EPISODE 142
The 2023 Verizon Data Breach Investigations Report (DBIR) Part 1



About this episode

October 10, 2023

Have you read the Verizon DBIR report for 2023? Find out what it contains in the first of two episodes on this extremely useful report with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 3: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: Kip, what are we going to talk about today on episode 142 of the Cyber Risk Management podcast?

Kip Boyle: This is the episode I wait all year for, and I've heard some feedback from our audience that they really enjoy this one too. Today we're going to begin our traditional Verizon Data Breach Investigations Report episodes. This is where Kip and Jake read the report, the annual report that's released. We're going to look at the 2023 edition and we're going to tell you the high points, whether you've read the report or not already. We are going to share with you what's standing out for us.

Jake Bernstein: And of course we will include our traditional commentary and witty banter.

Kip Boyle: Yes. Yes, much witty banter and thank you for the script of witty banter that I have in my hands right now. That's great. Okay, so what are we going to do this year? We are going to really pay attention to the fact that they're refocusing on the core breach data set, and we're going to do this over two episodes just as we've done in the past, because why? The report is just so rich, it's just so much and we don't want to produce a 90 minute single episode in order to be able to get through it all. That said, the report is a little shorter this year, but it's still very rich. Today we're going to look at the overall findings and then in the next episode we're going to look at how various industries are doing. This is one of the things I love about this report: your experience will vary depending on what industry you're in. We're going to take a look at that too.

Jake Bernstein: We will. And I didn't put it here, but in addition to industries, it's also going to take a look at the incident classification patterns because believe it or not, we only managed to get through chapters one and two in this first episode, but that's just because there's so much to look at.

Kip Boyle: Yeah. It's great. And by the way, if anybody wants to know how does the DBIR get made, we actually had some episodes a while ago where we interviewed the people who make the DBIR. If you want to go back into our catalog, I'll put those links in so you can go back if you want and learn how they actually make the sausage.

Jake Bernstein: Indeed. And I'm going to start with a few reminders. So the 2022... Sorry, the 2023 DBIR deals with data collected between November 1st, 2021 and October 31st, 2022. Remember, there's always that shift, right? They have to actually have the time to analyze the data. It's exactly a one year shift from last year, but that's how it works. So it's always a November to October and it takes them six months to generate the report.

Kip Boyle: Right. Which you'll learn if you listen to those episodes that I've mentioned.

Jake Bernstein: You will. Exactly. That's no big deal. Now, there is a sacred tradition that I must continue because it is so critically important. I want to draw special attention again to how the DBIR handles incident versus breach. Key definition, as you know, not just for the DBIR, but for all cybersecurity discussions. To recap, as usual, an incident is a security event that compromises the integrity, confidentiality, or availability of an information asset. And a breach is an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. But I do want to say something that's new this year, which they point out, and I thought it was worth putting in this episode, which is don't make the mistake of assuming that incidents aren't as important or not as interesting as breaches. Because for example, this definition means that a distributed denial of service attack, a DDoS attack, is almost always an incident.

It's almost never a breach just by its nature. But as anyone who has fought a DDoS attack knows, they can be very serious and cause a lot of damage. Please don't make the mistake of thinking that incidents mean no big deal and it's only the breaches that are bad. I would actually say that almost every incident that makes it to the DBIR is something that you probably don't want to have to live through on a regular basis. So yeah, that's kind of my opening for this part. All right, Kip, I believe we have a quote from... Or a potential quote from a famous man. Go ahead. It's always entertaining how the DBIR does this.

Kip Boyle: Right. So if you've never read an edition of the DBIR, there's a certain amount of tongue in cheek that goes on.

Jake Bernstein: You should, because it's great stuff. While Kip-

Kip Boyle: There's a lot of cheek, there's a lot of cheek in this report.

Jake Bernstein: Yeah.

