Ransomware, supply-chain threats and how organizations and their employees are their own worst enemy when it comes to security are some of the key takeaways of Verizon’s annual report on the last 12 months of cyber-attacks.
The 2022 Data Breach Investigations Report (DBIR) published Tuesday provided some stark news for organizations aiming to secure themselves against threats that can result in system compromise and the loss of data, resources, money, time and/or all of the above.
The researchers behind the report–Gabriel Bassett, C. David Hylender, Philippe Langlois, Alex Pinto and Suzanne Widup–observed that the last few years have been “overwhelming” for everyone, without citing the obvious factors, i.e., the pandemic and the start of the war in the Ukraine right on its heels.
However, what the report’s custodians care most about is data related to the occurrence security incidents and breaches–with the former being any compromise of an information asset, and the latter exposure of data to unauthorized parties. And in 2021, researchers found that both experienced an unprecedented soar in occurrence.
“The past year has been extraordinary in a number of ways, but it was certainly
memorable with regard to the murky world of cybercrime,” they wrote in the report. “From very well-publicized critical infrastructure attacks to massive supply-chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”
Ransomware Here to Stay
There were few surprises among the DBIR’s key findings to those who observed the security landscape in 2021. In fact, some findings seem consistent with what the report has highlighted since its inception in 2008, one security professional observed.
“The most important research by and for the cybersecurity industry is out and it feels like the movie GroundHog Day, where we are waking up to the same results year after year since the first report in 2008,” John Gunn, CEO of security firm Token, wrote in an email to Threatpost.
One finding that reflects a threat that’s risen to prominence in just the last few years, however, is that ransomware continued its upward trend. This type of cybercrime–which locks up company’s data through intrusion and won’t release it until the organization pays a heft extortion sum—had an almost 13 percent increase year-over-year in 2021. The rise was as big as the last five years combined, in which the occurrence of ransomware rose overall 25 percent, researchers noted.
“Ransomware’s heyday continues, and is present in almost 70 percent of malware breaches this year,” they wrote.
Indeed, though ransomware groups have come and gone and federal authorities have taken great strides to crack down on this type of cybercrime, the gain is so lucrative for criminals that it will likely stick around for a while, security experts noted.
“Ransomware is by far the most reliable way that cybercriminals can capitalize on compromising their victims,” observed Chris Clemens, vice president of solutions architecture for security firm Cerberus Sentinel, in an email to Threatpost. “No other action attackers can take comes close to the ease and magnitude of guaranteeing a payout from their operations.”
Supply Chain Under Fire
Significant attacks on the supply chain—in which a breach occurs in one system or software that can easily spread across organizations– that demonstrated lasting repercussions also rose in prominence and occurrence in 2021, researchers found.
“For anyone who deals with supply chains, third parties and partners, this has been a year to remember,” they wrote.
Without mentioning it by name, the Verizon team cited as an example the now-infamous SolarWinds supply-chain attack that occurred at the very end of 2020 and still had companies scrambling to react to the fallout well into 2021.
Indeed, “supply chain was responsible for 62 percent of system-intrusion incidents this year,” researchers reported. Moreover, unlike a financially motivated threat actor, perpetrators of these crimes are often state-sponsored actors who prefer to “skip the breach and keep the access,” maintaining persistence on organization’s networks for some time, researchers said.
These attacks are so dangerous because, since the attack can start with one company but quickly travel to its customers and partners, there can be so many victims involved, researchers.
Further, often breaches that travel down the supply chain aren’t discovered until long after attackers already have gained access to an organization’s systems, making the potential for data breach and theft long-term more likely.
Error, Human and Otherwise
Two more key findings of the report are related in terms of where the ultimate responsibility lies—someone either inside or outside an organization that makes a mistake. Indeed, human error continues to be a dominant trend for how and why breaches occur, researchers found.
“Error continues to be a dominant trend and is responsible for 13 percent of breaches,” researchers noted. This finding is primarily due to misconfigured cloud storage, which of course is typically the responsibility of the person or people responsible for setting up the system, they said.
In fact, 82 percent of the breaches analyzed in the DBIR in 2021 involved what researchers call “the human element, which can be any number of things, they said.
“Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote.
Oldest Risk in the Book
Security experts expressed little surprise over the “human-element” finding, which is one that’s plagued the tech industry since even before security and the whole industry around it was a thing, noted one security professional.
“It has been that way since the beginning of computers and likely will be that way for decades to come,” noted Roger Grimes, data-driven defense evangelist for security firm KnowBe4, in an email to Threatpost.
Many of the errors that occur today are the result of clever social-engineering on the part of attackers, particularly in phishing attacks that trick people into clicking malicious files or links that allow computer access or provide personal credentials that can be used to compromise enterprise systems, he said.
The only way to solve security issues created by human error is through education, whether it be about misconfiguration errors, the importance of patching, stolen credentials, and or just “regular errors, such as when a user accidentally emails the wrong person data,” Grimes said.
“Humans have always been a big part of the computing picture, but for some reason, we always thought only technology solutions alone can fix or prevent issues,” he observed. “Three decades of trying to fix cybersecurity issues by focusing on everything but the human element has shown that it is not a workable strategy.