Verizon 2024 DBIR Insights

Verizon 2024 DBIR Insights

Cybercrime Christmas is here again in the form of the most excellent Verizon 2024 Data Breach Investigations Report (DBIR). If you’re into well-researched cybersecurity crime information, this annual report is for you. It’s a massive undertaking, and we’re all indebted to Verizon for making this happen each year. As in previous years, there’s a ton in this report. Of note, APIs occupy a bit more space in this year’s DBIR than they have in the past, and we welcome the acknowledgement of this important attack vector. Cequence Security is proud to be the only API security vendor contributing threat intelligence to this important research.

All About Credentials

All breaches start with a “way in”. In other words, how do the attackers initiate their breach into an organization. The Verizon DBIR points out that while email phishing finished solidly in second place, web applications occupy first and third place, for credentials and exploit vulnerability respectively¹. So, making sure that you’ve got rock-solid threat detection and mitigation happening is key. After all, even if your organization is great at patching, and most are not, having a system in place to detect and block attacks while your app remains unpatched is key.

As noted above, phishing continues to be on the rise, helping fuel the criminal availability of end-user credentials. Of course, credential stuffing is a common tactic used in automated attacks. As the report notes, “Credential stuffing is Brute force’s more hip cousin.” In credential stuffing, the attacker is attempting to use credentials that are already known to be valid somewhere, rather than trying to use computing power to systemically “guess” at credential values. And given people’s propensity to re-use credentials, this ends up working at a high enough percentage level to keep it on the attacker’s hit parade. There’s no shortage of marketplaces for this illicit credential information, either. If you know where to look, for about $10 you can buy a thousand fresh credentials.

Verizon states, “If your organization has a high number of customers, especially consumer-facing web applications and application programming interfaces (APIs), you should consider instituting robust protections before attackers use a tool and a free list of proxies to attempt combinations they found in a chat site.”²

MOVEit or Lose It

Unsurprisingly, the zero-day MOVEit vulnerability and associated attacks loomed heavily in the Verizon DBIR. The Verizon team was able to identify “1,567 breach notifications that related to MOVEit by a combination of (very vague) breach descriptions and the timing of the breach itself.”³ This SQL injection vulnerability in Progress Software’s MOVEit file transfer app affected thousands of organizations around the world (including my bank, according to the disclosure letter I received). A patch was issued, but the gap between patch availability and deployment left a big window for attackers to steal data or otherwise wreak havoc.

We wrote a blog about the MOVEit vulnerability last year, noting that the first step in a situation like this is to know what you have. The MOVEit vulnerability was exploited via its API, so a solution like the Cequence Unified API Protection platform would enable an organization to identify MOVEit instances for either monitoring or deactivation.

Then, while waiting for a patch to be issued or tested internally before deployment, it would be ideal to have a solution that could identify and mitigate attacks in real time. Cequence does this by fingerprinting traffic and identifying anomalies. Once the traffic is fingerprinted, policies can be enacted to ensure attacks don’t succeed.

Take Action

Make no mistake, stolen credentials are criminal currency that will be used in a variety of attacks, and new vulnerabilities like MOVEit will continue to appear, so it’s critical to have solutions in place that will let you know where you are exposed and protect you in the time between zero day and patching. We’d love to talk with you in more detail about your specific situation. Or, let’s arrange a demo so you can see for yourself.

Last, if you haven’t already, please read the Verizon 2024 Data Breach Investigations Report for yourself. It’s well-written, easy to read, and there’s lots to learn from.

References

¹ Verizon 2024 Data Breach Investigations Report, Results and analysis, p. 12.

² Verizon 2024 Data Breach Investigations Report, Incident Classification Patterns, p. 44.

³ Verizon 2024 Data Breach Investigations Report, Results and analysis, p. 21.