Kip Boyle: Whether there's a tongue in it or not. Yeah, so they kind of kick it off with a quote from Sir Winston Churchill and he says, "Success is stumbling from failure to failure with no loss of enthusiasm." And I love that quote. That's kind of like just a typical day for me, whether I get to success or not is a completely different story. But now the report kind of riffs off that and says that stumbling from failure to failure with no loss of enthusiasm is the roadmap to cybersecurity, if not life in general. And so that's the theme this year. We're going to look at... Or the report does, and we will look at when defenses failed and what we can learn from those failures, which is one of the reasons why I agree with you, Jake, that incidents are very important for no other reason than to advance our learning.

Jake Bernstein: Yeah. And before we dive into all the findings, we've never really focused on it, but it's worth pointing out something that is interesting this year is that the VERIS framework, which, and VERIS, I don't remember the acronym, but it's what Verizon uses to categorize and classify and really analyze all of these incidents. But that framework has now been mapped to the meter attack framework or series of categorization, whatever it is. I think we just call it meter attack. Oh, MITRE, not meter. MITRE.

Kip Boyle: Yeah, we don't do metrics in this country.

Jake Bernstein: No. That's right. That's right. Okay. If you like that sort of thing though, the links to the way that that is all mapped out are on page seven of the report. All right, so numbers, this is always fun. 16,312 security incidents with 5,199 confirmed data breaches. This follows the trend from last year. The percentage of confirmed breaches as a total compared to the total security incidents analyzed continues to go up. And I think that is, it's hard to say why that is. It could just be that the data... There's no way of telling, right? The data could be better, it could be self-selecting. It is what it is.

Kip Boyle: Or the attackers could genuinely be getting better at compromising.

Jake Bernstein: That's true. It's true. Okay, shall we dive into the findings?

Kip Boyle: Well, I do want to dive in, but first I want to say that VERIS stands for the Vocabulary for Event Recording and Incident Sharing. And that's an entirely academic breakdown of that acronym because I think most people aren't depending on that vocabulary for their daily work. But you said it, so I just thought I would break it down. Okay. Hold on just a second.

Jake Bernstein: For those unable to see. Yeah.

Kip Boyle: Thank God I have a cough button.

Jake Bernstein: Yes, it's a cough button kind of day.

Kip Boyle: Yeah, something's tickling my throat. I don't know, maybe I'm just too excited. All right, so let's dive into the findings. Now, the DBIR always starts with the summary of their findings across the board. So here's a question for you, Jake. If I asked you to guess whether the classic business email compromise is still a big deal, imagining that you didn't actually write this script, what would you say?

Jake Bernstein: Well, I would say that classics are a classic. Classics are classics for a reason, but I don't think I could tell you anything statistically valid. And I would probably also think that they're not that... I mean, it's hard for me to imagine how often people fall for these. I would hope the number is going down, but the fact that you asked me this and that I wrote the script leads me to believe otherwise.

Kip Boyle: Yeah, that's correct. Business email compromise represents more than 50% of the incidents that fit the social engineering pattern. And not only that, but business email compromise almost doubled across Verizon's entire dataset. And what does this tell us? Well, the people who attack us are going to use what works and social engineering continues to work. Why? Because mostly it's not messing with technology, it's hijacking our primitive lizard brain. The amygdala, the center of our emotions. And so it turns out we're triggered very easily and for as long as it continues to work, they'll continue to use it to steal money.

Jake Bernstein: And I think it will. I don't think it'll ever stop working. And the simple reason is that, what do they say? A sucker's born every minute. But the reality is that this is just a part of the human condition: we can be tricked. That doesn't a complete... That doesn't mean that anyone should give up, it just means that the focus really always needs to be on the risks that are most common. And not to lose sight of how often social engineering does come into play.

Kip Boyle: But there's ways of dealing with this. And we've done episodes in the past where we have focused specifically on the dangers of phishing and how to counteract it. I'll put some links in the show notes in case anybody wants to go back and listen to those episodes because like we say, this is not going to go away anytime soon. For those of us who are defenders, we really need to start understanding how to prepare our folks for the fact that our amygdala is getting tickled.

