A consistent year-on-year increase in ransomware usage and the exploitation of the human element during cyber breaches have emerged as two key findings of the American communications giant Verizon’s Data Breach Investigations Report (DBIR) 2022.
The newest edition of the study analysed 5,212 confirmed data breaches from a total of 23,896 security incidents across an array of sectors, industries and regions. It concludes that not only was ransomware activity detected in 25% of all documented breaches in 2021, but 82% of these breaches also exploited human error.
Human error, particularly the misconfiguration of cloud storage, is another prominent cause observed last year, though Verizon notes that this pattern has levelled out in the past couple of years.
It has also emerged that about 61% of the 23,000 documented incidents targeted supply chain networks. Although only 9% of all confirmed breaches successfully broke into a supply chain, the report notes that the domino effects of a compromised pipeline can run into millions in losses.
The finance, information and professional services sectors in Asia, Europe and North America saw the highest number of confirmed breaches, the report adds, while noting that the findings may not be completely accurate because its researchers had unequal access to regional data.
Why it matters: The frequency of cyberattacks on both the public and private sectors has risen sharply in the last few years, especially during the pandemic. Cyber breaches across the globe in 2021 left victim entities and individuals with huge financial losses, not to mention severe violations of confidential data and privacy. Gauging the attack patterns and methods of threat actors is key to improving existing cybersecurity measures.
What were the standout attack patterns of 2021?
The DBIR puts forth four key paths to an enterprise’s cyber estate in the past year: stolen credentials, phishing, exploiting vulnerabilities and malicious botnets. In order to exploit these four paths, threat actors used eight main attack patterns in 2021.
Although some attacks use automated malware to seek out system vulnerabilities, most of the patterns listed below have remained constant over the years and target individual employees.
- Basic Web Application Attack: These attacks may target an application itself to gain access to sensitive data, or they may use the application as a staging post to launch attacks against its users. These incidents leverage one or two entry points, using stolen credentials or exploiting an existing vulnerability to directly target an organisation’s most exposed internet-facing infrastructure, such as web servers.
- Denial of Service: Attacks meant to shut down a machine or network, making it inaccessible to its intended users. DoS attackers accomplish this by flooding the target with traffic or sending it an overload of information that triggers a crash. The DBIR notes that along with financially motivated threats, DoS attacks are also rising in popularity among hacktivists.
- Lost and Stolen Assets: These refer to incidents where an information asset was reported missing, whether through misplacement or malice. Stolen assets may be used to launch future attacks.
- Privilege Misuse: These incidents are predominantly driven by unapproved or malicious use of legitimate privileges. Privileges can be obtained through a backdoor into an application or program, or by using stolen or phished credentials. In turn, the privileges themselves can be used to launch a subsequent attack.
- Social Engineering: In cybersecurity vocabulary, “social engineering” refers to the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality. These attacks are often hidden inside emails or social media messages. These messages might look urgent or appealing, but if a user clicks them, their system might be compromised by the malware inside. Social attacks were reportedly most prevalent in the finance sector in 2021.
- System Intrusion: Complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware. In these attacks the attacker gains partial or complete access to the target system, from which they can either steal data or use ransomware to lock the user out of their own data.
The report also states that deploying defences against the four access paths, such as two-factor authentication and password managers, can stop hackers from breaching. It concludes that the most important defence against hackers is efficiency.
Ransomware used in 25% of all attacks
What is ransomware? It is a type of malicious software in which the attacker encrypts the victim’s data and key files and demands a ransom to decrypt it. This kind of attack takes advantage of human, system, network, and software vulnerabilities to infect target devices.
“Ransomware alone is simply a model of monetisation of a compromised organisation’s access that has become quite popular,” the DBIR reveals, adding that ransomware was present in almost 70% of the breaches involving malware in 2021. The paper also notes that ransomware activity has seen a 13% increase from 2020.
How does it operate? Ransomware operations are simple in the sense that the operator does not need to look for any specific data or credentials (e.g. credit card or social security numbers); instead, they need only shut down or throttle the victim’s functions or services long enough for the victim to agree to pay a ransom.
Verizon has identified email (in 40% of the incidents) and desktop sharing software (in 35% of the incidents) as the two major routes that ransomware operators use to enter a system. The paper suggests that locking down an enterprise’s third-party-facing infrastructure, such as Remote Desktop Protocol (RDP, which may give remote access to a PC) and email, can better safeguard these routes. RDP and remote desktop sharing software were also flagged as a major concern in the previous year’s report.
