“Shocking” Discovery in Verizon Data Breach Report: Hackers Gonna Hack!

“Financial motives still drive the vast majority of breaches, showing growth in relation to last year with a whopping 94.6% representation in breaches.” “What is most interesting, however, is realizing that the internal variety of End-user shows up more often than the external variety State-sponsored attackers… which suggests where we should be paying more attention on our day-to-day security management” (p13).

To recap, breaches are overwhelmingly financially motivated and internal employees are now a more common threat actor than nation states. Having a disgruntled employee has always been a threat actor to consider. With all these layoffs, however, we most certainly have a lot more to contend with. The reality is sometimes simple and unpleasant – bills need to be paid, and without an income, some people will choose a retaliatory and malicious path to survive.

If your organization is actively going through a round of layoffs, I would strongly advise you to increase your security budget… like now.

As we continue through the report, we see that the most frequently observed asset in data breaches is the Server (p17). Digging a little bit deeper, the report goes on to highlight that “Web Applications”, a moniker seemingly used to encapsulate every network facing piece of software these days, is the top asset variety in breaches (p18). This is further substantiated by the fact that web applications are considered an attack vector in over 90% of all breaches where virtual currency is involved (p20).

Simply put: threat actors are financially motivated to attack your applications, and so they do.

Look, I recognize I’m probably not turning on a light bulb in your head that wasn’t already on in the first place. Logically, this line of thinking makes sense. We just now have some hot-off-the-press data to back it up. This is why we have “Product Security” teams – groups of people responsible for guiding the organization in its ability to design, implement, and release more secure products. With the complexity of today’s applications, the discipline of Product Security often encompasses some or all of application security, cloud security, platform security, operational security, supply chain security, and so forth; certainly not a job for the faint of heart!

Investment in and operationalization of various security tools, including SCA, SAST, DAST, IAST, RASP, etc. naturally accompany the responsibilities of such a discipline. Perhaps a natural result of an increasingly complex development ecosystem, Product Security teams suffer from operational inefficiencies such as tool sprawl and the various silos between security and the various engineering teams. Ultimately this leads to a massive data problem where Product Security is managing a backlog of thousands if not millions of vulnerabilities without an ability to answer a simple “why should we fix this critical instead of that critical?” question let alone drive meaningful and measurable improvements. This is why I believe an Application Security Posture Management (ASPM) is so important. Without it, you’re limited to the highly biased perspective of a single tool (and possibly a single vendor), causing you to miss out on the big picture. As an industry, we need to move towards pulling all of this seemingly disparate information together so we can understand that big picture and reduce, if not eliminate, today’s decisions about risk based solely on gut-instinct or whoever is the loudest person in the room.

Ok, enough preaching – let’s see how we can put these concepts into practice using the Verizon 2023 Data Breach Investigations Report. Here are 3 key action items I hope every Product Security team executes as a result of key insights gleaned from the report:

• Identify Assets with Financial Ties. I’m not necessarily talking about an asset that generates money for the company, although this is commonly the case. Rather, I’m referring to any asset constituting some part of an application that handles financial information. This could be processing payment, transferring funds, handling documentation and data pertaining to financial transactions, virtual currencies to include those found in video games, etc. The Verizon report tells us that these assets are of high target to hackers and often fall victim to breach. Once identified, tag these assets accordingly in your ASPM so that later you can reference them explicitly when writing security policies.
• Enumerate Identity Management Vulnerabilities. The Verizon report lists “Use of stolen credentials”, “Exploitation of Vulnerabilities” and “Brute Force” as the top 3 varieties of attack against applications that resulted in a breach. Issues pertaining to Credential Stuffing, Password Cracking/Guessing/Spraying, Application and Session Access Tokens, etc. are some classes of corresponding attacks called out by the Verizon report directly (p35). The data tells us that if these assets are going to be exploited, there is a high probability it will be the result of such an attack. Getting all your vulnerabilities into a single ASPM platform will allow such enumeration to go by fast…like, really fast!
• Re-prioritize Backlog Accordingly. Armed with this additional information, do you still believe your vulnerability backlog is prioritized accordingly? Or does this additional context, there’s that word again, require you to restructure your overall remediation gameplan? Having a data driven Product Security program such as this will not only increase your confidence in the actions you take, but also enable you to better defend those actions when needed. Having an ASPM that enables you to slice and dice your vulnerability backlog and generate reports that can be easily understood by Executives will most definitely accelerate your initiatives.

It’s always fun to review these sorts of annual reports. The data and observations you can find within are absolutely invaluable and often can be used to help you as a practitioner more effectively communicate with your teammates. A special “THANK YOU!” goes out to the Verizon DBIR Team. Putting together this report takes a lot of work, and we’re all incredibly grateful you chose to do so!

If you’re interested in learning more about how we are helping leading organizations with ASPM, I’d love to chat with you: https://tromzo.com/meet-eric-sheridan