System Intrusion

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Submit View only

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

2024

Summary

While shifts in tactics leveraged by Actors have modified some of the top Actions, the overall effect of these Actors continues to be felt by the majority of industries and organizations of all sizes.

What is the same?

Ransomware attacks continue to drive the growth of this pattern as they now account for 23% of all breaches.

Frequency		5,175 incidents, 3,803 with confirmed data disclosure
Threat actors		External (100%) (breaches)
Actor motives		Financial (95%), Espionage (5%) (breaches)
Data compromised		Personal (50%), Other (34%), System (26%), Internal (22%) (breaches)

System of an Intrusion

In the world of our attack patterns, it’s been a competitive year, and there have been a lot of contenders vying for the first-place prize of MFB: most frequent breach (granted, not as prestigious as the MVP, but you work with what you have). System Intrusion, for the third year in a row, leads the pack with 36% of breaches. Not sure exactly what they’re winning (our guess would be a good bit of cash), but we can certainly tell you who is losing, and that’s all of us. Let’s dive into what is driving the continued success of this pattern.

The makeup of this pattern hasn’t changed much. It is where our more sophisticated attacks⁵⁷ are found. They still largely consist of breaches and incidents in which the threat actor leverages a combination of Hacking techniques and Malware to penetrate the victim organization—more or less what one might expect from an unauthorized penetration test. However, rather than providing a helpful written report at the conclusion of the exercise, they typically deploy Ransomware and provide the victim with a much less helpful extortion note. These Ransomware attacks account for 70% of the incidents within System Intrusion, as seen in Figure 28. The other often seen actions in the System Intrusion pattern tend to be those that provide the actor access to the environment, such as Exploit vulnerabilities and Backdoors. We also saw Extortion creeping into this space, primarily due to a large and impactful event that we will discuss later in the report—so stay tuned.⁵⁸

Data Breach Investigation Report figure 28

Ransomhow?

With regard to vectors (Figure 29), we saw a great deal of Direct install. This is when threat actors use their existing system access to install malware, such as Ransomware or Backdoors. The vector of Web applications, which is a favored target of exploits, also appeared frequently, as we discussed in the ways-in analysis in the “Results and analysis” section. Of course, we still see threat actors leveraging Email to reach users and Desktop sharing software to gain entry into systems. Because these threat actors use a plethora of tools and techniques, this data is longer tailed, which is why Other shows up relatively often in our top five. Within the category of Other are vectors such as VPNs, Software updates and a whole bunch of Unknowns (our bet is that it is most likely split among the tactics discussed above, just not explicitly reported to us). Therefore, when prioritizing your efforts at protecting yourself, don’t neglect addressing malware infections, stolen credentials or unpatched systems as it may lead you to break out in Ransomware.⁵⁹

Ransomwho?

Much like Sisyphus with his never-ending task, it seems that the hardworking people in IT must continue to contend with the evolving threat of Ransomware. Ransomware has again dominated the charts, accounting for 11% of all incidents, making it the second most common incident type. Ransomware (or some type of Extortion) appears in 92% of industries as one of the top threats.

Data Breach Investigation Report figure 29

When we remove the Ransomware groups from this dataset,⁶⁰ we’re left with a pretty even split of 44% run-of-the-mill types of criminals and 40% State-affiliated actors. It shouldn’t be too surprising to find out that the tactics used by criminals are very closely aligned to those used by Actors working on the behalf of their country.

Ransomware (or some type of Extortion) appears in 92% of industries as one of the top threats.

Clearly, the major difference is what they do with that access. The subset of criminals in this pattern who aren’t doing Ransomware/Extortion are quietly siphoning off Payment data from e-commerce sites and account for 57% of breaches involving stolen Payment cards, while the State-affiliated actors look to pivot and steal other types of data.⁶¹

Ransomwhat?

Understanding the cost associated with Ransomware is a bit complex as there are several primary and secondary costs to consider, not to mention the possible soft costs associated with reputational impacts. While we try our best to capture these costs, it’s worth noting that the result isn’t a full picture but simply our best approximation using the data we have.

One of the easier costs to capture is the amount associated with paying the actual ransom. Analyzing the FBI IC3⁶² dataset this year, we found that the median adjusted loss (after law enforcement worked to try to recover funds) for those who did pay was around $46,000 as shown in Figure 30. This is a significant increase from the previous year’s median of $26,000, but you should also take into consideration that only 4% of the complaints had any actual loss this time, as opposed to 7% last year.

Data Breach Investigation Report figure 30

Data Breach Investigation Report figure 31

Another way we can slice the data is by looking at ransom demands as a percentage of the total revenue.⁶³ The median amount of the initial ransom demand was 1.34% of the victim organization’s total revenue—with 50% of the demands being between 0.13% and 8.30% (Figure 31). We know this is quite a spread for the initial ransom demand percentage. There were a few within the top 10% of cases reaching up to 24% of total revenue. Hopefully these ranges assist organizations in running risk scenarios with an eye toward potential direct costs associated with a ransomware attack. Of course, there are many other factors that should also be considered, but this is a good starting point.

CIS Controls for consideration

Bearing in mind the breadth of activity found within this pattern and how actors leverage a wide collection of techniques and tactics, there are a lot of safeguards that organizations should consider implementing. Below is a small subset of all the things an organization could do. They should serve as a starting point for building out your own risk assessments to help determine what controls are appropriate to your organization’s risk profile.