Jake Bernstein: And I mean, the graph on page eight of the DBIR has Figure 5, pretexting incidents over time. It's super fascinating. Back in 2016, it represented, gosh, what is that? Less than half a percent of all these, all pretexting incidents or all the incidents. And now in 2023, it's over 4%. Now keep in mind that's across all incidents, but that is a huge growth in this variety. Let's look at some additional key figures for the summary. First, here's one. 74% of all breaches involve the human element via error, privilege misuse, the use of stolen credentials or social engineering. And look, I think what does this say? Nearly three quarters of all breaches are not necessarily about a technology failure. And I'm about to use-

Kip Boyle: Right. It's either people behaving badly, you've got an insider threat, or they're being manipulated by somebody who's behaving badly, which is what a business email compromise and a phishing attack are. And I mean, you're just manipulating people who have the privileges into making them do things that you know what, on a good day they'd never do them.

Jake Bernstein: Yep. And look, I'm not saying that you shouldn't invest in the latest, please save us as a service offering, which I think is hilarious. I did not come up with that. That's from the report. Please save us as a service.

Kip Boyle: Tongue in cheek.

Jake Bernstein: But I am saying that technology alone is never enough. And I think that's something we say a lot, right, Kip?

Kip Boyle: Yeah, we do because we have the data to justify saying it.

Jake Bernstein: It's true. Okay, so 83% of breaches involve external actors. This number continues to creep up. We'll get into a bit of detail on this, but if anyone is thinking somehow inside or internal actors are increasing versus external, and by the way, I'm not saying that you can't worry about internal, this is just as a percentage of the total. And all it really does is show that external actors are really driven. And it's 95% now by financial motivation. And also keep in mind that this still always means that 17%, almost 20%, almost one in five breaches did not involve external actors. That's a significant figure that will be worth diving into.

And then the last kind of main summary here is that the three primary ways that attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities. But there are some huge gaps here. Stolen creds were used nearly 50% of the time while an exploited vulnerability was used maybe 10% of the time. And my point here is I feel like still to this day, so many security teams, or maybe not even security teams, but leadership and particularly IT focuses so much on stopping those vulnerabilities from being exploited, which is kind of a technological problem. But look at the numbers. The use of stolen creds is five times the amount of exploited vulnerability, so keep that in mind.

Kip Boyle: Well, one of the things that I've experienced over the course of my career is among IT professionals, there's a certain... The word I always want to use is contempt towards the people who use the technology. There's like how could they fall for that? Or God, they're idiots or whatever. And I've never... Whether that's objectively true or not, that attitude is actually getting in our own way. We're actually our worst enemy here because we really need to realize that these phishing attacks, these social engineering attacks just keep getting better and better and better. And I defy anybody who thinks they're an expert to be tested to identify random phishing attacks.

I mean, some of the stuff I get is bald-faced obvious, but the business email compromise stuff doesn't tend to be very obvious. I guess what I'm saying here is we need to accept the fact that people, even intelligent, well-skilled people, are getting exploited and we need to treat it as a real thing. We can't just chalk it up to stupidity and shake our head and walk the other direction.

Jake Bernstein: True.

Kip Boyle: That's not going to get us where we want to go. Okay. I'm sorry I cut you off. Were you done?

Jake Bernstein: I am done. It's your turn.