Attacks on supply chain networks
What is a supply chain? A supply chain is the network between a company and its suppliers to produce and distribute a specific product to the final buyer.
Supply chains were the most frequently attacked domain in 2021, featuring as the target in 61% of the breaches last year; and although they were the victim in only 9% of confirmed breaches, a supply chain attack may have far wider implications.
What makes a supply chain attack dangerous? In a normal hack, cyber criminals pick one company to target and find a unique way to break into that particular victim’s computer network. But during a supply chain attack, hackers infiltrate a trusted company that supplies software or IT services to many other firms. Their goal is to slip malware into the “supply chain” of software updates the company installs on its customers’ computers.
Why are supply chains attacked so frequently? The singularly large scope of harm makes supply chains such an attractive target for threat actor groups.
The victims of supply chain attacks have been classified into three types: primary, secondary and tertiary.
The primary victims are the vendor that has been breached, the secondary victims are the users of the vendor’s supply chain and the tertiary victims are the customers of the secondary entity.
For example, in the May 2021 DoS attack on Colonial Pipeline, which streams jet fuel to the southwestern United States, the primary victim was the pipeline company, the secondary victims were the gas companies using its services, and the tertiary victims were the airlines dependent on the fuel and their customers.
State interest: Supply chains are also a preferred target for nation-state actors, the report notes. However, these actors prefer to breach and stay hidden for as long as they can, siphoning off all the data that comes their way until they are detected by security teams.
The report cites the French government’s 2021 discovery of a three-year-old ongoing Russian hack in an IT monitoring system as a prime example of a nation-motivated supply chain breach.
Exploiting the human element
In a finding that exposes the cost of human mismanagement, 25% of total breaches in the 2022 report were the result of social engineering attacks, proving that people remain the weakest link in an organisation’s cybersecurity defence by far.
“When you add human errors and misuse of privilege, the human element accounts for 82% of analysed breaches over the past year,” the Verizon report adds.
Be it weak passwords or curiosity at seeing a message from a friend, threat actors will use every vulnerability to bring down a firewall. The human element is a constant vulnerability that has featured repeatedly in the DBIR ever since the first edition came out in 2008.
Since the Verizon report deals mostly with primary victims, it classifies three main ways in which the human element is exploited to gain access to an organisation:
- Phishing refers to an attempt by cybercriminals posing as legitimate institutions, usually via email or instant messaging, to obtain sensitive information from targeted individuals. The criminal may pose as an employer or senior management to gain access to backdoor keys and credentials from junior level workers.
- Errors may encompass many activities: from accidentally downloading disguised malware or having vulnerable passwords to overlooking firewall vulnerabilities or even forgetting to log out of an organisation account. The massive theft of 100 million credit card records held by Capital One in 2019 was made possible by a misconfigured firewall.
- Theft, in this report, refers to the act of stealing credentials or assets via any means other than using false identities to separate the category from phishing. Examples may include a heist using a disguised keylogger or the theft of credentials or sensitive information using a brute force password cracker hidden in a software bundle.
Verizon’s recommendations to keep organisations safe
Verizon has also aligned the DBIR 2022 findings with the Center for Internet Security’s Critical Security Controls to come up with a list of security measures (or “controls”) to help organisations create safer cyber environments.
- Data protection: This pertains to the processes and technical security measures to identify, classify and securely handle organisational data in all its forms. Encrypting or locking up data is the most basic and according to Verizon the “best” practice to prevent any accidental exposure.
- Secure configuration of enterprise assets and software: This control contains safeguards focused on engineering solutions that are secure from the moment of creation. This protection offers to reduce error-based breaches such as misconfiguration and loss of assets by enforcing remote deletion abilities on devices.
- Account management: This security measure is targeted toward helping organisations manage access to employee accounts and is useful against brute force and credential phishing attacks.
- Access control management: This measure manages the rights and privileges of users and enforces multi-factor authentication on key components of the environment. Verizon classifies this as an important defence against the use of stolen credentials.
- Security Awareness and Skills Training: Verizon calls this measure a “classic”. Taking into consideration the prevalence of errors and social engineering attacks in data breaches, the report notes that security awareness and technical training is a necessary investment in order to help employees against “a world full of cognitive hazards.”