Incident Classification Patterns: Introduction

The patterns are essentially clusters of “like” incidents. Starting in 2014, and for several subsequent years, there were nine patterns. Last year we found that due to changes in attack type and the threat landscape, the data was leading us toward revamping, combining and generally overhauling those patterns. Therefore, starting with the 2021 report, we moved from the original nine patterns down to the eight you see in this report. The eight patterns, and how they are defined, can be found in Table 1. Please be sure to peruse the way we define the different patterns, as we will refer to them throughout the report.

Although we have defined the System Intrusion pattern earlier in the report, a good example may be called for. When you think of Advanced Persistent Threat (APT) or some other form of capable actor moving across the environment popping shells, dropping malware, dumping creds and doing all the fun stuff you would expect from an unexpected Red Team exercise, that’s System Intrusion. This pattern consists of more complex breaches and attacks that leverage a combination of several different Actions such as Social, Malware and Hacking. From a look at our data this year, it would appear that defenders have faced all those challenges, particularly with rises in Ransomware and threats originating from partners (including vendors). 

This pattern consists of more complex breaches and attacks that leverage a combination of several different actions such as Social, Malware and Hacking. From a look at our data this year, it would appear that defenders have faced all those challenges, particularly with rises in Ransomware and threats originating from partners (including vendors).

To better understand this pattern, let’s take a look into the Action varieties and vectors that make up the incidents. Figure 35 shows the top action varieties with Backdoors (provided by the malware) and Ransomware competing for the top spot, followed by Use of stolen credentials. With regard to vectors, in Figure 36, we see Partner and Software Update (Shocker!) as the leading vectors for incidents. This is primarily attributed to one very large and very public security incident that happened last year. We’ll give you a hint, it rhymes with “PolarShins”. Please see “Partners, Supply Chains, and 3rd parties, oh my” for more information. However, if we look past the Partner and Software update varieties, we find that 14% of incidents involved Desktop sharing software as one of the main vectors, followed by Email at 9%. 

Figure 37 captures the distribution of file types along with the distribution of the delivery methods. It seems that the common route of Office docs and emails⁸ are still the tried-and-true method for delivering those initial payloads, which can then be used for further naughty deeds such as Ransomware deployment.

Rampant Rampaging Ransomware

This section is the perfect sequel to last year’s finding of Ransomware dramatically increasing (unlike my Unamused Baboons NFT’s value). That trend has continued with an almost 13% increase this year (an increase as large as the last five years combined).

Keeping in mind that while insidious, Ransomware alone is simply a model of monetization of a compromised organization’s access that has become quite popular. Ransomware operators have no need to look for data of specific value, e.g., credit cards or banking information. They only need to interrupt the organizations’ critical functions by encrypting their data. 

Ransomware Routes

While Ransomware comes in a variety of different flavors with catchy and not so catchy names, the way that Ransomware makes its way onto a system isn’t quite as diverse. In Figure 39 you can see the pairings of the Actions to their respective vectors which are used to deploy Ransomware. There are a couple of key points to consider: 40% of Ransomware incidents involve the use of Desktop sharing software and 35% involved the use of Email. There are a variety of different tools the threat actor can use once they are inside your network, but locking down your external-facing infrastructure, especially RDP and Emails, can go a long way towards protecting your organization against Ransomware. 

When we examine the types of malware blocked, we find that Droppers are typically the second most common. This aligns well with Email being such a prevalent entry point. If attackers have credentialed remote access, they can leverage that directly. Otherwise they must make their own remote access by emailing either malicious links or attachments. 

Looking Back: Ransomware     

Even though the first Ransomware case occurred when at least one of the current authors was still in diapers (1989), it took quite a while for it to become a mainstay in the DBIR. The first case of Ransomware showed up in our data in 2008 and it wasn’t until 2013 that we had sufficient data to write something about it. And we quote:

“When targeting companies, typically SMBs, the criminals access victim networks via Microsoft’s Remote Desktop Protocol (RDP) either via unpatched vulnerabilities or weak passwords. Once they’ve gained initial access they then proceed to alter the company’s backup so that they continue to run each night but no longer actually backup any data. [2013 DBIR page 31]”

Had we known that what was true nine years ago would still be true today, we could have saved some time by just copying and pasting some text. Oh well, maybe in another nine years things will change for the better.

The next type of incident vector is the Supply Chain. We define Supply Chain breaches as a sequence of one or more breaches chained together. In our data this may be a breach where there are secondary victims (when seen from the primary victim’s breach) or where a partner was the vector (when seen from the secondary victim’s breach). Another common example would be when a compromised software vendor is used to push a malicious update to an organization resulting in a breach, or a generic partner breach where a partner is compromised and either a set of credentials or some trusted connection is used to gain access. 

After the major events of last year, these types of incidents account for 9% of our total incident corpus and 0.6% of our breaches this year.  Due to the major event in 2021 in which a large network administration tool was compromised and used to push a backdoor to compromised servers, we see an extremely high rate of Backdoor¹¹ in the action varieties. However, there are still other noteworthy items within those remaining percentages such as Ransomware, Use of stolen credentials and other forms of malware with the capabilities you might expect to see. We have encountered cases of Supply Chain attacks in previous reports, reminding us that even if it’s not a frequently used tactic each year, there is an established precedent for these attacks.

Ending remarks 

When large-scale events like those we experienced in 2021 happen, they can shake our confidence in our abilities to protect ourselves. However, it is important to keep in mind that the close collaboration between federal security organizations and the cybersecurity community resulted in the detection and remediation of this event within a few months rather than years. While we do not have sufficient information to know whether or not the perpetrators considered it a successful operation, we can say that as an industry and as a community, we were ultimately successful in sharing resources and protecting each other from a complex threat. Thank you to everyone that stepped up and assisted in this effort.   You deserve a drink of your choice and the DBIR team would be happy to raise a glass with you.

⁸ With the median organization receiving over 75% of its malware via email.

⁹ I mean, we’re told it ended. We can neither confirm nor deny as we are still in our bunkers awaiting the imminent arrival of Ragnarök.

¹⁰ The timeline section talks about value chains and event chains, which are both part of the attacker Circle of Breach.

¹¹ And because “Backdoor or C2” contains backdoor, we see a large amount of it as well.