
Key Takeaways from the 2022 Verizon DBIR (Data Breach Investigations Report)

As malicious actors have advanced technologically and are finding new ways to infiltrate network systems globally, organizations need to respond accordingly by enhancing their knowledge and capabilities. 

The Verizon DBIR (Data Breach Investigations Report) has played a significant role in raising awareness among the workforce about the importance of maintaining cybersecurity hygiene. Below is a summary of the 2022 DBIR that helps organizations understand the essence of the report and equip themselves with better strategies to thwart cyberattacks and safeguard the confidentiality, integrity, and availability of their critical information assets.

Some Important Verizon DBIR 2022 Findings

The Verizon 2022 DBIR is an exhaustive report running more than 100 pages. Its 15th annual edition, DBIR 2022, is the most comprehensive report presented by Verizon since the first one in 2008. It analyzes 5,212 breaches in 2021 spread across eleven industrial sectors distributed in four regions globally. Below is the outline of the critical findings from the report that merit immediate consideration.

  1. Gateways that allow access: The DBIR has pointed out four significant gateways that enable malicious actors to infiltrate network systems and cause data breaches. They are:

    • Credential Theft

    • Phishing

    • Exploiting vulnerabilities

    • Botnets

No organization is safe without formulating a robust plan for handling these four compromising gateways.

  2. Ransomware’s continued growth: Ransomware continues to be a significant threat to organizations worldwide. It showed around a 13% increase last year, equivalent to the previous five years’ combined rise. Thus, it has increased by around 25% over those years combined. However, organizations can block ransomware by taking proper care of the four gateways discussed above, as the threat uses these gateways to access network systems.

  3. Supply chain attacks on the rise: The DBIR hints toward one significant supply chain attack that had an enormous impact. Though the report does not name the attack, it points toward the SolarWinds supply chain attack. As per the report, the supply chain was responsible for 62% of last year’s system intrusions.

  4. The internal element is still involved: The DBIR states that one cannot ignore internal involvement in data breaches. While external players comprise 80% of bad actors, the breaches caused by internal actors have been more significant, with an average breach impacting ten times more than an external one.

  5. The motive behind cyber crimes: The DBIR concludes that financial gain remains the primary motive behind 96% of cyber incidents and data breaches.

In a nutshell, the conclusions are as follows.

  • Ransomware attacks are increasing by the day.

  • Supply chain attacks are evolving into a significant threat.

  • Malicious actors and not human error cause more data breaches.

  • Cybercrime has become a significant money-spinning industry.

Eight Critical Threat Patterns Pointed out by the Report

The report highlights eight threat patterns responsible for almost all security breaches. Organizations must concentrate on these eight patterns while formulating defense strategies.

  1. System Intrusion

System Intrusion is a complex attack pattern where malicious actors infiltrate the victim’s network systems using malware or complex intrusion techniques. Ransomware is the prime example: it compromises systems and disrupts business for financial gain.

The DBIR mentions 7,013 incidents, of which 1,999 resulted in confirmed data breaches. Most commonly, the bad actors used C2 (Command and Control) or backdoor access, and the intrusions frequently involved ransomware. Among the confirmed data breaches, 42% compromised credentials, while 37% compromised personal data. Besides, the report notes increasing supply chain attack incidents.

  2. Social Engineering

Social Engineering attacks comprise the human element involved in cyber incidents. As per the DBIR, about 82% of data breaches involve a human angle. It reports 2,249 social engineering attack incidents resulting in 1,063 confirmed data breaches. Furthermore, 63% of these breaches compromised credentials, whereas 32% resulted in internal data loss. The primary attack modes were phishing and BEC (Business Email Compromise).

  3. Denial of Service

DDoS (Distributed Denial of Service) attacks are among the oldest attack patterns: the attackers flood the network and application layers with traffic at the same time to compromise the application’s availability. The primary objective of a DDoS attack is to disrupt business, not to steal data. The DBIR 2022 lists 8,456 disruptions, including four cases that compromised information assets.

  4. Privilege Misuse

Privilege misuse is a dangerous trend because it compromises the trust element that employers have with their employees. Here, insiders misuse the privileges they were granted and cause data breaches, mostly for financial gain. All of these attacks involve internal actors, with the DBIR reporting 4% involving external collaboration. The DBIR highlights 275 incidents resulting in 216 confirmed data breaches; 78% of such attacks are carried out for financial gain, and the remainder are due to grudges, espionage, and convenience.

  5. Basic Web Application (BWA) Attacks

BWA attacks are similar to hit-and-run cases: the threat actors target a specific web application, compromise it, collect as much data as possible, and abandon the system. The DBIR lists 4,751 such instances culminating in 1,273 data breaches. 69% of these breaches compromised personal information and 67% compromised credentials. Usually, the malicious actors exploit a known vulnerability in the system or use brute force to gain access and compromise the information assets.

  6. Miscellaneous Errors

Miscellaneous errors generally constitute unintentional actions that directly compromise an information asset’s integrity. These could be errors like misconfiguring an asset or unwittingly sending information to the wrong person. Usually, internal employees are involved in such cases. The DBIR lists 715 such incidents, with nearly all resulting in compromised information assets, primarily personal data.

  7. Lost and Stolen Assets

This attack pattern involves losing track of a specific information asset; at times, sensitive data is stolen outright. The DBIR mentions 885 incidents in this category, 85% of them involving internal threat actors. It included 81 data breach incidents, and the lost or stolen assets were mostly documents, desktops, laptops, and mobile phones.

  8. Everything Else

This section covers the incidents that do not fit into the seven patterns described above. Though the DBIR has not listed any incident in this category, it has included it in the report for organizations to introspect.

Final Words

Verizon’s DBIR is a comprehensive report that provides a wealth of information about the different types of threats in today’s cybersecurity landscape. The report highlights how security-related incidents occur and thus helps organizations formulate a comprehensive cybersecurity strategy. As it systematically classifies the various threat factors, organizations can easily verify which security controls they are deficient in and which attack vectors they need to be most cautious about. They can then improve their safeguards to ensure the confidentiality, integrity, and availability of their valuable information assets.


Reference

  1. Verizon. Data Breach Investigations Report (DBIR), 2022. https://www.verizon.com/business/resources/reports/2022/dbir/2022-dbir-data-breach-investigations-report.pdf

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

Ripple20 is a set of 19 vulnerabilities revealed by the Israeli firm JSOF that affect millions of OT and IoT devices. The vulnerabilities reside in a TCP/IP stack developed by Treck, Inc. This TCP/IP stack is widely used by manufacturers in the OT and IoT industries and thus affects a tremendous number of devices.

Among the affected devices are Cisco routers, HP printers, Digi IoT devices, PLCs by Rockwell Automation and many more. Official advisories from companies that have confirmed affected devices can be found here, in the “More Information” section.

The most critical are three vulnerabilities that can yield stable remote code execution (CVE-2020-11896, CVE-2020-11897, CVE-2020-11901) and one that leaks the contents of the target device’s heap memory (CVE-2020-11898).

On behalf of our customers, we set out to explore the real impact of these vulnerabilities, which we’re now sharing with the public.

The research has been conducted by researchers Maayan Fishelov and Dan Haim, and has been managed by SCADAfence’s Co-Founder and CTO, Ofer Shaked.

Exploitability Research
We set out to check the exploitability of these vulnerabilities, starting with CVE-2020-11898 (the heap memory leak vulnerability), one of the 19 published vulnerabilities.

We created a Python PoC script based on JSOF’s official whitepaper for this vulnerability. According to JSOF, the implementation is very similar to that of CVE-2020-11896, the RCE vulnerability described in the whitepaper. The whitepaper also notes about the RCE vulnerability: “Variants of this Issue can be triggered to cause a Denial of Service or a persistent Denial of Service, requiring a hard reset.”

Trial Results:
Test 1 target: Samsung ProXpress printer model SL-M4070FR firmware version V4.00.02.18 MAY-08-2017. This device is vulnerable according to the HP Advisory.

Test 1 result: The printer’s networking crashed and a hard reset was required to recover. We were unable to reproduce the heap memory leak as described; on this specific printer, the vulnerability would instead be classified as an unauthenticated remote DoS.

Test 2 target: HP printer model M130fw. This device is vulnerable according to the HP Advisory.

Test 2 result: Although reported as vulnerable by the manufacturer, we were unable to reproduce the vulnerability, and we believe that this device isn’t affected by it. We believe that is because the IP-in-IP (IPinIP) feature isn’t enabled on this printer, which we verified with a specially crafted packet.

Test 3 target: Undisclosed at this stage due to disclosure guidelines. We will reveal this finding in the near future.

Test 3 result: We found an unreported vendor and device on which we can use CVE-2020-11898 to remotely leak 368 bytes from the device’s heap, disclosing sensitive information. No patch is available for this device. In line with our strict policy of following Google’s responsible disclosure guidelines, we have reported this to the manufacturer to allow them to make a patch available prior to the publication date.

Key Takeaways
We’ve confirmed the exploitability of these vulnerabilities on our IoT lab devices.

On the negative side: The vulnerabilities exist on additional products that are unknown to the public. Attackers are likely to use this information gap to attack networks.

On the positive side: Some devices that are reported as affected by the manufacturers are actually not affected, or are affected by other vulnerabilities. This may require attackers to tailor their exploits to specific products, increasing the cost of exploitation, and may prevent them from using the vulnerability on products that are reported as vulnerable.

SCADAfence Research Recommendations
  • Check your asset inventory and vulnerability assessment solutions for unpatched products affected by Ripple20. The SCADAfence Platform builds an asset inventory with product and software versions, both passively and actively, and lets you manage CVEs across all embedded and Windows devices.

  • Prioritize patching or other mitigation measures based on exposure to the internet, exposure to insecure networks (the business LAN and others), and the criticality of the asset. This prioritization can be obtained automatically from tools such as the SCADAfence Platform.

  • Detect exploitation based on network traffic analysis. The SCADAfence Platform detects use of these exploits by searching network activity for patterns in the TCP/IP communications that indicate the vulnerability is being triggered.
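As an added illustration of the traffic-analysis approach (example code written for this page, not SCADAfence’s detection logic), the heuristic below flags IPv4 packets that carry IP-in-IP encapsulation (IP protocol 4), the feature the trial results above tie to this vulnerability, on a segment where tunnelling is not expected, and additionally flags inner packets that are fragments or whose declared lengths do not fit the bytes received. The sample packets are constructed inline, and the premise that an OT segment does not normally carry IP-in-IP traffic is an assumption of the example.

```python
import struct

IPPROTO_IPIP = 4  # IPv4 payload carried inside IPv4 (IP-in-IP tunnelling)


def parse_ipv4(buf):
    """Parse a raw IPv4 header; return its fields as a dict, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", buf[2:8])
    return {"ihl": ihl, "total_len": total_len, "proto": buf[9],
            "more_fragments": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8}


def inspect_packet(buf, tunnelling_expected=False):
    """Return alert strings for one raw IPv4 packet (link-layer header stripped)."""
    alerts = []
    outer = parse_ipv4(buf)
    if outer is None or outer["proto"] != IPPROTO_IPIP:
        return alerts  # only IP-in-IP traffic is of interest to this heuristic
    if not tunnelling_expected:
        alerts.append("ip-in-ip seen on a segment where tunnelling is not expected")
    inner = parse_ipv4(buf[outer["ihl"]:])
    if inner is None:
        alerts.append("ip-in-ip payload is not a well-formed IPv4 header")
        return alerts
    if inner["more_fragments"] or inner["frag_offset"]:
        alerts.append("ip-in-ip inner packet is a fragment")
    # Generic malformed-packet check: declared lengths must fit the bytes received.
    if outer["total_len"] > len(buf) or inner["total_len"] > len(buf) - outer["ihl"]:
        alerts.append("ip-in-ip declared lengths exceed the bytes received")
    return alerts


def ipv4_header(proto, payload_len, more_fragments=False, frag_offset=0):
    """Constructed 20-byte IPv4 header for the samples (checksum left at zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))


# Constructed samples: plain UDP, an IP-in-IP tunnel, and a tunnelled fragment.
UDP_PAYLOAD = b"\x00" * 8
PLAIN_UDP = ipv4_header(17, len(UDP_PAYLOAD)) + UDP_PAYLOAD
TUNNELLED = ipv4_header(IPPROTO_IPIP, 28) + ipv4_header(17, 8) + UDP_PAYLOAD
TUNNELLED_FRAGMENT = (ipv4_header(IPPROTO_IPIP, 28)
                      + ipv4_header(17, 8, more_fragments=True) + UDP_PAYLOAD)
```

Feed it packets read from a capture (link-layer header removed) and raise the result to your monitoring pipeline; on a segment where IP-in-IP is legitimately used, pass `tunnelling_expected=True` so only fragmented or inconsistent encapsulated packets are reported.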
If you have any questions or concerns about Ripple20, please contact us and we’ll be happy to assist you and share our knowledge with you or with your security experts.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services that are highly acclaimed in the market. Its customers span a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.