Incident Classification Patterns: Introduction

Please provide the information below to view the online Verizon Data Breach Investigations Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Gracias.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Gracias.

You may now close this message and continue to your article.

  • The DBIR dataset is very large and, at times, extremely complex. It captures many different types of data points, and it grows larger each year. In order to create an easier way to analyze the ever-growing mountain of data and, even more importantly, to assist us in communicating our findings to our readers, we began using “Patterns” in our 2014 report.

  • The patterns are essentially clusters of “like” incidents. Starting in 2014, and for several subsequent years, there were nine patterns. Last year we found that due to changes in attack type and the threat landscape, the data was leading us toward revamping, combining and generally overhauling those patterns. Therefore, starting with the 2021 report, we moved from the original nine patterns down to the eight you see in this report. The eight patterns, and how they are defined, can be found in Table 1. Please be sure to peruse the way we define the different patterns, as we will refer to them throughout the report.

     

         
    Basic Web Application Attacks  

    These attacks are against a Web application, and after initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.

    Denial of Service  

    Attacks intended to compromise the availability of networks and systems. This includes both network and application layer attacks.

    Lost and Stolen Assets  

    Incidents where an information asset went missing, whether through misplacement or malice.

    Miscellaneous Errors  

    Incidents where unintentional actions directly compromised a security attribute of an information asset. This does not include lost devices, which are grouped with theft instead.

    Privilege Misuse  

    Incidents predominantly driven by unapproved or malicious use of legitimate privileges.

    Social Engineering  

    A psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.

    System Intrusion  

    Complex attacks that leverage malware and/or hacking to achieve their objectives including deploying Ransomware.

    Everything Else  

    This “pattern” isn’t really a pattern at all. Instead, it covers all incidents that don’t fit within the orderly confines of the other patterns. Like that container where you keep all the cables for electronics you don’t own anymore: Just in case.

  • System intrusion

  • Although we have defined the System Intrusion pattern earlier in the report, a good example may be called for. When you think of Advanced Persistent Threat (APT) or some other form of capable actor moving across the environment popping shells, dropping malware, dumping creds and doing all the fun stuff you would expect from an unexpected Red Team exercise, that’s System Intrusion. This pattern consists of more complex breaches and attacks that leverage a combination of several different Actions such as Social, Malware and Hacking. From a look at our data this year, it would appear that defenders have faced all those challenges, particularly with rises in Ransomware and threats originating from partners (including vendors). 

     

         
    Frequency  

    7,013 incidents, 1,999 with confirmed data disclosure

    Threat actors  

    External (98%), Internal (2%) (breaches)

    Actor motives  

    Financial (93%), Espionage (6%) (breaches)

    Data compromised  

    Credentials (42%), Personal (37%), Other (35%), Internal (16%) (breaches)

    What is the same?  

    This pattern continues to see the Use of stolen credentials and malware, such as Ransomware, as the top concerns.

    Resumen  

    This pattern consists of more complex breaches and attacks that leverage a combination of several different actions such as Social, Malware and Hacking and is where we find Supply Chain breaches and Ransomware, both of which increased dramatically this year.

  • This pattern consists of more complex breaches and attacks that leverage a combination of several different actions such as Social, Malware and Hacking. From a look at our data this year, it would appear that defenders have faced all those challenges, particularly with rises in Ransomware and threats originating from partners (including vendors).

    To better understand this pattern, let’s take a look into the Action varieties and vectors that make up the incidents. Figure 35 shows the top action varieties with Backdoors (provided by the malware) and Ransomware competing for the top spot, followed by Use of stolen credentials. With regard to vectors, in Figure 36, we see Partner and Software Update (Shocker!) as the leading vectors for incidents. This is primarily attributed to one very large and very public security incident that happened last year. We’ll give you a hint, it rhymes with “PolarShins”. Please see “Partners, Supply Chains, and 3rd parties, oh my” for more information. However, if we look past the Partner and Software update varieties, we find that 14% of incidents involved Desktop sharing software as one of the main vectors, followed by Email at 9%. 

  • Figure 37 captures the distribution of file types along with the distribution of the delivery methods. It seems that the common route of Office docs and emails8 are still the tried-and-true method for delivering those initial payloads, which can then be used for further naughty deeds such as Ransomware deployment.

  • Rampant Rampaging Ransomware

    This section is the perfect sequel to last year’s finding of Ransomware dramatically increasing (unlike my Unamused Baboons NFT’s value). That trend has continued with an almost 13% increase this year (an increase as large as the last five years combined).

    Keeping in mind that while insidious, Ransomware alone is simply a model of monetization of a compromised organization’s access that has become quite popular. Ransomware operators have no need to look for data of specific value, e.g., credit cards or banking information. They only need to interrupt the organizations’ critical functions by encrypting their data. 

  • Ransomware Routes

    While Ransomware comes in a variety of different flavors with catchy and not so catchy names, the way that Ransomware makes its way onto a system isn’t quite as diverse. In Figure 39 you can see the pairings of the Actions to their respective vectors which are used to deploy Ransomware. There are a couple of key points to consider: 40% of Ransomware incidents involve the use of Desktop sharing software and 35% involved the use of Email. There are a variety of different tools the threat actor can use once they are inside your network, but locking down your external-facing infrastructure, especially RDP and Emails, can go a long way towards protecting your organization against Ransomware. 

