When we know what threats we’re up against, we can prepare better. For this reason, reports like Verizon’s annual Data Breach Investigations Report (DBIR) are important, as they provide organizations with valuable information so they can prepare for and defend against prominent cyber attacks.
In this post, we draw out the insights from the latest DBIR that bear most on external attack surface management (EASM) strategies in 2024, looking in particular at where threats come from, which assets are targeted most, and the methods attackers used most often.
Where Do Threats Come From?
Understanding where breaches originate is essential for organizations that want to manage and reduce their attack surfaces effectively. According to the 2024 DBIR, external actors remained the leading source of data breaches, responsible for 65% of breaches. Organized crime groups and compromised partners are key players in this category.
However, the share of breaches involving internal actors also grew, to 35%. A closer look shows that much of that growth comes from breaches attributed to “miscellaneous errors” by employees and contractors, which rose from 11% in 2023 to 26% in 2024. Examples include misdelivery of sensitive data, publishing errors, and security misconfigurations.
While not malicious, such mistakes create weaknesses that attackers can exploit, and so expand an organization’s attack surface. Security misconfiguration, for example, is a category of its own in the OWASP Top 10 (A05:2021), to which the project mapped roughly 208,000 occurrences of Common Weakness Enumeration (CWE) entries.
What Are the Most Targeted Assets?
The 2024 DBIR sheds light on the assets threat actors targeted most over the report’s analysis period. In breaches involving stolen credentials, web applications and mail servers were the prime targets. That is unsurprising: external-facing assets are the gateways to sensitive user data and privileged system access.
The report also shows a broader pattern. Servers were the most commonly affected asset in nearly every incident pattern, including system intrusions, basic web application attacks, miscellaneous errors, and denial-of-service (DoS) attacks.
Servers act as the backbone of an organization’s IT infrastructure, housing critical systems and data. For example, servers host websites and web applications. They may also communicate with external applications through application programming interfaces (APIs). Therefore, compromising servers often enables attackers to gain a foothold within a network, steal valuable information, or disrupt essential operations.
How Do Threat Actors Launch Attacks?
Knowing the tactics cyber attackers employ is crucial in developing effective EASM strategies. The 2024 DBIR reveals the most prevalent attack methods, highlighting two concerning trends—the proliferation of vulnerability exploitation and the rise of software supply chain attacks.
Vulnerability Exploitation
The DBIR reports a substantial increase in breaches in which exploitation of a vulnerability was the initial entry point. This method grew by 180% compared to the previous year.
The report cites MOVEit and similar zero-day vulnerabilities, used to stage ransomware and extortion attacks, as the prime examples, with web applications as the primary vector. In the case of the MOVEit Transfer managed file transfer application, a ransomware group exploited a SQL injection zero-day, CVE-2023-34362, to plant a web shell on internet-facing MOVEit Transfer servers and retain access to them.
The increase in vulnerability exploitation underscores the importance of applying security patches quickly. Yet the DBIR indicates that it takes an average of 55 days to remediate 50% of critical vulnerabilities once patches are available, and that 20% of vulnerabilities may still be unremediated 180 days after patches are released.
Time to detection is a problem as well. The DBIR reports a notable gap between a vulnerability’s publication and the first observed scans for it. For vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, the average time from public disclosure to the first scan is five days, but for vulnerabilities not on the KEV list it is 68 days. The practical consequence is that a KEV listing is a strong prioritization signal: those are the vulnerabilities attackers are already using, and any delay in detecting or patching them is time handed to the attacker.
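As an added example (this is not code from the DBIR, CISA or Attaxion), the following Python script prioritises a scanner’s vulnerability inventory against a KEV snapshot: KEV-listed CVEs on internet-facing assets come first, then KEV-listed CVEs on internal assets, then critical non-KEV findings on internet-facing assets, each tier ordered by how long the patch has been available. The inventory and the KEV snapshot are constructed for the example (the CVE-0000-000x identifiers are placeholders, not real CVEs, and the due dates are not the catalog’s); in practice the catalog is downloaded from CISA’s JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the inventory comes from your own scanner.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed (a subset of its
# fields). CVE-2023-34362 and CVE-2021-44228 are real KEV entries; the
# dueDate values here are placeholders for the example, not the catalog's.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress",
         "product": "MOVEit Transfer", "dueDate": "2024-03-01"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "dueDate": "2024-03-01"},
    ]
})


@dataclass
class Finding:
    cve: str
    asset: str
    external: bool          # internet-reachable according to asset discovery
    cvss: float
    patch_available: date   # date the vendor fix shipped (constructed)


# Constructed inventory, as a scanner might export it. CVE-0000-000x are
# placeholder IDs for the example, not real CVEs.
INVENTORY = [
    Finding("CVE-0000-0001", "intranet-wiki", False, 9.8, date(2024, 1, 10)),
    Finding("CVE-2023-34362", "mft.example.com", True, 9.8, date(2024, 2, 1)),
    Finding("CVE-0000-0002", "www.example.com", True, 9.1, date(2024, 1, 20)),
    Finding("CVE-2021-44228", "build-agent-07", False, 10.0, date(2024, 2, 15)),
    Finding("CVE-0000-0003", "www.example.com", True, 5.3, date(2024, 2, 20)),
]


def load_kev(kev_json):
    """Index a KEV feed (JSON text) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def tier(finding, kev):
    """Remediation tier; lower is more urgent.

    1: in KEV and internet-facing (known exploited and reachable)
    2: in KEV, internal only
    3: critical CVSS on an internet-facing asset, not (yet) in KEV
    4: everything else
    """
    if finding.cve in kev:
        return 1 if finding.external else 2
    if finding.external and finding.cvss >= 9.0:
        return 3
    return 4


def prioritize(findings, kev, today):
    """Return findings as dicts sorted by tier, then by how many days the
    patch has been available (oldest first)."""
    rows = []
    for f in findings:
        rows.append({
            "cve": f.cve,
            "asset": f.asset,
            "tier": tier(f, kev),
            "days_unpatched": (today - f.patch_available).days,
            "kev_due": kev[f.cve]["dueDate"] if f.cve in kev else None,
        })
    rows.sort(key=lambda r: (r["tier"], -r["days_unpatched"]))
    return rows


def kev_overdue(rows, today):
    """CVE IDs in the ranked list whose KEV due date has already passed."""
    return [r["cve"] for r in rows
            if r["kev_due"] and date.fromisoformat(r["kev_due"]) < today]


def run_example(today_iso="2024-03-10"):
    """Rank the constructed inventory as of a fixed date (reproducible)."""
    today = date.fromisoformat(today_iso)
    ranked = prioritize(INVENTORY, load_kev(KEV_JSON), today)
    return ranked, kev_overdue(ranked, today)


if __name__ == "__main__":
    ranked, overdue = run_example()
    for r in ranked:
        print(f"T{r['tier']} {r['cve']:15} {r['asset']:17} "
              f"{r['days_unpatched']:3d} days unpatched  KEV due: {r['kev_due']}")
    print("past KEV due date:", overdue)
</br>```

The ordering deliberately puts a KEV entry on an internal build agent above a CVSS 9.1 finding on the public website: the KEV listing is evidence of exploitation in the wild, whereas CVSS is only a severity estimate. Swap the constructed KEV snapshot for the live feed and the inventory for your scanner export, and the same ranking applies.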
Software Supply Chain Attacks
The 2024 DBIR also emphasizes the growing risk of software supply chain attacks: 15% of breaches involved a third party or supply chain interconnection, a 68% increase over the previous year. These attacks exploit vulnerabilities in third-party software to reach an organization’s data indirectly, and they are frequently the entry point for ransomware and extortion. The shift in tactics is that a single vulnerability in a widely used product gives attackers access to a broad range of victims at once.
What You Can Do
The latest DBIR paints a clear picture—the attack surface is laden with external-facing vectors waiting for exploitation. Organizations must proactively manage their attack surfaces to combat threats by employing the strategies below.
Include Vulnerability Root Causes in Attack Surface Discovery
Attack surface discovery is the threefold process of discovering all assets, mapping their connections, and identifying associated vulnerabilities. However, proactive EASM dictates that security teams shouldn’t wait for a Common Vulnerabilities and Exposures (CVE) ID to be published. Instead, they can scan for security weaknesses and misconfigurations known to lead to exploitable vulnerabilities.
For instance, they can use the OWASP Top 10 as a checklist of the most severe web application risk categories to test for, and MITRE’s CWE Top 25, which lists the most common and dangerous software weaknesses, to decide which weakness classes to look for.
By expanding attack surface discovery to include weaknesses and misconfigurations, security teams can take steps to mitigate them before threat actors can find out how they can be exploited.
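As an added example of scanning for weaknesses rather than waiting for CVEs (this is example code, not Attaxion’s scanner), the Python below audits a single HTTP response for common server misconfigurations and information leaks, and tags each with the CWE it maps to. Both responses are constructed for the example; a real check would fetch them with an HTTP client and run the same function over every URL that asset discovery turned up.

```python
import re

# Constructed HTTP responses (not captured from any real host). The first is
# what an external scan might see on a forgotten backup directory; the second
# is the same endpoint after hardening.
EXPOSED = {
    "url": "https://www.example.com/backup/",
    "status": 200,
    "headers": {
        "Server": "Apache/2.4.57",
        "X-Powered-By": "PHP/8.1.2",
        "Content-Type": "text/html",
    },
    "body": "<html><head><title>Index of /backup</title></head><body>...",
}

HARDENED = {
    "url": "https://www.example.com/backup/",
    "status": 403,
    "headers": {
        "Server": "Apache",
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    },
    "body": "<html><head><title>403 Forbidden</title></head><body>...",
}

VERSION_RE = re.compile(r"/\d+(\.\d+)+")          # e.g. "Apache/2.4.57"
DIR_LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def audit_response(resp):
    """Return (check_id, cwe, detail) tuples for each weakness in one response.

    Every check here is a misconfiguration or information leak, not a CVE:
    each is cheap to test from outside and has a CWE before any CVE exists.
    """
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    found = []

    # HTTPS endpoint that never tells browsers to stay on HTTPS.
    if resp["url"].lower().startswith("https://") and \
            "strict-transport-security" not in headers:
        found.append(("missing-hsts", "CWE-319",
                      "HTTPS response without Strict-Transport-Security"))

    # Banner headers that disclose exact software versions.
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        if VERSION_RE.search(value):
            found.append(("version-disclosure", "CWE-200", f"{name}: {value}"))

    # Browser protections that are off unless the server opts in.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        found.append(("missing-nosniff", "CWE-693",
                      "X-Content-Type-Options is not 'nosniff'"))
    if "x-frame-options" not in headers and \
            "frame-ancestors" not in headers.get("content-security-policy", ""):
        found.append(("clickjacking", "CWE-1021",
                      "no X-Frame-Options and no CSP frame-ancestors"))

    # A served directory index: files nobody meant to publish.
    if resp["status"] == 200 and DIR_LISTING_RE.search(resp["body"]):
        found.append(("directory-listing", "CWE-548",
                      f"directory index served at {resp['url']}"))

    return found


if __name__ == "__main__":
    for label, resp in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(f"== {label}: {len(audit_response(resp))} finding(s)")
        for check_id, cwe, detail in audit_response(resp):
            print(f"  {check_id:18} {cwe:9} {detail}")
</br>```

None of these findings would ever get a CVE, which is the point: they are the weakness classes the OWASP Top 10 and CWE Top 25 describe, and an EASM scan can flag them on the day the asset appears rather than months later when someone publishes an exploit against the disclosed version.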
Expand Asset Discovery
A comprehensive asset discovery process is essential to EASM. Security teams need to ensure the procedure accounts for a wide range of technologies, including web applications, mail servers, cloud-based systems, and shadow IT.
In addition, organizations need visibility into the third-party and vendor-supplied software running on their assets, so that vendor patches can be applied as soon as they are released rather than after a scan happens to notice the vulnerable version.
Understand Human Factors in Cybersecurity
The DBIR emphasizes the importance of taking into consideration the human component and how it affects cybersecurity. It highlights the need for better security awareness and training to equip employees with the necessary skills to identify and avoid phishing attacks, social engineering tactics, and cyber threats.
Since many breaches stem from human error, it’s also crucial for security teams to continuously scan for security misconfigurations as part of their attack surface discovery process.
Conclusion
Proactive security dictates constantly seeking out cybersecurity trends and insights. The DBIR serves as a valuable source of information, packed with insights that can help organizations of all sizes sharpen their EASM strategies.
Ready to find exploitable security weaknesses in your digital infrastructure? Kick off your 30-day free trial with Attaxion today.