How Bad Is It Out There? Our Thoughts On Verizon's 2024 Data Breach Investigations Report (DBIR)

Verizon released its Data Breach Investigations Report (DBIR) for 2024,¹ an annual treat that highlights some trends companies should be aware of as they manage their cybersecurity programs and respond to and anticipate new legal and regulatory obligations. The DBIR is based on Verizon's examination of 30,458 incidents and more than 10,000 breaches. ²

We advise companies on cyber risk management, incident response, and compliance issues. We review reports like the DBIR to validate and inform our work. Verizon's report always has some great insights and things to think about, and this year took a deep dive into timely supply chain issues.

TRENDS VERIZON IDENTIFIED:

• 2023 reflected a substantial growth in the use of vulnerabilities by threat actors, including vulnerabilities resulting from software supply chain attacks;
• "The human element was a component of 68% of breaches" led by end user errors;³ and,
• Generative AI (GAI) has not emerged yet as a tool used to launch cybersecurity attacks.

ACTION ITEMS VERIZON SUGGESTS COMPANIES CONSIDER:

• Continue to prioritize vulnerability management and patching;
• Implement vendor/third-party risk management programs;
• Invest in employee cybersecurity education and training; and
• Adopt an AI governance model for internal use of artificial general intelligence (e.g., ChatGPT, Microsoft Copilot, Google Gemini, etc.).

WHAT WE FOUND INTERESTING:

This year's DBIR found a 180% increase over last year in the use of "vulnerabilities as the critical path to initiate a breach" with a boost from the MOVEit zero-day vulnerability. Vulnerabilities, particularly in web applications, were most frequently used by ransomware and other extortion-related threat actors.

• Web applications were leveraged through credential compromise most frequently, followed by vulnerabilities.
• "Roughly one-third of all breaches involved Ransomware or some other Extortion technique."
  • "Ransomware (or some type of Extortion) appears in 92% of industries as one of the top threats."
• The human element was a component of 68% of breaches which, according to the DBIR, shows where investment in security training and awareness "could potentially improve the outcomes of more than two-thirds of potential breaches."

OTHER POINTS TO NOTE:

In this year's report, Verizon extended its evaluation of supply chain to include breaches of third parties, including through vulnerabilities in third-party software. Supply chain and third-party risks increasingly have been a focus of government regulation and interest, so this section of the Report is particularly interesting for people watching policy in these areas. The Administration's National Cybersecurity Strategy (NCS) and the NCS Implementation Plans prioritize shifting legal liability for insecure software to the software manufacturer. The Cybersecurity and Infrastructure Security Agency (CISA) launched a voluntary Secure By Design Pledge signed by 175 companies, "focused on enterprise software products and services," a subject we previously discussed in conjunction with CISA's Software Security Attestation Form for government contractors providing software to federal agencies.

Verizon found that breaches involving third parties constituted 15% of breaches "mostly fueled by the use of zero-day exploits for Ransomware and Extortion attacks." Verizon observes these "are breaches an organization could potentially mitigate or prevent by trying to select vendors with better security track records." Verizon's findings highlight supply chain risks from third-party vendors, particularly software vendors.

For companies procuring software, the VDBIR findings suggest the growing importance of managing your software supply chain including through due diligence in vendor selection, vetting, and contractual requirements (e.g., prompt notice of security incidents; cooperation in organizational security investigations; and clarity around customer notification obligations).

Speaking at a Semafor event on the cyber threat landscape for policymakers and industry on June 18, Chris Novak, Verizon Business Senior Director of Cybersecurity Consulting and a key partner of the Verizon Data Breach Investigations Report (DBIR) team, provided some insights into key findings and analysis in the report. One of the most interesting trends is that Verizon isn't seeing GAI used to launch attacks.

Novak explained threat actors continue having success with traditional methods such as ransomware, phishing, pretexting, and business email compromise (BEC). Until these methods of exploitation stop working, threat actors will stick with those methods. As AI improves, threat actors will see how they can scale it. Nation-state actors, however, will be out in front since they have the resources to be first movers using AI for cyberattacks.

Novak said a lot of risk from AI and GAI is internal to your organization due to the sharing of information outside your boundaries, which could include intellectual property. He recommended organizations promote an acceptable way to use AI through the implementation of an "AI governance model."

Conclusion

While there was a substantial growth in threat actors' exploiting vulnerabilities from software supply chain attacks, the human element and end user errors were a component in most breaches. Given the prevalence of supply chain attacks, companies should take a close look at their vendor/third-party risk management programs. The human element remains a weak link in cybersecurity, and companies should consider investing in recurrent employee training and cybersecurity education efforts. Finally, while AI is getting considerable attention in cyber circles, GAI has not yet emerged as a significant factor in cyberattacks due in part, we think, to threat actors' continuing success in exploiting human and supply chain security weaknesses.

Footnotes

1 The Verizon Data Breach Investigations Report 2024 covers incidents between Nov. 1, 2022, and Oct. 31, 2023.

2The DBIR defines incident as "[a] security event that compromises the integrity, confidentiality or availability of an information asset." In contrast, the Report defines breach as "an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party." A Distributed Denial of Service Attack (DDOS) is typically not treated as an incident "since no data is exfiltrated."

3 Verizon "exclude[d] Malicious Privilege misuse in an effort to provide a clearer metric of what security awareness can effect." DBIR p. 8.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.