Verizon DBIR 2022: What’s Worth Acting On?

When I was a corporate employee responsible for security strategy, I looked forward to the Verizon Data Breach Investigations Report every spring, as it was an essential tool to validate my strategy and investments. Often, the report’s insights on the latest trends and attacker actions provided guidance on where to deploy resources, which helped improve our effectiveness.

In reviewing the latest findings from the DBIR 2022, these are the headlines worth acting on.

The Barrier to Entry is Lower Than Ever for Attackers

Credentials are cybercriminal actors’ favorite data type because they are so useful for masquerading as legitimate users on the system. As dark web marketplaces mature and credentials are bought and sold, the barrier to entry for attackers is increasingly low. Add the spread of SaaS applications and the dependence on identity as the new perimeter, and defenders face a more challenging environment than ever.

If you have a portal, website or any web-based application that is internet-connected and requires authentication, protect the authentication mechanism—use CAPTCHA, require multifactor authentication and attempt to rate-limit logins.

One in Four Attacks are Ransomware-Related

The effects of ransomware have nearly doubled year-over-year, now accounting for 25% of the negative business impacts of breaches. This isn’t news. Cyberinsurance companies have known this for some time and have adjusted their policies accordingly. Many are increasing premiums significantly and some are even including special carveouts—ransomware coinsurance—requiring the organization to pay a portion of the ransom.

Although the market is responding, companies are often slow to develop or test processes for ransomware response. Now is the time to start. Review your backup controls, technology and recoverability. Review your email filtering technology’s effectiveness and your endpoints’ ability to detect and respond to ransomware.

Because ransomware is primarily deployed through phishing attacks or stolen credentials, you should also look to improve email filtering. Improve credential protections, deploy multifactor authentication everywhere and take advantage of conditional access.

Supply Chain: A Force Multiplier for Attackers

If an attacker can successfully target a service provider, the downstream impacts may be very significant on partner organizations. In fact, partners are now involved in 39% of the breaches.

Surprising? Unlikely. From the attacker’s perspective, why go after a mature, well-funded organization when I can breach a smaller organization that works within the security boundaries of that larger organization? The smaller supply chain partner may have credentials or, as a trusted partner, may allow for access to spread ransomware, command-and-control or simple wire fraud.

Every business in every industry has supply chain risk, whether we acknowledge it or not. When evaluating supply chain partners and various service providers, don’t forget to also evaluate their security program and be wary of any red flags.

Where Should You Focus?

  • For most industries and organizations: Focus on preventing basic web application attacks, system intrusion and social engineering.
  • For larger organizations: Do all the above, then add denial-of-service (DoS) to the list.
  • For mature organizations already doing the fundamentals: Develop an insider threat program. Breaches that have an insider element have a tenfold increase in compromised records and can do more damage than external threat actors.

All in all, analyze the data from the report, review your capabilities and invest in areas that will reduce risk—whether it be people, process or technology.

Christopher Prewitt

Christopher Prewitt is CTO at MRK Technologies.