Verizon DBIR 2022: What’s Worth Acting On?

When I was a corporate employee running security teams, I looked forward to Verizon DBIR Report every spring, as it was an essential tool to validate my strategy and investments. Often, the report’s insights on the latest trends and attacker actions provided guidance on where to deploy resources, helping improve our effectiveness.

In reviewing the latest findings, these are the headlines worth acting on.

The Barrier to Entry is Lower Than Ever for Attackers

Credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system. As dark web marketplaces mature and credentials are bought and sold, the barrier to entry is increasingly low for attackers. Add the spread of SaaS, applications and dependence on Identity as the new perimeter, and it is more challenging than ever for defenders.

If you have a portal, website or any web-based application that is internet connected and requires authentication, protect the authentication mechanism—use CAPTCHA, require multi-factor authentication and attempt to rate-limit logins.

1 in 4 Attacks are Ransomware Related

Ransomware effects have nearly doubled year over year, now accounting for 25% of business impacts of breaches. This isn’t news. Cyber insurance companies have known this for some time and have adjusted their policies accordingly. Many are increasing premiums significantly and some are even including special carveouts—Ransomware Coinsurance—requiring the organization to pay a portion of the ransom.

Ransomware is the easy button for an attacker—they don’t need to find your data and figure out how to monetize it, they can just encrypt it, make it unavailable for you, your suppliers and customers. This creates mounting pressure that businesses will often comply with a ransom. The increasing effect of ransomware continues to have a downward effect on dwell time for attackers. We aren’t necessarily getting better at finding them as Actor Disclosure is more than 50% of the discovery methods.

Although the market is responding, companies are often slow to develop or test process for ransomware response. Now is the time to start. Review your backup controls, technology and recoverability. Review your email filtering technology’s effectiveness and your endpoint’s ability to detect and response to ransomware.

Because ransomware is primarily deployed through phishing attacks or stolen credentials, you should also look to improve email filtering. Improve credential protections, deploy multi-factor everywhere and take advantage of conditional access.

Supply Chain: A Force Multiplier for Attackers

If an attacker can successfully target a service provider, the downstream impacts may be very significant on partner organizations. In fact, partners are now involved in 39% of breaches.

Surprising? Unlikely. In our interconnected world, we cannot manufacture, transact, sell, collect cash, manage inventory or ship product without partners. Manufacturers are most often relying on supply chain for components rather than raw material. We rely on service providers for marketing, sales, financing, credit card processing, communications and every business function you can imagine. Every business in every industry has supply chain risk, whether we acknowledge it or not.

Targeting supply chain partners also increases the attack surface, while oftentimes lowering the difficulty. From the attacker’s perspective, why go after a mature, well-funded organization when I can breach a smaller organization that works within the security boundaries of that larger organization? The smaller supply chain partner may have credentials, or as a trusted partner may allow for access to spread ransomware, command-and-control or simple wire fraud.

When evaluating supply chain partners and various service providers, don’t forget to also evaluate their security program and be wary of any red flags.

Where Should You Put Your Focus?

As with every DBIR, updating software and operating systems as much as possible is a critical control. Many companies are patching more and faster, but there are still opportunities for improvement. For example, some cloud-based tools can improve patching efficacy.

With instances of ransomware increasing, businesses need to review backup controls, technology and recoverability. Because ransomware is primarily deployed through phishing attacks or stolen credentials, it is also important to improve credential protections, deploy multi-factor, take advantage of conditional access and review your email filtering technology’s effectiveness.

The best course of action will also vary based on the size of your organization. Here’s a high-level recommendation to keep in mind as you plan next steps:

• For most industries and organizations: Focus on preventing Basic Web Application Attacks, System Intrusion and Social Engineering.
• For larger organizations: Do all the above, then add Denial of Service to the list.
• For mature organizations already doing the fundamentals: Develop an Insider Threat program. Breaches that have an insider element have a tenfold increase in compromised records and can do more damage than external threat actors.

All in all, analyze the data, review your capabilities and invest in areas that will reduce risk—whether it be people, process or technology.