What organizations can learn from the 2024 Verizon DBIR

The cyber threat landscape is in constant flux. That makes it difficult for security teams to understand what’s going on at any one time. Vendor reports offer snapshots of varying quality and granularity at different times of the year. Many are specific to particular attacks or threat groups, others are primarily focused on product-related issues, making year-on-year (YoY) comparisons challenging. That’s why security professionals rate Verizon’s Data Breach Investigations Report (DBIR) so highly. It provides a highly detailed, annual picture of the threat landscape – explaining which assets are most frequently targeted, why, how and by whom.

Despite much talk about the possible impact of AI on threat activity, this year was dominated by some familiar themes. Surging levels of exploitation – of both IT and human assets – have kept defenders on the back foot. They need both improved visibility and better control to mitigate such risks effectively.

Verizon DBIR 2024: 30,000+ breach investigations analyzed

Now in its 17th year, the 2024 DBIR was compiled from data breaches and incidents investigated by Verizon and partners. All these incidents were reviewed and converted into the Vocabulary for Event Recording and Incident Sharing (VERIS) framework. That helps to create a common, anonymous aggregate dataset which the report’s authors use to make sense of the chaotic world of cyber threats.

This year, the DBIR is based on analysis of 30,458 security incidents and 10,626 confirmed breaches during the period November 1, 2022, to October 31, 2023. So, what’s new? Three interlinked themes stand out.

1) Organizations are too slow to patch

We appear to be living through a new era of vulnerability exploitation. Granted, the data is skewed by the impact of the MOVEit campaign – a supply chain attack on popular file transfer software which led to the compromise of thousands of corporate customers and tens of millions of downstream victims. However, the DBIR notes a 180% increase in vulnerability exploitation as an initial access step for a data breach. The figure is almost triple that of last year’s report and is swelled in part by other ransomware-related bug exploits such as the zero-day attack that compromised Fortra’s GoAnywhere. It’s not all zero-day exploits either. Threat actors are increasingly quick to jump on recently disclosed vulnerabilities – such as attacks leveraging a bug in print management software PaperCut.

This is where defenders are struggling to keep up. Verizon’s analysis claims that it takes around 55 days to remediate half (50%) of the critical vulnerabilities listed on the Cybersecurity Infrastructure and Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, once patches are available.

The volume of CVEs is surging so fast that even NIST can’t keep up, as evidenced by recent challenges with its National Vulnerability Database (NVD). However, with the threat actors showing no signs of slowing down, security teams should focus on CISA KEV as a key resource to inform patching strategy. More importantly, they need better situational awareness to accelerate patching of high-risk vulnerabilities.

2) Humans are an increasingly targeted asset

The 2024 DBIR also reveals the growing cybersecurity challenge presented by the “human element.” It lists “person” as the second most popular asset type featuring in breaches – primarily due to the growth in extortion-based attacks like ransomware. People were targeted in nearly two-fifths of breaches last year, almost double the figure a year previously. Part of this is also down to social engineering – which, as we’ll discuss, remains a key weak link in the cybersecurity chain for many organizations.

Figure 3 Verizon DBIR 2024: Select key enumerations in data breaches.

Security teams need better insight into what their people are doing, what privileges they have, and how their identity and access management (IAM) controls are configured.

However, people weren’t the most targeted asset in breaches last year; the top spot continued to belong to servers – present in over 80%. Of these, web app and mail servers were most frequently targeted in incidents, which is no surprise considering they are the first target in credential theft breaches. Third place goes to file servers – explained once again by the MOVEit campaign.

3) Most breaches stem from employees

As mentioned, humans remain a top cause of data breaches. Most (68%) of the breaches analysed in the report involve a “non-malicious human element” such as social engineering or another kind of human error. Interestingly, pretexting now accounts for more social engineering incidents than phishing. This technique is heavily linked to business email compromise (BEC) attacks, which cost victims over $2.9B in 2023, according to the FBI.

This is not to underestimate the impact phishing continues to have on security posture. It’s why “credentials” continue to be the top “action” in breaches (24%). Credentials are accessed in half (50%) of social engineering attacks, according to Verizon.

Unfortunately, the insider threat remains a serious challenge for organizations. Although the report reveals that phishing awareness is improving‚— in that 20% of users identify and report scam emails in phishing simulations – in many ways it is not. The median time for users to fall for phishing emails is now less than 60 seconds. And the headline figure of 68% of breaches stemming from human error or social engineering has not moved in a year. In EMEA, half (49%) of breaches now originate with insiders rather than external threat actors.

More visibility, more context, more control

Organizations looking to mitigate the risks outlined in the DBIR 2024 need better insight into their assets, and the relationships and business context between these assets, to improve their security posture. For that, they need a system that extracts data from third-party security tools including vulnerability management and IAM, and combines it with other data sources like CISA KEV, and business context. That will provide the continuous insight which can subsequently be fed into workflows for automated and immediate remediation.

Whether it’s an unpatched server, or a human asset that has multi-factor authentication switched off – enterprises need the full picture to make better informed decisions on security posture. Discover how organizations can implement a continuous approach to threat and exposure management: How to Implement CTEM.