Security Needs Data: Insights From the Data Breach Investigation Report

In security, numbers can deceive. If somebody tells you a given risk has an "82% chance of materializing", run. Nobody possesses such reliable data. Numbers give pseudo-experts a varnish of credibility. Anybody can fudge them.

Verizon's Data Breach Investigation Report (DBIR) is one of the few reliable public data sources about the current state of security breaches and their associated costs. I expect cyber insurers to build detailed actuarial tables in the long term. Still, that enterprise may prove impossible: cyber threats are much more unpredictable than natural disasters, theft or vandalism.

We must cling to reliable sources such as the DBIR as an intellectual self-defence mechanism. Vendors and influencers need your fear to sell their salad. Just yesterday, a security awareness training vendor alarmed me on LinkedIn about "90%+ of breaches being due to humans", without providing a source...

I read the 2024 DBIR and here are some reliable conclusions.

Vulnerabilities Are Back In Style

I made the hack of the MOVEIt "secure" file transfer solution ppfosec's top story of 2023. The DBIR's data backs it up. Criminals could break into MOVEIt's software with a simple code injection, which made their lives easy. As a result, software vulnerabilities became a popular entry point, as much as stolen credentials.

Two conclusions emerge:

• Criminals will always use the path of least effort;
• You can't tunnel vision only on authentication.

Imagine if, next year, a piece of malware can execute on PDFs without macros, or a Javascript malware can break out of Chrome, or a WhatsApp WAV attachment can read into an iPhone's file system. Malware would become the #1 trend!

As much as I hate to write this: securing your systems based on headlines is not a stupid strategy. Yes, its reactive nature puts you behind, and I'd much rather build a comprehensive strategy around known standard practices. But still, I can't help but feel a quick fix for a small-medium enterprise is to follow the advice from reputable news sources!

Speaking of trends...

Generative AI is Nowhere to be Seen

In March 2023, I wrote How criminals will use generative AI to scam us. Looking back, I'm proud of this article because I still see publications, podcasts, journalists, and vendors throttling out the same ideas. I was ahead of the curve, yay! Or was I?

In the DBIR, the only mention of generative AI is ChatGPT Teams account selling on the black market. None of the scenarios such as AI-powered password guessing, ultra-realistic deepfake frauds, and well-written phishing emails happened.

Generative AI use in cyber criminality may be a cool academic discussion, but for now, it's speculative. In fact, given what we see in the data, I will be using this question as a "B.S. detector"...

Where the methods did change is...

Criminals Are Seeking New Revenue Streams

It might not appear so, but we are slowly winning against traditional ransomware. Based on FBI data, only 4% of ransomware victims paid the ransom (down from 7%), for a median loss of $46,000 (up from $26,000). Roughly speaking: the number of victims halved, and the criminals compensated by raising the price twofold. This reminds me of cable TV in the 2010s: twice the ads, twice the price, half the content.

The bad news is that hackers are finding less technical ways to extract revenue: fraud and extortion. Business email compromise (the biggest issue in the 2023 report) is still trending around 25% of breaches. Extortion is part of 10% of breaches, from 0% in 2023.

What is the difference between ransomware and "pure extortion"? Criminals will still breach your systems, lock you out, and ask for ransom. But they will also threaten to dox you to your regulators, customers, investors, and the media.

Initial analysis suggests extortion will have a short shelf life. Companies have become educated about security breaches and they'd rather face the music than pay the ransoms.

In short: we are getting better. And it's not the end...

Authorities' Initiatives Are Working

The DBIR feeds of FBI datasets. It gathers collaboration from the Cybersecurity and Infrastructure Security Agency (CISA). The CISA's catalog of "known exploited vulnerabilities (KEV) is built off a nationwide set of honeypots that can alert organizations of urgent threats within days, sometimes hours, of exploitation. The FBI took down the Qakbot ransomware, the Lockbit and Hive groups. I may be "drinking the Kool-Aid", but I'm forced to conclude that US institutions are performing both in awareness and enforcement, to tangible benefits.

It's not sexy to say we're winning, for obvious reasons. Security is infinite, and the minute we lower our attention, everything needs to be redone. We can't afford to sit on our laurels. Imagine if the trends I've observed this year end up reversing downwards for 2025. My optimistic take would look foolish. And that's the beauty of the doomsayers... if we call them out on their exaggeration, they could always say "better safe than sorry; hope for the best, prepare for the worst!" So I dare to believe our efforts are making a positive impact globally.

Do you share my optimism? Let us know in the comments!

Know What You’re Up Against: Insights from the 2023 Data Breach Investigations Report

Verizon’s Data Breach Investigation Report (DBIR) is a must-read resource to gain insight into current cybersecurity breaches. The 2023 version is out, and I read the whole 90 pages of it so you don’t have to!

ppfosecPierre-Paul Ferland