating the need for early detection tools. The Basic Web Application Attacks pattern also persists in EMEA, as evidenced by the high prevalence of credential theft.

Four patterns have rearranged themselves in order, but the top three remain the same. External actors are the culprits in most cases in this region.

Northern America (NA)

This region has become known for the System Intrusion pattern, which has displaced Social Engineering at the top, though social actions like Phishing remain a significant problem in Northern America. Basic Web Application Attacks also continue to be a problem.

Best Practices

DBIR data has once again been mapped to the Critical Security Controls from the Center for Internet Security, giving you a way to integrate the findings into your security program. The report lists the top controls its data suggest are important for most organizations.

Data Protection

This control aims to identify, classify and secure organizational data in all its forms using processes and technical controls. It protects data against accidental exposure, whether through email or through configuration errors.

Secure Configuration of Enterprise Assets & Software

Despite the fancy name, this control is about building solutions that are secure from the outset rather than bolting security on later. Hardened baseline configurations address Error-based breaches like Misconfiguration, and remote-wipe capability on portable devices limits the damage when an asset is lost.
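The misconfiguration the report keeps returning to is cloud storage left readable by anyone. As an added example that is not from the DBIR or this article, the following check reads a bucket policy in AWS S3 syntax (the provider is an assumption; the DBIR names none, and the same idea applies to any object store) and flags Allow statements that grant read access to an anonymous principal, alongside a check that every Block Public Access setting is enabled. The weak and hardened policies, bucket name and account ID are constructed for illustration:

```python
import json
from fnmatch import fnmatchcase

# Constructed policies in AWS S3 bucket-policy syntax (provider is an assumption;
# the DBIR names none). The weak one is the classic "public read" mistake.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # read access only for one named role (hypothetical account/role)
            "Sid": "BackupReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-backups/*",
        },
        {   # a wildcard principal in a Deny is fine: it forces TLS for everyone
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-backups",
                         "arn:aws:s3:::example-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Actions that let an anonymous caller read or enumerate data.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for principal forms that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_grants(policy_json):
    """Return findings for Allow statements that expose data to anonymous callers.

    Each finding is {"sid", "actions", "conditional"}. A conditional grant
    (for example one scoped to a VPC endpoint) may be legitimate but still
    warrants review.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        # Action may be a wildcard such as "s3:*" or "s3:Get*"; match case-insensitively.
        exposed = [a for a in _as_list(stmt.get("Action", []))
                   if any(fnmatchcase(r, a.lower()) for r in READ_ACTIONS)]
        if exposed:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                             "actions": exposed,
                             "conditional": "Condition" in stmt})
    return findings


def public_access_block_ok(config):
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS)


if __name__ == "__main__":
    print("weak:", find_public_grants(WEAK_POLICY))
    print("hardened:", find_public_grants(HARDENED_POLICY))
```

A policy check alone is not enough, because object ACLs can open a bucket even when the policy is clean; that is why the second function insists on all four Block Public Access settings, which override both. Run checks like these in a pipeline or scheduled job so the misconfiguration is caught before the data is, rather than after a researcher or an attacker finds it.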

Account Management

This control covers managing the lifecycle of user, administrator and service accounts, which helps defend against brute-forcing and credential stuffing.

Access Control Management

This control covers enforcing multi-factor authentication on key components of the environment and managing users' rights and privileges, which blunts the use of stolen credentials.

Security Awareness & Skill Training

This is a classic control, so hopefully there is not much to explain. Security awareness and technical training are a great place to spend some dollars, helping your team recognize the social engineering and other cognitive hazards of an increasingly hazard-filled world.


1. Verizon. “2022 Data Breach Investigations Report.” 2022. https://www.verizon.com/business/resources/reports/2022/dbir/2022-dbir-data-breach-investigations-report.pdf

2. Verizon. “2022 Data Breach Investigations Report.” 2022. https://www.verizon.com/business/resources/reports/2022/dbir/2022-dbir-data-breach-investigations-report.pdf