    When we examine the types of malware blocked, we find that Droppers are typically the second most common. This aligns well with Email being such a prevalent entry point. If attackers have credentialed remote access, they can leverage that directly. Otherwise they must make their own remote access by emailing either malicious links or attachments. 

     

    Looking Back: Ransomware     

    Even though the first Ransomware case occurred when at least one of the current authors was still in diapers (1989), it took quite a while for it to become a mainstay in the DBIR. The first case of Ransomware showed up in our data in 2008 and it wasn’t until 2013 that we had sufficient data to write something about it. And we quote:

    “When targeting companies, typically SMBs, the criminals access victim networks via Microsoft’s Remote Desktop Protocol (RDP) either via unpatched vulnerabilities or weak passwords. Once they’ve gained initial access they then proceed to alter the company’s backup so that they continue to run each night but no longer actually backup any data. [2013 DBIR page 31]”

    Had we known that what was true nine years ago would still be true today, we could have saved some time by just copying and pasting some text. Oh well, maybe in another nine years things will change for the better.

  • Partners, Supply Chains, and 3rd parties, oh my

    For anyone who deals with supply chains, third parties and partners, this has been a year to remember. For those who need a quick recap, 2020 ended9  (sadly, soon after the data collection window for the 2021 report) with a bit of a bang as a massive espionage campaign was discovered by our intrepid friends in the cybersecurity community. This event kicked off a complex, grueling, and herculean effort to identify the potential victims impacted by the supply chain breach. While we typically don’t examine individual events, but restrict our attention to the larger trends, this one incident alone had a tremendous effect in the industry and impacted our dataset in some surprising ways. One only need glance at Figure 36 to see just how severe an influence this one incident had on our System Intrusion pattern: skyrocketing Software updates moved Partner from its previous position as somewhat of a novelty (formerly showing up in less than 1% in our data) to an astounding 60% of incidents. However, while this incident might seem like an anomalous one-off, it may actually be representative of larger trends that we’ve been seeing in the industry, in terms of the interconnected risks that exist between the vendors, partners and third parties we work with on a daily basis.10

    To understand the big picture of these breaches, we need to define Third-party and Supply chain breaches and that can be a bit complex. First of all, we should caveat that we code our incidents based off of the victim. Therefore, it is typically (though not always, of course) one victim, one incident. However, that fails to capture the interconnected nature of real-world environments when discussing Supply Chain and Third-party breaches. Over time we added fields that would assist to capture breaches with “secondary victims” that were impacted by the initial breach.

    We define Third-party breaches as a single breach that compromised a Third-party. In our data, this is when the data owner is different from the breached victim. An example would be a datacenter that suffered a ransomware incident which encrypted their customer’s data. While their customer’s internal infrastructure was never directly breached, they were certainly impacted.

    In our 2022 dataset we found that Third-party breaches represent a small percentage (1%) of our breach data. Nevertheless, we can still find some interesting data points. For example, within these Third-party breaches, we found the Use of stolen credentials along with Ransomware as two of the top five action varieties. 

  • The next type of incident vector is the Supply Chain. We define Supply Chain breaches as a sequence of one or more breaches chained together. In our data this may be a breach where there are secondary victims (when seen from the primary victim’s breach) or where a partner was the vector (when seen from the secondary victim’s breach). Another common example would be when a compromised software vendor is used to push a malicious update to an organization resulting in a breach, or a generic partner breach where a partner is compromised and either a set of credentials or some trusted connection is used to gain access. 

    After the major events of last year, these types of incidents account for 9% of our total incident corpus and 0.6% of our breaches this year.  Due to the major event in 2021 in which a large network administration tool was compromised and used to push a backdoor to compromised servers, we see an extremely high rate of Backdoor11 in the action varieties. However, there are still other noteworthy items within those remaining percentages such as Ransomware, Use of stolen credentials and other forms of malware with the capabilities you might expect to see. We have encountered cases of Supply Chain attacks in previous reports, reminding us that even if it’s not a frequently used tactic each year, there is an established precedent for these attacks.

  • Ending remarks 

    When large-scale events like those we experienced in 2021 happen, they can shake our confidence in our abilities to protect ourselves. However, it is important to keep in mind that the close collaboration between federal security organizations and the cybersecurity community resulted in the detection and remediation of this event within a few months rather than years. While we do not have sufficient information to know whether or not the perpetrators considered it a successful operation, we can say that as an industry and as a community, we were ultimately successful in sharing resources and protecting each other from a complex threat. Thank you to everyone that stepped up and assisted in this effort.   You deserve a drink of your choice and the DBIR team would be happy to raise a glass with you.

  • 8 With the median organization receiving over 75% of its malware via email.

    9 I mean, we’re told it ended. We can neither confirm nor deny as we are still in our bunkers awaiting the imminent arrival of Ragnarök.

    10 The timeline section talks about value chains and event chains, which are both part of the attacker Circle of Breach.

    11 And because “Backdoor or C2” contains backdoor, we see a large amount of it as well.

Let's get started.