Kip Boyle: Oh good. Okay. Continuing with examining the overall themes, ransomware, it's very interesting to follow the news stories on ransomware and to try to figure out whether people think it's coming or going up, going down. But I love being able to come back to the DBIR because it's all data-driven, right? It's not perception driven. And guess what? Ransomware is not slowing down. Now, it's not growing either, but it continues to be one of the top action types involved with breaches, and it remains steady at 24% of all breaches and it's ubiquitous. You'll find when we go into the next episode and we're looking at different industries and so forth, you're going to see that it's really everywhere. It's pervasive. And therefore everybody, no matter what your industry, no matter how large or small your organization is, ransomware continues to be an issue. And I think in the next edition of the DBIR, we're going to start seeing data around just pure extortion because one of the things that seems to be happening is that why do I have to encrypt your data when I can just steal a copy of it and just extort you over the fact that if you don't pay me, I'm going to release it. I think we're going to see next year that that's becoming a thing.

Now, the dataset also includes the Log4j event, and there's some good data in here on that. More than 32% of all Log4j scanning activity happened within 30 days of its release. And the biggest spike happened within 17 days of its release. And that continues to remind us that once a vulnerability becomes publicly known, the race is on to exploit it before it gets patched. And so there still is a desperate need to patch vulnerabilities, even though the report says it's not a top source of breaches, stay on top of it.

Jake Bernstein: We'll get into why that was, but I think it's worth pointing out that Log4j was on top of everyone's mind so much so that in the 20.6% of incidents, which is still thousands, that included comments, 90% of them with exploit vulnerability as an action included the phrase Log4j or its CVE, CVE-2021-44228. And that's fascinating because this was, spoiler alert, I'm going to spoil my own script. The industry did pretty well with Log4j and that's one of the takeaways is that if it looks like it wasn't that big a deal, it is in large part because it was so much on everyone's mind and everyone did spend their Christmas getting it fixed.

And we'll get into that. It is now time to dive into their results and analysis. And this is, it's only about, gosh, 10 pages of the report, but we're going to spend the rest of the episode on these 10 pages.

Kip Boyle: It's so rich, there's just so much there.

Jake Bernstein: It's so rich. I'm going to start off by something that just amazes me, which is as of this year, the dataset, the total dataset contains 953,894 incidents with 254,968 confirmed breaches. They are indeed approaching one million incidents to be analyzed, which I think is depressing, but also impressive.

Kip Boyle: Right? It's depressingly impressive.

Jake Bernstein: It is. Here we go. As a reminder, the four VERIS categories, the core categories are the four A's. Actor, action, asset and attribute, which corresponds to who, how, where, and what. And the DBIR doesn't consider an incident to be "complete" without all four of those, even if we don't necessarily know the answer to, for example, who or anything like that. The DBIR, consistent with their refocusing on core data, does include a few more details about their categories and you can see them in the report and we'll bring them up if and when it's helpful.

Kip Boyle: Yeah. Okay, so let's consider actors. The percentage of external actors and breaches just continues to go up. Last year it was 80%. This year it's now 83%. And usually external actors are what we would call criminal groups. Some of them are lone hackers like Mr. Robot or whatever. They could also be former employees. They can be nation states, government entities that are attacking, but it can also include things that are a bit more traditional. In my work, I remember 20 years ago, we were also probably more preoccupied with acts of God. Hurricanes, natural disasters, that sort of thing, mother nature, just throwing a wrench into our day. And then also random chance. Sometimes things just fail and often it's the stuff that you thought would never fail.

Okay. An important point here to realize is that no trust or privileges is implied for external entities. They really are external and they've got to be able to somehow reach in and manipulate our infrastructure. Now, internal actors include employees, independent contractors, interns, and really any other staff. Insiders are trusted and privileged at some degree or another. And if you're following the least privilege principle, then most of your folks are not going to be running as admin as they do their work throughout the day. And that's going to help protect you. Now, we're also seeing a small percentage of actors which would be categorized as partners, and this includes any third party sharing through a business relationship with the victim organization.

Suppliers, vendors, hosting providers, outsourced IT support. These are all good examples. And also there's some level of trust and privilege going on here. They may not have full connectivity to their customers, but they're going to have some amount. And often enough, I mean, we can go back to the Target data breach and we can see that the credentials of an HVAC outsider was enough to start a multi-million dollar debacle. One thing to remember is that partner is the only actor where the incident is initiated by the partner. If the partner is a vector, then that falls elsewhere in the report. They're splitting hairs, but it's for a reason.

