One of the introductory sentences of the Verizon 2024 Data Breach Investigations Report starts things out perfectly: “The past year has been a busy one for cybercrime.” That might be an understatement as the report, now in its 17th year, analyzed 30,458 real-world security incidents and discovered that nearly 30% of them (10,626) were confirmed breaches — a record high.
Fittingly, the cover art this year is a slightly open door. It represents all the ways in which attackers have been able to breach our organizations this past year (phishing, exploited vulnerabilities, credentials), and the shadow depicted just outside the door stands for the action vectors (desktop sharing, email, VPN, web applications).
Let’s investigate this year’s findings and see what cybercriminals have been up to.
Top 3 Primary Vectors Remain the Same
While the numbers vary slightly, the rankings don’t. The top three primary vectors of initial entry remain the same as last year:
Credential theft 38% (down from last year)
Phishing 15% (roughly the same as last year)
Exploited vulnerabilities 4% (up 180% from last year)
The number of exploited vulnerabilities is worth digging into. The astonishing nearly 200% growth was driven primarily by several zero-day exploits, which were powerful enough to boost the numbers by triple digits. The top offending initial attack vector for exploited vulnerabilities? Web applications.
Meet the Top 3 Attack Patterns
Similar to last year, the top two attack patterns stayed relatively the same:
System intrusion continues to reign supreme in breaches, whereas DoS attacks take the top spot in incidents.
Social engineering, already high last year, has risen considerably since then.
Miscellaneous errors, notably high in Finance and Healthcare, are now a top contender and rose more sharply than even social engineering over the past twelve months. These are instances in which unintentional actions by staff have placed information assets in danger.
Interestingly, the basic web application attack pattern has “fallen dramatically from its place” since the last DBIR. One possible reason is that its “get in, get the data, and get out” method might not carry enough of a win for threat actors looking to play the low-and-slow game, infiltrating and hiding out in the system for months while siphoning out data.
It Takes 5 Days to Detect, 55 Days to Remediate
Interestingly, the median time to detect a data breach is five days. However, it takes “around 55 days to remediate 50% of those critical vulnerabilities once their patches are available” — a much longer wait time. It makes sense that patching would take time; it does require planning and testing before it can be rolled out to avoid any unforeseen negative fallout from the fix. However, this is 55 days after the patch has become available. “[The] patching doesn’t seem to start picking up until after the 30-day mark,” the DBIR reads, “and by the end of a whole year, around 8% of them are still open.”
Phishing: Gone in 60 Seconds
From this DBIR, we learn that phishing attacks happen quickly. This year’s data showed that the median time it takes to click on a malicious link once the email is opened is 21 seconds. From there, it is only another 28 seconds until users have entered their information, so the whole sequence from open to credential entry takes less than a minute.
The good news is that the number of users reporting phishing attempts is steadily going up. According to the report, “More than 20% of users identified and reported phishing per engagement, including 11% of the users who did click the email.” This improvement is likely the result of effective security awareness training programs having their intended effect on end-users. Familiarity breeds contempt, but that’s a good thing when it comes to malicious emails. It also breeds recognition.
Ransomware Is a Top Threat for 92% of All Industries
As was cited above, exploitation of vulnerabilities as the critical path to initiate a breach tripled in popularity this year. Web applications were the main entry point and ransomware was a top offender. “Roughly one-third of all breaches involved ransomware or some other extortion technique,” the report reads. We should note that this number reflects the exploits that make it all the way to the action or objective stage of an attack. There are many others that make entry but are detected and mitigated before real damage occurs. This makes the one-third figure conservative at best — the actual number of ransomware attempts is probably much higher.
Additionally, pure extortion rose in popularity and now makes up 9% of all breaches. This is where the attacker exfiltrates the data but does not encrypt it, so the victim can continue their operations. They demand that the victim pay up to have their data deleted (yes, deleted and not returned). Failure to pay means the data will be published. However, there is rarely honor among thieves, and even if the victim pays, there is no guarantee that the criminal will delete their information. The criminal might, however, share details of their success with their underground network, which would cause the victim to be constantly re-targeted because of their track record of paying out. Median payouts are $46,000, according to the report.
This past year, some traditional ransomware actors switched to pure extortion techniques, which brought the ransomware numbers down slightly. Nevertheless, ransomware remains a “top threat” across 92% of industries.