Most Common Threats in DBIR

Breaches due to system intrusion have ratcheted up dramatically since 2019, according to Verizon’s "2022 Data Breach Investigations Report." While system intrusion, which includes hacking, malware, and ransomware, was the most common type of data breach in 2021, it didn’t even make the top three in 2019.

The researchers analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. Similar incidents are grouped together into “patterns.”

To clarify, DBIR looks at eight patterns:

The second and third most common types of data breach in 2021 were basic Web application attacks and social engineering. In 2020, social engineering was the most common, followed by Web application attacks and then system intrusion. The top three in 2019 were Web application attacks, social engineering, and miscellaneous errors. System intrusions were the fourth most common pattern observed in Verizon’s dataset, the researchers said.

Where the Threats Are

System intrusions tend to be one of the more complex breaches because they consist of multiple different actions, such as social engineering, malware, and hacking. One reason for the spike for system intrusion may be the fact that supply chain and ransomware attacks increased dramatically this year, the researchers say. The most common actions -- how attackers are carrying out their activities -- for data breaches (grouped under system intrusions) included use of command-and-control servers to execute commands, stolen credentials, malware deploying backdoors, and ransomware. The five most common attack vectors were third-party software, software updates (SolarWinds, anyone?), desktop sharing software, email, and Web applications. 

In contrast, Web application attacks in Verizon's dataset consist of two groups of actions: ways to access the server and the payload itself. Ways to access the server include actions such as stealing credentials, exploiting vulnerabilities, and brute-forcing passwords. While the majority of the attacks focus on the Web application, breaches in this group, attackers also relied on backdoors, remote injection, and accessing desktop sharing software to compromise the server. 

The system intrusions in Verizon's dataset primarily targeted manufacturing (14.4%) and public-sector (13.9%) organizations. For Web applications, manufacturing remained the primary target, at 16.1%, and financial services was the second most popular target, at 15.8%. The list looks different for social engineering, where retail organizations (16.6%) were the most common target, followed by professional (13.8) organizations. 

While most breaches were the result of attacks by external adversaries, 14% of breaches were due to errors such as misconfigured cloud storage and exposed cloud servers. People are fallible – and it’s not just about configuration errors, as the report notes that 82% of breaches involved the human element. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote.