The Biggest Takeaway from the 2022 Verizon DBIR

The annual Verizon Data Breach Investigations Report (DBIR) contains several useful security insights. Reflecting on another year where cybersecurity attacks have frequently starred in news headlines, the 2022 DBIR confirms a lot of what professionals already know: cyber attacks continue to increase in frequency, and organizations of all sizes need to bolster their defensive postures in order to stay safe. 

But there are a couple of key takeaways from the report. Compromised credentials are still a main area of concern in the report, and the impact grows as both ransomware and supply chain attacks impact every industry. 

[Putting aside the outlying data from the Solar Winds breach, Desktop Sharing Software (DSS) is the most popular vector for ransomware. Notably, the use of stolen credentials occurred in nearly all of the DSS attacks – another indicator at the root entry points for many system intrusions.]

What are the Big Takeaways? 

  1. The Still-Growing Concern of Stolen Credentials

“There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years”. (37) 

The credential crisis features heavily in the 2022 DBIR, most notably because so few solutions have been widely adopted to combat the issues. Whether organizations have internalized the vulnerability or not, it is still being widely exploited by cybercriminals on a mass scale. 

It will surprise no one that the main motivator for threat actors continues to be financial gain, present in 96% of breach incidents this year. The links between stolen credentials and financial leverage are easy to trace. Cybercriminals often obtain credentials and use them to apply for credit cards or government benefits, but they also further exploit them by using them as entry points for other personal and professional accounts–from streaming services to social media. 

Stolen credentials can also be leveraged in other directions, including phishing scams (where the seemingly legitimate credential fools the victim), and fraud cases like stolen social accounts, infiltrated home security, and identity theft. 

While the stolen credentials often aren’t the end goal themselves, access to Personally Identifiable Information (PII) and to financial gain are. 

  1. The Entry Point for Ransomware Attacks…(compromised credentials)

This year, the Verizon DBIR indicates that System Intrusion has become the frontrunner of incident categories, a slight change from last year, when Basic Web Application Attacks were at the top. A system intrusion refers to any unauthorized activity within the digital system. Broadly speaking, system intrusions usually involve attempts to steal network resources. In the DBIR, delivery of ransomware is classified as a type of System Intrusion, which also includes the delivery of other kinds of malware (e.g. stealers), exfiltrating data, and gaining shell access to a machine. 

Over the past year, ransomware attacks have increased by almost 13%, a rise as big as the last five years combined. It’s important to remember that ransomware, by itself, is less a vector and more a way of a nefarious organization monetizing existing access to your system. Blocking the key pathways to access is the more effective way of protecting a company from ransomware invading your network–and of those key paths (credentials, phishing, exploiting vulnerabilities, and botnets), credentials are by far the most utilized, and dangerous. 

The fact that so many attack vectors stem directly from compromised credentials underscores the overarching need to lock down password security. 

In fact, the DBIR notes that the data “demonstrates the importance of proper password protection since over 80% of the breaches in [Basic Web Application Attacks] can be attributed to stolen credentials.” 

While it’s likely that both the warnings and statistics come across as broken records to some, it’s not clear that the message from previous reports have really sunk in. And as Santayana tells us… “those who do not learn from history are doomed to repeat it.” Since 2009, poor password practices have shown themselves to be one the leading causes of data breaches.

What You Can Do To Protect Your Data, and Your Organization

To Protect Credentials: 
Continuous credential monitoring is a crucial part of defense against RDP compromise, ransomware, and web application attacks. It’s no longer sufficient to have a static blacklist of a couple million passwords–these days, an organization needs to monitor passwords at the moment of creation and on an ongoing basis, and check them against an ever-updated, dynamic password list. 

Sources for stolen credential data remain various and sometimes unreliable on the individual level, but overall the collection of novel stolen credentials remains high. Continuing to leverage automated collection systems will be integral, as well as closely monitoring threat actor behavior to rapidly adapt when sources change.

Monitoring other types of compromised personal data may provide additional support against phishing attacks, and for detecting fraud itself.

And to Protect PII: 
For cybersecurity analysts, moving into PII monitoring will greatly expand the net cast for data in general, and the sources we can leverage. One under-explored source is the enormous body of data exfiltrated from ransomware attacks and published on the darkweb.
Based on the landscape described in the DBIR, monitoring PII will be highly relevant to helping customers prevent fraud in the near future.

(Don’t know where to start? Try an audit to see just how big the problem might be.) 

Conclusions 

From wide-scale breaches that make top headlines, to ransomware attacks on small businesses that go under the radar, the human element remains a root cause of many security issues. According to the DBIR this year 82% of breaches involved the human element, whether it is the “use of stolen credentials, phishing, misuse, or simply an error.” 

Business owners and decision makers in many roles must accept this, and adapt quickly to improve their security posture with the knowledge that user habit is the aspect of security most out of our control. 

Cybersecurity professionals must also remind themselves to expect that threat actors will always take the past of least resistance. It may be tempting to focus on patching vulnerabilities, upgrading software, and integrating complex AI monitoring systems, but none of that will matter if threat actors can gain access by simply guessing a password.  

Act now to shore up your password policies and start scanning for compromised credentials, to keep you, and your organization, safe. 

Let’s briefly compare some highlights from the previous years DBIR to this years: 

2021 vs 2022

Data Point20212022
Use of Stolen Credentials Over 80% of ‘hacking’ incidents involved stolen credentialsWithin Web Application attacks, 80% involved stolen credentials. 
Types of most frequently compromised data in cyber incidents Credentials: ~ 59%
Personal Data (including SSNs, addresses, insurance information): ~ 45%
Credentials: ~ 67%
Personal Data: ~ 69%