Verizon published its 2024 Data Breach Investigations Report (DBIR) Wednesday, highlighting the interplay between actions and attack vectors that provide the initial pathway for breaches.
The 100-page report is the 17th annual Verizon DBIR, covering cybersecurity incidents and data breaches between Nov. 1, 2022, and Oct. 31, 2023. With nearly 30,500 incidents and a record 10,626 confirmed data breaches across 94 countries analyzed for the report, the 2024 DBIR provides a comprehensive view of the global threat landscape with some changes to its analysis method compared with previous years’ reports.
Here are five key takeaways from the 2024 DBIR:
1. Vulnerability exploitation for initial access nearly tripled in 2023
The use of vulnerabilities as an initial breach entry point increased 180% in 2023 compared with 2022, according to the DBIR. Exploitation of vulnerabilities such as the MOVEit zero-day that led to the third-party breach of more than a thousand organizations rose from less than 10% of incidents to nearly 20%.
“The 2024 Verizon DBIR emphasizes a critical increase in vulnerability exploitations, highlighting the need for urgent, strategic vulnerability management. We advise organizations to implement comprehensive, proactive strategies, including agent-based and agent-less security measures, to preempt potential breaches,” Saeed Abbasi, manager of vulnerability research at Qualys’ Threat Research Unit, told SC Media. “Additionally, organizations require a multi-layered defense strategy, integrating advanced detection tools, zero-trust frameworks, and rapid patch management.”
Vulnerability exploitation of web applications specifically represented roughly 20% of data breaches, with VPN vector exploitations expected to take up an increasing share by 2025.
The significance of breaches like MOVEit led Verizon to introduce a new metric of supply chain interconnection, which includes breaches through third-party partners as well as exploitation of third-party software.
Vulnerability exploitation made up roughly 90% of supply chain interconnection breaches, and supply chain breaches made up 15% of breaches this year, a 68% jump compared with last year. This highlights the need for organizations to examine the security track record of potential partners and software suppliers when deciding which vendors to work with.
“As architectures become increasingly complex, combined with more dependencies on third-party code and services, supply chain attacks targeting software dependencies and operational third-party providers will continue to escalate, especially as threat actor techniques become stealthier and harder to detect,” said Nick Rago, vice president of protect strategy at Salt Security, in an email to SC Media.
2. Human error still factors in most breaches, as users click phishing emails within seconds
The 2024 Verizon DBIR also features a strong focus on the human element of cyber incidents and breaches, with human error factoring into 68% of breaches. While this percentage is nearly the same as the proportion for last year’s report, this year’s DBIR highlights new information and dynamics related to the human element.
One eye-opening data point from the report is the fact that the median time for users to click on a phishing simulation link was just 21 seconds, while the median time to submit sensitive data to the simulated phishing site was just 28 seconds.
However, the research also found that 20% of users reported the simulated phishing email without clicking the link, while 11% of those who did click the link still reported the email as phishing, both representing an increase in phishing awareness compared with previous years.
At the same time, human error beyond phishing led to a 75% increase in breaches caused by internal actors, which made up 35% of breaches in 2023. In most cases (73%) the internal threat was due to “miscellaneous errors,” which includes misdelivery of data, loss/misplacement of data, misconfiguration and other mistakes leading to data compromise. Misdelivery was the most common type of miscellaneous error breach, making up more than 50% of this type of breach.
Beyond the obvious need for staff training and education, SlashNext CEO Patrick Harr told SC Media that technology such as AI can help protect the human element from itself when it comes to phishing and other internal risks.
“We have to shift our posture from a network-centric to a human-centric security posture. We will put an AI bubble around the user to become a super-human with an extra pair of computer vision eyes, and an ability to listen with spoken language contextualization by using AI,” Harr said. “Everyone has talked about a personal co-pilot to help from a security posture, and we will see the rise of these AI co-pilots to augment humans and help users make the best decisions.”
3. Pure extortion attacks increase, signaling decreased reliance on encryption ransomware
Ransomware attacks continue to be the top threat across 92% of industries and made up nearly a quarter (23%) of data breaches in 2023. This is a slight decrease from last year, due to an increasing proportion of pure extortion attacks, in which an attacker steals data without encrypting it and threatens to leak it if a ransom is not paid.
Pure extortion, which was relatively rare by the end of 2022, made up 9% of breaches in 2023. When pure extortion and traditional ransomware attack numbers are combined, extortion breaches follow the same rising trend line seen with ransomware over the last few years, suggesting a change of strategy rather than a decrease in ransomware-related threats.
“This indicates to us that it may be the same actors, and they are simply shifting tactics to best leverage the type of access they have. This combination did show a significant growth as part of breaches,” the report read.
The report noted that the significant rise in extortion attacks over the past year is also due in large part to the effects of the MOVEit attack conducted by the Cl0p ransomware group.
4. Generative AI yet to make a significant mark in cyberattack landscape
The 2024 DBIR dedicates one page to generative artificial intelligence (GenAI), noting an “emphasis on ‘artificial,’ not ‘intelligence.’”
While generative AI has been a hot topic among both cyber defenders and threat actors over the past year, the report authors said its use by threat actors has so far been mostly theoretical and experimental. This is supported by Microsoft’s recent report on the use of GenAI by state-sponsored threat actors, which mostly involved “exploring and testing” the capabilities of large language models (LLMs) like ChatGPT.
Research referenced in the DBIR showed that the vast majority of GenAI discussion on cybercrime forums over the last two years has centered around selling accounts to GenAI services and soliciting non-consensual AI-generated pornography. Meanwhile, mentions of GenAI in combination with attack types like malware and phishing were rare, with little more than 100 mentions on the crime forums studied.
The report noted that deepfake-related threats seem to be advancing at a faster pace than those leveraging LLMs, with several reported cases of deepfake-facilitated fraud.
5. Threat actors continue to adapt to cyber defenses
Many aspects of the report point to threat actors’ adaptive nature in responding to defenses, continuing the never-ending dance of one-upmanship that has always pervaded the cybersecurity sphere.
In addition to the shift from traditional ransomware to pure extortion methods, the report revealed that basic web application attacks took a nose dive between 2022 and 2023; while these types of attack contributed to nearly 30% of breaches in 2022, they appeared in only about 10% of attacks in 2023.
The authors attribute this change to organizations getting better at blocking these less sophisticated attacks, especially in the financial sector, where basic web application attacks were previously the most common attack type but have now been completely usurped by social engineering, miscellaneous human errors and more complex system intrusion.
Just as threat actors are adapting their tactics to get better at dodging defenses, cyber defenders should stay aware of the threat landscape described in the DBIR, in order to adapt their own strategies to combat the latest attack trends.