Hello friends, and welcome to the “Results and analysis” section. This is where we cover the highlights we found in the data this year. This dataset is collected from a variety of sources, including our own VTRAC investigators, reports provided by our data contributors and publicly disclosed security incidents.
Since data contributors come and go, one of our priorities is to make sure we can get broad representation on different types of security incidents and the countries where they occur. This ebb and flow of contributors obviously influences our dataset, and we will do our best to provide context on those potential biases where applicable.
As some of you may have noticed[4] over the years, the incident data collection we do is based on the VERIS Framework. It has been the bedrock upon which our multiyear dataset has been built and is what allows us to speak with confidence when trends in the attack landscape surface. Our dataset currently contains 953,894 incidents, of which 254,968 are confirmed breaches, and we can’t wait to celebrate[5] with you when we reach 1 million[6] incidents!
In VERIS, the core categories we use to describe an incident are called the 4As: Actor (who), Action (how), Asset (where) and Attribute (what). An incident needs all these four to be “complete,” even if at the end of the day some of those are unknown to the parties investigating the incident. Keep an eye out for our instructive callouts in each of those sub-sections giving more context on our VERIS categories.
Let’s go over the results for each one of these.
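As an added illustration (not the DBIR team's code or data), the 4A completeness rule and the incident-versus-breach split translate into a short tally over VERIS-style JSON records. The key names follow the VERIS JSON layout and are an assumption here; the records are constructed.

```python
# Added example (not the DBIR team's code): tally VERIS-style records by the
# 4As rule above. Key names follow the VERIS JSON layout as assumed here;
# all records are constructed, not real DBIR data.
from collections import Counter

FOUR_AS = ("actor", "action", "asset", "attribute")

INCIDENTS = [  # constructed sample records
    {  # Organized crime: stolen creds, then ransomware; data confirmed disclosed
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "action": {"hacking": {"variety": ["Use of stolen creds"]},
                   "malware": {"variety": ["Ransomware"]}},
        "asset": {"assets": [{"variety": "S - Web application"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Yes", "data": [{"variety": "Personal"}]}},
    },
    {  # Lost laptop: data only "Potentially" exposed, so an incident, not a breach
        "actor": {"internal": {"variety": ["End-user"]}},
        "action": {"error": {"variety": ["Loss"], "vector": ["Carelessness"]}},
        "asset": {"assets": [{"variety": "U - Laptop"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Potentially"}},
    },
    {  # Insider colluding with an outsider: two actor types on one breach
        "actor": {"internal": {"variety": ["End-user"]},
                  "external": {"variety": ["Organized crime"]}},
        "action": {"misuse": {"variety": ["Privilege abuse"]}},
        "asset": {"assets": [{"variety": "S - Database"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
    {  # No asset section at all: fails the 4A completeness rule
        "actor": {"external": {}},
        "action": {"malware": {"variety": ["Ransomware"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
]

def is_complete(inc):
    """Every one of the 4As must be present, even if its content is Unknown."""
    return all(section in inc for section in FOUR_AS)

def is_breach(inc):
    """Breach = confirmed disclosure; 'Potentially' keeps it an incident only."""
    return inc.get("attribute", {}).get("confidentiality", {}).get("data_disclosure") == "Yes"

def tally(incidents):
    """Shares of the kind the report quotes; actor shares can sum past 100%."""
    complete = [i for i in incidents if is_complete(i)]
    breaches = [i for i in complete if is_breach(i)]
    # One record can list several actor types, so these counts overlap.
    actor_counts = Counter(kind for b in breaches for kind in b["actor"])
    ransomware = sum("Ransomware" in i["action"].get("malware", {}).get("variety", [])
                     for i in complete)
    n_b, n_i = len(breaches) or 1, len(complete) or 1
    return {
        "incidents": len(complete),
        "breaches": len(breaches),
        "dropped_incomplete": len(incidents) - len(complete),
        "external_breach_share": actor_counts["external"] / n_b,
        "internal_breach_share": actor_counts["internal"] / n_b,
        "ransomware_incident_share": ransomware / n_i,
    }
```

Because a record may carry more than one actor type, the external and internal shares here add up to 150%, which is why the report's own 83% and 19% also exceed 100% together.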
Life can be scary and unpredictable, which is why we like to start our results discussion with the cozy and familiar Actor analysis. It really is true, as they say, that the only certainties in life are death, taxes and External actors.[7]
As Figure 11 demonstrates, External actors were responsible for 83% of breaches, while Internal ones account for 19%. It is worth reminding our readers that Internal actors are not only responsible for intentional harm in these cases, but they are also just as likely[8] to be responsible for Error actions. Regardless, the clear frequency of External actors as instigators of breaches is a datapoint that has held steady ever since we started this gig.
External (ext): External threats originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees and government entities. This category also includes God (as in “acts of”), “Mother Nature” and random chance. Typically, no trust or privilege is implied for external entities.
Internal (int): Internal threats are those originating from within the organization. This encompasses company full-time employees, independent contractors, interns and other staff. Insiders are trusted and privileged (some more than others).
Partner (prt): Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers and outsourced IT support. Some level of trust and privilege is usually implied between business partners. Note that an attacker could use a partner as a vector, but that does not make the partner the Actor in this case. The partner has to initiate the incident.
Long-time readers of the report will be similarly shocked to learn that Financial motives still drive the vast majority of breaches (Figure 12), showing growth in relation to last year with a whopping 94.6% representation in breaches. If we look inside to see which external actors are the hardest working, the top performer is Organized crime (Figure 13).
What is most interesting in Figure 13, however, is realizing that the internal variety of End-user shows up more often than the external variety State-sponsored attackers.[10] Those organization employees are mostly involved in Misuse (read, internal malicious activity) and Errors (accidents), which suggests where we should be paying more attention on our day-to-day security management.
This is relevant because we were expecting some increased activity in State-sponsored attacks, be it Espionage-related or not, due to the ongoing conflict in Ukraine. Even with anecdotal evidence of increased ideology or hacktivism-related attacks stemming from the geopolitical discussion, it really isn’t making a dent in larger statistical terms. It is also worth noting that this kind of activity would also be unlikely to disrupt our average reader’s organization.[11]
Action, as the name would imply, is what brings dynamism to our report. What dastardly deeds have the threat actors been up to? If you replied “ransomware,” we’d say you have no imagination, but you would also be right. This pesky Malware variety has been holding our talking points hostage for years now, and we can’t scrounge up enough cryptocurrency to pay the ransom!
Figures 14, 15, 16 and 17 describe the top Action varieties (what happened in more detail) and vectors (how those actions came to pass).
Hacking (hak): attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms.
Malware (mal): any malicious software, script or code run on a device that alters its state or function without the owner’s informed consent.
Error (err): anything done (or left undone) incorrectly or inadvertently.
Social (soc): employ deception, manipulation, intimidation, etc., to exploit the human element, or users, of information assets.
Misuse (mis): use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended.
Physical (phy): deliberate threats that involve proximity, possession or force.
Environmental (env): not only includes natural events such as earthquakes and floods but also hazards associated with the immediate environment or infrastructure in which assets are located.
As expected, the charts are led by either first-stage or single-stage attacks, namely Use of stolen creds for breaches and Denial of Service for incidents. This is consistent with previous years. What is concerning, if unsurprising, is having Ransomware take over the second spot in incidents, now being present in 15.5% of all incidents. Meanwhile, the share of Ransomware did not grow in breaches and held steady (statistically, at least) at 24%. You can see the evolution of both in Figure 18.
That almost a quarter of breaches involve a Ransomware step continues to be a staggering result. However, we had been anticipating that Ransomware would soon be hitting its theoretical ceiling, by which we mean that all the incidents that could have Ransomware, would have. Ransomware is present today in more than 62% of all incidents committed by Organized crime actors and in 59% of all incidents with a Financial motivation, so sadly there is still some room for growth.
Eagle-eyed readers will notice the absence of Partner and Software update as action vectors for incidents this year, in contrast to last year’s “software supply chainpocalypse.”[13] Instead, our collective Christmas was ruined by another Ghost of Technical Debt Past: the Log4j vulnerability popularly known as CVE-2021-44228.[14]
We will be spending some time digging into the Log4j vulnerability in the “System Intrusion” section, but it is worth noting that the presence of the Exploit vuln action has kept stable in incidents and is actually less prominent in breaches, dropping from 7% to 5%. So, did the collective security industry sacrifice its holidays for nothing?
Not quite. This is one of those cases where the alternatives are just more popular. Use of stolen creds, our current champion, increased its share from 41.6% to 44.7%, which more than accounts for the drop in Exploit vuln.
More importantly, there was swift action from the community to spread awareness and patch all the different systems that had Log4j as a component. That surely helped avert a bigger disaster, so our success makes it look like it wasn’t a big deal after all.[15] In fact, Log4j was so top-of-mind in our data contributors’ incident response that 90% of incidents with Exploit vuln as an action had “Log4j” or “CVE-2021-44228” in the comments section. Granted, only 20.6% of the incidents had comments at all,[16] so even if it can’t fully represent the whole dataset, it certainly speaks to how significant the vulnerability was in late 2021 and early 2022 for the incident response teams.
Finally, before I lose your attention, we should touch base on Loss.[17] This action variety describes losing a physical device or media by accident and is often paired with the Carelessness action vector. It did show up fairly high in incidents. This is often because the data could not be confirmed as having been accessed and was therefore considered at risk rather than a breach. It is worth pointing out though that those were mostly concentrated in the data from some of our public sector contributors, where this sort of event is more tightly reported. Regardless, we know everyone was super excited about leaving the house again as the pandemic waned, but please keep an eye on your stuff when you go work from the coffee shop.
In case you just wandered out of an Accounting 101 class, our Assets are more than the numbers that you list on the left side of your balance sheet.[18] They encompass the entities that can be affected in an incident or breach and end up being manipulated by the threat actors for their nefarious goals. The callout box describes some of the most common top-level Assets in VERIS and some of the most common attack patterns that target them.
Figure 19 has the breakdown of varieties of Assets affected in breaches, and the results are pretty much what would be expected given the focus of System Intrusion, Basic Web Application Attacks and Social Engineering as the top attack patterns this year.
We can see a small fluctuation in the top three, as slightly fewer Servers were affected and slightly more User devices, but this order has held true for at least a couple of years, ever since Person overtook the second spot. Don’t forget that in VERIS, people are assets too,[19] and they are the “where” that is affected by social threat actions.
Server (srv): a device that performs functions of some sort supporting the organization, commonly without end-user interaction. Where all the web applications, mail services, file servers and all that magical layer of information is generated. If someone has ever told you “the system is down,” rest assured that some Servers had their Availability impacted. Servers are common targets in almost all of the attack patterns, but especially in our System Intrusion, Basic Web Application Attacks, Miscellaneous Errors and Denial of Service patterns.
Person (per): the folks (hopefully) doing the work at the organization. No AI chat allowed. Different types of Person will be members of different departments and will have associated permissions and access in the organization stemming from this role. At the very least they will have access to their very own User device and their own hopes and dreams for the future. Person is a common target in the Social Engineering pattern.
User device (usr): the devices used by Persons to perform their work duties in the organizations. Usually manifested in the form of laptops, desktops, mobile phones and tablets. Common target in the System Intrusion pattern but also in the Lost and Stolen Assets pattern. People do like to take their little computers everywhere.
Network (net): not the concept, but the actual network computing devices that make the bits go around the world, such as routers, telephone and broadband equipment, and some of the traditional in-line network security devices, such as firewalls and intrusion detection systems. Hey, Verizon is a Telecommunications company, OK?
Media (med): precious diluted data in its most pure and crystalline form. Just kidding, mostly thumb drives and actual printed documents. You will see the odd full disk drive and actual physical payment cards from time to time, but those are more rare. Common in the Lost and Stolen Assets pattern.
Breaking the Asset varieties down further in Figure 20 showcases Web application and Mail servers on top, as would be expected, but it is interesting to see Person - Finance trending up from last year as we see a related growth in Pretexting social actions. We will be discussing those, and more specifically BECs, in the “Social Engineering” section of this report.
As a parting note, we continue to see very small numbers of incidents involving Operational Technology (OT), where the computers interface with heavy machinery and critical infrastructure, as contrasted with incidents involving Information Technology (IT), where we keep our cat pictures and internet memes. Industries like Manufacturing and Mining, Quarrying and Oil & Gas Extraction + Utilities[21] continue to be relatively well-represented in our dataset, but reports of actual impact on OT devices are still too few for us to meaningfully write about in this report.
For those keeping track, we had a 3.4% showing of OT assets in breaches that declared their impact. In summary, keep your attention level high, given the potential impact when those systems are affected, but either those numbers are very low overall, or they just don’t make it to our contributors’ dataset due to national[22] security concerns.
When VERIS describes Attributes, it is directly referencing the CIA triad in information security (InfoSec): Confidentiality, Integrity and Availability. It’s a tried-and-true method of understanding the potential impact of an incident by describing what properties of the asset were potentially affected.
The next time you meet an incident responder in the wild, know that all that goes through their mind is, “Did the asset or a copy of the data get out the door” (Confidentiality), “was it changed from a known and trusted state” (Integrity) and “do we still have access to it ourselves?” (Availability). Please offer them a word of kindness and a beverage, because it is a very tortured existence. If you are feeling cold, they are cold too.
One of the most interesting Attribute varieties we track year over year is the Confidentiality data varieties (Figure 21), or what kinds of data got out in a breach. Personal data represents Personally Identifiable Information (PII) from your customers, partners or employees, and it is the one that usually gets companies the most in trouble with regulators, as more and more privacy-related laws are passed around the world (although Medical data is a whole other ball of earwax).
Confidentiality (cp): refers to limited observation and disclosure of an asset (or data). A loss of confidentiality implies that data were actually observed or disclosed to an unauthorized actor rather than endangered, at-risk or potentially exposed (the latter fall under the attribute of Possession and Control). Short definition: limited access, observation and disclosure.
Integrity (ia): refers to an asset (or data) being complete and unchanged from the original or authorized state, content and function. Losses to integrity include unauthorized insertion, modification and manipulation. Short definition: complete and unchanged from original.
Availability (au): refers to an asset (or data) being present, accessible and ready for use when needed. Losses to availability include destruction, deletion, movement, performance impact (delay or acceleration) and interruption. Short definition: accessible and ready for use when needed.
Internal data and System data are usually byproducts of an extensive breach with multiple steps, as information from emails and documents is vacuumed up by threat actors. Credentials have really gained ground over the past five years, as the Use of stolen credentials became the most popular entry point for breaches.
Of course, we still get specific data being beset, such as Medical, Bank account information and Payment card data. Those could be specific, targeted events or just be a part of the data that is acquired during a ransomware attack with data exfiltration. And just in case you are not tired of us moaning about ransomware,[25] please enjoy Figure 22, where we can see another impact of the ransomware growth as the Obscuration of data became the most common availability impact variety, handily overcoming plain old Loss of data.
One data variety really caught the DBIR team’s attention this year: Virtual currency. We saw a fourfold increase this year in the number of breaches involving cryptocurrency from last year. That is a far cry from the days of innocence in 2020 and earlier, when we got one or two cases maximum each year. If our cartoon animal NFTs had these kinds of returns, we can assure you we would be living large and writing this report from our Lambos, not from our parents’ basements.[24]
Figures 23 and 24 show the top action varieties and vectors in breaches involving virtual currency, and it is a fierce competition between Exploit vulnerabilities, Use of stolen creds and Phishing. These types of breaches fall between the actual coin networks or exchanges being breached via their applications and application programming interfaces (APIs), or phishing and pretexting activity on chat platforms (like Discord) of the coin communities, where after a simple click on a link, suddenly your wallet is not yours anymore.
Having assets in virtual currency is a risky endeavor at best, even when there are no bad actors involved in rug-pulling.[26] The added focus of threat actors on these types of assets doesn’t make the landscape any easier. Our parting message is that unless security is taken seriously in those cases, we, in fact, are not going to make it.
[4] We certainly won’t shut up about it.
[5] Not sure if we should be celebrating security incidents, but everyone loves a round number.
[6] Here’s hoping being a millionaire doesn’t get to our dataset’s head, and they decide to join the “Great Resignation” and retire in some tropical tax haven.
[7] That’s what they say, right?
[8] OK, actually twice as likely.
[9] https://verisframework.org/actors.html
[10] Huge win for anarchists and other state-abolishing ideologies, if you ask us.
[11] No, Mr. Bond, MI6 does not represent our average reader.
[12] https://verisframework.org/actions.html
[13] Wouldn’t you know, the moment we mention anything has not had relevance in our dataset, something new happens to remind us that change is the only constant. Best of luck for the teams responding to the 3CX supply-chain breach in late March 2023 as we close out this section. Make sure to keep copious notes so we can talk about it in a future edition of the report.
[14] Just rolls off the tongue, doesn’t it?
[15] Who here was working on the Y2K bug? Don’t forget to schedule your shingles vaccine!
[16] In everyone’s defense, most of the data sharing happening here is machine-to-machine. Long gone are the days of artisanal, bespoke, VERIS-coded incidents for most of our contributors.
[17] For the extremely online folks, we apologize for the psychic damage.
[18] However, not caring for them properly could cause liabilities that would go on the right side.
[19] Just ask your organization’s HR department.
[20] https://verisframework.org/assets.html
[21] We know, it’s a mouthful.
[22] From any country really.
[23] https://verisframework.org/attributes.html
[24] Our Lambos might be parked in our parents’ garage, though.
[25] We’re not bitter; you’re bitter.
[26] That rug really tied the room together, man!