The 2023 Verizon Data Breach Investigations Report was published this week. The DBIR — in its 16th year — analyzed 16,312 security incidents (of which 5,199 were confirmed data breaches) taking place between November 1, 2021 and October 31, 2022. In this post, we'll look at five takeaways.
1. Ransomware hasn't reached its full potential
"That almost a quarter of breaches involve a Ransomware step continues to be a staggering result. However, we had been anticipating that Ransomware would soon be hitting its theoretical ceiling, by which we mean that all the incidents that could have Ransomware, would have. Ransomware is present today in more than 62% of all incidents committed by Organized crime actors and in 59% of all incidents with a Financial motivation, so sadly there is still some room for growth."
The authors of the DBIR note the expectation that ransomware would have hit its theoretical ceiling, but not so fast ... the conclusion: ransomware will get worse. A few other ransomware facts from the 2023 DBIR:
- Overall costs of recovering from a ransomware incident are increasing even as the ransom amounts are lower.
- This suggests that the overall size of ransomware victims is trending down.
- While FBI data found that only 7% of ransomware incidents had a loss, the calculated median loss more than doubled to $26,000 and the 95% range of losses expanded to between $1 and $2.25 million.
2. Social engineering breaches nearly double
Social Engineering incidents have increased from the previous year largely due to the use of Pretexting, which is commonly used in BEC, almost doubling since last year. Compounding the frequency of these attacks, the median amount stolen from these attacks has also increased over the last couple of years to $50,000.
Social engineering incidents have nearly doubled, now accounting for 17% of all breaches. The DBIR found:
- The median amount stolen from social engineering attacks is $50,000.
- The most common attack vector for social engineering is email, with BEC nearly doubling since the previous year.
- Attack type doesn't have an impact on click/open rates for BEC attempts, as the median fail rates for both attachment and link campaigns are 4% and 4.7% respectively.
3. DDoS tops list of attack patterns
As Denial of Service continues to dominate our incidents, so do the capabilities of mitigation services. However, there has been a resurgence of low volume attacks that still cause issues to corporations.
Denial of Service attacks continue to rise, cited in 6,248 incidents with median bits per second growing 57% from 1.4 gigabytes per second last year to 2.2 Gbps. Another point from the report:
A point of attention that some of our partners brought to us was the growth of distributed DNS Water Torture46 attacks in, you guessed it, shared DNS infrastructure. It is basically a resource exhaustion attack done by querying random name prefixes on the DNS cache server so it always misses and forwards it to the authoritative server. It is quite silly when you think of it, but it can be a heavy burden with some simple coordination by the threat actors’-controlled devices.
4. Asset trends in the DBIR
We can see a small fluctuation on the top three, as slightly less Servers were affected and slightly more User devices, but this order has held true for at least a couple of years, ever since Person overtook the second spot.
Breaking down asset varieties involved in breaches, the order is:
- Web applications — outlining the importance of SaaS Management
- Mail servers
- User desktops or laptops
- Person - Finance — Likely related to social engineering
- User laptop
In its section on Lost and Stolen Assets, the DBIR looks at employees losing and misplacing devices. From the report:
This is a pattern where we see a high percentage of incidents not resulting in confirmed data breaches—largely because the status of confidentiality disclosure remains “at-risk” rather than “confirmed” due to the loss of custody of the asset in question. The exception is printed material, since no controls exist to shield documents from view once printed. Similar to last year, we again have less than 10% of the incidents as confirmed data breaches.
5. The DBIR is legitimately funny
It would be easy to assume an 89-page report on data breaches would be dry and boring. Not true. The writing in the DBIR is full of puns, levity, and even a few pop culture references. A sample:
- "47 Legal made us say that; of course, you should totally ridicule your [fren]emies in other industries."
- "44 Be sure to discuss this at parties. You’ll be wildly popular."
- On DDoS "We are going to need a bigger pipe."
There are several more Easter eggs throughout, including two good GPT-4 references. You'll have to find those yourself.