Jake Bernstein: And I mean, just to be clear, so the Target data breach, that's an example of where the partner was a vector. This is really a situation where the actor is... I'm sorry. The partner is the bad actor. It's rare, but there's still a green line there, which means it's not totally impossible, which is a little distressing to be honest.

Kip Boyle: Yeah.

Jake Bernstein: Okay. We already know it hasn't changed, but the main motivation is, the main motivation of these actors is financial. And really it is just under 95% of breaches were motivated by financial gain and involved organized crime.

Kip Boyle: That is in the report on page 13, I mean, it's just a glance at the page, it's so obvious.

Jake Bernstein: And it's nearly a 10% jump over last year's stats. Now, I think something that they point out is interesting, and I'm not entirely sure what to make of it, but the end user threat actor variety showed up almost twice as often as a nation state or state affiliated actor. This is consistent with the fact that financial motivation is so much more... Espionage is the second highest, but it's at, I don't know, Kip, maybe that's five to 8% and it's a fraction. And so even if espionage-related attacks are thought to be going up anecdotally, it really, it's not enough to affect the stats.

Kip Boyle: Yeah, I mean, just because we talk about it a lot doesn't mean that it's actually supported by the data is happening a lot and it's not. But isn't that true for most news? I mean, we're really focusing on the exceptional and the things that don't happen very often.

Jake Bernstein: Indeed.

Kip Boyle: That are quite sensational. That's enough on actors. Now, let's take a look at actions. Now, this is one of the most helpful parts of the DBIR because it tells you what the bad guys and girls are actually doing in these incidents and breaches, and that gives us some valuable insights into what we should be doing as defenders. And so you can take measures to try and stop them or slow them down, discourage them, make them go somewhere else. The DBIR describes actions by variety, which is the type of action, and it also describes actions by vector, which is the means by which the action took place. And this distinction is both important and it's also useful. The report also uses categories of which there are only a few. There's hacking, malware, error, social, misuse, physical and environmental. Those are the actual categories. Now, in the interest of not boring you to death, I'm not going to define precisely each one of those categories, but if you go to page 14 of the report, you'll find the definitions there. It's useful. But okay, Jake, what's the top action? Let's do a rundown.

Jake Bernstein: Okay, real quick, then the use of stolen credentials is by far the top action, it's at, man, we'll say 45 to 50%, and then you get other, which is at, what is that, 30 ish, 25% or so?

Kip Boyle: Yeah. A grab bag.

Jake Bernstein: Ransomware is in third place really creeping up on other, I mean, I'm going to say it's maybe no more than-

Kip Boyle: It's just a hair behind. Yeah.

Jake Bernstein: That's just a hair behind other. And then you've got phishing at, call it, I don't know, maybe 10%. And then pretexting, which is pretty much tied with phishing here. Now, one of the things that I want to point out about this chart on page 14 is that once you get past those top five, the rest, and I will tell you what they are this year, unlike last year, are almost, I mean, they're all pretty much the same. And I think it's important to understand that because for a couple of reasons, and I think I probably say this elsewhere again, but it's not like... You don't get just one action. Don't make the mistake of assuming that just because use of stolen credentials is at the top, it means that, oh, okay, that just means that most incidents or breaches rather involve stolen credentials and that's it.

No, no, no. That's not how this works. These are often multi-stage attacks. We'll talk about this a little bit. And a lot of these things can... A single incident or breach can involve several actions, and that is why I'm a little scared at how similar the rest of them are because you have to worry about all of them, even though individually they're not as popular as use of stolen credentials. Here they are in order for what it's worth. And again, these are very, very close. Exploit vulnerability is the next one. Mis-delivery, privilege abuse, backdoor or C2, exporting data and then finally scan network. Now I'm going to leave to the listener, the exercise of digging into what all those individual action varieties, how they're defined, which is in the report. But it is telling because it really shows that you can't just focus on the top five. The rest of those are potential. I don't think it would be reasonable Kip to look at this chart and say, well, I don't have to worry about backdoor or C2 because it's only 5%.

