Security bugs are having a cybercrime moment: For 2023, 14% of all data breaches started with the exploitation of a vulnerability, which is up a jaw-dropping 180%, almost triple the exploit rate of the previous year.
Let’s put this in context, though. The MOVEit software breach, which wreaked supply chain havoc on companies across every sector, accounted for a large chunk of the increase in using exploits as an initial access method, and likely drove overall breach volumes up as well.
That’s according to Verizon Business’ 2024 Data Breach Investigations Report (DBIR), which analyzed a record 30,458 security incidents, out of which 10,626 were confirmed breaches — as a stat in itself, that’s more than double the numbers from a year ago.
Organizations Still Lack Security Maturity
The DBIR, released today, detailed just how far patching can go in heading off a data breach. It also noted that a full 68% of the breaches Verizon Business identified involved human error — either someone clicked on a phishing email, fell for an elaborate social-engineering gambit, was convinced by a deepfake, or had misconfigured security controls, among other snafus. That’s about the same percentage as last year, indicating that practitioners are not having much success when it comes to patching the human vulnerability.
In all, a picture in this year’s DBIR emerges of an organizational norm where gaps in basic security defenses — including the low-hanging fruit of timely patching and effective user awareness training — continue to plague security teams, despite the rising stakes for CISOs and others that come with “experiencing a cyber incident.”
“It can be a bit overwhelming for CISOs, particularly in environments where the security maturity of the organization is not as high as they would like,” Suzanne Widup, distinguished engineer in threat intelligence at Verizon Business, tells Dark Reading. “But seeing organizations (large and small) still falling down in some of the basics is disheartening.”
She adds, “Sometimes it takes the stakes being raised to get the attention of the appropriate people to effect change, sadly. What began with the data breach reporting laws has moved into serious consequences to company officers being codified into laws and regulations. But the bottom line is most organizations are not in business to worry about security. It has been an add-on after the fact for so long.”
Other trends in the DBIR underscore the fact that teams need to address their cyber risk as a priority, and soon: A full 15% of breaches in the past year came from the supply chain, including issues with data custodians, vulnerabilities in third-party code, malicious packages in software repositories, and so on. That is an eye-watering 68% increase from 12 months previous, indicating that adversaries have cottoned on to the fact that this is a tough area for security teams to get their arms around.
MOVEit Moves the Cybercrime Needle
Using the MOVEit bug was like shooting proverbial fish in a barrel — the world suddenly became a target-rich environment in the middle of last year for the Cl0p extortion gang and those cybercriminals that followed in its footsteps.
MOVEit Transfer is a managed file transfer app from Progress Software that organizations use to exchange sensitive data and large files both internally and externally. Progress claims thousands of customers for MOVEit, including major brands such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.
Cl0p reportedly spent two years developing the MOVEit file transfer zero-day exploit, first discovered and disclosed on May 31, 2023, by researchers after months of surreptitious attacks. Within a week of its public debut, CVE-2023-34362 was under mass exploitation by an array of threat actors; within a month, it had been used to breach at least 160 confirmed victims, including whales like Avast parent company Gen Digital, British Airways, Siemens, and UCLA. By the end of September 2023, it was linked to breaches at 900 different universities.
This MOVEit bonanza, which accounted for 8% of the breaches in Verizon Business’ data set, had a ripple effect on several metrics in the DBIR, including a finding that 32% of all breaches involved some type of extortion technique (the MOVEit attacks involved stealing information and holding it for ransom) and the bump in supply chain breaches. And the DBIR found that the spike in the use of exploits for initial access was driven primarily by the increasing frequency of zero-day vulnerability exploitation by ransomware actors — a category that fits MOVEit to a T.
It should be noted, however, that zero-day use was up even outside of MOVEit: “The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, senior director of cybersecurity consulting at Verizon Business, in a media statement.
And finally, 32% of breaches had an extortion or ransom element, with an average loss of $46,000 per company per incident.
Challenges in Large-Scale Vulnerability Management
Dovetailing with the increase in the use of bugs for initial access, Verizon Business also found that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Cybercriminals are a bit more johnny-on-the-spot: The median time for mass exploitation of a CISA KEV vulnerability to develop on the Internet is just five days.
This “n-day” gap is one that threat actors have looked to exploit for years. But given the increasingly broad resources available to track and prioritize vulnerability patches, and the high stakes that now come with suffering a data breach (i.e., new mandatory SEC disclosure rules and personal liability for the CISO), it’s clear that security teams need to make a coherent effort to move the needle on this risk.
“Time to patch the critical vulnerabilities getting faster would be welcome news,” says Widup. “Having a background as a system admin, though, I do understand the necessities of testing the patches on complex environments to make sure you don’t break production systems and cripple the organization. But at least working on that metric would be a good place to start.”
