2022 Verizon DBIR: 15 Years, 15 Takeaways

June 1, 2022 CyberArk Blog Team

Since 2008, the Verizon Data Breach Investigations Report (DBIR) has provided the global cybersecurity community with valuable insights on the evolving threat landscape. Not only does the latest 2022 report dig deep into current trends, it also looks back over 15 years to show just how much has changed… and how some things, like identity compromise through credential theft, never do.

To commemorate 15 years, here are 15 takeaways and observations on the 2022 Verizon DBIR:

1. When it comes to credential theft, it’s Groundhog Day all over again. The use of stolen credentials was pervasive across the 23,896 security incidents and 5,212 confirmed breaches analyzed, and the first link in nearly 50% of attack chains. It’s a familiar story on repeat: As the 2009 DBIR noted years ago, “It is evident that many intrusions exploit the basic (mis)management of identity.”

2. And things only got worse from there. Since its 2017 analysis, the DBIR team has tracked an almost 30% increase in the use of stolen credentials. Today, credentials represent “one of the most tried-and-true methods to gain access to an organization” and are “the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system,” noted the 2022 DBIR.

3. One thing that has changed dramatically is ransomware, which surged by 13% to 25% in one year — more than the past five years combined. Ransomware was present in almost 70% of all malware-related breaches, was one of the top tactics used by “capable threat actors” in system intrusions and supply chain attacks, and does not discriminate based on organization size.

4. Forty percent of all ransomware incidents involve desktop sharing software. With people working from everywhere, attackers found desktop sharing software such as remote desktop protocol (RDP) to be particularly useful — especially in launching ransomware attacks. Desktop sharing software was linked to 14% of all system intrusion incidents. “Unfortunately, if you can access the asset directly over the internet simply by entering the credentials, so can the criminals,” noted DBIR authors.

5. BUT… “Ransomware alone is simply a model of monetization of a compromised organization’s access that has become quite popular,” reminded the report authors. Reversing the ransomware rampage mostly comes down to blocking the most common paths to an organization’s estate, beginning with credential theft at the endpoint.

6. This year’s DBIR found 62% of system intrusion incidents came through an organization’s partner. In supply chain breaches, which the DBIR team classifies as a “sequence of one or more breaches chained together,” the use of stolen credentials was identified as a top action variety. Noted the DBIR team in its report announcement, “Compromising the right partner is a force multiplier for cyber criminals, and highlights the difficulties that many organizations face in securing their supply chain.” The findings corroborate those of the CyberArk 2022 Identity Security Threat Landscape Report, which found that 64% of security leaders admit an attack on their organization originating from a compromised software supplier could not be stopped.

7. While some sophisticated supply chain attacks involve many actions over lengthy periods of time, the 2022 DBIR found that a vast majority of attack chains (more than 75%) only include three steps. The most common were phishing, downloader and ransomware — likely made possible, in large part, by the surge in ransomware-as-a-service sold by highly organized criminal enterprises. Every step an attacker takes is an opportunity to get caught. So, report authors noted, “Our job as defenders is to lengthen that attack path.” In our CyberArk team’s view, following zero trust principles by implementing identity security controls such as multi-factor authentication (MFA) and privileged access management (PAM) can help minimize attackers’ movements, their access to sensitive systems and data, and ultimately, their chances of success.

8. Web application risks are the No. 1 attack vector… and 80% of these breaches can be attributed to, you guessed it, credential theft. No surprise here, since web apps are exposed to the internet and, in turn, to external attackers.

9. But what’s new is the addition of software updates to the list of top action vectors for web application attacks — coming in hot at 60%. With the landmark SolarWinds breach as their guide, attackers are increasingly distributing malware through software updates — and they’re targeting things like developer workstations, DevOps and automation tools that hold powerful privileges. In the words of the report authors, “One thing is certain, stolen creds and web apps go together like peanut butter and chocolate.”

10. When securing web applications, it’s important to consider privileged “insider” identities. Though the Verizon DBIR classifies them separately, it’s also important to consider how insider threats factor into the broader web application risk equation. According to CyberArk research, the average employee has access to more than 30 applications and accounts, and 52% of organizations’ workforces have access to sensitive corporate data. And 80% of organizations experienced employees misusing or abusing access to business applications in the past year — highlighting a widespread need for better visibility into user sessions and activities.

11. While we’re on the subject, are insider threat risks really that low? The 2022 Verizon DBIR found that an organization is about four times more likely to be attacked by an external actor than an insider. But take that with a grain of salt, as it’s likely more insider jobs go unreported and even undetected. A legitimate identity using legitimate credentials for the wrong reasons — especially someone with legitimate privileged access to sensitive resources — is hard to find unless you have ways to detect malicious or unusual behavior right away.
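One way to put a "ways to detect malicious or unusual behavior" check into practice is to learn, per identity, which host/action pairs it normally touches and when, then flag events that break that baseline. The script below is an added illustration, not code from the DBIR or from CyberArk; the log format, the users, hosts and working hours are all constructed for the example.

```python
"""Flag use of legitimate credentials that breaks the user's own baseline.

Added illustration, not part of the DBIR or of any CyberArk product: the
log lines, users, hosts and the working-hours window are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed access records: timestamp, user, host, action.
# BASELINE_LOG is the learning window; EVAL_LOG is the period under review.
BASELINE_LOG = """\
2022-05-02T09:12:00 alice db-prod-01 ssh_login
2022-05-02T10:40:00 alice db-prod-01 sudo
2022-05-03T09:05:00 alice db-prod-02 ssh_login
2022-05-04T11:20:00 alice db-prod-01 ssh_login
2022-05-02T08:55:00 bob hr-files-01 smb_read
2022-05-03T09:30:00 bob hr-files-01 smb_read
"""

EVAL_LOG = """\
2022-05-09T09:10:00 alice db-prod-01 ssh_login
2022-05-09T02:47:00 alice hr-files-01 smb_read
2022-05-09T10:15:00 bob hr-files-01 smb_read
2022-05-09T10:20:00 bob db-prod-01 sudo
"""

WORK_HOURS = range(7, 20)  # assumed normal window: 07:00 to 19:59 local time


def parse(log: str):
    """Turn the constructed log text into (datetime, user, host, action) tuples."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        records.append((datetime.fromisoformat(ts), user, host, action))
    return records


def build_baseline(records):
    """Per-user set of (host, action) pairs observed during the learning window."""
    baseline = defaultdict(set)
    for _, user, host, action in records:
        baseline[user].add((host, action))
    return baseline


def detect(records, baseline):
    """Return (user, host, action, reasons) for each event that deviates.

    Two deviations are checked: the (host, action) pair was never seen for
    this user before, or the event falls outside the assumed working hours.
    """
    findings = []
    for ts, user, host, action in records:
        reasons = []
        if (host, action) not in baseline.get(user, set()):
            reasons.append("new host/action for user")
        if ts.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((user, host, action, reasons))
    return findings


def run():
    """Learn from BASELINE_LOG, evaluate EVAL_LOG, return the findings."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(EVAL_LOG), baseline)


if __name__ == "__main__":
    for user, host, action, reasons in run():
        print(f"{user} {action} on {host}: {', '.join(reasons)}")
```

On the constructed data, alice's 02:47 read of the HR file share and bob's first ever sudo on a production database are reported; the routine logins are not. In a real deployment the baseline would be rebuilt on a rolling window and the "sensitive" hosts weighted more heavily, which is exactly the kind of session visibility the next takeaways argue for.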

12. Based on the insider incidents analyzed in the Verizon DBIR, privilege misuse, defined as “the pattern where people use the legitimate access granted to them as employees,” is 2.5 times more likely to be accidental than malicious. But when it’s intentional, internal threat actors are most likely to go after personal data of customers, employees or partners, the report found. As in years past, healthcare remains the industry with the highest number of malicious internal actors, and 22% of privilege misuse-related breaches targeted medical data.

13. The report found that error is responsible for 13% of all breaches, with the bulk of them stemming from misconfigured cloud storage. Considering how many digital identities live in the digital stratosphere today, this isn’t surprising, but it raises a question: When does “human error” become “humanly impossible?” Keeping thousands or hundreds of thousands of permissions properly configured all the time isn’t something most IT teams can do manually, especially since securing access to and within cloud environments is a relatively new discipline. As cloud migrations continue, AI and automation will be key to curbing identity-centric security challenges.
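The "humanly impossible" part of the cloud-storage problem is that a misconfiguration is one policy statement among thousands, so the practical answer is an automated audit. The script below is an added example, not code from the DBIR or from CyberArk: it walks a set of constructed bucket policies in the AWS S3 bucket-policy JSON shape (Effect, Principal, Action, Resource, optional Condition) and reports every bucket whose policy grants a read action to every principal with no Condition attached. Bucket names, the account ID and the VPC endpoint ID are constructed placeholders.

```python
"""Audit bucket policies for world-readable grants.

Added illustration, not code from the DBIR or from CyberArk. The policy
documents are constructed in the S3 bucket-policy JSON shape; bucket names,
the account id and the VPC endpoint id are placeholders.
"""
import json

# Constructed sample policies keyed by bucket name.
POLICIES = {
    "public-site-assets": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-site-assets/*"}]}),
    "customer-exports": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::customer-exports",
                      "arn:aws:s3:::customer-exports/*"]}]}),
    "finance-backups": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::finance-backups/*"}]}),
    "vpc-only-share": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::vpc-only-share/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123"}}}]}),
}

# Actions that let a principal read objects or enumerate a bucket.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal) -> bool:
    """True for both spellings of 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str):
    """Return statements that grant a read action to everyone with no Condition."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A scoped grant (VPC endpoint, source IP, ...) still deserves a
            # human look, but it is not unconditionally public; skip it here.
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(stmt)
    return hits


def audit(policies: dict) -> dict:
    """Map each bucket to the read actions its policy exposes to the world."""
    report = {}
    for bucket, doc in policies.items():
        exposed = set()
        for stmt in public_read_statements(doc):
            exposed.update(_as_list(stmt["Action"]))
        report[bucket] = sorted(exposed)
    return report


if __name__ == "__main__":
    for bucket, actions in audit(POLICIES).items():
        print(f"{bucket}: {'PUBLIC ' + ', '.join(actions) if actions else 'ok'}")
```

Run against the constructed set, the audit reports `public-site-assets` (intended) and `customer-exports` (the kind of error the report counts), and stays quiet on the role-scoped and VPC-scoped buckets. The intended-public bucket is the reason such a check needs an allowlist of buckets that are meant to be public; everything else it reports is a finding.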

14. Fifty-eight percent of mobile devices had at least one malicious URL clicked and 16% had at least one malware or riskware app installed. In the past few “contactless” years, people have become accustomed to using their phones for just about everything, from paying for goods to perusing restaurant menus. But remember, phishing is phishing — whether it’s a link in an email or a malicious QR code. And since “almost a fifth of phishing successes came from mobile devices, that should be good enough confirmation that it needs to be within your security estate,” cautioned report authors.

15. A whopping 82% of all analyzed breaches involved the human element when tallying up those due to human error, misuse of privilege (by legitimate identities) and social engineering. This highlights the need to approach cybersecurity holistically — not only emphasizing important technical security controls, but also people-centric initiatives. For instance, respondents in the CyberArk 2022 Identity Security Threat Landscape Report indicated cybersecurity awareness training was one of the top three most effective components of a defense-in-depth strategy to combat ransomware.

Read the entire 108-page 2022 Verizon DBIR to explore full findings, including industry- and region-specific attack patterns and trends. And to learn more about the role identity plays in almost every major cyberattack today, read our latest global research.
