Look no further than Verizon's Data Breach Investigations Report for data about the operational side of security — especially incidents and breaches. Now in its 15th (!!!) year, the report is one of the deepest and most comprehensive sources of information about the threats we face as an industry.
The report is awesome, full stop. Everyone working in and around cybersecurity should read it. That said, it's necessarily long and dense on information — anything less would omit important details and nuances.
At this point, it's safe to say the Lindy effect has set in for the Verizon DBIR report. It's incredible that a data set and methodology have continued for so long and grown so much in relevance. The report is just now hitting its stride and only keeps getting better.
The opportunity to summarize and interpret the report has created a whole cottage industry of derivative commentary and analysis. This metaphor from Digital Shadows CISO Rick Holland on the ShadowTalk Threat Intelligence Podcast explains it well:
It's like a Marvel movie or a Star Wars movie. It's very re-watchable because you'll pick up different things every time you read through it.
In my view, more discussion is better. There are so many ways to think about and remix the data. Multiple InfoSec professionals looking at the same base dataset, deriving their own meaning, and adding their own perspectives is a powerful phenomenon that's somewhat unique to the Verizon DBIR report.
I've been looking forward to taking my own shot at analyzing and interpreting the data. The release of the 2022 report was the perfect time. I'd love to do it every year.
This time, I'm staying closely aligned to the Results and Analysis section of the report. My hope is for this analysis to make it easier to do a side-by-side read of the actual report with some pointed commentary about the impact on business and strategy.
We're going to jump straight into the core of the report. The Results and Analysis section is an extensive, wide-ranging tour de force of the Verizon DBIR dataset. The 15th edition of the DBIR report includes analysis of 914,547 incidents, 234,638 breaches, and 8.9 terabytes of cybersecurity data...wow!
Wrangling and making sense of this much data is, unsurprisingly, quite hard. To help create order from the chaos, the Verizon DBIR team aligns this section of the report closely with the VERIS framework's incident description model, also called the A4 threat model. Spending a bit of time understanding the basics of VERIS is a worthwhile prerequisite. Basic fluency with the terms makes a big difference.
The four components of the VERIS model are: Actors, Actions, Assets, and Attributes. The DBIR report also includes a bonus Timeline component. We'll go through all five components individually. Each has its own insights and nuances that are worth spending time on.
There's a lot going on in this report with both data and interpretation — so, buckle up. It's time to go deep on one of the most iconic reports in the industry.
The actors section looks at who causes breaches and incidents. Contrary to what we're often told, most breaches result from external parties — not insiders or business partners. Straight from the report:
Our findings indicate that data compromises are considerably more likely to result from external attacks than from any other source. Nearly three out of four cases yielded evidence pointing outside the victim organization.
Despite all the chatter and hyperbole about insider threats, the report shows a clear trend about external threats. The authors' blunt description is the perfect summary:
Most data thieves are professional criminals deliberately trying to steal information they can turn into cash.
Yes, there are other people and motivations that lead to breaches. Those are the exception, not the rule. The results aren't even close:
The Verizon DBIR report findings directly contradict data from other vendor-produced reports about the percentage of breaches attributable to insiders. It's very confusing, and the confusion makes it difficult to know where to allocate resources to defend your company.
Look at incentives when you're deciding which report to trust. The DBIR data comes from dozens of different sources. It's not perfect, but there is no larger or more diversified set of cybersecurity incident data in the world.
Further complicating the situation, Verizon's DBIR data has an interesting plot twist. Even though most breaches are caused by external parties, the relative impact of insider breaches is much greater — over ten times greater, to be (somewhat) precise:
Partner breaches involve a much higher number of compromised records than external breaches, too. Even though external breaches happen at a higher frequency, internal and partner breaches have a much greater impact when they occur.
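To make the VERIS A4 structure and the frequency-versus-impact twist concrete, here is an added Python example (my own illustration, not code from Verizon or the VERIS project). Each event is recorded with the four A4 components, then the same data set is summarized two ways: the share of events per actor type (the "three out of four are external" style figure) and the median number of compromised records per actor type (the "insiders happen less often but hurt more" figure). The twelve events, their labels, and their record counts are constructed for the example and are not DBIR figures.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Incident:
    """One security event recorded with the four VERIS A4 components.

    The labels are VERIS-style values; 'breach' and 'records' stand in for
    the impact data the DBIR reports (confirmed disclosure, records lost).
    """
    actor: str        # external, internal, or partner
    action: str       # hacking, malware, social, misuse, error, ...
    asset: str        # server, user device, person, ...
    attribute: str    # confidentiality, integrity, availability
    motive: str       # financial, espionage, ideology, grudge, ...
    breach: bool      # True when data was confirmed disclosed
    records: int = 0  # compromised records (0 for non-breach incidents)


# Constructed sample data set: twelve made-up events, not DBIR figures.
SAMPLE = [
    Incident("external", "hacking", "server", "confidentiality", "financial", True, 1000),
    Incident("external", "hacking", "server", "confidentiality", "financial", True, 2500),
    Incident("external", "malware", "server", "confidentiality", "financial", True, 700),
    Incident("external", "social", "person", "confidentiality", "financial", True, 400),
    Incident("external", "hacking", "server", "availability", "financial", False),   # DoS
    Incident("external", "hacking", "server", "availability", "ideology", False),    # DoS
    Incident("external", "malware", "user device", "integrity", "financial", True, 1500),
    Incident("external", "hacking", "server", "confidentiality", "espionage", True, 300),
    Incident("internal", "misuse", "server", "confidentiality", "financial", True, 60000),
    Incident("internal", "error", "server", "confidentiality", "none", True, 25000),
    Incident("internal", "misuse", "user device", "confidentiality", "grudge", True, 15000),
    Incident("partner", "hacking", "server", "confidentiality", "financial", True, 120000),
]


def breakdown(incidents, component):
    """Share of events by one A4 component, e.g. breakdown(SAMPLE, "actor").

    Returns a dict of label -> fraction, rounded to two decimals, ordered
    from most to least common.
    """
    counts = Counter(getattr(i, component) for i in incidents)
    total = sum(counts.values())
    return {label: round(n / total, 2) for label, n in counts.most_common()}


def breaches_only(incidents):
    """Filter incidents down to confirmed breaches (the DBIR's narrower set)."""
    return [i for i in incidents if i.breach]


def median_records_by_actor(incidents):
    """Median compromised records per actor type, over breaches only.

    This is the 'impact' view: a rarer actor type can still dominate
    records lost, which frequency counts alone hide.
    """
    groups = defaultdict(list)
    for i in breaches_only(incidents):
        groups[i.actor].append(i.records)
    return {actor: median(recs) for actor, recs in groups.items()}


if __name__ == "__main__":
    print("actor share, all incidents:", breakdown(SAMPLE, "actor"))
    print("actor share, breaches only:", breakdown(breaches_only(SAMPLE), "actor"))
    print("action share, all incidents:", breakdown(SAMPLE, "action"))
    print("median records per breach, by actor:", median_records_by_actor(SAMPLE))
```

On the constructed data, external actors account for two thirds of events but the smallest median loss per breach, while the single partner breach dwarfs everything else; that is exactly why the report pairs frequency charts with impact charts, and why a defender should read both before deciding where controls go.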
Motives are also interesting to look at. This conclusion is far more clear — threat actors are motivated by financial gains:
Hacktivism does happen, particularly in larger organizations. However, the overwhelming motive is money. This conclusion isn't surprising — it just puts data behind something most of us intuitively know.
The tricky part is that attackers aren't always after money directly. Bank accounts and credit cards are always an attractive target because they are directly related to money. However, it's often easier to exploit other types of assets and turn them into money. For example, customer data can be sold, or data can be ransomed. The motive is still money, but threat actors are devious about how they get it.
Unfortunately, there's no way to put a nice, tidy bow on threat actors. The conclusion we should make is that external, internal, and partner threat actors all matter, and they're probably after money. The best we can do is to implement controls around all three types of threat actors with a slant towards the company's financial resources.
The Verizon DBIR report's classification of actions is interesting because it gives structure to the methods used to carry out attacks. This is both incredibly hard to do and incredibly valuable when finished.
It's a lot easier to classify actors because they're people: insiders, partners, and outsiders — done. Classifying the myriad ways attackers cause incidents and breaches is a lot more nebulous.
The data in this year's report reinforced some consistent, long-running themes. Attackers compromising and gaining control of remote access has been a central theme for years. The recent, exponential increase in remote work has just created new opportunities for attackers in an area we already knew was a problem.
This theme lends credibility to recent attention and financing activity in remote access and secure networking. A few recent examples:
Teleport raised a $110 million Series C at a $1.1 billion post-money valuation in May.
BastionZero was named the runner-up for the RSAC Innovation Sandbox Contest in April.
Firezone and Netmaker were unveiled as members of Y Combinator's Winter 2022 class at Demo Day in March.
Denial of Service (DoS) and credential stuffing attacks against web applications are also repeat offenders. The data makes an important distinction clear: DoS attacks cause a lot of incidents (46% of the total), but not a lot of breaches. In other words, they're an annoyance that impacts operations and availability more than security.
The theme for breaches is both commonality and diversity. The report states that "73% of breach varieties are found in the top 10 varieties" — a lot of commonality considering how many ways a breach can happen. However, the report's "Other" category is a kitchen sink of causes that accounts for ~30% of breaches. That's a lot of diversity bundled together, and it shows how murky the picture still is.
Use of stolen credentials (e.g. attackers stealing legitimate username and password combinations to log in directly) is a common attack and the leading cause of breaches. It's closely paired with credential stuffing, which is the automated, high-volume replay of stolen username and password pairs against login forms to find accounts where they still work. We've known about this problem for a long time.
Recent developments around passwordless authentication (WebAuthn and Passkeys, specifically) give us a glimmer of hope about a real solution. There's a lot of chatter and nuance about passwordless that creates confusion about its viability as a solution, but let's ignore the drama for a second.
The strategic takeaway is this: attackers using stolen credentials to gain access is much, much less likely to happen with WebAuthn (Passkeys). Increasing adoption of WebAuthn by consumers and businesses makes a direct impact on reducing the frequency of this type of attack. As an industry, we need to lean into passwordless and make it happen.
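Until passkeys are everywhere, the practical defender's question is how to spot credential stuffing in authentication logs. The following Python example is added here as an illustration and is not from the report: it parses a hypothetical login-log format (one line per attempt, with ip, user and result fields, assumed for this example) and flags a source IP when, inside a sliding time window, it tries many distinct accounts with a low success rate. That pattern is what distinguishes stuffing (many accounts, one or two attempts each) from single-account password guessing and from a busy office NAT where many users log in successfully. The log lines use RFC 5737 documentation addresses and invented usernames and are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example: one line per login attempt.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.7 sprays eight accounts in under two minutes
# (one stolen pair still works), 198.51.100.20 is a shared office egress where
# six people log in normally, and 192.0.2.9 guesses one account repeatedly.
SAMPLE_LOG = """\
2022-06-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2022-06-01T10:00:15 ip=203.0.113.7 user=bob result=fail
2022-06-01T10:00:30 ip=203.0.113.7 user=carol result=fail
2022-06-01T10:00:45 ip=203.0.113.7 user=dan result=ok
2022-06-01T10:01:00 ip=203.0.113.7 user=erin result=fail
2022-06-01T10:01:15 ip=203.0.113.7 user=frank result=fail
2022-06-01T10:01:30 ip=203.0.113.7 user=grace result=fail
2022-06-01T10:01:45 ip=203.0.113.7 user=hank result=fail
2022-06-01T10:00:00 ip=198.51.100.20 user=ivy result=ok
2022-06-01T10:01:00 ip=198.51.100.20 user=jack result=ok
2022-06-01T10:02:00 ip=198.51.100.20 user=kim result=ok
2022-06-01T10:03:00 ip=198.51.100.20 user=liam result=ok
2022-06-01T10:04:00 ip=198.51.100.20 user=mia result=ok
2022-06-01T10:05:00 ip=198.51.100.20 user=noah result=ok
2022-06-01T10:00:00 ip=192.0.2.9 user=admin result=fail
2022-06-01T10:00:10 ip=192.0.2.9 user=admin result=fail
2022-06-01T10:00:20 ip=192.0.2.9 user=admin result=fail
2022-06-01T10:00:30 ip=192.0.2.9 user=admin result=fail
2022-06-01T10:00:40 ip=192.0.2.9 user=admin result=fail
2022-06-01T10:00:50 ip=192.0.2.9 user=admin result=fail
"""


def parse_log(text):
    """Turn log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.2):
    """Flag source IPs showing a credential-stuffing pattern.

    For each IP, slide a time window over its attempts (sorted by time) and
    flag it when the window holds at least `min_users` distinct accounts and
    the success rate is at or below `max_success_rate`. Returns a dict of
    ip -> stats for the last window that matched.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(attempts)):
            # Drop events from the front until the window fits.
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(e["result"] == "ok" for e in span)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": successes,
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

Only 203.0.113.7 is flagged: the office NAT has many distinct users but a 100% success rate, and the single-account guesser never reaches the distinct-user threshold. The successful login for `dan` inside the flagged window is the one to act on (force a credential reset and review the session), which is the same account a WebAuthn credential would have protected, since a phished or leaked password is useless without the user's authenticator.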
The overall story for actions is persistence. We know what causes most incidents and breaches. Creating and implementing solutions to reduce or eliminate them is a much longer road. There are viable solutions out there, and we'll get to them with consistent effort and patience.
Data about which assets are being attacked is useful because it helps security practitioners know what to defend. (Note: It's also useful for investors because it's an indicator about which companies are solving the most important security problems.) The report describes assets like this:
Assets are the THING that the Action happens to. So, this is where you find WHAT was hacked via an exploit, WHO was socially engineered by an attacker or WHAT was lost or stolen.
The data is explicitly clear: bad actors attack servers more than anything else. A lot more — like, 80% of the time:
The frequency and volume of attacks on servers will be surprising to some, especially given the emphasis of public markets on endpoint security companies. With the shift to cloud computing, "servers" can roughly be translated to "cloud workloads" — and that has important strategic implications.
Endpoint security is important, but this data could be interpreted as overwhelming evidence in support of emerging Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) companies. When discussing CrowdStrike last year, I said this about emerging CSPM and CWP companies:
Endpoint computing isn't going away any time soon. However, the number of assets to protect is growing more quickly in the cloud. Well-funded cloud startups like Wiz and Orca Security are rapidly gaining traction and building great products. The competition in this part of the cybersecurity ecosystem is intense.
As this DBIR data shows, protecting servers and cloud workloads is critical for both organizations and companies in the endpoint security market.
The report's data about asset varieties is also insightful. In a preview of the Incident Classification Patterns we'll be discussing later, web application and mail servers get attacked a lot. Desktop and laptop endpoints do too, but not nearly at the same frequency as servers:
The big takeaway from the Verizon DBIR report about assets is that Internet-facing servers get attacked far more than anything else. Longer term, this gets even more complicated as more server workloads move to cloud providers. Based on the data, investments should be focused on protecting servers no matter where they live.
In the Verizon DBIR report, attributes are used to describe the type of data that is compromised in breaches. Here's the data from the report, which includes figures from both 2008 and a trend from 2017-2021:
A notable part about the trend of attributes is the decline in payment card data over time. It's still high, but a ~60% decline in a decade (including a ~10% decline in the past two years) is a meaningful change.
Why did this decline happen? Based on the data, I think it's fair to say PCI DSS has worked. The standard isn't perfect, but it's hard to argue with data like this. Companies had to make significant financial investments over this period to be compliant (especially Level 1 merchants), but the results are paying off.
Ironically, we can't seem to do the same for people. Digital identities, inclusive of both personal data and authentication credentials, are neck-and-neck for the most frequently compromised data variety. Both lead other varieties by a wide margin.
I'm curious to see if privacy regulations make an impact on breaches of personal data over time. Privacy regulations are on a much earlier timeline than payment card standards. PCI DSS version 1.0 is eighteen years old now. Privacy regulations like GDPR have only been enforceable since 2018. What will this chart look like in 10-15 years?
The actionable trend from the attributes section of the Verizon DBIR report is to focus on protecting personal data and credentials. Protecting personal data likely overlaps with existing privacy projects organizations have been working on. Protecting credentials is hard, but it's on the verge of becoming easier with recent convergence around passkeys. There's a lot to look forward to in this area of the report over time.
Finally, the Verizon DBIR report includes a small section about breach timelines. Here's the core chart:
The cruel irony about the report's timeline data is that it looks good for bad reasons. Companies find out about breaches because attackers disclose the breach first:
The top Discovery Method for breaches (more than 50%) is now “Actor Disclosure” (normally either on the asset in the form of a ransomware note or on a criminal forum to sell the data or announce the breach). Neither of which is desirable.
That's one way to shorten the discovery timeline... but clearly not what we want to happen. Unfortunately, what we want doesn't matter.
The strategic impact of this data is that companies need to be prepared for unexpected public disclosure of breaches. The odds of this happening are basically 50/50. This means "soft" exercises like incident response tabletops, public relations communications, and more matter.
Another insightful observation is the number of steps threat actors take to breach a company. Most breaches are accomplished in five or fewer steps:
The report's recommendation is to prioritize lengthening the attack path, which is good advice. Reframing this conclusion slightly (in my own words): most threat actors go after low-hanging fruit, so to speak. If an attack is going to take more than five steps, it's probably not worth the effort. They'll give up unless the incentives for proceeding make it worthwhile to continue.
Finally, this section of the report goes into the overall value chain for breaches. This is one of the newer parts of the report — the data has only been collected for two years. It's also one of the most interesting parts. It feels like this section will be much larger in the future and could even be a report on its own.
Why is the entire value chain for breaches important? Because breaches aren't isolated incidents — they take preparation to execute, and they feed off each other:
...an attacker ecosystem exists both before and after the breach, and it plays into and feeds off of the incident.
It often seems that breaches beget more breaches, creating a Circle of Breach so to speak.
I also liked this analogy from the report about how to think about breaches:
The takeaway is not to think of breaches only in terms of starting or ending. Instead, think of them like you might think of a sports team: they are either on the field or preparing to be.
People focus a lot of their attention on breaches themselves. It's totally reasonable — breaches are often major events that grab news headlines and create ripple effects throughout the industry. If we take a step back, though, the bigger picture is just as important. We need to look at the end-to-end value chain if we're going to make a meaningful reduction in breaches and cybercrime.
Understanding the cybercriminal ecosystem is one of the first steps. An adjacent (but relevant) project is the World Economic Forum's Cybercrime ATLAS research. The objective is to understand and map the ecosystem to help direct actions and resources. If you want to take a deeper dive, the project was discussed in detail by a panel at RSA Conference 2022 (paywalled, replay available for attendees and digital passes).
The value chain data in the Verizon DBIR report is incredibly useful, especially with a relatively short history compared to other data points in the report. Continued collection and analysis of data over time, combined with macro-level ecosystem research like the Cybercrime ATLAS project, is an exciting development to watch.
Long-Term Trends and Conclusions
If you look at the Verizon DBIR report year after year, it's clear that many trends and observations from the report repeat themselves. The authors fully embrace this and use it to provide excellent commentary and look backs at previous reports.
The recurring themes are:
Data compromises result from external attacks.
The primary motive behind cybercrime is financial gain.
Most breaches are caused by stolen credentials, ransomware, and phishing.
Servers are attacked far more than any other asset.
Credentials and personal data are the most frequently targeted data types.
On one hand, it's troubling that the same themes keep coming up. A pessimist would say that we just can't seem to fix problems we've known about for years. There's some truth to that point of view, but I see it differently.
Cybersecurity is a classic definition of a wicked problem. It has no solution because it's so complex and intertwined. Framed that way, it's encouraging that trends about our problems have remained relatively stable for years.
Securing our organizations and ourselves is a difficult enough problem already. Knowing what our challenges are and how to face them should give us some solace, even if they're impossible to fully solve.
The heroic effort by the Verizon DBIR team to quantify and explain our problems in a manageable, actionable way is one of the most valuable and impactful contributions in the history of our industry. I'm excited to cover the 2023 report in even more depth next year.
Thank you to the DBIR Team: Gabriel Bassett, C. David Hylender, Philippe Langlois, Alex Pinto, and Suzanne Widup for producing yet another amazing report for all of us to learn from. Your work over the years is appreciated.