Verizon's 2022 DBIR: Analysis and insights on today's threat landscape

The threat landscape is becoming more complex, challenging, and dangerous every day. To navigate it safely, you must understand which attacks and attackers are coming your way and how you can best protect your organization from today's biggest threats.

Every year, Verizon publishes its Data Breach Investigation Report (DBIR), where it analyzes security incidents and disclosed breaches and provides our industry's most comprehensive and accurate picture of the threat landscape.

DBIR’s 2022 edition analyzed 23,896 security incidents, which resulted in 5,212 confirmed data breaches. Verizon collected this data in partnership with approximately 80 global contributor organizations (including Atos).

In this blog, we provide an overview of the critical insights, analysis, and takeaways that every organization in every industry needs to know and take action on.

2022 DBIR overview: This year's at-a-glance insights

To start, let's look at some of the report's key trends and findings.

  • Most networks are compromised through one of four paths — credentials theft, phishing, exploiting vulnerabilities, and botnets.
  • Ransomware was involved in 25% of breaches, growing as much in the last year as in the prior five years combined.
  • A single supply chain incident was responsible for 62% of the year's system intrusions.
  • 80% of the bad actors who directly cause breaches are external players and not internal employees; however, breaches caused by internal actors compromised more than 10x as many records.
  • Financial or personal gain remains the primary motive in 96% of incidents and breaches.

The takeaway is simple: ransomware and supply chain attacks are the significant and growing threats they are made out to be, malicious actors cause most incidents, and cybercrime has become a business.
Now, let's look at the primary tools deployed in this growing trade.

What you must defend against: Today's biggest threat patterns

The DBIR describes eight threat patterns that account for most security incidents and data breaches. To protect your organization, these are the primary threat patterns you must defend against.

System intrusion

This is a complex attack pattern in which bad actors deploy malware and other hacking techniques to infiltrate their victim's network. Once inside, they pursue various objectives, including compromising systems and exfiltrating data. Ransomware falls into this attack pattern and has become a component of many intrusions.

There were 7,013 incidents involving system intrusion, resulting in 1,999 confirmed data breaches. Most incidents exploited a backdoor or C2 and/or included ransomware. Within these confirmed data breaches, 42% involved compromised credentials, while 37% involved compromised personal data. The compromise of supply chains and partner ecosystems also contributed to a large percentage of last year's system intrusion activities, primarily due to a single large-scale incident.

Social engineering: the human element

Here, attackers target the psychology of employees, users, or others with access to a network or system. The attacker tricks or convinces their target to either disclose confidential information or to take some other action that will grant the attacker access to the target's network or systems.

Verizon found that the human element was involved in 82% of the breaches in this year's report, a figure that includes direct social engineering attacks. There were 2,249 incidents involving social engineering, resulting in 1,063 confirmed data breaches. Within these confirmed breaches, 63% resulted in compromised credentials, and 32% in the loss of internal data. While phishing was the most common form of social engineering deployed in successful breaches, many other actions were successfully used, including stolen credentials, pretexting, backdoors, C2s, and downloaders.

Basic web application attacks: a relatively simple attack pattern

Bad actors target a web application, compromise it, grab as much data as possible, and then "get out" and abandon the attack.

The report lists 4,751 incidents involving basic web application attacks, resulting in 1,273 confirmed data breaches. Most of these involved compromising personal data (69%) and/or credentials (67%). Nearly all of these incidents occurred through only a few attack vectors — the bad actor either used stolen credentials, exploited a known vulnerability in the web application, or simply performed a brute force attack that gave them access to the application. Once inside, attackers created backdoors, monetized their access, or compromised data within the application.

Denial of service: a classic attack pattern

The attacker compromises the availability of an application, network, or system. This pattern includes attacks on both the network and application layers. Some organizations only experience these attacks from time to time, while others combat them on a regular (and sometimes constant) basis. In fact, 1% of organizations experience 1,000+ such attacks every year.

Denial of service attacks are among the oldest attack patterns, and they remain the most common form of incident. There were 8,456 incidents that involved denial of service attacks. However, only four confirmed business services disruptions involved this attack pattern. This is not surprising, as this attack pattern does not seek to steal data but only seeks to disrupt a business's operations.

Lost and stolen assets

This pattern covers cases where an information asset goes missing. Sometimes these incidents are malicious and involve an actual theft of the asset. More often, they are accidents in which someone loses track of an asset or sensitive data.

There were 885 incidents that involved missing assets, and in most cases, the asset was accidentally lost by a user. Eighty-one data breaches involved missing assets, and in most cases, the asset was stolen by an external malicious actor. The assets themselves vary and can include hardware — like employee desktops, laptops, and mobile phones — or soft assets — primarily documents.

Privilege misuse

This pattern covers cases where the bad actor uses legitimate privileges in an unapproved or outright malicious manner. 100% of these incidents and breaches involve an internal threat actor, while 4% involve collaboration with external actors or other internal employees. In most cases (78% of incidents and breaches), the bad actors steal data for financial gain, but a small minority attempt to intentionally sabotage or spy on their organization. In a small minority of cases (6%), the bad actor misused their privileges as a convenient shortcut for some legitimate purpose.

Most cases of privilege misuse result in data loss: 275 incidents involved privilege misuse, resulting in 216 confirmed data breaches. For several years in a row, we have observed a high success ratio for this type of attack, so organizations that want to be more cyber resilient should consider investing in user and entity behavior analytics (UBA/UEBA) solutions, which allow for better AI-driven detection.

Miscellaneous errors

A wide range of unintentional actions directly compromises an information asset's security. In most cases, these are common and innocent errors, such as someone sending documents to the wrong person or misconfiguring an asset. Most of the time, these errors are performed by employees.

While these errors are almost always innocent, they still result in significant problems. There were 715 incidents that involved miscellaneous errors, and nearly all of them — 708 — resulted in the confirmed loss of data (primarily personal data).

Everything else

This is a grab-bag of actions and errors that don't conform to any other pattern but still cause incidents and breaches. The 2022 DBIR found nothing of much note in this "pattern" but retained it as a home for every other cause analyzed.

Take the next step: defend against these threat patterns and more

We consider Verizon's DBIR a "must-read" every year, and the 2022 edition is no exception.

It provides a wealth of data and granular analysis and accurately answers many of your biggest questions about today's threat landscape.

While this short blog provides an overview of the report, there is no substitute for the entire document. To learn more and dig into the details, access your free copy of Verizon's report.

If you would prefer a tailored, one-on-one consultation on how you can fortify your defenses against these threats, reach out to an Atos security expert or contact us via the Atos website.

By Maciej Zarski, Global Head of CERT

Posted on: June 1st, 2022
About Maciej Zarski
Global Head of CERT
Maciej Zarski is the Global Head of CERT at Atos. He is a cyber security manager, architect, transformer and enabler with over 15 years of experience in various global IT and security roles spanning operations, transitions, design, strategy and continual improvement. Maciej works with DevOps principles at heart. He focuses on creating value for clients: defending organizations under cyber attack and helping clients build robust defenses that are resilient to future threats. At Atos, he is the Global Head of CERT, covering Digital Forensics, Incident Response, Threat Intelligence, Vulnerability Management and Red Teaming.