DBIR 2023 Data Breach Investigations Report

(Cover chart: cumulative count of breaches in the dataset, years 2005 to 2020, axis marks 10K, 20K, 30K.)

About the cover
The magnifier on the cover is intended to visually convey the effort the team made to refocus our energy and resources more on our core breach dataset. The graph that is magnified is simply a cumulative count of the number of breaches in our dataset as the years have gone by since our first report. Long-time readers may notice the Vocabulary for Event Recording and Incident Sharing (VERIS) Framework trademark honeycombs, which are meant to convey the 4As (Actor, Action, Asset, Attribute) and their various enumerations.

Table of contents
1 Helpful definitions and chart guidance; Introduction; Summary of findings
2 Results and analysis: Introduction; Actors; Actions; Assets; Attributes
3 Incident Classification Patterns: Introduction; System Intrusion; Social Engineering; Basic Web Application Attacks; Miscellaneous Errors; Denial of Service; Lost and Stolen Assets; Privilege Misuse
4 Industries: Introduction; Accommodation and Food Services; Educational Services; Financial and Insurance; Healthcare; Information; Manufacturing; Mining, Quarrying, and Oil & Gas Extraction + Utilities; Professional, Scientific and Technical Services; Public Administration; Retail; Small and medium business
5 Regions: Introduction
6 Wrap-up: Year in review
7 Appendices: Appendix A: Methodology; Appendix B: VERIS mappings to MITRE ATT&CK; Appendix C: VTRAC 20-year retrospective; Appendix D: Contributing organizations

Helpful definitions and chart guidance
Hello, and welcome first-time readers! Before you get started on the 2023 Data Breach Investigations Report (DBIR), it might be a good idea to take a look at this section first. (For those of you who are familiar with the report, please feel free to jump over to the introduction.)

We have been doing this report for a while now, and we appreciate that the verbiage we use can be a bit obtuse at times. We use very deliberate naming conventions, terms and definitions and spend a lot of time making sure we are consistent throughout the report. Hopefully this section will help make all of those more familiar.

VERIS Framework resources
The terms "threat actions," "threat actors" and "varieties" will be referenced often. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here is how they should be interpreted:

Threat actor: Who is behind the event? This could be the external "bad guy" that launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket.

Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error and Environmental. Examples at a high level include hacking a server, installing malware or influencing human behavior through a social attack.

Variety: More specific enumerations of higher-level categories, e.g., classifying the external "bad guy" as an organized criminal group[1] or recording a hacking action as SQL injection or brute force.

Learn more here:
https:/ DBIR facts, figures and figure data
https://verisframework.org features information on the framework with examples and enumeration listings
https:/ information on the framework with examples and enumeration listings

Incident vs. breach
We talk a lot about incidents and breaches and we use the following definitions:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. A Distributed Denial of Service (DDoS) attack, for instance, is most often an incident rather than a breach, since no data is exfiltrated. That doesn't make it any less serious.

Industry labels
We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level, and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. "52" is the NAICS code for the Financial and Insurance sector. The overall label of "Financial" is used for brevity within the figures. Detailed information on the codes and the classification system is available here: https://www.census.gov/naics/?58967?yearbck=2012

[1] By organized criminal group, we mean a group that does this for a living and has a set process they use repeatedly, not Tony Soprano and his band of merry men.

I'm sorry, this all happened when?
While we have always listed the following facts in our Methodology section (because that is where this type of information belongs), we decided to also mention it here for the benefit of those who don't make it that far into the report. Each year, the DBIR timeline for in-scope incidents is from November 1 of one calendar year through October 31 of the next calendar year. Thus, the incidents described in this report took place between November 1, 2021, and October 31, 2022. The 2022 caseload is the primary analytical focus of the 2023 report, but the entire range of data is referenced throughout, notably in trending graphs. The time between the latter date and the date of publication for this report is spent in acquiring the data from our global contributors, anonymizing and aggregating that data, analyzing the dataset and, finally, creating the graphics and writing the report. Rome wasn't built in a day, and neither is the DBIR.

The slanted bar chart will be familiar to returning readers. The slant on the bar chart represents the uncertainty of that data point to a 95% confidence level (which is standard for statistical testing). In layman's terms, if the slanted areas of two (or more) bars overlap, you can't really say one is bigger than the other without angering the math gods.

Being confident of our data
Starting in 2019 with slanted bar charts, the DBIR has tried to make the point that the only certain thing about information security is that nothing is certain. Even with all the data we have, we'll never know anything with absolute certainty. However, instead of throwing our hands up and complaining that it is impossible to measure anything in a data-poor environment or, worse yet, just plain making stuff up, we get to work. This year, you'll continue to see the team representing uncertainty throughout the report figures. The examples shown in Figures 1, 2, 3 and 4 all convey the range of realities that could credibly be true. Whether it be the slant of the bar chart, the threads of the spaghetti chart, the dots of the dot plot or the color of the pictogram plot, all convey the uncertainty of our industry in their own special way.

Much like the slanted bar chart, the spaghetti chart represents the same concept: the possible values that exist within the confidence interval; however, it's slightly more involved because we have the added element of time. The individual threads represent a sample of all possible connections between the points that exist within each observation's confidence interval. As you can see, some of the threads are looser than others, indicating a wider confidence interval and a smaller sample size.

Figure 1. Example slanted bar chart (n=205)
Figure 2. Example spaghetti chart

The dot plot is another returning champion, and the trick to understanding this chart is to remember that the dots represent organizations. If, for instance, there are 200 dots (like in Figure 3), each dot represents 0.5% of organizations. This is a much better way of understanding how something is distributed among organizations and provides considerably more information than an average or a median. We added more colors and callouts to those in an attempt to make them even more informative.

The pictogram plot, our relative newcomer, attempts to capture uncertainty in a similar way to slanted bar charts but is more suited for a single proportion. We hope they make your journey through this complex dataset even smoother than previous years.

Figure 3. Example dot plot (n=672). Each dot represents 0.5% of organizations. Orange: lower half of 80%. Yellow: upper half of 80%. Green: 80% to 95%. Blue: Outliers. 95% of orgs: 148 to 1,594,648. 80%: 1,274 to 438,499. Median: 29,774 (log scale).
Figure 4. Example pictogram plot (n=4,110). Each glyph represents 40 breaches.

Credit where credit is due
Turns out folks enjoy citing the report, and we often get asked how they should go about doing it. You are permitted to include statistics, figures and other information from the report, provided that (a) you cite the source as "Verizon 2023 Data Breach Investigations Report" and (b) content is not modified in any way. Exact quotes are permitted, but paraphrasing requires review. If you would like to provide people a copy of the report, we ask that you provide them a link to rather than a copy of the PDF.

Questions? Comments? Organizing a bank run? Let us know! Drop us a line at , find us on LinkedIn, tweet VerizonBusiness with #dbir. Got a data question? Tweet VZDBIR! If you are interested in becoming a contributor to the annual Verizon DBIR (and we hope you are), the process is very easy and straightforward. Please email us at .

Introduction
"Success is stumbling from failure to failure with no loss of enthusiasm." Attributed to Sir Winston Churchill

Hello and welcome old friends and new readers to the 2023 Verizon Data Breach Investigations Report! We are happy to have you join us once again as we take a look at the sordid underbelly of cybercrime and see what lessons we may collectively learn from doing so. It often seems that with every new defense strategy, appliance or Please-Save-Us-As-A-Service we create, buy or borrow, our adversaries are just as quick to adapt and find a new vantage point from which to attack. While this state of affairs is already unfortunate enough, it becomes worse still when we do not even require them to evolve their tactics because the old ones still work just fine. Regardless of where we fall on the crazy-secure to not-so-secure spectrum, the quote above is a good road map to cybersecurity (and life in general). This report aims to take a look at the times when things did not work as intended, not to point fingers but to help us all learn and improve. In a time where almost everyone, corporations and individuals alike, is looking at ways to do more with less, we believe a close analysis of when our defenses failed can be very beneficial.

While times of great change are always challenging, they often also prompt us to take stock of our situation and, if necessary, refocus both our viewpoint and our energies. Such is the case with the DBIR this year. As a team, we decided to take a step back toward the fundamental things that got us where we are, an intense focus on actual data breaches analyzed using our own VERIS Framework. And speaking of VERIS, one of the new goodies this refocusing brings is an even better mapping between VERIS and MITRE ATT&CK through a collaboration with MITRE Engenuity and the Center for Threat Informed Defense (CTID).[2] It also helps that our parent organization, the Verizon Threat Research Advisory Center (VTRAC),[3] shared the most breaches ever for us to analyze. Did you know it is VTRAC's 20th anniversary this year? Save us a slice of that cake, boss!

As long-time readers will know, over the past few years, we have increasingly utilized non-incident data to add depth and dimension to our breach findings via various forms of research and analysis. While that remains a big part of what we do, as mentioned above, we did take purposeful steps toward a more direct focus on the breach side of the house this year. In short, the result of this was to make the report more concise and succinct and less unwieldy. This year we analyzed 16,312 security incidents, of which 5,199 were confirmed data breaches. As always, we hope you find this information informative, useful, easy to understand and actionable.

Finally, we thank our global data contributors most sincerely, as this report would quite literally not be possible without them. Of course, the same can be said of our readers, so please accept our deep gratitude for your continued support.

Sincerely,
The Verizon DBIR Team
C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup

Very special thanks to: Dave Kennedy and Erika Gifford from VTRAC. Kate Kutchko, Marziyeh Khanouki and Yoni Fridman from the Verizon Business Product Data Science Team. Gabriel Bassett for all the statistical tooling, charts and terrible jokes over the years. Good luck on your next adventure!

[2] https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/
[3] https:/

Summary of findings
Social Engineering attacks are often very effective and extremely lucrative for cybercriminals. Perhaps this is why Business Email Compromise (BEC) attacks (which are in essence pretexting attacks) have almost doubled across our entire incident dataset, as can be seen in Figure 5, and now represent more than 50% of incidents within the Social Engineering pattern.

Figure 5. Pretexting incidents over time

74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.

83% of breaches involved External actors, and the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches.

The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities.

Figure 6. Select key enumerations
Figure 7. Select enumerations in non-Error, non-Misuse breaches (n=4,291)

More than 32% of all Log4j scanning activity over the course of the year happened within 30 days of its release (with the biggest spike of activity occurring within 17 days). Log4j was so top-of-mind in our data contributors' incident response that 90% of incidents with Exploit vuln as an action had "Log4j," or "CVE-2021-44228" in the comments section. However, only 20.6% of the incidents had comments.

Figure 9. Percentage of Log4j scanning for 2022

Ransomware continues its reign as one of the top Action types present in breaches, and while it did not actually grow, it did hold statistically steady at 24%. Ransomware is ubiquitous among organizations of all sizes and in all industries.

Figure 8. Ransomware action variety over time
Figure 10. Percentage of identified Exploit vuln that was Log4j (n=81). Each glyph represents an incident.

2 Results and analysis

Results and analysis: Introduction
Hello friends, and welcome to the "Results and analysis" section. This is where we cover the highlights we found in the data this year. This dataset is collected from a variety of sources, including our own VTRAC investigators, reports provided by our data contributors and publicly disclosed security incidents. Since data contributors come and go, one of our priorities is to make sure we can get broad representation on different types of security incidents and the countries where they occur. This ebb and flow of contributors obviously influences our dataset, and we will do our best to provide context on those potential biases where applicable.

As some of you may have noticed[4] over the years, the incident data collection we do is based on the VERIS Framework. It has been the bedrock upon which our multiyear dataset has been built and is what allows us to be able to speak with confidence when trends in the attack landscape surface. Our dataset currently contains 953,894 incidents, of which 254,968 are confirmed breaches, and we can't wait to celebrate[5] with you when we reach 1 million[6] incidents!

In VERIS, the core categories we use to describe an incident are called the 4As: Actor (who), Action (how), Asset (where) and Attribute (what). An incident needs all these four to be "complete," even if at the end of the day some of those are unknown to the parties investigating the incident. Keep an eye out for our instructive callouts in each of those sub-sections giving more context on our VERIS categories. Let's go over the results for each one of these.

[4] We certainly won't shut up about it.
[5] Not sure if we should be celebrating security incidents, but everyone loves a round number.
[6] Here's hoping being a millionaire doesn't get to our dataset's head, and they decide to join the "Great Resignation" and retire in some tropical tax haven.

Actors
Life can be scary and unpredictable, which is why we like to start our results discussion with the cozy and familiar Actor analysis. It really is true, as they say, that the only certainties in life are death, taxes and External actors.[7] As Figure 11 demonstrates, External actors were responsible for 83% of breaches, while Internal ones account for 19%. It is worth reminding our readers that Internal actors are not only responsible for intentional harm in these cases, but they are also just as likely[8] to be responsible for Error actions. Regardless, the clear frequency of External actors as instigators of breaches is a datapoint that has held steady ever since we started this gig.

Actor categories[9]
External: External threats originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees and government entities. This category also includes God (as in "acts of"), "Mother Nature" and random chance. Typically, no trust or privilege is implied for external entities.
Internal: Internal threats are those originating from within the organization. This encompasses company full-time employees, independent contractors, interns and other staff. Insiders are trusted and privileged (some more than others).
Partner: Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers and outsourced IT support. Some level of trust and privilege is usually implied between business partners. Note that an attacker could use a partner as a vector, but that does not make the partner the Actor in this case. The partner has to initiate the incident.

[7] That's what they say, right?
[8] OK, actually twice as likely.
[9] https://verisframework.org/actors.html

Figure 11. Threat actors in breaches (n=5,177)
Figure 12. Threat actor Motives in breaches (n=2,328)
Figure 13. Threat actor Varieties in breaches (n=2,489)

Long-time readers of the report will be similarly shocked to learn that Financial motives still drive the vast majority of breaches (Figure 12), showing growth in relation to last year with a whopping 94.6% representation in breaches. If we look inside to see which external actors are the hardest working, the top performer is Organized crime (Figure 13). What is most interesting in Figure 13, however, is realizing that the internal variety of End-user shows up more often than the external variety State-sponsored attackers.[10] Those organization employees are mostly involved in Misuse (read, internal malicious activity) and Errors (accidents), which suggests where we should be paying more attention on our day-to-day security management. This is relevant because we were expecting some increased activity in State-sponsored attacks, be it Espionage-related or not, due to the ongoing conflict in Ukraine. Even with anecdotal evidence of increased ideology or hacktivism-related attacks stemming from the geopolitical discussion, it really isn't making a dent in larger statistical terms. It is also worth noting that this kind of activity would also be unlikely to disrupt our average reader's organization.[11]

[10] Huge win for anarchists and other state-abolishing ideologies, if you ask us.
[11] No, Mr. Bond, MI6 does not represent our average reader.

Actions
Action, as the name would imply, is what brings dynamism to our report. What dastardly deeds have the threat actors been up to? If you replied "ransomware," we'd say you have no imagination, but you would also be right. This pesky Malware variety has been holding our talking points hostage for years now, and we can't scrounge up enough cryptocurrency to pay the ransom! Figures 14, 15, 16 and 17 describe the top Action varieties (what happened in more detail) and vectors (how those actions came to pass).

Action categories[12]
Hacking (hak): attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms.
Malware (mal): any malicious software, script or code run on a device that alters its state or function without the owner's informed consent.
Error (err): anything done (or left undone) incorrectly or inadvertently.
Social (soc): employ deception, manipulation, intimidation, etc., to exploit the human element, or users, of information assets.
Misuse (mis): use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended.
Physical (phy): deliberate threats that involve proximity, possession or force.
Environmental (env): not only includes natural events such as earthquakes and floods but also hazards associated with the immediate environment or infrastructure in which assets are located.

[12] https://verisframework.org/actions.html

Figure 14. Top Action varieties in breaches (n=4,354)
Figure 15. Top Action varieties in incidents (n=14,829)
Figure 16. Top Action vectors in breaches (n=3,194)
Figure 17. Top Action vectors in incidents (n=10,502)

As expected, the charts are led by either first-stage or single-stage attacks, namely Use of stolen creds for breaches and Denial of Service for incidents. This is consistent with previous years. What is concerning, if unsurprising, is having Ransomware take over the second spot in incidents, now being present in 15.5% of all incidents. Meanwhile, the share of Ransomware did not grow in breaches and held steady (statistically, at least) at 24%. You can see the evolution of both in Figure 18. That almost a quarter of breaches involve a Ransomware step continues to be a staggering result. However, we had been anticipating that Ransomware would soon be hitting its theoretical ceiling, by which we mean that all the incidents that could have Ransomware, would have. Ransomware is present today in more than 62% of all incidents committed by Organized crime actors and in 59% of all incidents with a Financial motivation, so sadly there is still some room for growth.

Eagle-eyed readers will notice the absence of Partner and Software update as action vectors for incidents this year, in contrast to last year's "software supply chainpocalypse."[13] Instead, our collective Christmas was ruined by another Ghost of Technical Debt Past: the Log4j vulnerability popularly known as CVE-2021-44228.[14]

We will be spending some time digging into the Log4j vulnerability in the "System Intrusion" section, but it is worth noting that the presence of the Exploit vuln action has kept stable in incidents and is actually less prominent in breaches, dropping from 7% to 5%. So, did the collective security industry sacrifice its holidays for nothing? Not quite. This is one of those cases where the alternatives are just more popular. Use of stolen creds, our current champion, increased its share from 41.6% to 44.7%, which more than accounts for the drop in Exploit vuln. More importantly, there was swift action from the community to spread awareness and patch all the different systems that had Log4j as a component. That surely helped avert a bigger disaster, so our success makes it look like it wasn't a big deal after all.[15] In fact, Log4j was so top-of-mind in our data contributors' incident response that 90% of incidents with Exploit vuln as an action had "Log4j," or "CVE-2021-44228" in the comments section. Granted, only 20.6% of the incidents had comments at all,[16] so even if it can't fully represent the whole dataset, it certainly speaks to how significant the vulnerability was in late 2021 and early 2022 for the incident response teams.

Figure 18. Ransomware action variety over time

Finally, before I lose your attention, we should touch base on Loss.[17] This action variety describes losing a physical device or media by accident and is often paired with the Carelessness action vector. It did show up fairly high in incidents. This is often because the data could not be confirmed as having been accessed and was therefore considered at risk rather than a breach. It is worth pointing out though that those were mostly concentrated in the data from some of our public sector contributors, where this sort of event is more tightly reported. Regardless, we know everyone was super excited about leaving the house again as the pandemic waned, but please keep an eye on your stuff when you go work from the coffee shop.

[13] Wouldn't you know, the moment we mention anything has not had relevance in our dataset, something new happens to remind us that change is the only constant. Best of luck for the teams responding to the 3CX supply-chain breach in late March 2023 as we close out this section. Make sure to keep copious notes so we can talk about it in a future edition of the report.
[14] Just rolls off the tongue, doesn't it?
[15] Who here was working on the Y2K bug? Don't forget to schedule your shingles vaccine!
[16] In everyone's defense, most of the data sharing happening here is machine-to-machine. Long gone are the days of artisanal, bespoke, VERIS-coded incidents for most of our contributors.
[17] For the extremely online folks, we apologize for the psychic damage.

Assets
Figure 19. Assets in breaches (n=4,433)

Asset categories[20]
Server (srv): a device that performs functions of some sort supporting the organization, commonly without end-user interaction. Where all the web applications, mail services, file servers and all that magical layer of information is generated. If someone has ever told you "the system is down," rest assured that some Servers had their Availability impacted. Servers are common targets in almost all of the attack patterns, but especially in our System Intrusion, Basic Web Application Attacks, Miscellaneous Errors and Denial of Service patterns.
Person (per): the folks (hopefully) doing the work at the organization. No AI chat allowed. Different types of Person will be members of different departments and will have associated permissions and access in the organization stemming from this role. At the very least they will have access to their very own User device and their own hopes and dreams for the future. Person is a common target in the Social Engineering pattern.
User device (usr): the devices used by Persons to perform their work duties in the organizations. Usually manifested in the form of laptops, desktops, mobile phones and tablets. Common target in the System Intrusion pattern but also in the Lost and Stolen Asset pattern. People do like to take their little computers everywhere.
Network (net): not the concept, but the actual network computing devices that make the bits go around the world, such as routers, telephone and broadband equipment, and some of the traditional in-line network security devices, such as firewalls and intrusion detection systems. Hey, Verizon is a Telecommunications company, OK?
Media (med): precious diluted data in its most pure and crystalline form. Just kidding, mostly thumb drives and actual printed documents. You will see the odd full disk drive and actual physical payment cards from time to time, but those are more rare. Common in the Lost and Stolen Assets pattern.

In case you just wandered out of an Accounting 101 class, our Assets are more than the numbers that you list on the left side of your balance sheet.[18] They encompass the entities that can be affected in an incident or breach and end up being manipulated by the threat actors for their nefarious goals. The callout box describes some of the most common top-level Assets in VERIS and some of the most common attack patterns that target them.

Figure 19 has the breakdown of varieties of Assets affected in breaches, and the results are pretty much what would be expected given the focus of System Intrusion, Basic Web Application Attacks and Social Engineering as the top attack patterns this year. We can see a small fluctuation on the top three, as slightly fewer Servers were affected and slightly more User devices, but this order has held true for at least a couple of years, ever since Person overtook the second spot. Don't forget that in VERIS, people are assets too,[19] and they are the "where" that is affected by social threat actions.

[18] However, not caring for them properly could cause liabilities that would go on the right side.
[19] Just ask your organization's HR department.
[20] https://verisframework.org/assets.html

Breaking the Asset varieties down further in Figure 20 showcases Web application and Mail servers on top, as would be expected, but it is interesting to see Person-Finance trending up from last year as we see a related growth in Pretexting social actions. We will be discussing those, and more specifically BECs, in the "Social Engineering" section of this report.

As a parting note, we continue to see very small numbers of incidents involving Operational Technology (OT), where the computers interface with heavy machinery and critical infrastructure, as contrasted with incidents involving Information Technology (IT), where we keep our cat pictures and internet memes. Industries like Manufacturing and Mining, Quarrying and Oil & Gas Extraction + Utilities[21] continue to be relatively well-represented in our dataset, but reports of actual impact on OT devices are still too few for us to meaningfully write about in this report. For those keeping track, we had a 3.4% showing of OT assets in breaches that declared their impact. In summary, keep your attention level high, given the potential impact when those systems are affected, but either those numbers are very low overall, or they just don't make it to our contributors' dataset due to national[22] security concerns.

[21] We know, it's a mouthful.
[22] From any country really.

Figure 20. Top Asset varieties in breaches (n=3,207)

Attributes
Attribute categories[23]
Confidentiality (cp): refers to limited observation and disclosure of an asset (or data). A loss of confidentiality implies that data were actually observed or disclosed to an unauthorized actor rather than endangered, at-risk or potentially exposed (the latter fall under the attribute of Possession and Control). Short definition: limited access, observation and disclosure.
Integrity (ia): refers to an asset (or data) being complete and unchanged from the original or authorized state, content and function. Losses to integrity include unauthorized insertion, modification and manipulation. Short definition: complete and unchanged from original.
Availability (au): refers to an asset (or data) being present, accessible and ready for use when needed. Losses to availability include destruction, deletion, movement, performance impact (delay or acceleration) and interruption. Short definition: accessible and ready for use when needed.

The next time you meet an incident responder in the wild, know that all that goes through their mind is, "Did the asset or a copy of the data get out the door" (Confidentiality), "was it changed from a known and trusted state" (Integrity) and "do we still have access to it ourselves?" (Availability). Please offer them a word of kindness and a beverage, because it is a very tortured existence. If you are feeling cold, they are cold too.

One of the most interesting Attribute varieties we track year over year is the Confidentiality data varieties (Figure 21), or what kinds of data got out in a breach. Personal data represents Personally Identifiable Information (PII) from your customers, partners or employees, and it is the one that usually gets companies the most in trouble with regulators, as more and more privacy-related laws are passed around the world (although Medical data is a whole other ball of earwax).

[23] https://verisframework.org/attributes.html
[24] Our Lambos might be parked in our parents' garage, though.

When VERIS describes Attributes, it is directly referencing the CIA triad in information security (InfoSec): Confidentiality, Integrity and Availability. It's a tried-and-true method of understanding the potential impact of an incident by describing what properties of the asset were potentially affected.

Virtual money, real problems
One data variety really caught the DBIR team's attention this year: Virtual currency. We saw a fourfold increase this year in the number of breaches involving cryptocurrency from last year. That is a far cry from the days of innocence in 2020 and earlier, when we got one or two cases maximum each year. If our cartoon animal NFTs had these kinds of returns, we can assure you we would be living large and writing this report from our Lambos, not from our parents' basements.[24] Figures 23 and 24 show the top action varieties and vectors in breaches involving virtual currency, and it is a fierce competition between Exploit vulnerabilities, Use of stolen creds and Phishing. These types of breaches

Figure 21. Top Confidentiality data varieties in breaches (n=5,010)
Figure 22. Availability variety over time

Internal data and System data are usually byproducts of an extensive breach with multiple steps, as information from emails and documents are vacuumed up by threat actors. Credentials have really gained ground over the past fi
113、ve years,as the Use of stolen credentials became the most popular entry point for breaches.Of course,we still get specific data being beset,such as Medical,Bank account information and Payment card data.Those could be specific,targeted events or just be a part of the data that is acquired during a r
114、ansomware attack with data exfiltration.And just in case you are not tired of us moaning about ransomware,25 please enjoy Figure 22,where we can see another impact of the ransomware growth as the Obscuration of data became the most common availability impact variety,handily overcoming plain old Loss
115、 of data.25 Were not bitter;youre bitter.26 That rug really tied the room together,man!fall between the actual coin networks or exchanges being breached via their applications and application programming interfaces(APIs),or phishing and pretexting activity on chat platforms(like Discord)of the coin
116、communities,where after a simple click on a link,suddenly your wallet is not yours anymore.Having assets in virtual currency is a risky endeavor at best,even when there are no bad actors involved in rug-pulling.26 The added focus of threat actors on these types of assets doesnt make the landscape an
117、y easier.Our parting message is that unless security is taken seriously in those cases,we,in fact,are not going to make it.Figure 23.Top Action varieties in breaches where virtual currency was involved(n=30)Figure 24.Top Action vectors in breaches where virtual currency was involved(n=48)2023 DBIR R
3 Incident Classification Patterns

2023 DBIR Incident Classification Patterns

Incident Classification Patterns: Introduction

One of the greatest gifts that evolution has granted the human race is a pattern-seeking brain. Was that just some swaying foliage in the jungle, or is a striped tiger sneaking around to pounce on us? The fact that humans are still around tells us we got that question right more often than we didn't. Thankfully, we can also use our pattern-seeking superpowers to try to organize and make sense of all the different ways in which computers remind us they were a mistake.27

Our incident patterns are, in a nutshell, a way to cluster similar incidents into an easy-to-remember shorthand. As we mentioned before, incidents are characterized by the 4As of VERIS, and we can avoid a long descriptive paragraph every time by classifying our incidents in this way.28 Our eight patterns, and how they are defined, can be found in Table 1.

This year, we are showcasing a detailed breakdown of ATT&CK Techniques29 and Center for Internet Security (CIS) Critical Security Controls30 related to certain patterns, as those are the places that make sense so we don't repeat ourselves throughout this report. We are proud of the ATT&CK mappings release, as they represent the culmination of a multiyear collaboration with MITRE CTID in creating and maintaining a working relationship between its standard and VERIS. You can read more about this in our Appendix B.

So, enjoy the cognitive load we just removed from your (pattern-seeking) grey matter as we deep dive into specific results and detailed analysis for each pattern.

27 As opposed to ChatGPT and other AI platforms, which insist that humans may be the mistake.
28 It's like they say, a pattern is worth about four As.
29 https://attack.mitre.org/
30 https://www.cisecurity.org/controls

Figure 25. Patterns over time in incidents

Table 1. Incident Classification Patterns

Basic Web Application Attacks: These attacks are against a Web application, and after the initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.

Denial of Service: These attacks are intended to compromise the availability of networks and systems. This includes both network and application layer attacks.

Lost and Stolen Assets: Incidents where an information asset went missing, whether through misplacement or malice, are grouped into this pattern.

Miscellaneous Errors: Incidents where unintentional actions directly compromised a security attribute of an information asset fall into this pattern. This does not include lost devices, which are grouped with theft instead.

Privilege Misuse: These incidents are predominantly driven by unapproved or malicious use of legitimate privileges.

Social Engineering: This attack involves the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.

System Intrusion: These are complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying Ransomware.

Everything Else: This “pattern” isn't really a pattern at all. Instead, it covers all incidents that don't fit within the orderly confines of the other patterns. Like that container where you keep all the cables for electronics you don't own anymore: Just in case.

As we have in prior years, here we present our Incident Classification Patterns (patterns) and show how they fared year over year. Figure 25 shows the patterns over time for incidents, and you can see that Denial of Service is top of the heap, as it has been for several years. When you contrast this graphic with Figure 26, you can see how different the environment looks when we are focused on those incidents where there was confirmed data loss. The System Intrusion pattern, with its more complex attacks, has been an overachiever and includes multistep attacks that feature ransomware. But we're getting ahead of ourselves. Let's move into the
detailed pattern sections for the full story.

Figure 26. Patterns over time in breaches

System Intrusion

Frequency: 3,966 incidents, 1,944 with confirmed data disclosure
Threat actors: External (96%), Internal (4%), Multiple (2%), Partner (1%) (breaches)
Actor motives: Financial (97%), Espionage (3%) (breaches)
Data compromised: Other (42%), Personal (34%), System (31%), Internal (24%) (breaches)

Summary: This pattern largely pertains to attacks perpetrated by more dedicated criminals who utilize their expertise in hacking and ready access to malware to breach and/or impact organizations of different sizes, frequently leveraging Ransomware as their means of getting a payday.

What is the same? Ransomware continues to dominate this pattern as attackers leverage a bevy of different techniques to compromise an organization.

This is mine, and this is mine

Imagine strolling into your office one morning only to discover an alarming desktop image from some criminal group with a cringeworthy name requesting Bitcoin (BTC) in exchange for the return of all your data. Hopefully, being the avid DBIR reader you are, you would have recent and well-tested backups to restore from. However, what if these criminals do not stop at only encrypting your data but also threaten to leak portions of your more sensitive information unless paid? Oftentimes it appears that no matter how fast our defenses and practices evolve, attackers adapt theirs just as quickly. This creates a perpetual arms race, and nowhere is it better represented than in the System Intrusion pattern.

We frequently think of the threat actors in this pattern as the “hands on keyboard” type of attackers. While they might leverage automation to gain a foothold, once they are inside the organization, they utilize finely honed skills to bypass controls and achieve their goals. As Figure 28 illustrates, this commonly includes Ransomware. They use a variety of tools to traverse your environment and then pivot, including using phishing and stolen credentials to obtain access and adding backdoors to maintain that access and leverage vulnerabilities to move laterally.

We can see these attacks more clearly when we break them into three smaller, more consumable portions. Namely, the initial access phase, the breach escalation and the results. Figure 27 has a breakdown of the Action-Asset combinations that we see during different steps of the attack.

Relevant ATT&CK techniques

Execution: TA0002
Persistence: TA0003
Privilege Escalation: TA0004
Defense Evasion: TA0005
Credential Access: TA0006

Exploit vuln (VERIS): Exploitation for Privilege Escalation: T1068; Exploit Public-Facing Application: T1190; Exploitation for Defense Evasion: T1211; Exploitation for Credential Access: T1212; Exploitation of Remote Services: T1210; External Remote Services: T1133; Vulnerability Scanning: T1595.002

Use of stolen creds (VERIS): Compromise Accounts: T1586; Social Media Accounts: T1586.001; Email Accounts: T1586.002; External Remote Services: T1133; Remote Services: T1021; Remote Desktop Protocol: T1021.001; Use Alternate Authentication Material: T1550; Web Session Cookie: T1550.004; Valid Accounts: T1078; Default Accounts: T1078.001; Domain Accounts: T1078.002; Local Accounts: T1078.003; Cloud Accounts: T1078.004

Jiggling locks

When looking at Figure 27, we see the clear leaders for the initial access: a great deal of hacking servers and an almost equal amount of unknown actions. In terms of hacking, 9% of incidents involve Exploiting vulnerabilities and 8% involve the Use of stolen credentials. When we examine only our incidents that contain the exploitation of vulnerabilities, we find those vulnerabilities are largely exploited via Web applications (Figure 29).

In addition, we see some User devices being directly targeted, and we also observe Phishing in roughly 6% of cases. Phishing provides just another means of ingress, either to get a set of usable credentials or to deploy a payload on a user system. Malware is largely distributed via email and often comes in the form of Microsoft Office documents (see Figure 30). This makes sense when you consider that most of these documents now have the ability to run code on the client system, which is extremely useful if you're an attacker. Admittedly, there are many cases in which we do not know the exact means of entry the attacker used. However, these pathways of Exploiting vulnerabilities, Using stolen credentials and Phishing are very similar to previous years' findings, and let's face it, they are straight out of InfoSec 101. This again demonstrates the importance of the fundamentals.

Figure 27. Steps in System Intrusion breaches
Figure 28. Action varieties in System Intrusion incidents (n=2,700)
Figure 29. Action vectors in System Intrusion incidents (n=787)
Figure 30. Malware delivery method proportion per organization

Well, that escalated quickly.

Once attackers have access to your environment, they will typically look for ways to escalate privileges, maintain persistence and locate paths to move across the organization to achieve their ultimate goal, whatever that may be. For those ATT&CK aficionados out there, you may be thinking this sounds like we're talking about a big chunk of that matrix. Well, we are. While we have a higher view of the incidents, we do not always have the telemetry required to find out exactly what techniques were used. However, below we discuss some of the additional hacking techniques and malware capabilities that we can track.

Malware that maintains command and control (C2) access to the system was witnessed in about 5% of incidents. Also present are the more typical types of malware that profile hosts, scan networks and (a local favorite) dump passwords. Lastly, just in case you thought the 2010s were behind us, we even found a handful of crypto miners in this dataset. There were not enough for us to confirm that they are back en vogue, but definitely enough to confirm that certain parties still consider compromised servers as free real-estate from which to mine.

Results

With such a high reliance upon the installation of malware across this pattern (either in the form of Ransomware, backdoors or payment card skimming malware) we shouldn't be too surprised when we find servers that have illicit software installed as the most common combination of Attribute and Asset. The second most common is the exfiltration of data, and rounding out the trio is the loss of availability, aka rendering your data unreadable. These top three describe the final steps associated with many of these attacks quite well: attackers find a way to install their payload across the organization, steal data and then encrypt the systems on their way out.

Ransomware, seriously, we're still doing this section?

Ransomware continues to be a major threat for organizations of all sizes and industries and is present in 24% of breaches. Of those cases, 94% fall within System Intrusion. While Ransomware has increased only slightly this year, it is so ubiquitous that it may simply be a threat that we will always have to protect against: 91% of our industries have Ransomware as one of their top three actions.

To understand how these attacks occur, it is often useful to look at the top Vectors for the actions. In this case, the most common ways in are Email, Desktop sharing software and Web applications (Figure 31). Email as a vector isn't going away any time soon. The convenience of sending your malware and having the user run it for you makes this technique timeless. The next most common vector, Desktop sharing software, makes sense, since these breaches and incidents frequently leverage some means of accessing a system. What better way to do that than by using a built-in tool such as RDP or a third-party version to provide the criminal mastermind a nice GUI?

Figure 31. Action vectors for Ransomware (n=690)

Splitting the Log4j

As we DBIR authors groggily awoke from our hyperbolic slumber to start collecting and writing about all the major happenings in the cybersecurity world, we saw yet another major cybersecurity event had slowly played out after the cutoff of our data collection. This occurred first in 2020, with SolarWinds,31 and history has repeated itself in 2021 with Log4j,32 opening what seems to be a Pandora's box of vulnerabilities. However, there is one advantage
to waiting: we get to watch as the dust settles and provide an objective analysis as to what actually occurred. There was a great deal of uncertainty and complexity surrounding the incidents involving the Log4j vulnerability. One of which was the fact that no one really understood the full scope of the breach as it was not simply in one software product but was actually in a library used by numerous applications and programs (both purchased and open sourced).

A quick recap of the event is perhaps warranted to refresh everyone's memory. The vulnerability was disclosed in late November 2021, and within a few days the first exploitations began to appear. The vulnerability, given the designation of CVE-2021-44228, was given a whopping criticality score of 10.33 By the end of December, 0.003% of the scanning activity captured by honeypots were actively poking and prodding for this specific vulnerability. While that number might seem small, the velocity was rather striking, with more than 32% of all Log4j scanning activity over the course of the year happening within 30 days of its release (the biggest spike of activity occurred within 17 days, as Figure 32 shows). This velocity is an interesting comparison versus organizations' median time to patch, which is currently 49 days for critical vulnerabilities, a number that has stayed relatively consistent over the years.

However, it may not have been as big of a disaster as many predicted. When examining the DBIR incident dataset, we actually saw a decrease of vulnerability exploitation leading to incidents and breaches, with Log4j being mentioned in 0.4% of our incidents (just under a hundred cases). However, when examining these cases, we found that Log4j was used by a variety of actors to achieve an assortment of different objectives, with 73% of our cases involving Espionage and 26% involving Organized crime. Given the nature of the vulnerability, allowing remote code execution, we predictably saw a lot of malware activity associated with it, such as Backdoors and Downloaders to pull in additional hosts. Finally, in about 26% of the cases, we saw the exploit of Log4j being leveraged as part of Ransomware attacks, which only goes to show that attackers will leverage whatever beachhead they can get.

31 https://www.cisa.gov/news-events/news/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
32 https://www.cisa.gov/news-events/news/cisa-issues-emergency-directive-requiring-federal-agencies-mitigate-apache-log4j
33 Though insiders have indicated that it could have gone up to 11.

Based on some of the vulnerability scanning data we analyzed (as in the good folks scanning for vulnerabilities, not the bad ones) we found that vulnerable Log4j showed up in 8% of organizations. And in other somewhat surprising news, we also found that there was a greater percentage of Log4j installations that were end of life (EOL) with 14% of organizations, even if they weren't actually vulnerable to Log4j explicitly. Lastly, 22% of the organizations had multiple (i.e., more than one) instances of the Log4j vulnerability in their systems.

This underlying vulnerability in a dependency has brought back the discussion around having a software bill of materials (SBOM). You may think that SBOM is a term kids are throwing around in between their “no caps” and “bussin,” but its goal is to help organizations understand all the ingredients (software packages and libraries) that go into making the software their organization relies upon. Having a mature SBOM process across their ecosystem enables organizations to quickly identify vulnerabilities within the underlying libraries and help with future remediation processes for something like Log4j.

Figure 32. Percentage of Log4j scanning for 2022

CIS Controls for consideration

Bearing in mind the breadth of activity found within this pattern and how actors leverage a wide collection of techniques and tactics, there are a lot of safeguards that organizations should consider implementing. A small subset, including the CIS Control Number, is below, which should serve as a starting point for building out your own risk assessments to determine what controls are appropriate to your organization's risk profile.

Protecting devices

Secure Configuration of Enterprise Assets and Software (4)
4.1 Establish and Maintain a Secure Configuration Process
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
4.4 Implement and Manage a Firewall on Servers
4.5 Implement and Manage a Firewall on End-User Devices

Email and Web Browser Protection (9)
9.2 Use DNS Filtering Services

Malware Defenses (10)
10.1 Deploy and Maintain Anti-Malware Software
10.2 Configure Automatic Anti-Malware Signature Updates

Continuous Vulnerability Management (7)
7.1 Establish and Maintain a Vulnerability Management Process
7.2 Establish and Maintain a Remediation Process

Data Recovery (11)
11.1 Establish and Maintain a Data Recovery Process
11.2 Perform Automated Backups
11.3 Protect Recovery Data
11.4 Establish and Maintain an Isolated Instance of Recovery Data

Protecting accounts

Account Management (5)
5.1 Establish and Maintain an Inventory of Accounts
5.3 Disable Dormant Accounts

Access Control Management (6)
6.1 Establish an Access Granting/Revoking Protocol
6.3 Require MFA for Externally-Exposed Applications
6.4 Require MFA for Remote Network Access

Security awareness programs

Security Awareness and Skills Training (14)
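As an added illustration of the SBOM point made in the Log4j discussion and of the vulnerability management safeguards (7.1, 7.2) listed above, and not code from the DBIR or its contributors, here is a Python check that reads CycloneDX-style SBOMs and reports, per organization, the three things the Log4j sidebar counted: vulnerable log4j-core versions (CVE-2021-44228), end-of-life Log4j 1.x, and organizations carrying more than one vulnerable instance. The SBOM field layout, the affected version range (taken from the Apache advisory, not the report) and the five sample organizations are assumptions.

```python
"""SBOM check for Log4j exposure: CVE-2021-44228, end-of-life 1.x, repeats.

Added example, not code from the DBIR or its contributors. Assumptions that
are not on the page: SBOMs are CycloneDX-style JSON whose "components" carry
Maven "group", "name" and "version"; the affected log4j-core range for
CVE-2021-44228 (2.0-beta9 through 2.14.1, minus the fixed backports 2.12.2
and 2.3.1) and the 2015 end of life of Log4j 1.x come from Apache advisories.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int, int, int]

# Pre-release tags sort before the final release: 2.0-beta9 < 2.0-rc1 < 2.0.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+)?)?")


def parse_version(version: str) -> Version:
    """Turn '2.0-beta9', '2.14.1' or '1.2.17' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), _PRE_RANK[m[4]], int(m[5] or 0))


_VULN_LOW = parse_version("2.0-beta9")
_VULN_HIGH = parse_version("2.14.1")
_FIXED_BACKPORTS = {parse_version("2.12.2"), parse_version("2.3.1")}


def log4shell_affected(version: str) -> bool:
    """True when a log4j-core version is inside the CVE-2021-44228 range."""
    v = parse_version(version)
    return _VULN_LOW <= v <= _VULN_HIGH and v not in _FIXED_BACKPORTS


def classify(component: Dict[str, str]) -> List[str]:
    """Findings for one SBOM component: 'CVE-2021-44228', 'EOL', or nothing."""
    group = component.get("group", "")
    name, version = component["name"], component["version"]
    findings: List[str] = []
    if group == "org.apache.logging.log4j" and name == "log4j-core":
        if log4shell_affected(version):
            findings.append("CVE-2021-44228")
    # Log4j 1.x (Maven coordinate log4j:log4j) is not hit by CVE-2021-44228
    # but receives no security fixes at all, so it is reported separately.
    if group == "log4j" and name == "log4j" and parse_version(version)[0] == 1:
        findings.append("EOL")
    return findings


def scan_sbom(sbom_json: str) -> Dict[str, int]:
    """Count vulnerable and EOL Log4j instances in one organisation's SBOM."""
    counts = {"vulnerable": 0, "eol": 0}
    for comp in json.loads(sbom_json).get("components", []):
        for finding in classify(comp):
            counts["vulnerable" if finding == "CVE-2021-44228" else "eol"] += 1
    return counts


def summarize(sboms: List[str]) -> Dict[str, float]:
    """Per-organisation rates in the shape the sidebar quotes: share of orgs
    with a vulnerable Log4j, with an EOL Log4j, and with more than one
    vulnerable instance."""
    results = [scan_sbom(s) for s in sboms]

    def pct(flag: Callable[[Dict[str, int]], bool]) -> float:
        return round(100.0 * sum(1 for r in results if flag(r)) / len(results), 1)

    return {
        "orgs": len(results),
        "pct_vulnerable": pct(lambda r: r["vulnerable"] >= 1),
        "pct_eol": pct(lambda r: r["eol"] >= 1),
        "pct_multiple": pct(lambda r: r["vulnerable"] > 1),
    }


def _bom(*components: Tuple[str, str, str]) -> str:
    """Build a minimal CycloneDX-style SBOM document (constructed sample)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "components": [{"group": g, "name": n, "version": v} for g, n, v in components],
    })


L4J2 = "org.apache.logging.log4j"
# Five constructed organisations; the values are invented, not DBIR data.
SAMPLE_SBOMS = [
    _bom((L4J2, "log4j-core", "2.14.1"), (L4J2, "log4j-api", "2.14.1"), ("log4j", "log4j", "1.2.17")),
    _bom((L4J2, "log4j-core", "2.17.1")),
    _bom((L4J2, "log4j-core", "2.0-beta9"), (L4J2, "log4j-core", "2.12.2"), (L4J2, "log4j-core", "2.13.3")),
    _bom(("log4j", "log4j", "1.2.17")),
    _bom((L4J2, "log4j-core", "2.15.0")),
]

if __name__ == "__main__":
    for i, sbom in enumerate(SAMPLE_SBOMS, 1):
        print(f"org {i}: {scan_sbom(sbom)}")
    print(summarize(SAMPLE_SBOMS))
```

Note that the check deliberately does not flag 2.15.0, which was the first fix release for this CVE and later got its own advisory, so the version ceiling should be kept current rather than copied from here.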
Just one more (Ransomware) note

Since we are hot on the subject of ransomware, we thought it would be interesting to revisit the breach impact data provided by our partner, the FBI Internet Crime Complaint Center (IC3).34 When we last reviewed this data in the 2021 DBIR, we found that 90% of the incidents reported to the IC3 had no financial loss result, but for the remaining 10%, the median amount lost was $11,500, and the range of losses in 95% of the cases were between $70 and $1.2 million.

In reviewing Figure 33, of the incidents with loss, the calculated median more than doubled to $26,000, and the 95% range of losses expanded to sit between $1 and $2.25 million, putting that upper bound in scarier territory if you are a small business. The FBI did find that only 7% of the incidents had losses in this case, so it's not all bad news. Now, before any one of you makes a snarky quip about inflation and the base rate of the economy, here is the unusual part: When combining the paid-out transactions to the threat actors on the same time period, we get a much smaller median, $10,000 (Figure 34), and this median is actually less than the two previous years when the DBIR team has had access to this dataset.

What this suggests is that the overall costs of recovering from a ransomware incident are increasing35 even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down. Even though the amounts requested by the threat actors would be smaller for those smaller companies (they want to get any money they can), the added costs of recovering their IT infrastructure under a backdrop of likely technical debt would spike their overall losses. This is conjecture, as we don't have the company size data and not all complaints have the associated transaction value data in this specific dataset. Even so, this is a result we have been expecting to see due to the increase of automation and efficiency of ransomware operators. Regardless, it's fair to say that an ounce of prevention is worth a pound of cure,36 so we cannot emphasize enough the need of having a plan and/or incident response resources at the ready ahead of your next unscheduled encryption event.

Figure 33. 95% and 80% confidence intervals of Ransomware incident cost per complaint (n=2,575)
Figure 34. Median transaction size for Ransomware based on FBI IC3 complaints

34 https://www.ic3.gov
35 Feel free to make that inflation joke now.
36 This sentence was famously said by a man who flew a kite with a key in a thunderstorm. Makes you think.

Social Engineering

Relevant ATT&CK techniques

Compromise Accounts: T1586; Email Accounts: T1586.002
Establish Accounts: T1585; Email Accounts: T1585.002
External Remote Services: T1133
Internal Spearphishing: T1534
Phishing: T1566; Spearphishing Attachment: T1566.001; Spearphishing Link: T1566.002; Spearphishing via Service: T1566.003
Phishing for Information: T1598; Spearphishing Service: T1598.001
Use Alternate Authentication Material: T1550; Application Access Token: T1550.001
Valid Accounts: T1078; Domain Accounts: T1078.002

Frequency: 1,700 incidents, 928 with confirmed data disclosure
Threat actors: External (100%), Multiple (2%), Internal (1%), Partner (1%) (breaches)
Actor motives: Financial (89%), Espionage (11%) (breaches)
Data compromised: Credentials (76%), Internal (28%), Other (27%), Personal (26%) (breaches)

Summary: Social Engineering incidents have increased from the previous year largely due to the use of Pretexting, which is commonly used in BEC, almost doubling since last year. Compounding
the frequency of these attacks, the median amount stolen from these attacks has also increased over the last couple of years to $50,000.

What is the same? Phishing and Pretexting continue to dominate this pattern, thus ensuring that email remains one of the most common means of influencing individuals.

Professional engineers?

Engineering is a beautiful combination of math and physics applied to a practical and meaningful end, or so we're told. However, much to our parents' disappointment, most of us are not engineers, but only an infinite collection of monkeys tied to typewriters. (Legend has it we will compose “Hamlet” by pure chance any day now. Watch your back, GPT-4.) However, this section is about another, not-so-useful-to-society, form of engineer: the social engineer. This pattern focuses on tactics used by threat actors that leverage our innate helpful nature to manipulate and victimize us. These attackers use a combination of strategies to accomplish this: by creating a false sense of urgency for us to provide a reply or to perform an action, a fake petition from authority, or even hijacking existing communication threads to convince us to disclose sensitive data or take some other action on their behalf.

Social engineering has come a long way from your basic Nigerian Prince scam to tactics that are much more difficult to detect. This increased sophistication explains why Social Engineering continues to rise and currently resides in our top three patterns (accounting for 17% of our Breaches and 10% of Incidents).

Please use this bank account number going forward.

There is a common misconception when it comes to distinguishing phishing from the more complex forms of social engineering. Raise your hand if you haven't received an email with a dubious attachment or a malicious link requesting that you update your password. Nobody? Yeah, that's what we thought. This is phishing, and it makes up 44% of Social Engineering incidents. Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency.

Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top. One of the more complex social attacks is the BEC. In these pretexting attacks, actors leverage existing email threads and context to request that the recipient conduct a relatively routine task, such as updating a vendor's bank account. However, the devil is in the details, and the new bank account belongs to the attacker, so all payments the victim makes to that account will make zero dents in what they owe that vendor. These types of attacks are often much harder to detect due to the groundwork laid by the threat actors prior to the attack. For example, they might have spun up a look-alike domain that closely resembles that of the requesting party and possibly even updated the signature block to include their number instead of the vendor they're pretending to represent. These are just two of the numerous subtle changes that attackers can make in order to trick their marks, especially those who are constantly bombarded with similar legitimate requests. Perhaps this is one of the reasons BEC attacks have almost doubled across our entire incident dataset, as can be seen in Figure 36, and now represent more than 50% of incidents within this pattern.

Attack type doesn't appear to have much of an effect on click/open rate. The median fail rates for attachment and link campaigns are 4% and 4.7% respectively, and the median click rate for data entry campaigns is 5.8% (though the data entry rate is 1.6%).

Figure 35. Action varieties in Social Engineering incidents (n=1,696)
Figure 36. Pretexting incidents over time

Inconspicuous beginnings

Because this pattern is largely based on human-targeted attacks, it makes sense that the very first action in this pattern will be some form of phishing or pretexting email (Figure 37). In fact, email alone makes up 98% of the vector for these incidents, with the occasional sprinkling of other communication methods, such as phone, social media or some internal messaging app that some folks might be Slacking off on (cough, cough).

Two paths diverged, etc., etc.

What happens after that initial email is where things often diverge. There are two major routes that the attacks typically take. Most commonly, if the attackers are soliciting credentials and obtain them, then they will leverage those credentials to access the user's inbox (found in 32% of incidents). The road less traveled is where, by simply using email communication, the attackers are able to spin a credible story (albeit fictitious) to convince someone to do their bidding. Persuading someone to change the bank account for the claimed recipient, for example, is found in 56% of incidents. Of course, a combination of tactics can also be used. The attackers may leverage their acquired access to a user's inbox to look for an email chain they can hijack or search the victim's address book to find people who can be targeted further. It's not uncommon for attackers to add forwarding rules to make sure their activities stay undetected as long as possible, which is why

Figure 37. Steps in Social Engineering breaches

Time is of the essence.

When responding to social engineering attacks (and the same could be said of most attacks), rapid detection and response is key. The importance of timely detection is highlighted by the increasing median cost of BECs, as shown in Figure 38, which has risen steadily from 2018 and now hovers around the $50,000 mark. However, unlike the times we live in, this section isn't all doom and gloom. Fortunately for the victims, law enforcement has developed a process by which they collaborate with banks to help recover money stolen from attacks such as BEC. More than 50% of victims were able to recover at least 82% of their stolen money. This illustrates the importance of ensuring that their employees feel comfortable reporting potential incidents to security, since their willingness to do so greatly improves the organization's ability to respond. With this in mind, we encourage companies to step away from the “phishing exercises will continue until click rates improve” stance and adopt a more collaborative approach to security.

Protect accounts

Account Management (5)
5.1 Establish and Maintain an Inventory of Accounts
5.3 Disable Dormant Accounts

Access Control Management (6)
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.3 Require MFA for Externally-Exposed Applications
6.4 Require MFA for Remote Network Access

Security awareness programs

Security Awareness and Skills Training (14)
Although not part of the CIS Controls, a special focus should be placed on BEC and processes associated with updating bank accounts.

Managing incident response

Incident Response Management (17)
17.1 Designate Personnel to Manage Incident Handling
17.2 Establish and Maintain Contact Information for Reporting Security Incidents
17.3 Establish and Maintain an Enterprise Process for Reporting Incidents

Why do BECs work?

Much like Ransomware, which is the monetization of access to an organization's network, BECs are just one of the many means criminals have of monetizing access to a user's inbox and contacts. BECs can be targeted internally, meaning that the attacker will leverage a compromised employee's email account to target their own organization by impersonating the user. We commonly see actors trying to redirect payroll deposits into an account they control. Alternatively, actors can target partners by using access to an employee's email account, so they can impersonate that user and request updates to payments in order to include their own bank account.

CIS Controls for consideration

There are a fair number of controls to consider when confronting this complex threat, and all of them have pros and cons. Due to the strong human element associated with this pattern, many of the controls pertain to helping users detect and report attacks as well as protecting their user accounts in the event that they fall victim to a phishing lure. Lastly, due to the importance of the role played by law enforcement in responding
218、to BECs,it is key to have plans and contacts already in place.Figure 38.Median transaction size for BECs(n=73,420).Based on FBI IC3 complaints where a transaction occurred.2023 DBIR Incident Classification Patterns35Basic Web Application AttacksFrequency1,404 incidents,1,315 with confirmed data disc
219、losureThreat actorsExternal(100%),Internal(1%),Multiple(1%)(breaches)Actor motivesFinancial(95%),Espionage(4%),Fun(1%)(breaches)Data compromisedCredentials(86%),Personal(72%),Internal(41%),Other(19%)(breaches)SummaryWhile representing approximately one-fourth of our dataset,these breaches and incide
220、nts tend to be largely driven by attacks against credentials,with the attackers then leveraging those stolen credentials to access a variety of different resources.What is the same?Poorly picked and protected passwords continue to be one of the major sources of breaches within this pattern.Relevant
221、ATT&CK techniquesBrute Force:T1110 Credential Stuffing:T1110.004 Password Cracking:T1110.002 Password Guessing:T1110.001 Password Spraying:T1110.003Compromise Accounts:T1586 Email Accounts:T1586.002Exploit Public-Facing Application:T1190External Remote Services:T1133Valid Accounts:T1078 Default Acco
222、unts:T1078.001 Domain Accounts:T1078.002Use Alternate Authentication Material:T1550 Application Access Token:T1550.001Active Scanning:T1595 Vulnerability Scanning:T1595.002Who dunnit?While it may liven up our humdrum existence to imagine the threat actors behind breaches as characters from a game of
223、 Clue(the cyber version),37 it is more likely to have been an average Jane Doe using stolen credentials or some well-known vulnerability.37 Was the breach caused by the mysterious Spiderlady via a complicated zero day on an internet-facing server?Or was it perpetrated by the Sophisticated Panda usin
224、g drones inside a Kubernetes cluster?38 Yes,it is the“Groundhog Day”of InfoSec topics.I bet you can find it in our past reports!This pattern,which accounts for 25%of our breaches,consists largely of leveraging stolen credentials and vulnerabilities to get access to an organizations assets.With this
225、beachhead,the attackers can then do a variety of things,such as stealing key information hiding in emails or taking code from repositories.While these attacks arent complicated,they certainly are effective and have remained a relatively stable part of our dataset,which prompts us to discuss once aga
226、in(drum roll,please),the importance of multifactor authentication(MFA)and patch management!382023 DBIR Incident Classification Patterns36Initial access86%of the breaches,as you can see in Figure 39,involve the Use of stolen credentials.And where better to use those credentials than against the vario
227、us web servers that contain our sensitive information?The other major part of the puzzle within this pattern is the use of exploits.This is where attackers have an exploit and the victims just happen to have a vulnerability(handy for the criminal).This typically occurs in only about 10%of the datase
228、t,and while that may sound like an insignificant number of breaches,unpatched vulnerabilities are still the bread and butter for many attackers,with 50%of organizations experiencing over 39 Web application attacks this year.3939 One of the advantages to running these types of attacks is that the ser
229、ver never tires,never sleeps,it just throws exploits at everyone continually,night and dayunlike your humble cybersecurity analyst who needs at least four coffees a day and nine hours of sleep.Breach escalationEven though we refer to these attacks as“basic,”theyre not simply“one and done”incidents w
230、here credentials are leveraged against a web application and the attacker then goes on their merry way.There is often some sort of middle step(Figure 40).For instance,malware is frequently one of the primary means of maintaining persistence(look at us,using them fancy ATT&CK terms),with Backdoor or
231、C2 in about 2%of the incidents.In other cases,the attackers will leverage their current access to conduct additional attacks.Figure 39.Top Action varieties for Basic Web Application Attacks breaches(n=1,287)2023 DBIR Incident Classification Patterns37ImpactsWith regard to impact,we commonly see that
232、 after Web applications,Mail servers are one of the preferred targets for attackers.This makes sense,because hidden away in our inboxes among the hundreds of unread emails40 there are often key internal documents(41%of breaches involve mail servers)or,sadly,credentials to some other system.The findi
233、ngs for this pattern show that attackers can access Internal data(41%),Medical data(6%)and even Banking data(6%)using simple inbox mining tactics(again,reminding us of the importance of good email and server hygiene).40 Sorry,Grandma.Figure 40.Steps in Basic Web Application Attacks2023 DBIR Incident
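The forwarding rules mentioned in the Social Engineering section and the inbox mining described above both leave traces in mailbox audit logs. The following is an added example, not part of the report: it scans a constructed, simplified JSON-lines audit format (the event and parameter names such as Operation, UserId, Parameters, ForwardTo and DeleteMessage are assumptions, not any vendor's real schema) and flags rules that send mail outside the organization's domains or that hide the forwarded messages from the mailbox owner.

```python
"""Flag mailbox rules that forward mail outside the organization or hide messages.

Added example, not part of the DBIR. The JSON-lines event shape below is a
constructed, simplified audit format; the field and parameter names are
assumptions, not a vendor's real schema.
"""
import json
from dataclasses import dataclass

# Assumed: the organization's own mail domains. Anything else is "external".
ORG_DOMAINS = {"example.com"}

# Assumed rule parameters that make a copy of mail leave the mailbox.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress")
# Assumed parameters that keep the owner from noticing the forwarded mail.
HIDE_KEYS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
# Operations that create or change rules / mailbox forwarding (assumed names).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


@dataclass(frozen=True)
class Finding:
    user: str
    operation: str
    reason: str


def external_addresses(value):
    """Return the addresses in value (str or list) whose domain is not ours."""
    if isinstance(value, str):
        value = [value]
    external = []
    for addr in value:
        addr = addr.strip().lower()
        if addr.startswith("smtp:"):        # "smtp:user@domain" style prefixes
            addr = addr[5:]
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if domain and domain not in ORG_DOMAINS:
            external.append(addr)
    return external


def analyse_event(event):
    """Return the Findings raised by one audit event (a dict)."""
    findings = []
    op = event.get("Operation", "")
    if op not in RULE_OPERATIONS:
        return findings
    user = event.get("UserId", "?")
    params = event.get("Parameters", {})

    forwards_present = [k for k in FORWARD_KEYS if k in params]
    for key in forwards_present:
        ext = external_addresses(params[key])
        if ext:
            findings.append(Finding(user, op, f"{key} to external {', '.join(ext)}"))

    # A rule that both forwards and deletes/moves/marks-read is the classic
    # "stay undetected" combination; report it even if the target is internal.
    hides = [k for k in HIDE_KEYS if params.get(k) not in (None, False, "False", "")]
    if forwards_present and hides:
        findings.append(Finding(user, op, "forwarding rule also hides messages: "
                                          + ", ".join(hides)))
    return findings


def scan(lines):
    """Run analyse_event over JSON-lines input; blank lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(analyse_event(json.loads(line)))
    return findings


# Constructed sample events (not real log data).
SAMPLE_LOG = """
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": {"Name": ".", "ForwardTo": ["collector@external-mail.invalid"], "DeleteMessage": true}}
{"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": {"Name": "Team", "ForwardTo": "team-lead@example.com"}}
{"Operation": "Set-Mailbox", "UserId": "carol@example.com", "Parameters": {"ForwardingSmtpAddress": "smtp:carol.backup@external-mail.invalid"}}
{"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "Parameters": {}}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.user}: {f.operation}: {f.reason}")
```

On the sample above, alice's rule raises two findings (external forward and message deletion), carol's mailbox-level forward raises one, and bob's internal forward raises none.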
As the Nation's Cyber Defense Agency, the Cybersecurity and Infrastructure Security Agency (CISA) sees how our nation's adversaries operate and what tools they use. While some of these adversaries use advanced tools and techniques, most take advantage of unpatched vulnerabilities, poor cyber hygiene or the failure of organizations to implement critical technologies like MFA. Sadly, too few organizations learn how valuable MFA is until they experience a breach. Since joining CISA, I've made it a priority to raise MFA awareness across all sectors to better protect our nation's critical infrastructure. Importantly, we need more and better data to understand the scope of, and solutions to, the threats we face in cyber, and we've called on our industry partners to provide radical transparency to allow our defenders to better see, understand and ultimately protect our citizens, customers and companies. In particular, it's critical that “high-value targets” like system administrators and Software as a Service (SaaS) staff use phishing-resistant MFA. But more and better information is just the beginning. Working collaboratively, I look forward to seeing what we can do together to make our nation more resilient, more secure, and to show measurable progress including in next year's Verizon Data Breach Investigations Report.

Quote from Jen Easterly, Director, U.S. Cybersecurity and Infrastructure Security Agency

You can't eat just one.

One thing you probably don't hear often is someone saying, “If I only had more usernames and passwords to remember.” Credentials are as ubiquitous as sand in the desert and almost as hard to hold onto. Threat actors seem to have a plentiful supply as well. However, what is missing in our data, and we try to be explicit when it comes to biases and limitations, is that we don't necessarily know where all these credentials are coming from. But we here on the DBIR team love a good mystery. Did the butler do it? Are aliens real? What about the Yeti? Ghosts? People with strong work ethics? Alas, we will probably never know. We may also never know where the criminals obtained the credentials in the first place. We might have a good idea in terms of the different ways that one would be capable of getting credentials, such as buying them from password stealers who are nabbing them through social engineering or even spraying them in a brute force attack. What we don't have is the exact breakdown of how many of our breaches and incidents are caused by each. As the old adage goes, “What we know is a drop; what we don't know is an ocean.”

It's not all bad news, however. Even though there are many ways to steal credentials, we have many ways to protect them as well. One of the best ways (stop me if you have heard this one before) is the use of MFA. Before you recline in your chair and “Well, ACKtually” us, we do realize there are limitations to some MFA implementations. As you're undoubtedly aware, some very high profile breaches this year demonstrated some of those shortcomings. In some cases, criminals used social engineering to convince users to accept the authentication attempts. In other instances, they stole the session cookie and used it to masquerade as the user. Of course, some MFA bypasses weren't really bypassing MFA because some of the services weren't properly configured to ONLY use MFA. As mentioned above, what we can't really tell you at this time is how many there were of each, as we need to both update our standard VERIS and collect the data. While this would be an awesome opportunity for us to finally settle the score and discuss which MFA is better and which bypasses are leveraged the most, we will have to keep this placeholder for another year.

If you happen to be interested in how we updated VERIS to capture attacks that bypass MFA, look no further than the list below:
1. Added a new Action to indicate the take-over of a secondary authentication mechanism (hijack)
2. Added a new data variety, Multifactor credential, to indicate whether the other factors, aside from credentials, were captured
3. Added the social variety of Prompt Bombing41 for those attacks that target sending annoying levels of authentication requests to users

Hopefully, the combination of our existing enumerations, along with these new ones, will capture the majority of the cases we encounter. If not, we will re-examine our enumerations with the next version of VERIS.

41 This sounds like what you would call someone who photobombs people in a timely manner, doesn't it?

CIS Controls for consideration

Mitigating against stolen credentials by protecting accounts
Account Management (5): Establish and Maintain an Inventory of Accounts (5.1); Disable Dormant Accounts (5.3)
Access Control Management (6): Establish an Access Granting Process (6.1); Establish an Access Revoking Process (6.2); Require MFA for Externally-Exposed Applications (6.3); Require MFA for Remote Network Access (6.4)

Mitigating against vulnerability exploitation
Continuous Vulnerability Management (7): Establish and Maintain a Vulnerability Management Process (7.1); Establish and Maintain a Remediation Process (7.2); Perform Automated Operating System Patch Management (7.3); Perform Automated Application Patch Management (7.4)

Miscellaneous Errors

You can't find good help these days.

The great English poet and essayist Alexander Pope once quipped, “It is hard to hire people who don't screw things up.” Well, it was something more or less along those lines; just take our word for it. Regardless of who said (or did not say) what, the Miscellaneous Errors pattern continues to comprise a decent chunk of our breach data. If you are a “glass half full” kind of reader, you may take comfort in the fact that this year, error-related breaches are down to 9% as opposed to 13% last year. If you are a “glass half empty” reader, you may simply attribute it to reporting, since last year we had 715 error incidents and 708 with confirmed data disclosure as opposed to 602 incidents, with 512 confirmed breaches this year.
Frequency: 602 incidents, 512 with confirmed data disclosure
Threat actors: Internal (99%), Partner (2%), Multiple (1%), External (1%) (breaches)
Data compromised: Personal (89%), Medical (19%), Other (10%), Bank (10%) (breaches)

Summary: Misdelivery, Misconfiguration and Publishing errors continue to be the headliners, and the errors that lead to breaches are most often committed by System admins and Developers.

What is the same? Employees continue to make mistakes, and sometimes they result in considerable damage to their organizations.

It's my favorite mistake.

Perhaps “favorite” is too strong a word. Misdelivery (sending something to the wrong recipient) accounts for 43% of breach-related errors in our dataset (Figure 41). Publishing errors (showing something to the wrong audience) is in second place at 23%. Finally, Misconfiguration, the much-loved action type of the lazy person, comes in third and accounts for 21% of error-related breaches. This might tempt us to think that people are unreliable; perish the thought. However, you can rely on them to at least keep things interesting by switching up their mistakes to help keep you on your toes.

Figure 41. Action varieties over time in Miscellaneous Errors breaches

In fact, as Figure 41 illustrates, Misconfiguration and Misdelivery have ebbed and flowed over the last few years as if they were part of the choreographed dance of celestial bodies. In last year's report, Misdelivery and Misconfiguration converged, but this year Misdelivery is in the ascendancy,42 whereas our old faithful dog, the Publishing error, is once again meeting Misconfiguration on its downward slope.

42 If you were born under the sign of Misdelivery you should expect good news soon. 3, 9, 13 and 33 are your lucky numbers.

If we drill down a little deeper (Figure 42), it's easy to see that these three Error types have won the popularity contest by a wide margin. However, the team is saddened to see that Gaffe is always at or near the bottom (considering how many of those we make ourselves). As illustrated in Figure 43, the majority of errors that lead to breaches are committed by Developers and System admins, along with a sprinkling of End-users. Given the Error action types that are most often found in breaches, it is hardly surprising that those who have more responsibility for maintaining the data and the upkeep of the environment are also those who are most frequently responsible. Speaking of responsibility, the error vector of Carelessness appeared in 98% of cases. Yikes! Maybe Pope was on to something.

Figure 42. Top action varieties in Miscellaneous Errors breaches (n=450)
Figure 43. Top actor varieties in Miscellaneous Errors breaches (n=89)

CIS Controls for consideration

Control data
Data Protection (3): Establish and Maintain a Data Management Process (3.1); Establish and Maintain a Data Inventory (3.2); Configure Data Access Control Lists (3.3); Enforce Data Retention (3.4); Securely Dispose of Data (3.5); Segment Data Processing and Storage Based on Sensitivity (3.12); Deploy a Data Loss Prevention Solution (3.13)

Secure infrastructure
Continuous Vulnerability Management (7): Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets (7.6)
Application Software Security (16): Use Standard Hardening Configuration Templates for Application Infrastructure (16.7); Apply Secure Design Principles in Application Architectures (16.10)

Train employees
Security Awareness and Skills Training (14): Train Workforce on Data Handling Best Practices (14.4); Train Workforce Members on Causes of Unintentional Data Exposure (14.5)
Application Software Security (16): Train Developers in Application Security Concepts and Secure Coding (16.9)

Denial of Service

We will not be denied.

As the name would imply, the Denial of Service pattern covers all of those attacks that try to keep you from streaming your next episode of “Below Deck,” watching your next TikTok movie or
loading your timeline on Twitter.43 Sadly, all of this can obviously add up to the nuisance of having to acknowledge the real world and the people around us. We can all agree that would be terrible indeed. However, as some of our readers may know, organizations still actually need the internet to be up and running in order to conduct business.

43 Not sure if we can blame our usual threat actors for this one.

Every year, DoS shows up as a huge volume of Incidents in our datasets, stemming from several different mitigation service partners, including Verizon's own. They are all doing an excellent job in preventing those Incidents from having any significant impact on organizations. In that light, even though the Denial of Service pattern has consistently taken the top spot in Incidents for the last several years (Figure 44), there is really not a lot of nuance to be discussed here, apart from our usual suggestion to invest in some sort of mitigation service if you care about the continued availability of your network presence on the internet. This is not due to a lack of nuance in the DDoS dataset overall but more a reflection of a lack of the typical details that we traditionally analyze, such as Actors, Assets and Attributes. Even so, it didn't feel right to deny our readers a Denial of Service section, as there are still important trends and information that need to be reviewed. It's important to realize they're still there, even if you can easily solve them. Also, it is a respite to not have to write about Ransomware for a couple of pages.

Frequency: 6,248 incidents, 4 with confirmed data disclosure
Threat actors: External (100%) (incidents)

Summary: As Denial of Service continues to dominate our incidents, so do the capabilities of mitigation services. However, there has been a resurgence of low volume attacks that still cause issues to corporations.

What is the same? Denial of Service attacks continue to be ubiquitous and have remained in the top spot of incidents for several years now.

Figure 44. Patterns over time in incidents

We are going to need a bigger pipe.

One important point we should touch on is the growth of the median and above-median percentiles in bits per second of DDoS attacks (see Figure 45).44 The median grew a whopping 57%45 from 1.4 gigabytes per second (Gbps) last year to 2.2 Gbps now, and the 97.5 percentile grew 25% from 99 Gbps to 124 Gbps. This is to be expected as costs of bandwidth and CPU processing become more accessible and available, and it suggests a trend that is hard to break of escalating competition between the attackers and mitigating services. Just make sure your contracted service can clear that bar, and most of the impact will likely be absorbed. Let the machines fight it out Transformers-style and crack open a cold beverage while you worry about all the other attack patterns afflicting your corporation.

44 Be sure to discuss this at parties. You'll be wildly popular.
45 I bet you thought our inflation numbers in the U.S. were bad, huh?

Figure 45. Bits per second in DDoS incidents (n=10,622)

Even as the volume of garbage in our networks grows, some attacks have a more subtle touch. A point of attention that some of our partners brought to us was the growth of distributed DNS Water Torture46 attacks in, you guessed it, shared DNS infrastructure. It is basically a resource exhaustion attack done by querying random name prefixes on the DNS cache server so that the cache always misses and forwards the query to the authoritative server. It is quite silly when you think of it, but it can be a heavy burden with some simple coordination by the threat actor-controlled devices. Make sure to check on your DNS infrastructure resiliency and check for options with your mitigation service as well to make sure you are protected against these attacks too.

46 This is NOT a subtle name!

Lost and Stolen Assets

Frequency: 2,091 incidents, 159 with confirmed data disclosure
Threat actors: External (92%), Internal (68%), Multiple (60%), Partner (1%) (breaches)
Actor motives: Financial (100%) (breaches)
Data compromised: Personal (87%), Medical (30%), Other (21%), Bank (13%) (breaches)

Summary: This pattern continues to be a problem for organizations because these small (and not so small) devices are just so portable. We've seen their capacity to store large amounts of data increase over time, while employees' ability to misplace them (or External actors' to steal them) remains predictably common.

What is the same? Devices and media are still more likely to be lost by Internal actors than stolen by External ones.

Where go my laptop?

The headline in this pattern is “Your stuff is gone,” which isn't really a news flash. Whether the missing item(s) had “help” in the form of someone stealing a laptop, or was accidental, as in classified printed documents being mislaid in high-level government officials' residences, the more portable an asset is, the more it needs protection against loss and theft. This is a pattern where we see a high percentage of incidents not resulting in confirmed data breaches, largely because the status of confidentiality disclosure remains “at-risk” rather than “confirmed” due to the loss of custody of the asset in question. The exception is printed material, since no controls exist to shield documents from view once printed. Similar to last year, we again have less than 10% of the incidents as confirmed data breaches. While stolen devices certainly represent a risk to organizations, employees are much more likely to cause a breach accidentally through loss. This fact has held true year over year on a consistent basis, as shown in Figure 46. What is going missing, you may ask? Unsurprisingly, it's the portable user devices, such as laptops and mobile phones. In fact, phones have become quite the commodity (Figure 47). Considering the fact that no one ever seems to put them down, it's hard to believe so many are lost.

Figure 46. Top Action varieties in Lost and Stolen Assets incidents

CIS Controls for consideration

Protect data at rest
Data Protection (3): Encrypt Data on End-User Devices (3.6); Encrypt Data on Removable Media (3.9)
Secure Configuration of Enterprise Assets and Software (4): Enforce Automatic Device Lockout on Portable End-User Devices (4.10); Enforce Remote Wipe Capability on Portable End-User Devices (4.11)

Figure 47. Top Assets in Lost and Stolen Assets incidents

Privilege Misuse

Frequency: 406 incidents, 288 with confirmed data disclosure
Threat actors: Internal (99%), Multiple (7%), External (6%), Partner (2%) (breaches)
Actor motives: Financial (89%), Grudge (13%), Espionage (5%), Convenience (3%), Fun (3%), Ideology (2%) (breaches)
Data compromised: Personal (73%), Medical (34%), Other (18%), Bank (12%), Payment (12%) (incidents)

Summary: Your employees continue to use their access to commit breaches and, in some cases, initiate fraudulent transactions. We saw more collusion between multiple types of actors this year.

What is the same? This pattern continues to be dominated by the Internal actor, by definition. Most are motivated by financial gain, and Personal data continues to be a favorite target.

My employees love me!

People may think they are somehow immune to a data breach. They may put their trust in their security controls, thinking they have amazing, impenetrable defenses. They may put their trust in “flying under the radar” or believe they are too small to have a breach. But this kind of thinking largely assumes breaches come from the outside, from the “bad actors” that are external to the organization. What they fail to take into account is the risk of an insider breach. “Surely, MY people wouldn't do that!” they say. But of course, they would, and don't call me Shirley. The hard fact to face is that some of our employees also cause data breaches for malicious reasons. The most common nonaccidental Internal actor breach is Privilege abuse. This is just what it sounds like: employees abusing the access they have been given to do their jobs to steal data instead. They are significantly more likely to do this for their own financial gain (Figure 48). We know, it's a shocker.
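Privilege abuse, as described above, rides on access that was legitimately granted, so preventive controls rarely trip on it; a detective control that compares each user's daily record-access volume against that user's own history is one way to surface it. The following is an added example, not from the report: the access-log format (one "date,user,record_id" line per access), the thresholds and the user names are all constructed assumptions.

```python
"""Flag insider record-access spikes against each user's own baseline.

Added example, not part of the DBIR. The log format (one "date,user,record_id"
line per access), the user names and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

MIN_BASELINE_DAYS = 3   # assumed: judge a user only after this many normal days
SPIKE_FACTOR = 4.0      # assumed: a day at >= 4x the user's median is suspicious
MIN_RECORDS = 25        # assumed: ignore small absolute counts (noise)


def daily_distinct_records(lines):
    """Map each user to a date-ordered list of (date, distinct records touched)."""
    touched = defaultdict(set)                  # (user, date) -> {record_id, ...}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, record_id = (field.strip() for field in line.split(","))
        touched[(user, date)].add(record_id)
    per_user = defaultdict(list)
    for (user, date), ids in sorted(touched.items()):   # ISO dates sort correctly
        per_user[user].append((date, len(ids)))
    return per_user


def find_access_spikes(lines):
    """Return [(user, date, count, baseline)] for days far above the user's norm.

    The baseline is the median of that user's earlier, unflagged days, so a
    multi-day exfiltration does not quietly become the new normal.
    """
    spikes = []
    for user, days in daily_distinct_records(lines).items():
        normal_days = []
        for date, count in days:
            if len(normal_days) >= MIN_BASELINE_DAYS:
                baseline = median(normal_days)
                if count >= MIN_RECORDS and count >= SPIKE_FACTOR * baseline:
                    spikes.append((user, date, count, baseline))
                    continue                    # flagged day stays out of baseline
            normal_days.append(count)
    return spikes


def constructed_log():
    """Build a sample log: alice spikes on day 6, bob is busy but steady, carol is new."""
    lines = ["# date,user,record_id (constructed sample data)"]
    for day in range(1, 6):                     # alice: 6 records a day, days 1-5
        lines += [f"2023-03-0{day},alice,C{day * 100 + i}" for i in range(6)]
    lines += [f"2023-03-06,alice,C{900 + i}" for i in range(60)]   # day 6: 60
    for day in range(1, 7):                     # bob: 30 a day, every day
        lines += [f"2023-03-0{day},bob,C{day * 1000 + i}" for i in range(30)]
    lines += [f"2023-03-06,carol,C{7000 + i}" for i in range(40)]  # no history
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for user, date, count, baseline in find_access_spikes(SAMPLE_LOG):
        print(f"{user} touched {count} records on {date} (baseline {baseline})")
```

Only alice is flagged: bob's volume is high but constant, and carol has no history yet, which is exactly why a per-user baseline beats a single global threshold for this pattern.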
Figure 48. Internal actor motives in Privilege Misuse breaches (n=59)

We'll just help ourselves.

We've talked about your employees committing these acts, but our At-a-Glance table shows that we see other kinds of threat actors in this pattern. Interestingly, we see multiple threat actors (Internal, External, Partner, or some combination of these three) in 7% of the breaches. This is collusion: evidence of multiple kinds of Actors working together to bring about a data breach. Indeed, we have seen instances where organized fraud gangs have sent in people with the objective of being hired by businesses for the purpose of facilitating large-scale scams. We have seen this in multiple industries, and it has continued to plague organizations for years. These people can be difficult to spot; they may present and interview convincingly. This practice by financially motivated criminal groups makes it even more important to have your detective controls in place to catch the inappropriate access that these people are enabling. One of the difficulties in responding to an incident like this is that no company's onboarding process is perfect, and most onboarding involves getting the new hire added to various groups and systems that aren't always directly controlled by IT. Those investigations often reveal process-related weaknesses in the IT infrastructure.

We are increasingly seeing Privilege Misuse breaches paired with Fraudulent transactions, more so this year than in the past several, as shown in Figure 49. Fraudulent transactions are an Integrity violation that is frequently the end game of the BEC and is typically a money transfer to a threat actor-controlled bank account. However, since Internal actors already have access to the systems where bank accounts and routing information are stored in these cases, they're probably just making that banking update themselves. Seeing Internal actors increasingly just redirect funds is especially concerning, considering it may be someone in a position to siphon significant resources away from the organization.

Figure 49. Fraudulent transactions in Privilege Misuse breaches

4 Industries

Industries: Introduction

If you are a new reader, you may find this introduction of some use. If, on the other hand, you are a long-time reader, then just move along; this will all be familiar territory. The 2023 DBIR examined 16,312 incidents, of which 5,199 were confirmed data breaches. We take a look at both from the point of view of their respective industries in the upcoming sections. Attacks that consistently prey on one industry may not affect another industry at all. Attack surfaces, the interest of specific threat actors and the infrastructure a given industry relies upon all play a big role in how they experience security incidents. The types and quantity of data the industry handles, how people (customers, employees, etc.) interact with them, and a host of other factors too numerous to mention will also dictate the kinds of attacks each industry encounters. A large organization whose business model focuses entirely on mobile devices and the apps it includes will naturally have a different set of risks than a very, very small business with no internet presence but that uses a point-of-sale (PoS) vendor to manage their systems for them. The infrastructure, and conversely the attack surface, largely drives the risk. Therefore, we caution our readers not to make inferences about the security posture (or lack thereof) of a particular sector47 based on how many breaches or incidents an industry reports. These numbers are heavily influenced by several factors, including data breach reporting laws and partner visibility. Because of this, some of the industries have very low numbers, and as with any small sample, we must advise readers that our confidence in any statistics derived from a small number must also be less. If you are reading this only for a glimpse of your industry, our recommendation is to verify what the top patterns are on the summary table accompanying each industry and also spend some time with those pattern sections.

47 Legal made us say that; of course, you should totally ridicule your frenemies in other industries.

Table 2. Number of security incidents and breaches by victim industry and organization size

Industry (NAICS) | Incidents: Total | Small (1-1,000) | Large (1,000+) | Unknown | Breaches: Total | Small (1-1,000) | Large (1,000+) | Unknown
Total | 16,312 | 694 | 489 | 15,129 | 5,199 | 376 | 223 | 4,600
Accommodation (72) | 254 | 4 | 2 | 248 | 68 | 4 | 1 | 63
Administrative (56) | 38 | 8 | 14 | 16 | 32 | 8 | 11 | 13
Agriculture (11) | 66 | 1 | 5 | 60 | 33 | 0 | 3 | 30
Construction (23) | 87 | 7 | 1 | 79 | 66 | 4 | 1 | 61
Education (61) | 496 | 63 | 15 | 418 | 238 | 28 | 8 | 202
Entertainment (71) | 432 | 13 | 3 | 416 | 93 | 10 | 1 | 82
Finance (52) | 1,829 | 70 | 30 | 1,729 | 477 | 38 | 18 | 421
Healthcare (62) | 522 | 28 | 15 | 479 | 433 | 23 | 15 | 395
Information (51) | 2,105 | 45 | 110 | 1,950 | 380 | 23 | 19 | 338
Management (55) | 9 | 1 | 0 | 8 | 9 | 1 | 0 | 8
Manufacturing (31-33) | 1,814 | 37 | 24 | 1,753 | 259 | 18 | 15 | 226
Mining (21) | 25 | 2 | 0 | 23 | 13 | 2 | 0 | 11
Other Services (81) | 143 | 7 | 2 | 134 | 100 | 6 | 1 | 93
Professional (54) | 1,396 | 176 | 54 | 1,166 | 421 | 85 | 32 | 304
Public Administration (92) | 3,270 | 87 | 110 | 3,073 | 582 | 48 | 39 | 495
Real Estate (53) | 83 | 15 | 5 | 63 | 59 | 10 | 2 | 47
Retail (44-45) | 404 | 62 | 44 | 298 | 191 | 33 | 28 | 130
Transportation (48-49) | 349 | 13 | 25 | 311 | 106 | 8 | 13 | 85
Utilities (22) | 117 | 12 | 6 | 99 | 33 | 3 | 3 | 27
Wholesale Trade (42) | 96 | 42 | 22 | 32 | 53 | 23 | 11 | 19
Unknown | 2,777 | 1 | 2 | 2,774 | 1,553 | 1 | 2 | 1,550
Total | 16,312 | 694 | 489 | 15,129 | 5,199 | 376 | 223 | 4,600

Figure 50. Incidents by industry (panels: Pattern, Action, Asset)
Figure 51. Breaches by industry (panels: Pattern, Action, Asset)

Accommodation and Food Services
NAICS 72

Frequency: 254 incidents, 68 with confirmed data disclosure
Top patterns: System Intrusion, Basic Web Application Attacks and Social Engineering represent 90% of breaches
Threat actors: External (93%), Internal (9%), Multiple (1%) (breaches)
Actor motives: Financial (100%) (breaches)
Data compromised: Payment (41%), Credentials (38%), Personal (34%), Other (26%) (breaches)

What is the same? We are seeing the same three attack patterns hitting this sector as we did last year, but the order has changed. External actors continue to target this industry because of the lucrative data the members hold.

Summary: Payment card data continues to be the top target for Data types in this sector, unsurprisingly. The use of RAM scrapers continues to be a favorite tool of the Financially motivated attackers that regularly plague this sector.

I'll just scrape that off.

System Intrusion is the top pattern in this sector for the second year running. Included in this pattern, among other things, is a collection of various types of malware. Approximately one-third of cases involved the use of Ransomware, and much of the remainder consisted of RAM scrapers. In fact, RAM scrapers targeting the PoS is the favorite combo in this sector, which likely comes as no surprise to those trying to maintain their defenses. Payment card data was targeted 41% of the time, which is the same percentage we saw last year, but since Credentials and Personal data fell as a proportion of the whole, they have taken a back seat to credit cards. Along with the increased focus on the data type of Payment cards comes the motivation of Financial. Last year, we saw the Espionage motive in 9% of the breaches, but this year, it is all Financial all the time.48

48 Honestly, what isn't though?

Give a person a phish and you feed them for a day!

Social continues to have a considerable presence in this sector. While Phishing and Pretexting (the main difference between them is how hard the adversary must work to make it happen) are the main social engineering concerns in Accommodation, they are too close to call for the top spot. Most of these social attacks are coming in via email, so
319、make sure it is easy for your employees to report any questionable attempt quickly.There is nothing like having your employees be your first line of defensethey are certainly already on the front line of targets.2023 DBIR Industries54Frequency497 incidents,238 with confirmed data disclosureTop patte
320、rnsSystem Intrusion,Miscellaneous Errors and Social Engineering represent 76%of breachesThreat actorsExternal(72%),Internal(29%),Multiple(1%),Partner(1%)(breaches)Actor motivesFinancial(92%),Espionage(8%),Convenience(1%),Fun(1%)(breaches)Data compromisedPersonal(56%),Credentials(40%),Other(25%),Inte
321、rnal(20%)(breaches)What is the same?System Intrusion and Miscellaneous Errors are yet again two of the top three patterns for this industry.The ratio of External and Internal actors is nearly the same as last year.SummaryBasic Web Application Attacks dropped out of the top three to be replaced by So
322、cial Engineering.Ransomware continues to play a large role in breaches in this vertical.Educational ServicesWho saw that coming?In a move that shocked faculty,staff and students alike,last years much lauded salutatorian,Basic Web Application Attacks,has dropped out(of the top three patterns).Miscell
323、aneous Errors is still present(isnt it always?)and has increased slightly from last year.As you may have guessed,these errors are the usual suspects:Misdelivery,Publishing errors and Misconfiguration.Social Engineering clawed its way to the number three position,increasing from 14%last year to 21%in
324、 2023(Figure 52).This rise is primarily represented by Phishing attacks,which showed up in 18%of breaches,and Pretexting scenarios(4%).NAICS 61Hacking was present in 40%of breaches,with the Use of stolen credentials appearing in 31%of them.Not to be outdone,Malware also showed up in 40%of breaches,w
325、ith Ransomware present in 30%of those breaches.Lets review that finding for the exam:Ransomware was responsible for almost one-third of all breaches in the Educational Services vertical.In spite of this impressive showing from both Hacking and Malware,the System Intrusion pattern,while maintaining i
326、ts number one spot,decreased slightly from last year.Figure 52.Patterns in Education breaches2023 DBIR Industries55Frequency1,832 incidents,480 with confirmed data disclosureTop patternsBasic Web Application Attacks,Miscellaneous Errors and System Intrusion represent 77%of breachesThreat actorsExter
327、nal(66%),Internal(34%),Multiple(1%)(breaches)Actor motivesFinancial(97%),Espionage(3%),Convenience(1%),Ideology(1%)(breaches)Data compromisedPersonal(74%),Credentials(38%),Other(30%),Bank(21%)(breaches)What is the same?The top three patterns remain the same,but their order of ascendancy has rearrang
328、ed.Personal data,very useful for fraud,continues to be the most desired data type stolen.SummaryWith Basic Web Application Attacks as the top pattern,we know that the adversaries are successfully gaining access without too much effort.This,combined with the Misdelivery error,indicates there is room
329、for good controls to cover a decent percentage of attacks in this sector.These attacks are so basic.“We were compromised by a highly sophisticated cyberattack.”So reads a large percentage of data breach notification letters.But really,just how sophisticated is a brute-forced password?Or better still
330、,credential stuffing where you dont even have to guess the passwordyouve acquired it from another breach!The Basic Web Application Attacks pattern is the most prevalent in this sector,which means those not-so-complex attacks are succeeding splendidly for the adversaries.Why put forth a great deal of
331、 effort when just a little will do?Waitdid I give you that?Another prominent attack involves Internal actors making mistakes.Misdeliverywhere protected data is sent to the wrong recipientis the most common.Sometimes it is a matter of paper documents going to the wrong people,and other times it is ju
332、st the electronic version that goes astray.Either way,extra care needs to be given to catching these kinds of Errors before they cause a data breach.Financial and InsuranceNAICS 52Make them work for it.Rounding out the top three is the pattern that requires adversaries to actually put forth a bit of
333、 effort,System Intrusion.While it dropped from 27%to 14%this year(allowing Miscellaneous Errors to dominate),it remains a serious issue.This illustrates that at least some of the time,adversaries had to trot out their more sophisticated techniques in order to get the job done.Interestingly,Ransomware is decreasing as a favorite tactic in this pattern for this sector.We discuss it more in depth in