Kip Boyle: Right.

Jake Bernstein: I don't think that would work.

Kip Boyle: Well tell me, do you think that these action categories, if you map them into a kill chain or MITRE ATT&CK framework, right? I mean that's kind of what you're saying, right? Is that you string these together.

Jake Bernstein: Well, that's my point. You string these together. That's exactly right. Now what's interesting, and I think is pretty common, is that for incidents, so that was the top action varieties for breaches, the top action varieties for incidents do look quite a bit different. You've got denial of service at the top at around 45%. You've got a big drop down to about 17% for ransomware. Loss and use of stolen credentials are about the same at call it 14% and then other at 10%. Now, one of the things that's interesting here is ransomware has actually grown to second place, and I think we're going to talk about that in just a moment. Kip, why don't you tell us about the action vectors and then the way I kind of structured our discussion this year is give people the data and then we're going to talk about what it all means.

Kip Boyle: Okay. All right, cool. All right. Let me tell you about the action vectors. And the first thing that's apparent is that there are differences between the action vectors involved in breaches versus the ones involved in incidents. We're going to need to take them separately. But once again, we have web application in-

Jake Bernstein: Actually, sorry, Kip, I realize I may have misled you slightly with my overly clever prose here. The difference between the... The difference in the vectors, or sorry, the difference in the varieties, the action varieties between breaches and incidents are significant. When you look at the vectors, there's almost no difference. And that's what you're going to tell us now. Sorry.

Kip Boyle: Okay. Yep. All right, sorry. All right, strike that. Reverse it. Okay. Once again, we have web application in the hacking category as the number one vector in both breaches and incidents. And it's about 80% of the incidents and about 65% of the breaches, but it's top. After that we have email at about 18% of incidents, but 30% of breaches. Carelessness, which is in the error category, remains in third place across both, but it's only about 8% for incidents, double though, 16% in breaches. And at this point we see only minor differences between incidents and breaches as you go down the stack. On page 15 in the report, you see this bar chart. And as you go down the stack, now you're only seeing a few differences here and for whatever reason, other as the category and desktop sharing software are flipped in the stack. Other is behind desktop sharing software in breaches, they're reversed in incidents. I don't know that that's a significant thing, but it just pops out. It just pops out as you look at it.

Jake Bernstein: It does pop out, but it's not significant. Yeah.

Kip Boyle: Anyway, after that, you get backdoor, email unknown, downloaded by malware, and direct install for both incidents and breaches. And the last few vectors include local area network access, remote injection, email attachments. Anyway, it's all on page 15 of the report.

Jake Bernstein: Indeed. Okay, so what do we get from all these numbers? Well, don't worry because we're going to tell you. The first thing is what I said a minute ago, which is these incidents and breaches are often multi-stage attacks. Even though it seems like some varieties or vectors are extremely common, that's often because they're either the first stage or happen to represent one of the few single stage attacks. It is no surprise that use of stolen credentials and DoS, denial of service, are the top action varieties for breaches and incidents respectively, particularly since that's how it works.

Now, and I mentioned this, it is somewhat distressing seeing ransomware take second place in incidents at about 15%. The DBIR authors had kind of been hoping that ransomware was going to hit its theoretical ceiling, meaning that every incident that could involve ransomware would have, but that does not appear to be the case. Ransomware is present in more than 62% of all incidents committed by organized crime and in 59% of all incidents with a financial motivation. There remains, there's room for growth. And let's back up a second and remember, this goes to my point earlier on that just because it's an incident and not a breach doesn't mean it's not a big deal. Remember that a breach is just the confirmed loss of confidentiality. A ransomware attack that is completely "successful" against you in terms of you paid the ransom, doesn't necessarily involve a breach if the bad guys, if there's no evidence that they got the data, it's so important. In other words, what this really says here is the takeaway is that ransomware is not going away.

