Ben Jones

Verizon DBIR 2022: Combating Criminal Efficiency

This week Verizon released its annual Data Breach Investigations Report (DBIR).

The DBIR

The Verizon DBIR analyzes cybersecurity incidents throughout the year to provide security professionals with a “data-driven, real-world view on what commonly befalls companies with regard to cybercrime”. This year, the researchers examined 23,896 security incidents, of which 5,212 were confirmed data breaches.

Perhaps the least surprising trend that was identified from Verizon’s analysis – although the one most picked up on by the media – is that ransomware attacks continued to increase, up 13 percent on the previous year.

Unfortunately, ransomware continues to grow as a tactic because it has proven to be a very effective way of extracting money from organizations. Over the past few years attackers have also moved beyond what was traditionally thought of as ransomware, i.e. encrypting data and holding it to ransom. Double extortion, where the criminals exfiltrate data before encrypting it and then demand payment both for the decryption key and for not publishing the stolen data, has become increasingly prevalent.

The rise of access brokers

However, as Verizon rightly points out, ransomware is just a method for monetizing the breach of an organization’s defenses; in years past other monetization methods, such as data theft, were in vogue. When we talk about defending against ransomware, then, what we are actually discussing is how to stop cybercriminals from gaining access to a business’ network and systems in the first place.

Verizon identifies four “key paths” into an organization’s estate: credentials, phishing, exploiting vulnerabilities and botnets. Blocking these paths has become especially important as cybercrime has professionalized, with the criminals who obtain initial access selling it online for others to exploit.

These “access brokers” sell on the foothold they have within an organization, whether it be stolen credentials or an unpatched vulnerability, without having to take any of the risk of the follow-on attack themselves. At the same time, they make defense much harder, because the same foothold may be shared with several adversaries at once.

The supply chain exploited

Vulnerabilities in the supply chain are a particularly popular path of attack. According to the DBIR, the supply chain was the entry point for an astonishing 62 percent of system intrusion incidents in this year’s data set, which highlights the risk inherent in modern enterprise infrastructure: a complicated web of vendors, partners and third parties. Verizon describes how threat actors favor supply chain breaches because they act as a “force multiplier, enabling them to breach upstream organizations and service providers before using the access and information they’ve gained to break into the systems of downstream organizations.”

Again, from the perspective of cybercriminals looking for the highest yield, this makes perfect sense. One foothold in a supply chain company is an ongoing source of revenue, as the criminals reuse the same vulnerability or access to exploit or extort multiple downstream organizations. As the report succinctly puts it, “breaches beget breaches”.

Identifying early warning signs

Businesses that want to combat the cybercriminals selling access to their systems, or that are worried by the rising trend of ransomware, should not wait until they have been breached for their defenses to spring into action. The findings of this report and the incidents of the last year show just how ineffective that approach is. Instead, they have to find the cybercriminals where they operate: on the deep and dark web.

They should be actively monitoring the dark web for stolen staff credentials and for chatter about vulnerabilities in their systems, so they can act before an attack happens. Monitoring phishing sites, and looking for dark web clients such as Tor inside the organization, will also help them identify when and where they may be exposed. Ultimately, there are very few good reasons for dark web traffic to be going to or from your network, so gaining visibility into this activity can have a huge impact on closing off access to criminals before they execute their attack.
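One way to get that visibility is to match network connection records against the current list of Tor relays: an internal host initiating connections to relays is a probable Tor client, and a connection arriving from a Tor exit is the “from your network” case. The example below is added here and is not code from the original post or from Verizon; it uses constructed Zeek-style conn.log records, a constructed relay list built from RFC 5737 documentation addresses, and an assumed internal range of 10.20.0.0/16. A real deployment would refresh the relay list from the Tor directory consensus on a schedule, since relays churn daily.

```python
"""Flag connections between an internal network and known Tor relays.

Added example, not code from the original post. Relay list, exit list and
log records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed relay list (RFC 5737 documentation addresses stand in for real
# relay IPs). Refresh this from the Tor directory consensus in production.
TOR_RELAYS = {"198.51.100.7", "198.51.100.42", "203.0.113.9"}
# Constructed: the subset of relays that permit exit traffic. Connections
# that Tor users make to your perimeter arrive from these addresses.
TOR_EXITS = {"203.0.113.9"}

# Assumed internal address range for the example.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")

# Constructed conn.log records, tab-separated:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1654000001.1\tCabc1\t10.20.1.15\t51234\t192.0.2.80\t443\ttcp\tssl
1654000002.2\tCabc2\t10.20.1.15\t51240\t198.51.100.7\t9001\ttcp\tssl
1654000003.3\tCabc3\t10.20.1.22\t51300\t198.51.100.42\t443\ttcp\tssl
1654000004.4\tCabc4\t203.0.113.9\t40000\t10.20.0.5\t22\ttcp\tssh
1654000005.5\tCabc5\t10.20.1.30\t51400\t192.0.2.53\t53\tudp\tdns
"""


@dataclass(frozen=True)
class Finding:
    uid: str
    direction: str      # "outbound": internal host reached a relay
                        # "inbound": a Tor exit reached an internal host
    internal_host: str
    relay: str
    resp_port: int


def parse_conn(line: str):
    """Return the fields we need from one conn.log record, or None for
    blank lines and Zeek header lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 8:
        return None
    return {"uid": f[1], "orig_h": f[2], "resp_h": f[4], "resp_p": int(f[5])}


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def find_tor_contacts(log_text: str, relays=TOR_RELAYS, exits=TOR_EXITS):
    """Scan conn.log text and return every connection that touches Tor,
    in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if rec is None:
            continue
        orig, resp = rec["orig_h"], rec["resp_h"]
        if is_internal(orig) and resp in relays:
            findings.append(Finding(rec["uid"], "outbound", orig, resp, rec["resp_p"]))
        elif is_internal(resp) and orig in exits:
            findings.append(Finding(rec["uid"], "inbound", resp, orig, rec["resp_p"]))
    return findings


def hosts_talking_to_tor(findings):
    """Internal hosts that initiated connections to relays: the likely
    Tor clients to triage first."""
    return sorted({f.internal_host for f in findings if f.direction == "outbound"})


if __name__ == "__main__":
    hits = find_tor_contacts(SAMPLE_LOG)
    for h in hits:
        print(f"{h.uid} {h.direction:8} {h.internal_host} <-> {h.relay}:{h.resp_port}")
    print("hosts to triage:", hosts_talking_to_tor(hits))
```

On the sample data this flags two internal hosts reaching relays (one on the default ORPort 9001, one on 443, which is why port alone is not a usable signal) and one inbound SSH attempt from an exit. Treat matches as leads rather than verdicts: a relay IP can also host unrelated services, and clients using bridges or pluggable transports never touch a published relay address, so this check catches the common case, not every case.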

Importantly, dark web monitoring can also be carried out for an organization’s supply chain, entirely remotely and without installing an agent on the partner’s systems. Managing supply chain security is an issue most companies have not been able to get their heads around, and this is a simple way not just to test whether partners and third parties are compliant (which you should still be doing) but to see whether they are currently exposed to attack, and consequently leaving you at risk as well.

Combatting criminal efficiency

Commenting on the findings of the report, Gabriel Bassett, senior Information Security Data Scientist on the Verizon Security Research Team, made the important point that attackers have developed “repeatable processes for all of these methods of access”, becoming “efficient in these attacks so we have to be efficient in our defenses.”

Identifying the early warning signs of an attack through dark web intelligence is one of the most efficient ways an organization can protect itself, and far more effective than waiting until criminals have already gained, or bought, access to its systems.