2023 Verizon DBIR: Phishing for Financial Gain
If threat actors had a motto, it would be, “If it ain’t broke, don’t fix it.”
The Verizon 2023 Data Breach Investigations Report (DBIR) shows us that if a threat actor finds an attack method that works, they’re going to use it over and over.
Attackers Do it for the Money
Verizon classifies incidents into patterns, such as denial of service (DoS), basic web application attacks, social engineering, and system intrusion. These four patterns account for the majority of incidents and breaches, while miscellaneous errors and stolen assets are less common. System intrusion accounted for roughly 40 percent of all breaches, and 80 percent of these intrusions involved ransomware.
Unsurprisingly, 95 percent of all reported attacks were perpetrated for financial gain. Verizon also notes that 24 percent of attacks were considered ransomware. That number is consistent with the previous year, and the report labels it statistically stable. In other words, when an organization encounters a breach, one time in four the goal is to hold something valuable for a hefty payout.
Social Engineering is on the Rise
Stolen credentials remained the most widely used method to gain access, representing nearly 49 percent of all reported breaches. To harvest credentials, attackers often rely on social engineering techniques, including phishing and pretexting.
Pretexting is most commonly used in business email compromise (BEC), and the frequency of these attacks nearly doubled year over year. Attackers—often imitating a CEO or high-ranking manager—employ different techniques to convince a victim to disclose sensitive data. For example, they typically apply a sense of urgency, or they may falsify authentic documents (like a petition or questionnaire) or hijack existing communications between an employee and a manager. If they don’t get what they want, they will quickly escalate the situation and threaten the targeted employee.
These attacks are extremely popular for a reason—they work. Verizon states that the median amount stolen through social engineering is now $50,000.
If it’s an Exploit, it’s Probably Log4j
It was surprising to see that vulnerabilities accounted for only five percent of all reported incidents. Of these attacks, a whopping 90 percent involved Log4j. The vulnerability was first announced in December 2021.
Verizon reports that over 32 percent of all Log4j scanning activity occurred in the first 30 days of its discovery, and the biggest spike in scanning activity hit within the first 17 days. Thanks to a quick patch response by the industry, many organizations were able to mitigate what could have been a major disaster. The report also notes that only about 20 percent of the organizations that contributed data to the 2023 Verizon Data Breach Investigations Report offered to name the specific exploit they encountered, so the fact that 90 percent of contributors referenced Log4j points to the vulnerability’s wide distribution.
The Network as the Definitive Source of Cybertruth
What the attack patterns and techniques covered in the Verizon Data Breach Investigations Report have in common is that they are all network detectable with Reveal(x). Reveal(x) performs continuous packet capture, stream reassembly, full protocol parsing, and decryption of all network traffic in the east-west corridor to provide organizations with 360-degree visibility into user and device activity across their network and to detect lateral movement, privilege escalation, and other post-compromise attack techniques.
Reveal(x) also automatically discovers and identifies all assets communicating across a network—whether they’re managed or unmanaged—as well as the protocols and ports they use to communicate. In addition, it leverages machine learning to baseline normal network behavior and detect deviations from it. By combining machine learning with real-time asset discovery, Reveal(x) can identify when threat actors may be using compromised credentials to access and use assets with malicious intent.
When you have complete visibility, patterns become easier to detect. No matter how inventive an attacker may become, they can’t outsmart the network.