Kip Boyle: Right. In fact, it's only getting more pervasive. It's one of the lowest risk, high reward activities I can think of. If you're a criminal, if you're sitting around going, how should I exploit people? Well, God, this just runs to the top of the list for crying out loud. Easy.

Jake Bernstein: And just reminding people. If you go back to figure eight on page nine of the report, it's showing the ransomware percentage in breaches versus incidents. And yes, in breaches it's about the same. It's holding steady at 24/25%, but the percentage of it in incidents since 2021, it has skyrocketed. And that is bad news because it really just, that just means that these, that ransomware is continuing to be a big problem.

Kip Boyle: Yep. Yeah. And probably due to more innovative ways of delivering the malware. Anyway, all right, moving on. Let's also notice that the partner and the software update action vectors have dropped off the charts completely this year after the 2021 software supply chain apocalypse.

Jake Bernstein: Good. That's good.

Kip Boyle: There's a phrase to coin. I don't think I'm going to be using that again, but so this year it was of course Log4j, which doesn't show up as often as you might think. We've kind of talked about this already because the industry was pretty successful at mitigating what really could have been a major disaster. I remember on behalf of different customers of ours, we got single question questionnaires on what are you doing for Log4j? And even as I was helping some organizations complete their applications for cyber insurance and with their ransomware supplements, this question came up a lot too. People paid a lot of attention to it. Now the data here is interesting. Exploit vulnerability, which Log4j definitely qualifies as it actually dropped in breaches from 7% to 5%. But that's only because the bad guys naturally go to the easiest solution.

The use of stolen creds actually increased from 41.6% to 44.7%, and that easily accounts for the drop in the exploit vuln. And finally, we note that the loss of, for example, literally losing a laptop or a thumb drive or some sort of physical media showed up rather high in the incidents this year. But that's more because access cannot be confirmed. We can't call them breaches because we have no way to know whether or not the data on these lost devices was in fact harvested. Maybe that data was encrypted and we just lost the physical asset, not the data. Now the reason is clear: people started leaving their houses again after the COVID lockdowns and quarantines, and they started losing stuff again. Why? Because they're taking stuff with them and losing it in the back of Ubers and taxis and coffee shops and what have you. Keep hold of your stuff, people.

Jake Bernstein: Yep. Okay, so time for assets. Assets hasn't changed a whole lot, so we can move quickly, but it's always important to understand what the attackers are targeting. I'll just go through this quickly. No surprise that the most common asset involved in breaches by far is the server at almost 82%. Things drop off rapidly. A person is involved in about 25% of breaches followed by user devices at 18%. Very, very slight difference. Server went down a tiny bit, user devices went up, but it was only a couple percent. More specific asset varieties are as follows. Web applications on the servers are number one at about 65% followed by mail, also a server at 35%, both of which are modest increases from last year. And just to, again, these are all breaches because that's where it's most interesting.

User desktops or laptops came in almost identically at last year's 18%. But then we witnessed a change, Kip. Person finance has trended significantly up from last year, now coming in at fourth place at around 10% of breaches. DBIR authors think this might be related to the growth in pretexting social actions. If you want to learn more, check out page 18 of the DBIR. And then last but not least, I want to mention that operational technology, OT incidents are still there. It's a small number, but it might actually be small more because of reporting concerns due to national security issues. It'll be interesting to see what happens if there's this new law taking effect next year called CIRCIA, which basically involves critical infrastructure reporting of cyber incidents. I don't believe that's necessarily going to be made public, but you never know. Maybe it will mean that incidents get reported to Verizon more and we learn more. There you go. That is assets.

