2024 Data Breach Investigations Report

Cover labels: Phishing, Exploit vulnerabilities, Credentials, Web applications, Email, VPN, Desktop sharing

About the cover
This year, the report is delving deeper into the pathway to breaches in an effort to identify the most likely Action and vector groupings that lead to breaches given the current threat landscape. The cracked doorway on the cover is meant to represent the various ways attackers can make their way inside. The opening in the door shows the pattern of our combined "ways-in" percentages (see Figure 7 for a more straightforward representation), and it lets out a band of light displaying a pattern of the Action vector quantities. The inner cover highlights and labels the quantities in a less abstract way. Hope you enjoy our art house phase.

Table of contents
1 Introduction 5
Helpful guidance 6
Summary of findings 7
2 Results and analysis
Results and analysis: Introduction 11
VERIS Actors 15
VERIS Actions 18
VERIS Assets 23
VERIS Attributes 25
3 Incident Classification Patterns
Incident Classification Patterns: Introduction 28
System Intrusion 30
Social Engineering 36
Basic Web Application Attacks 42
Miscellaneous Errors 47
Denial of Service 49
Lost and Stolen Assets 51
Privilege Misuse 53
4 Industries
Industries: Introduction 56
Accommodation and Food Services 60
Educational Services 61
Financial and Insurance 62
Healthcare 64
Information 66
Manufacturing 67
Professional, Scientific and Technical Services 69
Public Administration 70
Retail 72
5 Regions
Regional analysis 75
6 Wrap-up
Year in review 81
7 Appendices
Appendix A: How to read this report 86
Appendix B: Methodology 88
Appendix C: U.S. Secret Service 92
Appendix D: Using the VERIS Community Database (VCDB) to Estimate Risk 94
Appendix E: Contributing organizations 96

1 Introduction

Greetings! Welcome to Verizon's 2024 Data Breach Investigations Report (DBIR). This year marks the 17th edition of this publication, and we are thrilled to welcome back our old friends and say hello to new readers. As always, the aim of the DBIR is to shine a light on the various Actor types, the tactics they utilize and the targets they choose. Thanks to our talented, generous and civic-minded contributors from around the world who continue to stick with us and share their data and insight, and deep appreciation for our very own Verizon Threat Research Advisory Center (VTRAC) team (rock stars that they are). These two groups enable us to examine and analyze relevant trends in cybercrime that play out on a global stage across organizations of all sizes and types.

From year to year, we see new and innovative attacks as well as variations on tried-and-true attacks that still remain successful. From the exploitation of well-known and far-reaching zero-day vulnerabilities, such as the one that affected MOVEit, to the much more mundane but still incredibly effective Ransomware and Denial of Service (DoS) attacks, criminals continue to do their utmost to prove the old adage "crime does not pay" wrong.

The shifting landscape of cyber threats can be confusing and overwhelming. When, in addition to the attack types mentioned above, one throws in factors such as the human element and/or poorly protected passwords, things become even more confused. One might be forgiven for viewing the current state of cybersecurity as a colorful cyber Mardi Gras parade. Enterprise floats of all shapes and sizes cruising past a large crowd of threat actors who are shouting out gleefully "Throw me some creds!" Of course, human nature being what it is, all too often, the folks on the floats do just that. And, as with all such parades, what is left in the aftermath isn't necessarily pretty.

The past year has been a busy one for cybercrime. We analyzed 30,458 real-world security incidents, of which 10,626 were confirmed data breaches (a record high!), with victims spanning 94 countries.

While the general structure of the report remains the same, long-time readers may notice a few changes. For example, the "first-time reader" section is now located in Appendix A rather than at the beginning of the report. But we do encourage those who are new to the DBIR to give it a read-through before diving into the report. It should help you get your bearings.

Last, but certainly not least, we extend a most sincere thanks yet again to our contributors (without whom we could not do this) and to our readers (without whom there would be no point in doing it).

Sincerely,
The Verizon DBIR Team
C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup

Very special thanks to:
Christopher Novak for his continued support and insight
Dave Kennedy and Erika Gifford from VTRAC
Kate Kutchko, Marziyeh Khanouki and Yoni Fridman from the Verizon Business Product Data Science Team

Helpful guidance

About the 2024 DBIR incident dataset
Each year, the DBIR timeline for in-scope incidents is from November 1 of one calendar year through October 31 of the next calendar year. Thus, the incidents described in this report took place between November 1, 2022, and October 31, 2023. The 2023 caseload is the primary analytical focus of the 2024 report, but the entire range of data is referenced throughout, notably in trending graphs. The time between the latter date and the date of publication for this report is spent in acquiring the data from our global contributors, anonymizing and aggregating that data, analyzing the dataset, and finally creating the graphics and writing the report. The jokes, sadly, do not write themselves.

Credit where credit is due
Turns out folks enjoy citing the report, and we often get asked how to go about doing it. You are permitted to include statistics, figures and other information from the report, provided that (a) you cite the source as "Verizon 2024 Data Breach Investigations Report" and (b) the content is not modified in any way. Exact quotes are permitted, but paraphrasing requires review. If you would like to provide people a copy of the report, we ask that you provide them a link to rather than the PDF.

Questions? Comments? Concerns? Love to share cute pet pictures? Let us know! Send us a note at , find us on LinkedIn, tweet VerizonBusiness with #dbir. Got a data question? Tweet VZDBIR!

If your organization aggregates incident or security data and is interested in becoming a contributor to the annual Verizon DBIR (and we hope you are), the process is very easy and straightforward. Please email us at .

Summary of findings

Our ways-in analysis witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years. It almost tripled (180% increase) from last year, which will come as no surprise to anyone who has been following the effect of MOVEit and similar zero-day vulnerabilities. These attacks were primarily leveraged by Ransomware and other Extortion-related threat actors. As one might imagine, the main vector for those initial entry points was Web applications.

Figure 1. Select ways-in enumerations in non-Error, non-Misuse breaches (n=6,963)

Roughly one-third of all breaches involved Ransomware or some other Extortion technique. Pure Extortion attacks have risen over the past year and are now a component of 9% of all breaches. The shift of traditional ransomware actors toward these newer techniques resulted in a bit of a decline in Ransomware to 23%. However, when combined, given that they share threat actors, they represent a strong growth to 32% of breaches. Ransomware was a top threat across 92% of industries.

Figure 2. Ransomware and Extortion breaches over time

We have revised our calculation of the involvement of the human element to exclude malicious Privilege Misuse in an effort to provide a clearer metric of what security awareness can affect. For this year's dataset, the human element was a component of 68% of breaches, roughly the same as the previous period described in the 2023 DBIR.

In this issue, we are introducing an expanded concept of a breach involving a third party that includes partner infrastructure being affected and direct or indirect software supply chain issues, including when an organization is affected by vulnerabilities in third-party software. In short, those are breaches an organization could potentially mitigate or prevent by trying to select vendors with better security track records. We see this figure at 15% this year, a 68% increase from the previous year, mostly fueled by the use of zero-day exploits for Ransomware and Extortion attacks.

Our dataset saw a growth of breaches involving Errors, now at 28%, as we broadened our contributor base to include several new mandatory breach notification entities. This validates our suspicion that errors are more prevalent than media or traditional incident response-driven bias would lead us to believe.

Figure 3. Select key enumerations in breaches

Financially motivated threat actors will typically stick to the attack techniques that will give them the most return on investment. Over the past three years, the combination of Ransomware and other Extortion breaches accounted for almost two-thirds (fluctuating between 59% and 66%) of those attacks. According to the FBI's Internet Crime Complaint Center (IC3) ransomware complaint data, the median loss associated with the combination of Ransomware and other Extortion breaches has been $46,000, ranging between $3 (three dollars) and $1,141,467 for 95% of the cases. We also found from ransomware negotiation data contributors that the median ratio of initially requested ransom and company revenue is 1.34%, but it fluctuated between 0.13% and 8.30% for 80% of the cases.

Similarly, over the past two years, we have seen incidents involving Pretexting (the majority of which had Business Email Compromise [BEC] as the outcome) accounting for one-fourth (ranging between 24% and 25%) of financially motivated attacks. In both years, the median transaction amount of a BEC was around $50,000, also according to the FBI IC3 dataset.

Figure 5. Select action varieties in Financial motive over time

The overall reporting rate of Phishing has been growing over the past few years. In security awareness exercise data contributed by our partners during 2023, 20% of users reported phishing in simulation engagements, and 11% of the users who clicked the email also reported. This is welcome news because on the flip side, the median time to click on a malicious link after the email is opened is 21 seconds and then only another 28 seconds for the person caught in the phishing scheme to enter their data. This leads to an alarming finding: The median time for users to fall for phishing emails is less than 60 seconds.

Figure 4. Phishing email report rate by click status

2 Results and analysis

Results and analysis: Introduction

Hello, friends, and welcome to the "Results and analysis" section. This is where we cover the highlights we found in the data this year. This dataset is collected from a variety of sources, including our own VTRAC investigators, reports provided by our data contributors and publicly disclosed security incidents.[1] Because data contributors come and go, one of our priorities is to make sure we can get broad representation on different types of security incidents and the countries where they occur. This ebb and flow of contributors obviously influences our dataset, and we will do our best to provide context on those potential biases where applicable.

This year we onboarded a good number of new contributors and reached an exciting milestone of more than 10,000 breaches analyzed in a single edition.[2] It is an enormous amount of work to organize and analyze, but it is also incredibly gratifying to be able to present these results to you. In an attempt to be more actionable, we would like to use this section to discuss some high-level findings that transcend the fixed structure of the Vocabulary for Event Recording and Incident Sharing (VERIS) 4As (Actor, Action, Asset and Attribute) and expand on some of the key findings we have been highlighting over the past few years.

[1] Have you checked out the VERIS Community Database (VCDB) yet? You should, it's awesome! (https://verisframework.org/vcdb.html)
[2] We also passed our cumulative 1 million incident milestone as we forecast in the 2023 DBIR, but we are only mentioning this here in the footnote to not aggravate the report; it was very disappointed that 1 million is not enough to retire on in this economy.

Ways into your sensitive data's heart

One of the actionable perspectives we have created has been the ways-in analysis, in which we try to make sense of the initial steps into breaches to help predict how to best avoid or prevent them. We still have plenty of unknown Actions and vectors dispersed throughout the dataset as investigation processes and disclosure patterns widely differ across our data contributors,[3] but this view of what we know for sure has remained stable and representative over the years.

Figure 6 paints a clear picture of what has been the biggest pain point for everyone this year. This 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach will be of no surprise to anyone who has been following the MOVEit vulnerability and other zero-day exploits that were leveraged by Ransomware and Extortion-related threat actors. This was the sort of result we were expecting in the 2023 DBIR when we analyzed the impact of the Log4j vulnerabilities. That anticipated worst case scenario discussed in the last report materialized this year with this lesser known, but widely deployed, product. We will be diving into additional details of MOVEit and vulnerability exploitation in the "Action" and "System Intrusion" pattern sections.

Figure 6. Select ways-in enumerations in non-Error, non-Misuse breaches over time

[3] We're not throwing shade; different types of contributing organizations focus on what is most relevant for them, as well they should.

To dig further into this concept of the ways in, we are presenting a new slice of the data, where we are overlaying those different types of Actions with their most popular vectors to help focus response and planning efforts. You can take a peek at those results in Figure 7. Phishing attacks mostly having an Email vector is rather self-explanatory,[4] so we would like to focus on the concentration of the Web application vector prevalence for both credentials and exploit vulnerability. The presence of Credentials in the graphic should not be surprising as it carries a large share of the guilt for our Basic Web Application Attacks pattern (i.e., getting unauthorized access to cloud-based email and collaboration accounts). But recency bias might make folks doubt the prevalence of exploitation of vulnerabilities. Because this report is being written in the beginning of 2024, the focus has been on zero-day (or near-zero-day) vulnerabilities in virtual private network (VPN) software.[5] Naturally, the share of VPN vector in the exploit vuln variety will likely increase for our 2025 report to reflect those trends, but the bottom line is again self-evident and self-explanatory. Anything that adds to your attack surface on the internet can be targeted and potentially be the first foothold for an external threat actor, and as such, the focus should be to try to keep footholds to a minimum.

No matter how you feel about your VPN software right now, having as many of your web applications as possible behind it might be a better strategy than having to worry about emergency overnight patching of the software, and all the other dependencies that power the web applications themselves. This will not completely mitigate the risk and will not be the right fit for all organizations, but in the worst-case scenario, the Cybersecurity Infrastructure and Security Agency (CISA) might have you rip out only one tool from your network as opposed to several. Anyway, all this nuance does not affect our opinion of having desktop sharing software directly connected to the internet. Go fix that pronto, please.

Figure 7. Select ways-in variety and vector enumerations in non-Error, non-Misuse breaches (n=2,770)

[4] And an incredible L for the *ishing portmanteau enthusiasts.
[5] Unless by now we have successfully ripped them out of our networks entirely and are back to our smoke signals and carrier pigeon ways.

We are only human after all

One other combined metric we have been tracking for a few years is related to the human element in breaches. There is a lot of focus on how fully automated attacks can ruin an organization's day,[6] but it is often surprising how much the people inside the company can have a positive effect on security outcomes. This year, we have tweaked our human element metric a bit so its impact and action opportunities are clearer. You see, when DBIR authors (and the whole industry in general) would discuss this metric, it would be alongside an opportunity gap for security training and awareness. It is not perfect, but if you had a clear investment path that could potentially improve the outcomes of more than two-thirds of potential breaches, you might at least sit down and listen. It turns out that our original formula for what was included in the human element metric built in Privilege Misuse pattern breaches, which are the cases involving malicious insiders. Having those mixed with honest mistakes by employees did not make sense if our aim was to suggest that those could be mitigated by security awareness training.[7]

Figure 8 showcases the new human element over time (with malicious insiders removed) to provide a better frame of reference for our readers going forward. It is present in more than two-thirds of breaches as foreshadowed two paragraphs ago, more precisely in 68% of breaches. It is statistically similar to our findings last year, which means that in a certain way, the increases we had across the board in the Miscellaneous Errors pattern (human-centric) and as a result of the MOVEit vulnerability (automated) were similar in scope as far as this metric is concerned. Fans of the "original flavor" human element are not missing much because the inclusion of the Misuse action would have brought the percentage to 76%, statistically only slightly more than the previous report's 74%. Still, we prefer the clearer definition going forward, and we will leave the analysis of those bothersome insiders and their misdeeds to the "Privilege Misuse" pattern section.

Figure 8. Human element enumeration in breaches over time

[6] We ourselves were just talking about the growth of exploitation of vulnerabilities as a pathway into breaches.
[7] We dread to think what "awareness training" for malicious insiders would look like.

The weakest links in the chain of interconnection

Finally, as we review the big picture of how the threat landscape changed this year,[8] we would like to introduce a new metric that we will be tracking going forward. As the growth of exploitation of vulnerabilities and software supply chain attacks make them more commonplace in security risk register discussions, we would like to suggest a new third-party metric where we embrace the broadest possible interpretation of the term.[9] Have a peek at Figure 9, where we calculated a supply chain interconnection influence in 15% of the breaches we saw, a significant growth from 9% last year. A 68% year-over-year growth is really solid, but what do we mean by this?

Figure 9. Supply chain interconnection in breaches over time

For a breach to be a part of the supply chain interconnection metric, it will have taken place because either a business partner was the vector of entry for the breach (like the now fabled heating, ventilating and air-conditioning [HVAC] company entry point in the 2013 Target breach) or if the data compromise happened in a third-party data processor or custodian site (fairly common in the MOVEit cases, for instance). Less frequently found in our dataset, but also included, are physical breaches in a partner company facility or even partner vehicles hijacked to gain entry to an organization's facilities.[10]

So far, this seems like a pretty standard third-party breach recipe, but we are also adding cases, such as SolarWinds and 3CX, in which their software development processes were hijacked and malicious software updates were pushed to their customers to be potentially leveraged in a second step escalation by the threat actors. Those breaches are ultimately caused by the initial incident in the software development partner, and so we are adding those to this tab.

Now for the controversial part: Exploitation of vulnerabilities is counted in this metric as well. As much as we can argue that the software developers are also victims when vulnerabilities are disclosed in their software (and sure, they are), the incentives might not be aligned properly for those developers to handle this seemingly interminable task. These quality control failures can disproportionately affect the customers who use this software. We can clearly see what powerful and wide-reaching effects a handful of zero-day or mismanaged patching rollouts had on the general threat landscape. We stopped short of adding exploitation of misconfigurations in installed software because, although those could be a result of insecure defaults, system admins can get quite creative sometimes.

[8] Number of times the word "MOVEit" is mentioned in this report: 25
[9] In a surprising role reversal, as we are often very pedantic in our definitions
[10] We should stop watching those "Mission: Impossible" movies during DBIR writing season.

Figure 10 shows the breakdown of VERIS actions in the supply chain metric and, as expected, it is driven by Exploit vuln, which ushers Ransomware and Extortion attacks into organizations. This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other. Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up. We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners. We will keep a close watch on this one and seek to improve its definition over time. We welcome feedback and suggestions of alternative angles, and we believe the only way through it is to find ways to hold repeat offenders accountable and reward resilient software and services with our business.

Figure 10. Action varieties in selected supply chain interconnection breaches (n=1,075)

VERIS Actors

Hey, you, don't skip this section this year! We know we keep repeating, "It's always external criminals wanting your money" alongside dated pop culture references, but we have some interesting data points to discuss this year. Does this mean External actors are not the most prevalent? No, of course they are, silly. But since we got your attention, please read on.

This year, in part because of improved breach collection processes[11] and the onboarding of new data contributors documenting mandatory breach disclosures, it is finally time for Internal actors to shine. After all, why rely on outside help if you have the talent in-house? We still have the External actors as the top catalyst for breaches at 65%, but we have Internal at a whopping 35%, a significant increase from last year's 20% number. Figure 11 showcases this development over the last few years. However, before we call an emergency meeting and start pointing fingers at each other trying to figure out who the impostor is, it's important to realize that 73% of those Internal actor breaches were in the Miscellaneous Errors pattern, and we shouldn't really be holding their feet to the fire.[12] We will be discussing more about this Error renaissance[13] in the respective pattern section, but it showcases one long-standing suspicion of the team that mandatory breach disclosure at scale will help us better understand how mundane and preventable some of those incidents can be.

And speaking of disclosure, the numerous Extortion attacks used by ransomware actors have caused an influx of the numbers of external actor incidents we review each year because they tip the hands of their victims and force them to notify their customers of the breach. This helped us keep our dataset balanced. Further mandatory disclosure regulation trends in the world will help us all understand the causal landscape better.[14]

Figure 11. Threat actors in breaches over time

Before anyone gets excited by more groundbreaking changes in the "Actor" section, Figure 12 is pleased to inform you that the Actor motive ranking remains the same. Financial has the clear lead, but it is interesting to note that the Espionage motive has increased slightly over last year, from 5% to 7%. As was the case in the prior report, this motive is mostly concentrated in Public Administration breaches.

Figure 12. Threat actor motives in breaches (n=5,632)

[11] Doubling the number of breaches we analyzed was no easy feat. We feel sorry for the poor DBIR authors who will have to outdo that number for the 2025 edition.
[12] Unless carelessness and inattention to detail are wrong.
[13] Errorssance? Age of Enerrorment?
[14] This will also give threat actors new opportunities to be tattletales and report material breaches to organizations like the U.S. Securities and Exchange Commission (SEC).

We can find the same expected results when we consider the varieties of threat actors with which we are dealing. Figure 13 illustrates the lead that Organized crime-affiliated actors enjoy over their State-sponsored counterparts, as our analysis has shown for many years. Please don't misunderstand: This in no way means that the threat from those Actors should be taken lightly. State-sponsored actors are unusually resourceful and capable of adapting their tactics. Luckily for the average organization, they are less likely to target run-of-the-mill enterprises as often as your everyday, garden-variety criminal. On a different note, End-user (in VERIS parlance, an average employee or contractor of an organization) has grown a lot, more than doubling from 11% to 26%. Those were mostly involved in Misdelivery errors and were part of the same growth in the Miscellaneous Errors pattern we discussed above. All in all, it's been an upsetting year for all detail-oriented perfectionists[15] out there.

Figure 13. Threat actor varieties in breaches (n=7,921)

[15] Just imagine what it would be like to work for one of those people. Editor's note: We resent that!
[16] https://verisframework.org/actors.html

Actor categories[16]

External: External threats originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees and government entities. This category also includes God (as in "acts of"), "Mother Nature" and random chance. Typically, no trust or privilege is implied for external entities.

Internal: Internal threats are those originating from within the organization. This encompasses company full-time employees, independent contractors, interns and other staff. Insiders are trusted and privileged (some more than others).

Partner: Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers and outsourced IT support. Some level of trust and privilege is usually implied between business partners. Note that an attacker could use a partner as a vector, but that does not make the partner the Actor in this case.
92、elationship with the organization.This includes suppliers,vendors,hosting providers and outsourced IT support.Some level of trust and privilege is usually implied between business partners.Note that an attacker could use a partner as a vector,but that does not make the partner the Actor in this case
93、.The partner has to initiate the incident to be considered the responsible party.172024 DBIR Results and analysisArtificial general intelligence threat landscape,emphasis on“artificial,”not“intelligence”Despite the pressure from a vocal minority of the cybersecurity community,17 it seems that the DB
94、IR team will not be adding“Evil AGI”18 to the VERIS actor enumerations in 2024.However,it is still a very timely topic and one that has been occupying the minds of technology and cybersecurity executives worldwide.19We did keep an eye out for any indications of the use of the emerging field of gener
95、ative artificial intelligence(GenAI)in attacks and the potential effects of those technologies,but nothing materialized in the incident data we collected globally.20After performing text analysis alongside our criminal forums data contributors,we could obviously see the interest in GenAI(as in any o
96、ther forum,really),but the number of mentions of GenAI terms alongside traditional attack types and vectors such as“phishing,”“malware,”“vulnerability”and“ransomware”were shockingly low,barely breaching 100 cumulative mentions over the past two years.Most of the mentions21 involved the selling of ac
97、counts to commercial GenAI offerings or tools for AI generation of non-consensual pornography.Figure 14 illustrates our findings.If you extrapolate the commonly understood use cases of GenAI technology,it could potentially help with the development of phishing,malware and the discovery of new vulner
98、abilities in much the same way it helps your 10th grader write that book report for school or your average AI social media influencer pretend to create a website by taking a picture of a drawing on a napkin.But would this kind of assistance really move the needle on successful attacks?One can argue,
given our Social Engineering pattern numbers from the past few years, that Phishing or Pretexting attacks don't need to be more sophisticated to be successful against their targets, as we have seen with the growth of BEC-like attacks. Similarly, malware, especially of the Ransomware flavor, does not seem to be lacking in effectiveness, and threat actors seem to have a healthy supply of zero-day vulnerabilities for initial infiltration into an organization. From our perspective, the threat actors might well be experimenting and trying to come up with GenAI solutions to their problems. There is evidence being published22 of leveraging such technologies in “learning how to code” activities by known state-sponsored threat actors. But it really doesn't look like a breakthrough is imminent or that any attack-side optimizations this might bring would even register on the incident response side of things. The only exception here has to do with the clear advancements on deepfake-like technology, which has already created a good deal of reported fraud and misinformation anecdotes.

Incidentally, we did ask one of those GenAI tools what threats this nascent technology could amplify, and it ended up suggesting the same things as above.23 It made it seem like it already had an outsize influence in those subjects and that “organizations must adapt their defense strategies to keep pace with the evolving sophistication of GenAI-driven threats.”24 This little experiment seems to indicate that even GenAI has a tendency toward beefing up its resume via the use of well-placed exaggeration. Turns out it's really hard to escape the hype no matter where you sit on the natural vs. artificial divide.

Figure 14. Cumulative sum of GenAI in criminal forums

17 Strange spelling for “unhinged marketing hype”
18 Artificial general intelligence. You know, HAL 9000, Skynet, Cylons, M3GAN
19 Just like real impactful technologies such as blockchain and the metaverse
20 But if we had been taken over by an evil AI technology, that is what we would say. Makes you think.
21 It is worth pointing out that while we were writing this section, Kaspersky came up with similar research that is worth a look: https:/
22 https:/
23 And when we asked it to do it again but in the voice of the DBIR, it seemed unhealthily fixated on circus and theater jokes and puns. Is that what we sound like?
24 We certainly know where we're getting marketing copy for our next cybersecurity startup.
Action categories28

Hacking (hak): attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms.
Malware (mal): any malicious software, script or code run on a device that alters its state or function without the owner's informed consent.
Error (err): anything done (or left undone) incorrectly or inadvertently.
Social (soc): employ deception, manipulation, intimidation, etc., to exploit the human element, or users, of information assets.
Misuse (mis): use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended.
Physical (phy): deliberate threats that involve proximity, possession or force.
Environmental (env): not only includes natural events such as earthquakes and floods but also hazards associated with the immediate environment or infrastructure in which assets are located.

2024 DBIR Results and analysis

VERIS Actions

A wise person25 once said, “We are what we repeatedly do,” and wouldn't they be impressed by the stoicism of how some of our top VERIS Actions keep showing up year after year? In all fairness, it does seem more an exercise of “if it ain't broke don't fix it” than any classical philosophical principle. But it highlights that we defenders have a lot of work to do, as usual.

Figure 15 has our top Action varieties in breaches, and it brings a lot to talk about. As we mentioned in the “Introduction” section, a big shift this year was the reduction of the Use of stolen credentials as a percentage of initial actions in breaches. It is still our top action at 24%, although it just barely passes statistical testing when compared to our good old Ransomware in the second spot, with 23%. Ransomware is less representative than last year, although its common style of financially motivated breach is being complemented by Extortion, which now represents 9% of our action distribution. If you count Ransomware breaches and breaches with Extortion from ransomware actors as just two sides of the same coin,26 we show a combined activity of 32% from those action varieties.

You can also see Extortion hand in hand with Exploit vuln at 10% of breaches, and the pair of them headline MOVEit's (and other similar vulnerabilities') impact, along with some other malware- and hacking-related varieties, such as Backdoor or C2 (command and control). That is double the exploitation of vulnerabilities of last year, and that obviously has had an impact in our ways-in metric as discussed in the introduction. Readers can find more details about this remarkable event in our “System Intrusion” pattern section.

One other thing worth noting is the clear overtaking of Pretexting as a more likely social action than Phishing. If you have been tracking our chronicle of the rise of BEC attacks, you know this is a viable and scalable way to address threat actor monetization anxieties.27

Figure 15. Top Action varieties in breaches (n=9,982)

25 Since every quote on the Internet is misattributed, let's just save some time and take the easy way out.
26 Which we kind of do in this issue of the report because it is exhausting to argue with people all the time about things like threat actor methodology details or tactics, techniques and procedures (TTPs) when everyone else seems to be doing it.
27 Unfortunately, everyone has to hit their quotas each quarter.
28 https://verisframework.org/actions.html

Moving on to Figure 16, we have a chance to look into top Action varieties for incidents. It should not surprise any returning reader to see the prevalence of DoS attacks in the top spot, being present in 59% of our recorded incidents. There is very little we can say about this Action variety that we haven't said before29 as its lead has been quite stable over the years. We can also observe the same phenomenon in Ransomware that we saw in breaches. It is overall lower than last year, being present in 12% of incidents, but when you combine it with Extortion, we hit a similar ratio to last year's 15% of “Ramstortion.”30

Figure 17 showcases the Action vectors in breaches, and the results are in line with what we have been discussing in the “Introduction” and “Actors” sections. There was considerable growth of Carelessness due to the increase in error breaches and an uptick in Email as a vector driven by the increase in pretexting. Web applications is hanging in there, though, and as we discussed in the introduction, it goes hand in hand alongside use of stolen credentials and exploitation of vulnerabilities to infiltrate your defenses.

Figure 16. Top Action varieties in incidents (n=28,625)
Figure 17. Top Action vectors in breaches (n=7,248)

29 We do try in the “Denial of Service” pattern section regardless.
30 “Extorware”? What would be the best couple's name for this pair?
31 The obvious “ways-out” pun doesn't make sense here. Maybe if we had cyber getaway cars.
Over the past year, CISA has been leading the secure by design software development revolution. We have issued alerts documenting foreign intelligence agencies penetrating hundreds of critical infrastructure entities and establishing a foothold, possibly to be used in a future conflict. We have also published blueprints for what we need to change in order to establish a culture of technology development that puts security first without sacrificing innovation. These two efforts are different and necessary approaches to the same problem.

Today, the software industry is focused on the malicious actors and how they work. As a community, we talk about signature adversary moves, the amount of money made and the vulnerabilities that were exploited. But it's that last point, vulnerabilities that were exploited, that doesn't get nearly enough focus. Most software vulnerabilities are not unknown, unique or novel. Instead, they fall into well-known classes of vulnerabilities, and unfortunately, we continue to see the same classes of vulnerabilities that have been identified for decades. Our goal should be to shift away from focusing on individual vulnerabilities and to instead consider the issue from a strategic lens. By focusing on recurring classes of software defects, we can inspire software developers to improve the tools, technologies, and processes and attack software quality problems at the root. I hope that a deeper understanding of how attackers get in will be the catalyst to demand that our technology be secure by design starting today.

Jen Easterly
Director, Cybersecurity and Infrastructure Security Agency (CISA)

Speaking of ways in, it might also be interesting to explore a handful of goals and outcomes of those attacks.31 Figure 18 describes the prevalence of ransomware/extortion and pretexting action varieties under the Financial actor motive. As we frequently point out, those are two of the most successful ways of monetizing a breach. The ransom duo has been hovering around the two-thirds mark (62%) for some time, while Pretexting made up nearly a quarter (24%) of goal actions over the past two years.

Figure 18. Select action varieties in Financial motive over time

32 DBIR guided visualization: Picture blue team folks in jerseys at the Super Bowl chanting, “MFA! MFA! MFA!”
Exploitation moving swiftly in the threat landscape

The DBIR is entering its Vulnerability Era. One of the most critical findings we had this year was the growth of the Exploit vuln action variety. We have emphasized the fact that credential abuse is the big thing to focus on for several years now,32 and even the most obtuse of us can see a trend when it is smacking us in the face. We knew that the MOVEit vulnerability was trouble when it first entered the room, and we were able to identify 1,567 breach notifications that related to MOVEit by a combination of (very vague) breach descriptions and the timing of the breach itself. Reports from CISA33 state that the Cl0p ransomware team had compromised more than 8,00034 global organizations from a handful of zero-day vulnerabilities being exploited. It is important to mention this high number even if our sampled incident dataset does not account for all of that in either breach notifications or ransomware victim listings scraped from the threat actors' own notification websites.35

This love story between zero-day vulnerabilities and ransomware threat actors puts us all in a concerning place. By doing a survival analysis36 of vulnerability management data and focusing on the vulnerabilities in the CISA Known Exploited Vulnerabilities (KEV) catalog37 (arguably an area of priority focus in vulnerability management), we found that it takes around 55 days to remediate 50% of those critical vulnerabilities once their patches are available. As Figure 19 demonstrates, the patching doesn't seem to start picking up until after the 30-day mark, and by the end of a whole year, around 8% of them are still open.

Figure 19. Survival analysis of CISA KEV vulnerabilities

But before organizations start pointing at themselves saying, “It's me, hi, I'm the problem,” we must remind ourselves that after following a sensible risk-based analysis,38 enterprise patch management cycles usually stabilize around 30 to 60 days as the viable target, with maybe a 15-day target for critical vulnerability patching. Sadly, this does not seem to keep pace with the growing speed of threat actor scanning and exploitation of vulnerabilities.

This is not enough to shake the risk off. As we pointed out in the 2023 DBIR, the infamous Log4j vulnerability had nearly a third (32%) of its scanning activity happening in the first 30 days of its disclosure. The industry was very efficient in mitigating and patching affected systems so the damage was minimized, but we cannot realistically expect an industrywide response of that magnitude for every single vulnerability that comes along, be it zero-day or not. In fact, if you look at the distribution of when vulnerabilities have their first scan seen in internet honeypots on Figure 20, the median time for that to happen for a Common Vulnerabilities and Exposures (CVE) registered vulnerability in the CISA KEV is five days. On the other hand, the median time for non-CISA KEV vulnerabilities sits at 68 days. There is an obvious “no true Scotsman” fallacy comment to be made here because when exploitation starts running rampant, vulnerabilities get added to the KEV. There are few hindsight metrics as powerful as this one to guide what you should be patching first.39 In summary, if it goes into the KEV, go fix it ASAP.

Even though this survival analysis chart looks bleak, this is the optimist's view of the situation. We must remind ourselves that these are companies with resources to at least hire a vulnerability management vendor. That tells us that they care about the risk and are taking measures to address it. The overall reality is much worse, and as more ransomware threat actors adopt zero-day and/or recent vulnerabilities, they will definitely fill the blank space in their notification websites with your organization's name.

If we can't patch the vulnerabilities faster, it seems like the only logical conclusion is to have fewer of them to patch. We realize this is the stuff of our wildest dreams, but at the very least, organizations should be holding their software vendors accountable for the security outcomes of their product, even if there is no regulatory pressure on those vendors to do better. The DBIR will emphasize this point going forward by expanding our third-party involvement in breaches metric to also account for the exploitation of vulnerabilities.40 This helps illustrate that when choosing a vendor, software that is secure by design would make a difference.

We recommend that folks who are involved in both software development and software procurement take the time to review the recently updated “Secure by Design”41 report by CISA and 17 U.S. and international partners. It shows how software can be made to have better security outcomes and what to look for as a buyer. The DBIR does not intend to foster any bad blood with software providers that might be falling short of their goals in keeping their products safe, but if there ever was a clear time to make a statement by prioritizing this elegant solution to a growing threat, this is it. We can see the costs of not acting all too well.

Figure 20. Time from publication of vulnerability to first scan seen (from 2020 onward) [series: Non CISA KEV, CISA KEV; x-axis: days until first scan]

33 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
34 Vegeta's power Scouter is still intact.
35 And just like a consultant will say, “It depends,” our data scientists will say, “It's the sampling bias.”
36 Hat tip to Jay Jacobs of Cyentia on the methodology: https:/
37 https://www.cisa.gov/known-exploited-vulnerabilities-catalog
38 Such as the one in https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-RemediateVulnerabilitiesforInternetAccessibleSystems_S508C.pdf
39 Eat your heart out, CVSS (Common Vulnerability Scoring System).
40 Have a look at the “Introduction” subsection in this “Results and analysis” section.
41 https://www.cisa.gov/resources-tools/resources/secure-by-design
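The survival analysis behind Figure 19 and the days-to-first-scan medians behind Figure 20 can be reproduced on your own vulnerability management export. The block below is an added example (not DBIR code; the finding records and scan timings are constructed, not DBIR data): it computes a Kaplan-Meier remediation curve in which still-open findings are right-censored instead of dropped, reads off the day by which half the findings were closed and the fraction still open at one year, and reports the median days to first scan for KEV versus non-KEV entries.

```python
"""Kaplan-Meier remediation curve for vulnerability findings.

Added example, not DBIR code. The records below are constructed so the
shape resembles Figure 19: still-open findings are right-censored rather
than dropped, which is what keeps the estimate honest about slow patchers.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One KEV finding from a (hypothetical) vulnerability management export.

    days:       days from patch availability to remediation, or to the last
                observation date if the finding is still open.
    remediated: True if closed on `days`, False if still open (censored).
    """
    finding_id: str
    days: int
    remediated: bool


# Constructed sample: 13 findings tracked for up to one year.
FINDINGS: List[Finding] = [
    Finding("kev-01", 10, True),
    Finding("kev-02", 25, True),
    Finding("kev-03", 30, True),
    Finding("kev-04", 40, False),   # host decommissioned at day 40: censored
    Finding("kev-05", 45, True),
    Finding("kev-06", 55, True),
    Finding("kev-07", 60, True),
    Finding("kev-08", 90, True),
    Finding("kev-09", 120, True),
    Finding("kev-10", 200, False),  # still open when last seen at day 200
    Finding("kev-11", 365, False),  # still open at one year
    Finding("kev-12", 365, False),
    Finding("kev-13", 365, False),
]

# Constructed days from CVE publication to first honeypot scan, per group.
FIRST_SCAN_DAYS: Dict[str, List[int]] = {
    "kev": [2, 3, 5, 5, 9, 14],
    "non_kev": [20, 45, 68, 68, 90, 200, 400],
}


def kaplan_meier(findings: List[Finding]) -> List[Tuple[int, float]]:
    """Return (day, S(day)) steps where S is the fraction still open.

    At each remediation day t the survival is multiplied by (1 - d/n), with
    d = findings closed on t and n = findings still at risk (open and under
    observation) at t. Censored findings count in n until they drop out.
    """
    survival = 1.0
    curve: List[Tuple[int, float]] = []
    for day in sorted({f.days for f in findings if f.remediated}):
        at_risk = sum(1 for f in findings if f.days >= day)
        closed = sum(1 for f in findings if f.remediated and f.days == day)
        survival *= 1.0 - closed / at_risk
        curve.append((day, survival))
    return curve


def still_open_at(curve: List[Tuple[int, float]], day: int) -> float:
    """Step-function lookup: fraction still open after `day` days."""
    value = 1.0
    for step_day, survival in curve:
        if step_day > day:
            break
        value = survival
    return value


def days_to_close_fraction(curve: List[Tuple[int, float]],
                           fraction: float) -> Optional[int]:
    """First day by which at least `fraction` of findings were closed, or
    None if the curve never reaches it (too many findings still open)."""
    for day, survival in curve:
        if survival <= 1.0 - fraction + 1e-12:
            return day
    return None


def median_days_to_first_scan(group: str) -> float:
    """Median days from publication to first scan for 'kev' or 'non_kev'."""
    return float(median(FIRST_SCAN_DAYS[group]))


if __name__ == "__main__":
    curve = kaplan_meier(FINDINGS)
    print("day by which 50% were closed:", days_to_close_fraction(curve, 0.5))
    print("fraction still open at 1 year:", round(still_open_at(curve, 365), 3))
    for group in FIRST_SCAN_DAYS:
        print(group, "median days to first scan:", median_days_to_first_scan(group))
```

Note that the censored finding at day 40 stays in the risk set for the earlier remediation days, which is why the curve differs from a plain closed-over-total ratio.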
VERIS Assets

Analyzing the VERIS Assets helps us understand where all those attacks we keep harping on are focused, and everyone sure needs help in prioritizing how to defend those assets. Even though those results might not be surprising as they have a good correlation with the VERIS Actions we just discussed, it is worthwhile to understand the year-to-year trends in the threat landscape.

Our asset power ranking42 has not changed a lot from last year, but there are a handful of changes that are worth pointing out in Figure 21. Even though the order from the 2023 DBIR is the same and the prevalence of Server assets is roughly the same as well, we find substantial growth in both Person43 and Media assets. Person as an asset has become more involved this year because of the growth of pure Extortion action-based breaches in our dataset. As a social action, Extortion demands a Person as the direct victim, and the dataset gnomes44 are happy to oblige. What is interesting here is that the Ransomware action, where pure Extortion got its spin-off from, implied that there was an extortion phase where the money was requested without being connected to a Person asset.45 Thus, this growth in Person also makes sense as a more representative truth of the mechanics of such breaches. Your employees need to be aware of how to handle a ransom or extortion demand and follow whatever procedures were established by your organization to handle those. By the way, make sure you have those documented46 just in case.

Figure 21. Assets in breaches (n=8,910)

42 Who would win in a fight, an email server or a file server with prep time?
43 Perhaps not in maturity, as some people assets will have their security attributes compromised to avoid going to therapy.
44 The DBIR authors' pickleball team name
45 This is likely too much VERIS Standard inside baseball for the average reader, but we are amused very easily by things like this.
46 Just keep it on your file server. It should be fine, right? (Not really)
47 Believe it or not, this is not the 1994 Data Breach Investigations Report.
157、xtortion demand and follow whatever procedures were established by your organization to handle those.By the way,make sure you have those documented46 just in case.Figure 21.Assets in breaches(n=8,910)VERIS Assets242024 DBIR Results and analysis47 Believe it or not,this is not the 1994 Data Breach In
158、vestigations Report.48 https:/verisframework.org/assets.htmlAsset categories48 Server(srv):a device that performs functions of some sort supporting the organization,commonly without end-user interaction.Where all the web applications,mail services,file servers and all that magical layer of informati
159、on is generated.If someone has ever told you“the system is down,”rest assured that some Servers had their Availability impacted.Servers are common targets in almost all of the attack patterns,but especially in our System Intrusion,Basic Web Application Attacks,Miscellaneous Errors and Denial of Serv
160、ice patterns.Person(per):the folks(hopefully)doing the work at the organization.No AI chat allowed.Different types of Persons will be members of different departments and will have associated permissions and access in the organization stemming from this role.At the very least,they will have access t
161、o their very own User device and their own hopes and dreams for the future.Person is a common target in the Social Engineering pattern.User device(usr):the devices used by Persons to perform their work duties in the organization.Usually manifested in the form of laptops,desktops,mobile phones and ta
162、blets.Common target in the System Intrusion pattern but also in the Lost and Stolen Assets pattern.People do like to take their little computers everywhere.Network(net):not the concept but the actual network computing devices that make the bits go around the world,such as routers,telephone and broad
163、band equipment,and some of the traditional in-line network security devices,such as firewalls and intrusion detection systems.Hey,Verizon is also a telecommunications company,OK?Media(med):precious distilled data in its most pure and crystalline form.Just kidding,mostly thumb drives and actual print
164、ed documents.You will see the odd full disk drive and actual physical payment cards from time to time,but those are rare.The Media growth is intrinsically tied with the progression in the Miscellaneous Errors pattern discussed previously.Some of those Misdelivery errors happen via physical documents
165、 and fax machines47 which might limit their scope but does not make them any less breachworthy to regulators.Digging deeper in Figure 22,we get a better sense of the Server asset breakdown.While the Web application and Mail servers are mostly involved Figure 22.Top Asset varieties in incidents(n=6,6
166、06)in credential-theft breaches,the File server has been almost dominated by the MOVEit breaches,which explains why more than 95%of breached assets are servers.All in all,a pretty standard year in the VERIS Assets world.We will be discussing more on how to help keep these assets safe in the“System I
167、ntrusion,”“Social Engineering”and“Basic Web Application Attacks”pattern sections.252024 DBIR Results and analysis49 Especially bad actions.Benevolent ones often go unnoticed.50 Threat actors should also be sent to bed without TV if they misbehave.As we often need to remind our very young children an
VERIS Attributes

As we often need to remind our very young children and grandchildren, actions have consequences.49 Incidents and data breaches are no different,50 and said consequences will often materialize as data leaks (confidentiality issue), unauthorized changes on your assets (integrity issue) or a loss of access to your data (availability issue). More frequently than not, all of them can take a hit over the course of a multistep breach. Figure 23 demonstrates how often those three pillars were compromised over time in one of our charts with the most “DBIR charts do not add up to 100% because events are non-exclusive” energy thus far. Roughly a third of the incidents we reviewed this year were data breaches where the Confidentiality of data was compromised. Figure 24 has the breakdown of data varieties that were leaked in breaches this year, and Personal data is unsurprisingly at the top of the list.

Figure 23. Attributes over time in incidents
Figure 24. Top Confidentiality data varieties in breaches

This continuous prevalence of Personal data in the top spot is in a way a self-fulfilling curse because the breaches that get more frequently disclosed will be the ones involving customer data where regulation requires the affected victims to be notified. Furthermore, customer data is so prevalent and hoarded without need or proper care that it will often be collateral damage in any sort of attack that might not even be specifically targeting it. Internal company data (such as emails and business documents) and System-specific data also overshadow more exclusive targets such as Payment, Bank, Medical and Secrets. We have often described how the Ransomware (and now pure Extortion) breaches mean that the threat actors don't need to care about the data they are stealing because they will always have the victim organization as the main buyer. We dig into ransomware, ransom amounts and extortion economics in the “System Intrusion” pattern section later in the report.

People need to be assured their information will be kept safe so they can participate in society, including having the confidence to share their data to access services and use products. Our security incident trend data, which we have contributed to this report, shows cyber threats not only continue to exist but increase year on year. It is important to remember that there is no single solution to security, but organizations can improve their cybersecurity through our guidance and tools to better protect people's information. We are also encouraging organizations to be transparent when a cyber incident happens, seeking early support and sharing information so the cyber threat landscape is improved for everyone. The ICO will soon publish a review of past security incidents to help organizations continue to improve their cyber resilience.

Stephen Bonner
Deputy Commissioner, Regulatory Supervision, U.K. Information Commissioner's Office (ICO)

In addition, we are observing a decline in the Credentials data type from a percentage point of view. This is because the percentage of breaches caused by Error actions is rising (again as a result of our sample) as opposed to external actors who are exploiting weak credentials through credential stuffing or brute force attacks. As a final curiosity, another side effect of the growth of non-encrypting extortion attacks has been a significant bump in the Alter behavior variety under Integrity. This is the integrity violation we get when Persons are influenced by external threat actors, and it is also a common outcome from a Phishing or Pretexting social action. To see it overcome the Obscuration variety (the usual outcome of the Ransomware action) in such a sharp way in Figure 25 could be a harbinger of things to come. The consequence of which is that System Intrusion pattern attacks become more prevalent in the long run.

Figure 25. Select Attribute varieties over time in breaches

Attribute categories51

Confidentiality (cp): refers to limited observation and disclosure of an asset (or data). A loss of confidentiality implies that data were actually observed or disclosed to an unauthorized actor rather than endangered, at-risk or potentially exposed (the latter fall under the attribute of Possession or Control52). Short definition: limited access, observation and disclosure.
Integrity (ia): refers to an asset (or data) being complete and unchanged from the original or authorized state, content and function. Losses to integrity include unauthorized insertion, modification and manipulation. Short definition: complete and unchanged from original.
Availability (au): refers to an asset (or data) being present, accessible and ready for use when needed. Losses to availability include destruction, deletion, movement, performance impact (delay or acceleration) and interruption. Short definition: accessible and ready for use when needed.

51 https://verisframework.org/attributes.html
52 https://en.wikipedia.org/wiki/Parkerian_Hexad

3 Incident Classification Patterns

2024 DBIR Incident Classification Patterns

53 We are pretty sure the toast face is real, though.
54 You did read it, right? You are not just skimming the report, are you?
Incident Classification Patterns: Introduction

Pareidolia is a fancy word for seeing patterns in nature: clouds that look like bunnies, a face in your toast looking back at you from your breakfast plate, etc. As we have said before in this report, the human mind looks for patterns even when they are not actually there.53 People simply need patterns to make sense of their world, and the realm of cybersecurity is no different. Several years ago, we realized that certain incidents appear to happen over and over again in clusters that share certain similar characteristics. From that realization, we devised our incident patterns that we have featured in our report for the last several years. These incident patterns serve to cluster similar incidents into categories that make them easier to understand and recall. They are based on the 4As of VERIS (Actor, Action, Asset, Attribute), which you can read more about in the “Results and analysis” section earlier in this report.54 The incident classification patterns, of which there are eight, are defined in Table 1, and Figure 26 below shows how they have changed over time in incidents.

Figure 26. Patterns over time in incidents

We are once again featuring relevant ATT&CK techniques55 and Center for Internet Security (CIS) Critical Security Controls56 relevant to certain patterns. Figure 27 illustrates how the various patterns have ebbed and flowed over the last few years in breaches. As you can see, System Intrusion continues to be the top pattern from a breach perspective (as opposed to incidents, where DoS attacks are still king). Both the Social Engineering and Miscellaneous Errors patterns have risen appreciably, particularly the latter, since last year. Conversely, the Basic Web Application Attacks pattern has fallen dramatically from its place in the 2023 DBIR. We get to delve into the reasons for these fluctuations further along in this section.

Basic Web Application Attacks: These attacks are against a Web application, and after the initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.
Denial of Service: These attacks are intended to compromise the availability of networks and systems. This includes both network and application layer attacks.
Lost and Stolen Assets: Incidents where an information asset went missing, whether through misplacement or malice, are grouped into this pattern.
Miscellaneous Errors: Incidents where unintentional actions directly compromised a security attribute of an information asset fall into this pattern. This does not include lost devices, which are grouped with theft instead.
Privilege Misuse: These incidents are predominantly driven by unapproved or malicious use of legitimate privileges.
Social Engineering: This attack involves the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.
System Intrusion: These are complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying Ransomware.
Everything Else: This “pattern” isn't really a pattern at all. Instead, it covers all incidents that don't fit within the orderly confines of the other patterns. Like that container where you keep all the cables for electronics you don't own anymore, just in case.
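Table 1's definitions can be turned into a classifier over VERIS-style 4A records so that a team's own incident log can be tallied the way Figures 26 and 27 are. The following is an added example, not DBIR or VERIS code: the precedence order, the record layout and the sample incidents are this example's assumptions (a simplified reading of Table 1; the report's published pattern logic is more detailed), so treat the output as illustrative.

```python
"""Assign DBIR-style incident classification patterns from VERIS 4A fields.

Added example, not DBIR/VERIS code. The precedence below is a simplified
reading of Table 1 (this example's assumption, not the report's published
logic); the sample incidents are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# VERIS action category codes as used in the "Action categories" sidebar.
HACKING, MALWARE, ERROR, SOCIAL, MISUSE, PHYSICAL, ENVIRONMENTAL = (
    "hak", "mal", "err", "soc", "mis", "phy", "env")


@dataclass(frozen=True)
class Incident:
    """Minimal VERIS-like record: (category, variety) actions plus assets."""
    incident_id: str
    actions: Tuple[Tuple[str, str], ...]
    assets: Tuple[str, ...]   # VERIS asset varieties, e.g. "S - Web application"


def classify_pattern(inc: Incident) -> str:
    """Return the Table 1 pattern name for one incident.

    Order matters: DoS and lost/stolen assets are decided first because
    their defining action dominates everything else; pure Error records go
    to Miscellaneous Errors; Misuse wins over the hacking/malware checks;
    malware or a multi-step hacking chain is System Intrusion; a Social
    action with nothing more elaborate is Social Engineering; a lone hacking
    action against a Web application is Basic Web Application Attacks;
    anything left is Everything Else.
    """
    categories = {cat for cat, _ in inc.actions}
    varieties = {var for _, var in inc.actions}
    hacking_steps = [var for cat, var in inc.actions if cat == HACKING]

    if "DoS" in varieties:
        return "Denial of Service"
    if (PHYSICAL, "Theft") in inc.actions or (ERROR, "Loss") in inc.actions:
        return "Lost and Stolen Assets"
    if categories == {ERROR}:
        return "Miscellaneous Errors"
    if MISUSE in categories:
        return "Privilege Misuse"
    if MALWARE in categories or len(hacking_steps) > 1:
        return "System Intrusion"
    if SOCIAL in categories:
        return "Social Engineering"
    if hacking_steps and any(a.startswith("S - Web application") for a in inc.assets):
        return "Basic Web Application Attacks"
    return "Everything Else"


def tally_patterns(incidents: List[Incident]) -> Dict[str, int]:
    """Count incidents per pattern: the raw material for a Figure 26-style chart."""
    return dict(Counter(classify_pattern(inc) for inc in incidents))


# Constructed sample incidents (not DBIR data).
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("i-01", ((HACKING, "DoS"),), ("S - Web application",)),
    Incident("i-02", ((HACKING, "Exploit vuln"), (MALWARE, "Backdoor"),
                      (MALWARE, "Ransomware")), ("S - File",)),
    Incident("i-03", ((HACKING, "Use of stolen creds"),), ("S - Web application",)),
    Incident("i-04", ((SOCIAL, "Pretexting"),), ("P - Finance",)),
    Incident("i-05", ((SOCIAL, "Phishing"), (HACKING, "Use of stolen creds")),
             ("S - Mail", "P - End-user")),
    Incident("i-06", ((ERROR, "Misdelivery"),), ("M - Documents",)),
    Incident("i-07", ((ERROR, "Loss"),), ("U - Laptop",)),
    Incident("i-08", ((PHYSICAL, "Theft"),), ("U - Laptop",)),
    Incident("i-09", ((MISUSE, "Privilege abuse"),), ("S - Database",)),
    Incident("i-10", ((ENVIRONMENTAL, "Power failure"),), ("S - Database",)),
]

if __name__ == "__main__":
    for name, count in sorted(tally_patterns(SAMPLE_INCIDENTS).items()):
        print(f"{name}: {count}")
```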
Table 1. Incident classification patterns

55 https://attack.mitre.org
56 https://www.cisecurity.org/controls

Figure 27. Patterns over time in breaches

System Intrusion

Frequency: 5,175 incidents, 3,803 with confirmed data disclosure
Threat actors: External (100%) (breaches)
Actor motives: Financial (95%), Espionage (5%) (breaches)
Data compromised: Personal (50%), Other (34%), System (26%), Internal (22%) (breaches)

Summary
While shifts in tactics leveraged by Actors have modified some of the top Actions, the overall effect of these Actors continues to be felt by the majority of industries and organizations of all sizes.

What is the same?
Ransomware attacks continue to drive the growth of this pattern as they now account for 23% of all breaches.

System of an Intrusion

In the world of our attack patterns, it's been a competitive year, and there have been a lot of contenders vying for the first-place prize of MFB: most frequent breach (granted, not as prestigious as the MVP, but you work with what you have). System Intrusion, for the third year in a row, leads the pack with 36% of breaches. Not sure exactly what they're winning (our guess would be a good bit of cash), but we can certainly tell you who is losing, and that's all of us. Let's dive into what is driving the continued success of this pattern.

Relevant ATT&CK techniques
Execution: TA0002
Persistence: TA0003
Privilege Escalation: TA0004
Defense Evasion: TA0005
Credential Access: TA0006

Exploit vuln (VERIS)
Exploit Public-Facing Application: T1190
Exploitation for Credential Access: T1212
Exploitation for Defense Evasion: T1211
Exploitation for Privilege Escalation: T1068
Exploitation of Remote Services: T1210
External Remote Services: T1133
Vulnerability Scanning: T1595.002

Use of stolen creds (VERIS)
Compromise Accounts: T1586
Social Media Accounts: T1586.001
Email Accounts: T1586.002
External Remote Services: T1133
Remote Services: T1021
Remote Desktop Protocol: T1021.001
Use Alternate Authentication Material: T1550
Web Session Cookie: T1550.004
Valid Accounts: T1078
Default Accounts: T1078.001
Domain Accounts: T1078.002
Local Accounts: T1078.003
Cloud Accounts: T1078.004
The makeup of this pattern hasn't changed much. It is where our more sophisticated attacks57 are found. They still largely consist of breaches and incidents in which the threat actor leverages a combination of Hacking techniques and Malware to penetrate the victim organization, more or less what one might expect from an unauthorized penetration test. However, rather than providing a helpful written report at the conclusion of the exercise, they typically deploy Ransomware and provide the victim with a much less helpful extortion note. These Ransomware attacks account for 70% of the incidents within System Intrusion, as seen in Figure 28. The other often seen actions in the System Intrusion pattern tend to be those that provide the actor access to the environment, such as Exploit vulnerabilities and Backdoors. We also saw Extortion creeping into this space, primarily due to a large and impactful event that we will discuss later in the report, so stay tuned.58

Ransomhow?

With regard to vectors (Figure 29), we saw a great deal of Direct install. This is when threat actors use their existing system access to install malware, such as Ransomware or Backdoors. The vector of Web applications, which is a favored target of exploits, also appeared frequently, as we discussed in the ways-in analysis in the “Results and analysis” section. Of course, we still see threat actors leveraging Email to reach users and Desktop sharing software to gain entry into systems. Because these threat actors use a plethora of tools and techniques, this data is longer tailed, which is why Other shows up relatively often in our top five. Within the category of Other are vectors such as VPNs, Software updates and a whole bunch of Unknowns (our bet is that it is most likely split among the tactics discussed above, just not explicitly reported to us). Therefore, when prioritizing your efforts at protecting yourself, don't neglect addressing malware infections, stolen credentials or unpatched systems as it may lead you to break out in Ransomware.59

Ransomwho?

Much like Sisyphus with his never-ending task, it seems that the hardworking people in IT must continue to contend with the evolving threat of Ransomware. Ransomware has again dominated the charts, accounting for 11% of all incidents, making it the second most common incident type. Ransomware (or some type of Extortion) appears in 92% of industries as one of the top threats.

Figure 28. Top Action varieties in System Intrusion incidents

When we remove the Ransomware groups from this dataset,60 we're left with a pretty even split of 44% run-of-the-mill types of criminals and 40% State-affiliated actors. It shouldn't be too surprising to find out that the tactics used by criminals are very closely aligned to those used by Actors working on the behalf of their country.

Figure 29. Top Action vectors in System Intrusion incidents (n=1,789)

57 If these attacks were people, they would drink fine wine in restaurants, pontificate loudly on the vintage and drive cars made in Scandinavia.
58 And if you could hit the Like and Subscribe buttons, we'd appreciate it. Oh, wait, wrong platform.
59 And a visit to the dermatologist won't help.
60 Ah, wouldn't that be nice? Just the thought of it improved my mood.

Figure 30. 95% and 80% confidence intervals of adjusted incident cost for Ransomware
Figure 31. 95% and 80% confidence intervals of ransoms as a percentage of victim revenue

61 Can't tell you what, though. It is strictly confidential information.
62 https://www.ic3.gov
63 Note that the source of this data is from ransomware negotiators, which might be a self-selecting sample. Those who can afford to employ a negotiator in this kind of incident may also be targeted with higher ransom demands since they are likely to be higher revenue organizations.

demand percentage. There were a few within the top 10% of cases reaching up to 24% of total revenue. Hopefully these ranges assist organizations in running risk scenarios with an eye toward potential direct costs associated with a ransomware attack. Of course, there are many other factors that should also be considered, but this is a good starting point.

Clearly, the major difference is what they do with that access. The subset of criminals in this pattern who aren't doing Ransomware/Extortion are quietly siphoning off Payment data from e-commerce sites and account for 57% of breaches
218、involving stolen Payment cards,while the State-affiliated actors look to pivot and steal other types of data.61Ransomwhat?Understanding the cost associated with Ransomware is a bit complex as there are several primary and secondary costs to consider,not to mention the possible soft costs associated
219、with reputational impacts.While we try our best to capture these costs,its worth noting that the result isnt a full picture but simply our best approximation using the data we have.One of the easier costs to capture is the amount associated with paying the actual ransom.Analyzing the FBI IC362 datas
220、et this year,we found that the median adjusted loss(after law enforcement worked to try to recover funds)for those who did pay was around$46,000 as shown in Figure 30.This is a significant increase from the previous years median of$26,000,but you should also take into consideration that only 4%of th
221、e complaints had any actual loss this time,as opposed to 7%last year.Another way we can slice the data is by looking at ransom demands as a percentage of the total revenue.63 The median amount of the initial ransom demand was 1.34%of the victim organizations total revenuewith 50%of the demands being
222、 between 0.13%and 8.30%(Figure 31).We know this is quite a spread for the initial ransom 332024 DBIR Incident Classification PatternsCIS Controls for considerationBearing in mind the breadth of activity found within this pattern and how actors leverage a wide collection of techniques and tactics,the
223、re are a lot of safeguards that organizations should consider implementing.Below is a small subset of all the things an organization could do.They should serve as a starting point for building out your own risk assessments to help determine what controls are appropriate to your organizations risk pr
224、ofile.Protecting devices Secure Configuration of Enterprise Assets and Software 4 Establish and Maintain a Secure Configuration Process 4.1 Establish and Maintain a Secure Configuration Process for Network Infrastructure 4.2 Implement and Manage a Firewall on Servers 4.4 Implement and Manage a Firew
225、all on End-User Devices 4.5Email and Web Browser Protections 9 Use DNS Filtering Services 9.2Malware Defenses 10 Deploy and Maintain Anti-Malware Software 10.1 Configure Automatic Anti-Malware Signature Updates 10.2Continuous Vulnerability Management 7 Establish and Maintain a Vulnerability Manageme
226、nt Process 7.1 Establish and Maintain a Remediation Process 7.2Data Recovery 11 Establish and Maintain a Data Recovery Process 11.1 Perform Automated Backups 11.2 Protect Recovery Data 11.3 Establish and Maintain an Isolated Instance of Recovery Data 11.4Protecting accountsAccount Management 5 Estab
227、lish and Maintain an Inventory of Accounts 5.1 Disable Dormant Accounts 5.3Access Control Management 6 Establish an Access Granting/Revoking Process 6.1,6.2 Require MFA for Externally-Exposed Applications 6.3 Require MFA for Remote Network Access 6.4Security awareness programs Security Awareness and
228、 Skills Training 143464 Widely attributed to be the Cl0p ransomware group(https:/www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a)2024 DBIR Incident Classification Patternsspeculation.What it did accomplish,however,was to slightly confound the differences that exist between the System Int
229、rusion and Social Engineering patterns by introducing a big chunk of data that neatly fits in both categories.After it stole the data,Cl0p used Extortion as a means of separating the victims from their hard-earned money.MOVEit or dont.Over the summer,we were teased with the idea of a great crossover
230、,one involving the father of the atomic bomb and a plastic doll.For this years report,we have a similar type of crossover but perhaps a bit less entertaining.In the hope of continuing to increase their shareholders affiliates profits,ransomware groups have demonstrated a remarkable ability to evolve
231、 their tactics.One such recent evolution was snapshotted in the MOVEit incident,where threat actors64 used a zero-day attack(a previously unknown and unpatched vulnerability)in file management software and went on a spree appropriating whoevers data they could get their hands on and holding it hosta
232、ge.While the attack affected organizations from a variety of sectors,Education was by far the largest impacted(Figure 32),accounting for more than 50%of the breached organizations,according to our breach notification dataset.While this seems like pretty standard e-criminal stuff,it was a shift in ta
233、ctics worth discussing.For starters,the group didnt actually deploy Ransomware in all of these cases,even though it was previously partial to that tactic.There could have been myriad reasons as to why the group didnt choose this option,and anything wed suggest would be Figure 32.Top industries found
234、 in the MOVEit breach notification dataset(n=1,567)352024 DBIR Incident Classification Patterns65 And pop culture references66 Even though,as 2024 begins,the focus seems to be on VPN and remote Desktop sharing software.When we look at Ransomware breaches over time(Figure 33),we notice a dip in the c
235、ases;however,when we combine it with Extortion,we see that it follows pretty much the same trend line.This indicates to us that it may be the same actors,and they are simply shifting tactics to best leverage the type of access they have.This combination did show a significant growth as a part of bre
236、aches,as we touched on in the second entry of our“Summary of findings”section.The DBIR team looks at numbers,65 not code,so this report isnt the best place to explain all the technical elements.Nevertheless,what the vulnerability essentially did was to allow the attackers to upload a backdoor throug
237、h a crafty SQL injection attack.This backdoor allowed the attackers to perform several different tasks such as downloading data and manipulating the applications legitimate users.Unfortunately,because of the nature of the platform,file transfer systems need to be on the internet,and the fact that th
238、is was an unknown vulnerability at the time of exploit ensured that there was nothing victims could have done to prevent it.There can be no doubt that this was a large-scale and impactful attack;however,it wasnt without precedent.In fact,just a few months before,in January 2023,the same group had ta
239、rgeted another file hosting platform resulting in a rather busy month for Ransomware claims.As we gaze into our crystal ball,we wouldnt be surprised if we continue to see zero-day vulnerabilities being widely leveraged by ransomware groups.If their preference for file transfer platforms continues,66
240、 this should serve as a caution for those vendors to check their code very closely for common vulnerabilities.Likewise,if your organization utilizes these kinds of platformsor anything exposed to the internet,for that matterkeep a very close eye on the security patches those vendors release and prio
241、ritize their application.Figure 33.Ransomware and Extortion breaches over time362024 DBIR Incident Classification PatternsRelevant ATT&CK techniquesCompromise Accounts:T1586 Email Accounts:T1586.002Establish Accounts:T1585 Email Accounts:T1585.002External Remote Services:T1133Internal Spearphishing:
242、T1534Phishing:T1566 Spearphishing Attachment:T1566.001 Spearphishing Link:T1566.002 Spearphishing via Service:T1566.003Phishing for Information:T1598 Spearphishing Service:T1598.001Use Alternate Authentication Material:T1550 Application Access Token:T1550.001Valid Accounts:T1078 Domain Accounts:T107
243、8.002Social EngineeringFrequency3,661 incidents,3,032 with confirmed data disclosureThreat actorsExternal(100%)(breaches)Actor motivesFinancial(95%),Espionage(5%)(breaches)Data compromisedCredentials(50%),Personal(41%),Internal(20%),Other(14%)(breaches)SummaryPretexting continues to be the leading c
244、ause of cybersecurity incidents,with actors targeting users with existing email chains and context.Extortion also grew dramatically because of the large-scale MOVEit incident.What is the same?Phishing and Pretexting via email continue to be the leading cause of incidents in this sector,accounting fo
245、r 73%of breaches.37Figure 35.Top Action vectors in Social Engineering breaches(n=2,961)*ishing in the windIn the cybersecurity world,or“the cyber biz,”as we call it,we certainly love our catchy terminology.Terms such as whaling,smishing,quishing,tishing,vishing,wishing,pharming,snowshoeing67 and pla
246、in old phishing are ever-present in the Social Engineering pattern.This makes sense because there are a lot of vectors on which we need to educate our employees and end users,and were positive that in another five years,there will be new ones that we will have to add to our list.However,even with th
247、e growth of these new vectors and types of attacks,we tend to see the core social tactics such as Pretexting and Phishing still being used often(Figure 34).More than 40%of incidents involved Pretexting,and 31%involved Phishing.Other tried-and-true tactics such as attacks coming in via email,text and
248、 websites(Figure 35)arent necessarily the most exciting,but any security professionals who have been around for any length of time have probably seen these contenders in some capacity over their careers.Regardless of the exact method that attackers use to reach organizations,the core tactic is the s
249、ame:They seek to exploit our human nature and our willingness to trust and be helpful for their own gain.While these attacks all share that commonality,one rather significant difference is the scale and pervasiveness of these tactics.First,the good news.We have not seen a dramatic rise in Pretexting
like we did last year. However, it is also true that it hasn't decreased but instead has maintained its position as the top type of Social Engineering incident. As a quick reminder, when we talk about Pretexting, largely consider this as a stand-in for BEC, where attackers leverage existing email chains to convince victims to do something, such as update an associated bank account with a deposit.

Figure 34. Top Action varieties in Social Engineering incidents (n=3,647)

67 At the time of writing, one of these was fake.

Low tech, high cost

Unfortunately, the bad news comes next, which is that BECs continue to have a substantial financial impact on organizations. Figure 36 captures the growth in terms of costs associated with BEC since early 2018. As we mentioned above, there isn't any growth this year as compared to last year, but neither has it decreased, with the median transaction hovering around $50,000. One of the best things you can do when you realize you are a victim of BEC fraud is to promptly work with law enforcement. Figure 37 shows the distributions of outcomes from the cases our data contributors at the FBI IC3⁶⁸ have worked. In half of the cases, they were able to recoup 79% or more of the losses. On the less fortunate side, 18% of the incidents had nothing frozen and potentially lost everything that was sent to the criminals.

Figure 36. Median transaction size for BECs
Figure 37. Percent of losses frozen for recovery

68 https://www.ic3.gov

I hope this threat finds you well.

Our introvert selves were already weary of all these social “interactions” even before these extortion-based attacks from ransomware groups busted through the door into the Social Engineering pattern. Social attacks, such as those involving Phishing, have long played their part in ushering in a ransomware deployment, as typified by the leveraging of those techniques in the ALPHV breach of MGM Resorts and other entertainment groups. But given the shift in tactics by some groups, along with the Extortion action being the final result of the breach as opposed to an initial one, this seemingly “System intrusion-y” attack now also shows up in this pattern. Keep in mind, however, that Extortion isn't anything new in this pattern. We've seen various iterations of it from the empty threats (“We've hacked your phone and caught you doing NSFW stuff.”) to somewhat credible threats (“Look us up. We're super-duper hackers that'll DDoS you.”) to very credible threats (“We'll leak the data we took. Here are samples for you to validate.”). This year, however, Extortion showed up in spades as a result of the MOVEit breach, which affected organizations on a relatively large scale and in an extremely public fashion.

This is plainly visible in the steps to breaches chart (Figure 38). As you can see, there has been a dramatic increase in compromising servers via Hacking. Given the prevalence of these types of attacks, we recommend discussions with leadership to determine what the course of action should be if they occur in your organization.

Figure 38. Steps in Social Engineering incidents

School of phishes

This is probably cliché at this point, but we're believers that the first line of defense for any organization isn't the castrametation⁶⁹ of their systems but the education of their key staff, including end users.⁷⁰ Fortunately, this isn't simply us standing on our “user-awareness” soapbox. We have both figures and hard numbers to help quantify our stance. The first lesson to learn is that Phishing attacks happen fast. The median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data (Figure 39). That leads to a frightening finding: The median time for users to fall for phishing emails is less than 60 seconds. Some good news is that, as an industry, we seem to be getting better with regard to phishing test reporting. More than 20% of users identified and reported phishing per engagement, including 11% of the users who did click the email. As Figure 40 illustrates, this is another impressive improvement and one that we desperately need in order to catch up with the previous years' increases in Phishing and Pretexting.

Figure 39. Time between email clicked and data entered
Figure 40. Phishing email report rate by click status

69 There is a very obvious Maginot Line joke to be made here, so we will leave it as an exercise for the readers.
70 Perhaps we should say, “especially end users.”

CIS Controls for consideration

There are a fair number of controls to consider when confronting this complex threat, and all of them have pros and cons. Due to the strong human element associated with this pattern, many of the controls pertain to helping users detect and report attacks as well as protecting their user accounts in the event that they fall victim to a phishing attack. Lastly, due to the importance of the role played by law enforcement in responding to BECs, it is key to have plans and contacts already in place.

Protect accounts
- Account Management (5): Establish and Maintain an Inventory of Accounts (5.1); Disable Dormant Accounts (5.3)
- Access Control Management (6): Establish an Access Granting/Revoking Process (6.1, 6.2); Require MFA for Externally-Exposed Applications (6.3); Require MFA for Remote Network Access (6.4)

Security awareness programs
- Security Awareness and Skills Training (14)
Although not part of the CIS Controls, a special focus should be placed on BEC and processes associated with updating bank accounts.

Managing incident response
- Incident Response Management (17): Designate Personnel to Manage Incident Handling (17.1); Establish and Maintain Contact Information for Reporting Security Incidents (17.2); Establish and Maintain an Enterprise Process for Reporting Incidents (17.3)

Basic Web Application Attacks

Frequency: 1,997 incidents, 881 with confirmed data disclosure
Threat actors: External (100%), Internal (1%), Multiple (1%) (breaches)
Actor motives: Financial (85%), Espionage (15%) (breaches)
Data compromised: Credentials (71%), Personal (58%), Other (29%), Internal (17%) (breaches)

Summary: Threat actors continue to take advantage of assets with default, simplistic and easily guessable credentials via brute forcing them, buying them or reusing them from previous breaches.

What is the same? Financially motivated external actors continue to target credentials and personal information.

Relevant ATT&CK techniques
- Brute Force: T1110; Credential Stuffing: T1110.004; Password Cracking: T1110.002; Password Guessing: T1110.001; Password Spraying: T1110.003
- Compromise Accounts: T1586; Email Accounts: T1586.002
- Exploit Public-Facing Application: T1190
- External Remote Services: T1133
- Valid Accounts: T1078; Default Accounts: T1078.001; Domain Accounts: T1078.002
- Use Alternate Authentication Material: T1550; Application Access Token: T1550.001
- Active Scanning: T1595; Vulnerability Scanning: T1595.002

Figure 42. Top Action varieties since 2013 (n=35,970)

What if we were to tell you there is perhaps no pattern that is as complex, multifaceted and, quite frankly, riveting to read about as the Basic Web Application Attacks pattern? We'd be pulling your leg, that's what. This pattern is basically just like it sounds: typically uncomplicated attacks against either unprotected or (more often) poorly protected web applications that grant the criminal a foothold into an organization's environment. If the System Intrusion pattern can be thought of as a sophisticated bank⁷¹ heist,⁷² this pattern presents us with a good visualization of Occam's razor in action. It has fewer steps and is possibly the simplest and shortest path from point A to point B. Like many things that are not overly complicated, it works extremely well. Last year, this type of attack accounted for one-quarter of all breaches. This year, however, our dataset shows just over 8% of breaches in the Basic Web Application Attacks pattern. As is always the case in this pattern, the attacker gains access via hacking by the Use of stolen credentials (77%), Brute force (usually easily guessable passwords) (21%) or the Exploit vuln action (13%) (Figure 41).

Beware devs bearing crypto.

Interestingly, approximately 20% of the malware in this pattern consists of cryptocurrency mining Malware. Upon further inspection, we found a small cluster of Nation-state actors that were leveraging known vulnerabilities and cryptocurrency mining malware (and Ransomware) to make a few extra dollars for their country. Not something particularly revolutionary but always interesting to see tactics that are more than a decade old still hold up.

Like a one-size-fits-all gas station baseball cap (“Keep on Truckin'”), any organization can fit into the Basic Web Application Attacks pattern, but it won't look too good on you. The Financial and Insurance (18%); Information (14%); and Professional, Scientific and Technical Services (13%) industries make up the top three verticals affected by Basic Web Application Attacks, but we see these attacks in most other industries as well. There is also no substantial difference between large organizations (55%) and small organizations (47%) in the Basic Web Application Attacks pattern.

71 For more bank heist content, please review the Financial vertical in the “Industries” section.
72 We probably shouldn't mention movies such as “Ocean's Eleven” or “The Great Train Robbery” or we may need to pay royalties.
73 And we hope you are.
74 Or will it just continue to spice up our daily lives with mystery?

Attack of the stolen credentials

If you're a regular reader,⁷³ you may have realized by now that there are a great many incidents in our dataset that leverage stolen credentials. Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches (Figure 42). Ergo, credentials are a core component of compromising organizations. However, while we know this to be a fact, there are a lot of things we don't know about these credentials: Where do they come from, how did they get here and will we ever know the full story?⁷⁴

Figure 41. Top Hacking actions in Basic Web Application Attacks breaches (n=713)

If we are to understand where stolen credentials come from, we must consider the different types of credential attacks that exist. Unsurprisingly, Phishing is the most common credential-related attack that we see in our dataset and accounts for 14% of breaches involving Credentials. Social Engineering is extremely common and remarkably effective because it targets individuals versus systems. It's much easier to harden a system than it is to harden an individual,⁷⁵ as our Social Engineering section illustrated. Another basic type of credential attack is Brute force (guessing all the passwords), and while it is an effective tool in the attacker's arsenal, it appears in only 2% of breaches this year. This technique is most successful when individuals or applications use weak or, even worse, default credentials. A silver lining here is that Brute force attacks have existed as long as there has been a login option, so a multitude of mitigations are commonly available, such as enforcing password complexity (ick) and length (slightly less ick) as well as limiting how quickly and how often logins can be attempted.

No country for old credentials

Credential stuffing is Brute force's more hip cousin.⁷⁶ While these attacks have a lot in common, credential stuffing affords the attacker a greater chance of success. That's because rather than guessing all possible combinations, credential stuffing leverages combinations of usernames/emails and passwords that are already known to exist because they were harvested from previous breaches. Recent high-profile cases have occurred in which attackers leveraged this technique to gain access to highly personal user data. These types of attacks are more insidious because they spread the attack across various accounts and IP addresses, thus making them more difficult to prevent. If your organization has a high number of customers, especially consumer-facing web applications and application programming interfaces (APIs), you should consider instituting robust protections before attackers use a tool and a free list of proxies to attempt combinations they found in a chat site.

75 The former becomes more secure, while the latter simply becomes jaded.
76 Aviator sunglasses are involved.
77 Not unlike Bigfoot (No DBIR would be complete without at least one Sasquatch reference.)
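The credential attacks this section names (Brute force, credential stuffing and, from the ATT&CK list above, Password Spraying) leave different shapes in an authentication log, and that shape is what a detection can key on: one account absorbing most failures, or one attempt per account spread over many source addresses, or one attempt per account from only a few addresses. The following is an added example, not code from the DBIR or from Verizon: it tallies constructed failed-login lines in a simple “timestamp user ip result” form, classifies the burst by how failures spread across accounts and sources, and lists the accounts that succeeded after failing, which is the foothold worth alerting on. The log format, the thresholds and the sample addresses are all assumptions made for the example.

```python
"""Added example (not from the DBIR): classify a burst of failed logins by its shape.

Sample log lines are constructed for the example, in the form "timestamp user ip result".
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample logs (RFC 5737 documentation addresses, not real traffic).
# Brute force: one account hammered from a single source.
BRUTE_FORCE_LOG = "\n".join(
    f"2024-05-01T10:00:{i:02d} alice 198.51.100.7 FAIL" for i in range(30)
)
# Credential stuffing: one attempt per account, each from a different proxy;
# one previously leaked username/password pair still works, so that account logs in.
STUFFING_LOG = "\n".join(
    [f"2024-05-01T11:00:{i:02d} user{i:03d} 203.0.113.{i + 1} FAIL" for i in range(40)]
    + ["2024-05-01T11:01:00 user017 203.0.113.99 OK"]
)
# Password spraying: one attempt per account, but only two source addresses.
SPRAY_LOG = "\n".join(
    f"2024-05-01T12:00:{i:02d} user{i:03d} 198.51.100.{i % 2 + 1} FAIL" for i in range(40)
)


@dataclass
class FailureSummary:
    failures: int = 0
    per_user: Counter = field(default_factory=Counter)  # user -> failed attempts
    ips: set = field(default_factory=set)               # distinct sources of failures
    compromised: set = field(default_factory=set)       # users with OK after a FAIL


def summarize(log_text: str) -> FailureSummary:
    """Tally failed logins per user and per source; note users who later succeeded."""
    summary = FailureSummary()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, ip, result = line.split()
        if result == "FAIL":
            summary.failures += 1
            summary.per_user[user] += 1
            summary.ips.add(ip)
        elif result == "OK" and user in summary.per_user:
            summary.compromised.add(user)
    return summary


def classify(summary: FailureSummary, min_failures: int = 10) -> str:
    """Name the attack shape. Thresholds are assumptions chosen for this example:
    - brute_force: one account absorbs at least half of all failures
    - credential_stuffing: about one attempt per account, sources about as many as accounts
    - password_spraying: about one attempt per account, but from only a few sources
    """
    if summary.failures < min_failures:
        return "normal"
    accounts = len(summary.per_user)
    top_share = max(summary.per_user.values()) / summary.failures
    if top_share >= 0.5:
        return "brute_force"
    if summary.failures / accounts <= 2:
        if len(summary.ips) >= accounts / 2:
            return "credential_stuffing"
        return "password_spraying"
    return "undetermined"


if __name__ == "__main__":
    for name, log in [("brute", BRUTE_FORCE_LOG), ("stuffing", STUFFING_LOG), ("spray", SPRAY_LOG)]:
        s = summarize(log)
        print(name, classify(s), "accounts compromised:", sorted(s.compromised))
```

The distinguishing feature is the ratio of sources to accounts: a stuffing campaign run through a proxy list looks like one failure per account from one address each, which per-IP rate limiting never sees, so the summary has to be taken over the whole service rather than per client address.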
Speaking of APIs, we can examine the prevalence of those types of attacks in sampled detection data from our API firewall data partners in Figure 43. As expected, credential stuffing is the most commonly identified attack, but it is often commingled with Brute force. Another interesting result from this dataset was that the prevalence of credential abuse-like attacks amounted to only 15% of attacks, less than half of what we see in Use of stolen credentials in the incident dataset. This makes sense because there is much more to try to exploit on APIs than just credentials.

But what if you don't have consumer facing web applications or APIs? What if you already enforce strict password policies, such as a monthly rotation of 24-character passwords? Surely such a fate could not befall you, right? Unfortunately, password stealers can still snatch your data. While we admittedly do not see password dumpers too often in our dataset (2% of breaches), it is important to keep in mind that we can only report on those things into which we have visibility, and this type of Malware likes to reside in places where there's limited visibility⁷⁷ (such as personal computers, not work-related ones). To get an idea of how pervasive this issue might be, we took a look at the marketplaces dedicated to selling and reselling credentials and cookies collected from these password stealers. Our sample was only two days from one market; nevertheless, we found more than a thousand credentials per day being posted for sale with an average price of $10.

Figure 43. Distribution of web application attack types

After examining these postings, we found that 65% of these credentials were posted for sale less than one day from when they were collected.⁷⁸ They are often purchased by attackers who leverage them as a beachhead for other attacks, against either individuals or their employers. Oftentimes these product offerings not only list what credentials or cookies are available but also give information regarding the associated region. We wanted to determine whether these credentials are coming from organizationally managed assets or personal computers. On average, more than 30% of postings had no social media credentials listed, which could be an indication that many of the systems aren't for personal use. Figure 44 shows the percentage of postings by stealer family name without social media accounts listed.

Another source of password stealers is libraries posted on public repositories. For the non-developers of the world, writing code is incredibly tedious, and our “if it's not easy, I'm not doing it” society has led to people creating libraries that other developers can import simply by saying “pip install library-of-my-choice” or “install.packages(library-of-my-choice)”⁷⁹ and download the library they find posted. Needless to say, a very real risk with this approach is that you're taking it on faith that the libraries you're downloading are free from malware. Human nature being what it is, that is often not the case, and the libraries act as a means of distributing malware. Fortunately, there are numerous companies that actively scan the uploaded libraries to identify possible malware. When malicious packages are found, they often consist of information stealers (shocker). Of course, simply uploading a package is not enough; it still requires someone to download it.⁸⁰ Figure 45 captures some of the more popular approaches found in an npm repository.⁸¹ The most common type we found in the JavaScript ecosystems were malicious packages that would advertise themselves as free video game currency generators. These target the folks who are clever enough to know how to install and download the code but not sufficiently clever to realize that if it sounds too good to be true, it usually is.⁸² In addition, there were malicious packages that leveraged typosquatting. This is when the developer of the malware posts the package with a similar name as a popular package in the hopes that someone would accidentally mistype the package name when attempting to install the legitimate package. As a group of authors who collectively would be unemployed if it were not for the existence of spell-check, we can see this being a relatively effective tactic.

Figure 44. Percentage of stealer postings without major social media accounts listed
Figure 45. Malicious npm packages by Social Engineering technique

78 If these creds were doughnuts, the “hot and fresh” sign would still be on.
79 Bet you can't guess what coding environments the DBIR team uses :p
80 Same as this report: If you got this PDF or printed issue from a friend, please go to and download a copy for yourself. Download early, download often!
81 https:/
82 We're afraid there are no cheat codes to get money. Microtransactions for live-service games function the other way around.
83 Be sure to read all sections of the report to unlock custom cover skins from our DBIR Battle Pass.

CIS Controls for consideration

Mitigating against stolen credentials
- Account Management (5): Establish and Maintain an Inventory of Accounts (5.1); Disable Dormant Accounts (5.3)
- Access Control Management (6): Establish an Access Granting/Revoking Process (6.1, 6.2); Require MFA for Externally-Exposed Applications (6.3); Require MFA for Remote Network Access (6.4)

Mitigating against vulnerability exploitation
- Continuous Vulnerability Management (7): Establish and Maintain a Vulnerability Management Process (7.1); Establish and Maintain a Remediation Process (7.2); Perform Automated Operating System Patch Management (7.3); Perform Automated Application Patch Management (7.4)

Lastly, there were also packages that targeted what we (and a few people smarter than we are) believe are dependency confusion attacks. In these types of attacks, the attackers take advantage of how some tooling checks for packages on public repositories before it checks for private ones. If the attackers know that organizations are using the library “super-cool-internal-library,” which is stored in their internal repository, the attackers can create a library on a public repository called “super-cool-internal-library” and the tooling may check the public repo first before looking at the internal ones. Fortunately, there are various programming best practices that can help mitigate this, alongside all the great companies that are out there helping protect us from these threats.
Take a breather after reading this section; there seem to be a lot of landmines that you have to avoid to help keep your organization safe from credential attacks. This is not new. We (and many others) have said it before: Multifactor authentication (MFA) goes a long way toward mitigating these types of attacks. For that matter, so does not letting your kids use your corporate computer to find ways of making free V-Bucks.⁸³ As with anything else security related, the most effective controls are typically the ones that leverage the human element along with technical resources.

Miscellaneous Errors

Frequency: 2,679 incidents, 2,671 with confirmed data disclosure
Threat actors: Internal (100%) (breaches)
Data compromised: Personal (94%), Internal (34%), Bank (14%), Other (12%) (breaches)

Summary: Errors have increased substantially this year, possibly indicating a rise in Carelessness, although it may also reflect increased data visibility with new contributors. More than 50% of errors were the result of Misdelivery, continuing last year's trend, while other errors, such as Disposal, are declining. End-users now account for 87% of errors, emphasizing the need for universal error-catching controls across industries.

What is the same? We can always count on people making mistakes. The categories of mistakes they make are consistent year over year, and while some Error varieties have been decreasing, the ranking of frequency remains the same.

I know exactly what I'm doing.

In our fast-paced and hectic world, it is easy to make the occasional mistake. The key is to make sure that those errors remain occasional and do not become habitual. Employees might be inching toward the latter state given the fact that we saw approximately five times as many Error-related breaches this year as we did in last year's report. Does this substantial increase mean that incompetence and inattention to detail are booming?⁸⁴ Possibly, but it is also, as stated earlier in this report, indicative of the generosity of our data-sharing partners. The greater the number of breaches that we examine, the higher these percentages become. More than 50% of errors in 2023 resulted from Misdelivery (sending something to the wrong recipient), as shown in Figure 46. This was also the No. 1 category in last year's report. Misconfiguration is the next most common error and was seen in approximately 10% of breaches. Misconfiguration has been on a downward trend⁸⁵ for the last three years. There are a few possible explanations for this. Chief among them is that (thankfully) many systems are becoming more secure by default, making the practice of standing up new tech without reading the manual a less risky proposal. Other factors may include that security researchers are not spending as much time on finding these systems with their screen doors flapping in the wind, and, lastly,
323、PatternsFigure 46.Top Action varieties in Miscellaneous Errors breaches(n=2,586)84 Look around at your coworkers,and use your best judgment to answer that question.85 Not unlike most of civilization 48criminals may be using the same tools historically utilized by researchers to discover these errors
324、 and exploiting them to steal data,which would result in the attack showing up with a Hacking action rather than Error.Classification errors,Publishing errors and Gaffes(verbal slips)are all relatively tightly packed in order of mention.Disposal errors continue to decline ever so slightly(as has bee
325、n the general trend for the last several years)and accounted for just over 1%of the cases in this pattern.It is unclear whether more attention has been paid to this matter or employees have simply gotten better at burning records in a barrel in the parking lot.Figure 47 shows one rather drastic chan
326、ge in this pattern related to actors:End-user accounted for 87%of errors as opposed to 20%in last years report,while System administrators dropped to only 11%(from 46%last year).This drop is in large part the result of the corresponding rise in Misdeliveryit takes a System administrator to misconfig
327、ure,but any old End-user can misdeliver.Power to the people!CIS Controls for considerationControl dataData Protection 3 Establish and Maintain a Data Management Process 3.1 Establish and Maintain a Data Inventory 3.2 Configure Data Access Control Lists 3.3 Enforce Data Retention 3.4 Securely Dispose
328、 of Data 3.5 Segment Data Processing and Storage Based on Sensitivity 3.12 Deploy a Data Loss Prevention Solution 3.13Secure infrastructureContinuous Vulnerability Management 7 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets 7.6Application Software Security 16 Use Stand
329、ard Hardening Configuration Templates for Application Infrastructure 16.7 Apply Secure Design Principles in Application Architectures 16.10Train employeesSecurity Awareness and Skills Training 14 Train Workforce on Data Handling Best Practices 14.4 Train Workforce Members on Causes of Unintentional
330、Data Exposure 14.5Application Software Security 16 Train Developers in Application Security Concepts and Secure Coding 16.9Lastly,the Miscellaneous Errors pattern shows a relative diverse array of industry types(Figure 48),with Healthcare and Public Administration at the top(understandably,given rep
331、orting requirements)and a good showing from other industries such as Financial and Insurance;Education;and Professional,Scientific and Technical Services.This illustrates the important fact that carelessness is somewhat of a universal trait,so employers in any vertical should ensure that their contr
332、ols will catch these kinds of errors early.2024 DBIR Incident Classification PatternsFigure 47.Top Actor varieties in Miscellaneous Errors breaches(n=2,260)Figure 48.Top industries in Miscellaneous Errors breaches(n=2,671)49Denial of ServiceAnother year,another victory lap to our running champion,De
333、nial of Service.Figure 49 shows this pattern being responsible for more than 50%of incidents analyzed this year.86 This pattern has been the most prevalent one for several years now,and you dont have to think very hard to understand why:Denial of Service attacks are relatively cheap to execute,and it is actually fairly easy for them to be successful,87 at least until an organizations defenses are