Key Findings from the Verizon 2023 Data Breach Investigations Report

The Verizon Data Breach Investigations Report (DBIR) is always eagerly awaited by security researchers, practitioners, and the broader cybersecurity community as it takes an in-depth look at security incidents across different threat actors, incident types and impacted industries, giving it an unrivaled depth and breadth. Now in its 16th year, the Verizon 2023 Data Breach Investigations Report analyzed incidents from November 1, 2021, to October 31, 2022.

This year’s report analyzed 16,321 security incidents, of which 5,199 were confirmed data breaches.

About the Research: The dataset is collected from a wide range of sources, including publicly disclosed incidents and the work done by the Verizon Threat Research Advisory Center (VTRAC). The team analyses the data based on their own VERIS Framework, which creates an anonymous aggregate dataset. The essential elements of VERIS are known as the ‘4As’: actor (who), action (how), asset (where) and attribute (what).

Top 5 Takeaways from the Verizon 2023 DBIR

1. The Growing Prevalence of Social Engineering and BEC Attacks

Business email compromise (BEC) attacks have nearly doubled in the past year, accounting for over 50% of incidents involving social engineering techniques. This rise is primarily due to the increasing use of pretexting, a deceptive tactic where attackers use false stories to trick victims into sharing sensitive information or enabling malware. Thread hijacking, a sub-type of pretexting, is becoming particularly notorious for its ability to leverage existing email threads for fraudulent activities.

2. The Significant Role of the Human Element in Data Breaches

The report reveals that human involvement is a contributing factor in 74% of all breaches. This includes errors, privileged access misuse, use of stolen credentials, and social engineering. External actors are responsible for 83% of breaches, while internal actors, including employees and third-party partners, account for 19%.

3. The Financial Motivation Behind Cyberattacks

Unsurprisingly, financial gain remains the primary motive behind cyberattacks, with organized crime groups responsible for over 70% of breaches. This continued trend emphasizes the need to protect valuable data, such as protected health information (PHI) and personally identifiable information (PII), from theft or loss.

4. The Increasing Use of Stolen Credentials

Stolen credentials are the most common attack method for breaches, and credential theft is rampant. To defend against this, organizations must implement solutions that can quickly baseline user behavior, understand context and content, and flag anomalous activity.

5. The Persistence of Privilege Misuse as a Top Internal Threat

Privilege misuse is the leading internal threat, often resulting from employees deliberately seeking employment with targeted organizations to steal data. To combat this, visibility into sensitive data access and the ability to recognize unusual behavior are crucial.

The Role of Assets in this Year’s DBIR

The concept of an asset is a critical part of the Verizon model, and the report defines them as ‘the entities that can be affected in an incident or breach and end up being manipulated by the threat actors for their nefarious goals’. This chart shows the type of assets most affected by breaches in 2023.

As the report notes, system intrusion, web application attacks and social engineering are some of the most common attack methods, so it is not surprising to see machines (servers and user devices) and people as the most exploited assets.

Source: Figure 11, Verizon DBIR 2023

The growth in BEC attacks and social engineering has made individual employees an important target for attackers, and it is important for security teams to be able to understand their level of access to business-critical systems or sensitive datasets. Attacks that take advantage of trusted insiders with privileged access and the correct credentials are some of the hardest to identify.

Security teams need to understand all assets that can be compromised, whether that is devices, servers, users and more, and whether that data is in the cloud or on-premises. What the Verizon DBIR provides is an unparalleled insight into what attackers have been targeting in the last 12 months, and the tactics they have used successfully.

How to Apply the Learnings

A significant update made in this year’s report is an improvement in the mapping between VERIS and the MITRE ATT&CK framework. This is potentially very interesting for security practitioners, as it can make this dataset more actionable. Many security tools, including the Noetic platform, can use MITRE ATT&CK techniques or mitigations to highlight potential security coverage gaps.

We have only scratched the surface of the findings in this year’s report. We would recommend a detailed review of the findings which look at different incident classification patterns and trends by industry sector. The authors have provided not only relevant MITRE ATT&CK techniques, but also CIS Controls for consideration to help security practitioners understand what steps they can take to mitigate the threats relevant to their organization.

One thing that is clear is that you can only protect the assets you know about, so having a clear understanding of your attack surface and potential exposure is key. That is where Noetic can help, by delivering a 360-degree view of all assets in the organization, their security posture, and the cyber relationships between them. To find out more about why this matters and how a Cyber Asset Attack Surface Management solution can help, check out our whitepaper: ‘Making the Case for CAASM’.