Protecting devices

Secure Configuration of Enterprise Assets and Software [4]
– Establish and Maintain a Secure Configuration Process [4.1]
– Establish and Maintain a Secure Configuration Process for Network Infrastructure [4.2]
– Implement and Manage a Firewall on Servers [4.4]
– Implement and Manage a Firewall on End-User Devices [4.5]
Email and Web Browser Protections [9]
– Use DNS Filtering Services [9.2]
Malware Defenses [10]
– Deploy and Maintain Anti-Malware Software [10.1]
– Configure Automatic Anti-Malware Signature Updates [10.2]
Continuous Vulnerability Management [7]
– Establish and Maintain a Vulnerability Management Process [7.1]
– Establish and Maintain a Remediation Process [7.2]
Data Recovery [11]
– Establish and Maintain a Data Recovery Process [11.1]
– Perform Automated Backups [11.2]
– Protect Recovery Data [11.3]
– Establish and Maintain an Isolated Instance of Recovery Data [11.4]

Protecting accounts

Account Management [5]
– Establish and Maintain an Inventory of Accounts [5.1]
– Disable Dormant Accounts [5.3]
Access Control Management [6]
– Establish an Access Granting/Revoking Process [6.1, 6.2]
– Require MFA for Externally-Exposed Applications [6.3]
– Require MFA for Remote Network Access [6.4]

Security awareness programs

Security Awareness and Skills Training [14]

MOVEit or don’t.

Over the summer, we were teased with the idea of a great crossover, one involving the father of the atomic bomb and a plastic doll. For this year’s report, we have a similar type of crossover but perhaps a bit less entertaining. In the hope of continuing to increase their affiliates’ profits, ransomware groups have demonstrated a remarkable ability to evolve their tactics.

One such recent evolution was snapshotted in the MOVEit incident, where threat actors⁶⁴ used a zero-day attack (a previously unknown and unpatched vulnerability) in file management software and went on a spree appropriating whoever’s data they could get their hands on and holding it hostage. While the attack affected organizations from a variety of sectors, Education was by far the largest impacted (Figure 32), accounting for more than 50% of the breached organizations, according to our breach notification dataset.

While this seems like pretty standard e-criminal stuff, it was a shift in tactics worth discussing. For starters, the group didn’t actually deploy Ransomware in all of these cases, even though it was previously partial to that tactic. There could have been myriad reasons as to why the group didn’t choose this option, and anything we’d suggest would be speculation. What it did accomplish, however, was to slightly confound the differences that exist between the System Intrusion and Social Engineering patterns by introducing a big chunk of data that neatly fits in both categories. After it stole the data, Cl0p used Extortion as a means of separating the victims from their hard-earned money.

Data Breach Investigation Report figure 32

When we look at Ransomware breaches over time (Figure 33), we notice a dip in the cases; however, when we combine it with Extortion, we see that it follows pretty much the same trend line. This indicates to us that it may be the same actors, and they are simply shifting tactics to best leverage the type of access they have. This combination did show a significant growth as a part of breaches, as we touched on in the second entry of our “Summary of findings” section.

The DBIR team looks at numbers,⁶⁵ not code, so this report isn’t the best place to explain all the technical elements. Nevertheless, what the vulnerability essentially did was to allow the attackers to upload a backdoor through a crafty SQL injection attack. This backdoor allowed the attackers to perform several different tasks such as downloading data and manipulating the application’s legitimate users.

Data Breach Investigation Report figure 33

Unfortunately, because of the nature of the platform, file transfer systems need to be on the internet, and the fact that this was an unknown vulnerability at the time of exploit ensured that there was nothing victims could have done to prevent it. There can be no doubt that this was a large-scale and impactful attack; however, it wasn’t without precedent. In fact, just a few months before, in January 2023, the same group had targeted another file hosting platform resulting in a rather busy month for Ransomware claims.

As we gaze into our crystal ball, we wouldn’t be surprised if we continue to see zero-day vulnerabilities being widely leveraged by ransomware groups. If their preference for file transfer platforms continues,⁶⁶ this should serve as a caution for those vendors to check their code very closely for common vulnerabilities. Likewise, if your organization utilizes these kinds of platforms—or anything exposed to the internet, for that matter—keep a very close eye on the security patches those vendors release and prioritize their application.

⁵⁷ If these attacks were people, they would drink fine wine in restaurants, pontificate loudly on the vintage and drive cars made in Scandinavia.

⁵⁸ And if you could hit the Like and Subscribe buttons, we’d appreciate it. Oh, wait, wrong platform. 59 And a visit to the dermatologist won’t help.

⁵⁹ And a visit to the dermatologist won’t help.

⁶⁰ Ah, wouldn’t that be nice? Just the thought of it improved my mood.

⁶¹ Can’t tell you what, though. It is strictly confidential information.

⁶² https://www.ic3.gov

⁶³ Note that the source of this data is from ransomware negotiators, which might be a self-selecting sample. Those who can afford to employ a negotiator in this kind of incident may also be targeted with higher ransom demands since they are likely to be higher revenue organizations.

⁶⁴ Widely attributed to be the Cl0p ransomware group (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a)

⁶⁵And pop culture references

⁶⁶Even though, as 2024 begins, the focus seems to be on VPN and remote Desktop sharing software.