Kip Boyle: All right, and attributes. Just like last year, I get to do attributes. All right, so this is the CIA triad: confidentiality, integrity and availability. And the focus this year is a little bit different as compared to last year's, but like last year, breaches involve a loss of confidentiality. I mean that's the definition of them. And the data varieties impacted are useful. As you might expect, personal data tops the list at 50%, but credentials are right behind at 45% thereabouts. And that makes sense given the data that we've already looked at to get to this point. Now, internal data comes next at about 35%, followed by system data, 17%. And then you get this tail: medical, bank, other and payment. And this is more or less consistent with last year's numbers.

Jake Bernstein: And I think this is interesting. It just shows that payment is like PCI data. People don't, the bad guys just aren't as interested in that because it's so much harder to use compared to what used to be. But I think I'm amazed that personal information and credentials are almost tied. That's pretty close and pretty impressive. Okay, now there is something new in the attributes here, and that's a discussion of virtual currency. So there was a fourfold increase in the number of breaches involving cryptocurrency over last year. And we have two figures devoted to crypto breaches on page 20 of the DBIR and they're fascinating.

For the top actions... Sorry, the top action varieties in crypto breaches. You've got a fierce three-way competition going between exploit vulnerability, use of stolen credentials, and phishing. And these are the types of breaches, by the way, that kind of fall between the actual coin networks or exchanges being breached via their applications or APIs, and then the phishing or pretexting activity on chat platforms where you can lose your wallet with a single bad click. Top action vectors are, I would say, a bit less of a competition. Web application is at the very top at 90%, and then email is a distant second place at around 15%, with social media, remote access, and other rounding out that figure. It is fascinating, and I think it is worth realizing that those things are not secure. They're only as secure as their weakest link, people. That's how it is.

Kip Boyle: I don't find the virtual currency stuff that surprising.

Jake Bernstein: No, it's not surprising.

Kip Boyle: I just don't. But I'm glad to see it in here.

Jake Bernstein: I'm glad they put it in here because I think it's important to have it there.

Kip Boyle: Yeah. Yeah, definitely. Okay. Believe it or not, we're almost finished with our episode today. The last part that we want to touch on is the availability variety over time graph. Now, you're going to find this on page 20 of the report. It's actually figure 22 and it's kind of on the top of the page and it looks like a giant pliers.

Jake Bernstein: It does.

Kip Boyle: Or some sort of a pincher because over the last, what, four years?

Jake Bernstein: Yeah, only four years.

Kip Boyle: Yeah. It's completely inverted. So in 2019, only about 20% of the availability impacts involved obscuration, which is to say ransomware, and 65% involved loss. And here we are at 2023 and it's completely flipped. 80% of the availability impacts are now due to obscuration as a result of ransomware. Ransomware makes your data obscure; you can't use it even if you still have it. And now only 15% is from loss. And this is one of the reasons why I love this report. It just makes everything so clear.

Jake Bernstein: Yeah, it really does. And I like, the authors go to great lengths to just in case you're not tired of us moaning about ransomware, but I mean, the point is really important. I mean, there's lots of different ways to slice and dice data and visualize it. And this figure 22 could not be more telling. I mean, it's fascinating.

Kip Boyle: I mean, if you're going to go in front of your board of directors or senior decision makers, you should be using this figure 22. If they don't already understand what's going on, this will make it clear.

Jake Bernstein: They will.

Kip Boyle: Okay. That takes us through the first part of the report and the end of this episode. Did you want to say anything else before we wrap it up completely, Jake?

Jake Bernstein: No, let's wrap it up and we will come back next time for the conclusion.

Kip Boyle: All right, that wraps up this episode of the Cyber Risk Management Podcast. Today we did part one of our analysis of the 2023 edition of the Verizon Data Breach Investigations Report, commonly known as the DBIR, just to see what we could learn at a high level. And so next time we're going to dig into the incident classification patterns as well as the industry data, so come back for that. We'd love to have you here, but we'll see you next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.