The recently released 2023 Verizon Data Breach Investigations Report (DBIR) provides an insight into the current state of cybersecurity, with notable attention drawn to the persistent issue of stolen credentials. While the findings point towards a rather static scenario, the DBIR authors point out that it speaks more to the lack of evolution in security postures and failure of users and organizations to address the foundational vulnerabilities. In other words, the same-old-same-old seems to be working just fine for threat actors.
The Status of Cyberattacks
The 2023 DBIR reveals system intrusion, fueled by the rise in ransomware and supply-chain attacks, to have surpassed basic web application attacks as the most prevalent form of attack, a trend echoing that of the previous year. The report also identifies financial gain as the prime motive behind 94.6% of this year’s breach incidents.
Two common issues, the use of stolen credentials and phishing, remain prevalent as seen in previous years. Despite being basic cybersecurity 101, their continued dominance underscores the importance of security fundamentals.
System Intrusion and Ransomware
With system intrusion reigning as the most prominent incident type, the report highlights ransomware as the primary intrusive action, constituting over 80% of the reported 2,700 incidents. The three top vectors for ransomware deployment include web applications (35%), desktop sharing software (25%), and emails via phishing (20%).
The Persistent Problem of Stolen Credentials
The 2023 DBIR report critically examines the prevalence and impact of stolen credentials. Despite many organizations claiming to have fallen victim to ‘highly sophisticated cyberattacks,’ the reality often is as basic as an exposed password or credential stuffing attack. With the prevalence of password reuse and frequency of data breaches, it’s easier than ever for threat actors to gain a foothold into an organization’s environment.
Exploiting stolen credentials topped the list of nefarious activities by cybercriminals, occurring in over 40% of the reported 4,354 incidents.
This trend reveals the persistent vulnerability of users and organizations to such attacks, suggesting a lack of significant steps to counter them.
In fact, the report indicates that the exploitation of vulnerabilities has slightly decreased compared to the increasing use of stolen credentials.
The Connection between Web Applications and Stolen Credentials
Web applications continue to be the most common vector in system intrusions, accounting for over 60% of the reported breach incidents. This aspect underscores the link between web application attacks and stolen credentials.
The general pattern follows the path of threat actors leveraging stolen credentials and vulnerabilities to access an organization’s assets. Typically, the stolen credential serves as the entry point, enabling further compromise through the exploitation of vulnerabilities like privilege escalation or the deployment of malware.
However, the origin of these stolen credentials often remains a mystery. While many can be traced back to password stealers, data breaches, or individual threat actors, the exact breakdown is largely unknown.
Personal Data and the Role of Stolen Credentials
The 2023 DBIR highlights that personal identifiable information (PII) is still the most targeted data in breaches. In a clear interplay, stolen credentials have emerged as the leading entry point for such violations, suggesting a significant link between the use of stolen credentials and the resultant exposure of a variety of personal data. This data includes sensitive information like medical records, bank account details, and payment card data.
Looking Ahead
The static trend and persistent problem of stolen credentials calls for a more proactive approach to cybersecurity. For researchers and companies working to combat these attacks, the continuous monitoring of compromised credentials should be a foundational part of any security strategy.
Additionally, organizations and users need to better understand their own security measures and prioritize them based on the nature and sensitivity of their data. This includes enforcing strong and unique passwords and encouraging regular updates and patching. Regular employee training on the latest cyber threats, especially phishing, is a simple yet effective measure that can go a long way in preventing breaches. Also, organizations need to pay closer attention to the security of their web applications. Secure coding practices and regular penetration testing can help identify vulnerabilities and fix them before they are exploited by threat actors.
Despite the seemingly stagnant cybersecurity landscape at times, it’s important to note that the static nature of the threats does not imply that our approach to them should also be static. A proactive, informed, and adaptable approach to cybersecurity can help organizations stay one step ahead of cybercriminals, even as they continue to use the same old tricks.
As the saying goes, “The more things change, the more they stay the same.”
In the context of cybersecurity, the threats may sometimes stay the same, but our defenses against them must continually evolve and improve.