The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.
Despite all that, Verizon’s annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the “human element” still plays a central role in most security breaches, whether it’s through social engineering, bad decisions, or similar.
According to the US carrier’s 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.
In addition, 82 percent of security breaches involved human behavior due to stolen credentials, phishing, misuse, or error, the report found.
“If I had to sum up this year’s DBIR: the more things change, the more they stay the same,” Rick Holland, CISO and vice president of strategy at cybersecurity firm Digital Shadows, told The Register in an email.
“The use of stolen credentials, phishing, and vulnerabilities remains the top way threat actors gain initial access to organizations. Companies are spending billions of dollars on defense, yet these problems persist.”
The report, now in its 15th year, was based on 23,896 security incidents analyzed by Verizon researchers. Of those, 5,212 were confirmed intrusions.
The 107-page report touches on a range of areas in the cybersecurity space, though ransomware was again a key topic. Beyond that and human behavior again playing a key factor in most breaches, the researchers also noted that supply chains are a growing target for bad actors, including groups that are more interested in espionage rather than financial gain.
That was illustrated in 2020 by the SolarWinds fiasco masterminded by Russia-linked crew Nobelium, during which malicious code was slipped into a software update to open a backdoor in government agencies and companies. Leveraging a partner in a supply chain can be a force-multiplier for an attacker, who can use the access to that one company to compromise and infiltrate the IT environments of their partners.
“2021 illustrated how one key supply chain breach can lead to wide ranging consequences,” they wrote. “Supply chain was responsible for 62 percent of system intrusion incidents this year. Unlike a financially motivated actor, Nation-state threat actors may skip the breach and keep the access.”
The rise in ransomware shouldn’t surprise many in the industry. Governments have been putting pressure on ransomware gangs and urging organizations to protect themselves, while software developers continue to release products aimed at stemming the flow of and damage from such attacks. Still, the list of significant ransomware attacks continues to grow, as illustrated last year with those against high-profile corporations including Colonial Pipeline, meat processor JBS Foods, and software and services company Kaseya.
Ransomware by itself is really just a model of monetizing an organization’s access
In addition, the tactics are also evolving. Where once threat groups would use ransomware to encrypt a victim’s data and refuse to release the decryption keys unless the ransom was paid, they now are getting deeper into extortion. This includes exfiltrating the data and threatening to release it publicly, or wiping storage drives clean, unless demands are met, or going after a victim’s customers.
New game, old tricks
What isn’t so new are the ways ransomware gangs are gaining initial access into a corporate network, according to the Verizon researchers. These methods include stealing credentials, phishing, exploiting vulnerabilities, and using botnets, they wrote. Those same methods also tend to be the way in for cybercriminals looking to commit crimes other than extortion.
“It’s important to remember, ransomware by itself is really just a model of monetizing an organization’s access,” they wrote.
In addition, three-quarters of ransomware incidents involve an intrusion via either desktop-sharing software (at 40 percent) or email (35 percent), which continues to be a soft spot that bad actors exploit. The researchers wrote that “there are a variety of different tools the threat actor can use once they are inside your network, but locking down your external-facing infrastructure, especially RDP [remote desktop protocol] and emails, can go a long way toward protecting your organization against Ransomware.”
A common theme running throughout the report was the role of the human factor in breaches. Human behavior, aka the Layer Eight problem, continues to be a glaring weak spot in cybersecurity, with individuals letting crooks into their companies’ IT environment by falling for phishing scams, clicking on malicious documents or links that lead to malicious websites.
“The most important research by and for the cybersecurity industry is out and it feels like the movie ‘Groundog Day,’ where we are waking up to the same results year after year since the first report in 2008,” John Gunn, CEO of authentication specialist Token, told The Register in an email.
“Compromised user credentials and the ‘human element’ are still the direct cause of about 80 percent of breaches. We can collectively wake up from this problem by implementing more secure authentication and going passwordless. Biometric and wearable authentication is more secure and more convenient and would almost instantly mitigate a massive amount of cybersecurity vulnerability.”
The researchers wrote that “even when a breach is not directly caused by a person, the information systems were still built by people. Frankly, we’d rather have people solving the problems since asking the AI to do it sounds much trickier. Unfortunately, nothing is perfect. Not people, not processes, not tools, not systems. But, we can get better, both at what we do and what we build.”
Digital Shadows’ Holland agreed.
“Don’t discount security awareness training,” he said. “It is not uncommon for security practitioners to complain about and mock security awareness training. Security awareness training can be engaging and improve your security posture. Is security awareness going to stop all the attacks? Of course not, but even a modest improvement can reduce defenders’ detection and response burden.” ®