One potential answer to getting off the patch-management hamster wheel is gaining more visibility into the attack surface, she advises.
“It’s a bit like the tree falling in the forest — these software vulnerabilities exist whether or not someone finds them, and if we have more people looking for them by whatever means or motives, then we see them exploited (maliciously) or submitted to bug bounty programs (as a security researcher), which just means they are coming to light then,” she explains. “The real action item for security teams is to do vulnerability scanning of the software that is deployed in their environments to see if they can find and report problems before they are found by someone with malicious intentions.”
She also notes that considering vulnerability rates when bringing new platforms into the environment can help close the n-day gap simply by restricting the attack surface. “[This means] having security standards as part of the software vendor selection process, to make sure that the vendor is cognizant of the risks to their own organization and that of their customers. It may be that the best choice of a software vendor from a risk perspective is the one that follows the [tenets] of Secure by Design.”
The overall lack of timely patching has had a surprise halo effect, according to the report: Despite the hype around AI risks, Verizon Business found little evidence that AI-enabled cybercrime was about to deliver organizations a data-breach Waterloo.
“While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” said Novak.
Humans Still the Weakest Cyber Link
The DBIR found one trend that saw almost no change, ready for filing under “no surprise there”: Most breaches (68%) involve a “non-malicious human element” who falls for phishing, misconfigures something, or otherwise makes a mistake. In other words, it’s us. The problem is us.
And we fail fast, too. It takes less than 60 seconds for a mark to fall to a phishing routine, according to Verizon Business’ phishing test results. The median time to click on a malicious link after an email is opened is 21 seconds, and then only another 28 seconds before the victim is obliviously entering their data into an attacker-controlled form.
Falling for social-engineering attacks in general is costly, too: The analysis found that the median loss in the past two years for business email compromise (BEC) scams is $50,000.
There was one slight glimmer of hope in the data-crunching: One-fifth (20%) of users identified and reported phishing in simulation engagements, and 11% of users who clicked on a decoy email went on to report it.
“So we did see some improvement in people not falling for the phish in simulations, and then those who have fallen for it, at least realizing it fairly quickly and reporting it,” Widup explains. “It is vital to make sure that people can easily and quickly report when they have made a mistake, and not to discourage them with punishments. It is also important to have multiple layers of controls in place so that if someone does fall for a social attack, it doesn’t necessarily mean a breach.”
Supply Chain Threats Accelerate to Warp Speed
For the first time, Verizon is specifically breaking out supply-chain breaches as its own metric, which, as previously mentioned, are up significantly in volume in the last year.
“The threat actors are definitely turning towards compromising the larger third-party software companies, and it makes a lot of sense from their perspective if you think about it,” says Widup. “They can compromise one vendor, and gain access to a large number of downstream victims in the form of their customer base. If they use the same kind of processes that push code updates, like we saw with SolarWinds, they have the opportunity to push malware to those systems without having to do the work of going into each of their environments. It’s definitely more bang for their buck in terms of resources and effort expended. Then they can decide which of these newly compromised systems they want to leverage for further attacks.”
The DBIR defines these as breaches that occur through a third-party “custodian,” such as a managed service provider (common in the MOVEit cases); entry via a business partner (e.g., the HVAC incident that led to the 2013 Target breach); physical breaches in a partner company facility or even partner vehicles used to gain entry to a target; SolarWinds and 3CX-style breaches where software development processes and updates were hijacked; and vulnerabilities in open source or third-party software.
“This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other,” according to the report’s authors. “Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up.”
They added, “We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners.”
Time to Shore Up the Security Basics
For companies looking to take the DBIR findings to heart and take action, the report includes CIS Critical Security Controls for consideration in the sections where they apply.
“If they haven’t already, I would recommend taking a look at them and all of the CIS Critical Security Controls as well, since their recommendations are tailored to the security maturity level of the organization,” advises Widup. “It’s a very helpful place to go for developing a security strategy, and we’d love to see more organizations adopting this or some other formal security methodology towards making their environments more secure. We break our metrics down into organizational size, industry, and regions to help our readers determine which threats they are most likely to face, and to point them in a direction where they can get some help with deciding how to increase their ability to defend against those threats.”
The DBIR’s focus on real-world metrics will hopefully be a tool for security teams to use to bring the stakes into focus for business owners and the board, she adds.
“People use the DBIR metrics to bring the threat from the theoretical ‘this bad thing might happen to us’ into the reality of ‘this is already happening to other organizations of a similar size and in the same industry, and we need to address it now,’” she explains. “Breaches are not going away anytime soon, and any organization that thinks they are flying under the radar is in for a rude awakening. It is not a matter of if. It is a matter of when.”