Introduction

In today’s digital landscape, the prevalence of cyber threats and incidents has become a significant concern for individuals, organizations, and governments alike. I have had the opportunity to explore numerous vendor reports in the past months and gain insights into the evolving nature of breaches and incidents. Through my research, I have discovered a multitude of interest findings, highlighting the relentless persistence and sophistication of cybercriminals. Many things are changing and for that I’ve decided to bring you the followings takeaways.

By analyzing these reports, it becomes clear that breaches and incidents are not isolated occurrences but rather an ongoing battle in the realm of cybersecurity. The information gathered highlights the critical need for robust security measures, constant monitoring, and proactive incident response strategies to safeguard digital assets from malicious actors. As we delve further into this blog post, we will explore the specific findings and recommendations outlined in these reports, aiming to provide insights and practical advice to help individuals and organizations navigate the complex cybersecurity landscape.

Actors

The main threat actors involved in data breaches are External to the victim. Less then 20% of actors are internal, which means they are eligible for intentional attack as well as unintentional attack (is. errors, stolen devices, weak credentials)

Threat Actors in Data Breaches

The main reason threat actors are attacking victim is by far “money“. They are Financially motivated in mostly cases which emphasize the importance of being part of a bigger and organized industry (organized crime)

Threat Actor Motivation in Data Breaches

While organized crime is the principal threat actor, “non-nation state or State-affiliated” threat actor is the second most common threat actors. In this category we include Noname*, KillNet and other “war sympathetic groups”.

Actions

To my surprise, as someone who has become accustomed to viewing ransomware as the primary threat actor action, this year has witnessed a gradual but noteworthy shift. Ransomware is no longer at the forefront of attacker actions; instead, it has slipped into the second position. What we are observing predominantly in the current landscape is the prominence of stolen credentials as the principal action undertaken by threat actors.

Top Action performed by actors in data breaches

Traditionally, ransomware has garnered significant attention due to its disruptive and financially driven nature. However, recent trends suggest that threat actors are increasingly focusing on exploiting compromised credentials as their preferred method of attack. This shift can be attributed to several factors, including the rise of sophisticated phishing campaigns, data breaches resulting in massive credential leaks, and the monetization potential of stolen login information.

The implications of this shift are far-reaching and demand heightened attention from both individuals and organizations. Stolen credentials provide threat actors with an entry point to compromise sensitive systems, gain unauthorized access to valuable data, and even facilitate lateral movement within networks. Moreover, the aftermath of such breaches can be catastrophic, leading to financial losses, reputational damage, and legal ramifications.

Another intriguing observation that has emerged is the resurgence of “Exploit Vulnerabilities,” which had been somewhat overlooked until this year. The primary reason for this resurgence can be attributed to the prevalence of various remote code execution vulnerabilities, or more broadly, remote exploitable vulnerabilities. These vulnerabilities have captured significant attention in the cybersecurity landscape, ranging from well-known instances like Log4j (very abused during the 2022) to more recent RCE.

Assets

In the realm of data breaches, it is evident that a significant portion of the compromised assets primarily consists of servers and general IT infrastructure. These critical components form the backbone of organizations’ digital operations and are often targeted by threat actors seeking to gain unauthorized access or exploit vulnerabilities. The compromise of servers and IT infrastructure can have severe consequences, ranging from service disruptions to the potential exposure of sensitive information.

Compromised Assents in Data Breaches

However, following closely in the list of compromised assets are personal information and data pertaining to individuals. This includes a range of personally identifiable information (PII) such as email addresses, names, surnames, phone numbers, addresses, and user logs. The targeting of personal data highlights the value placed on this information by threat actors, who seek to exploit it for various malicious purposes, such as identity theft, phishing attacks, or even selling it on the dark web.

The inclusion of personal information in data breaches raises significant concerns regarding privacy and security. The exposure of such sensitive data not only poses risks to individuals’ personal lives but also has broader implications for organizations responsible for safeguarding this information. The fallout from these breaches can result in financial losses, reputational damage, legal consequences, and erosion of trust among stakeholders.

Attributes

Data breaches encompass a wide range of compromised information, and understanding the nature of the data involved is crucial in comprehending the extent of the breach’s impact. Analysis of various data breach incidents reveals that the principal category of compromised data is related to individuals, constituting approximately 36% of the total. This includes personally identifiable information (PII) such as names, addresses, email addresses, phone numbers, and other personal details that can be exploited for identity theft, fraud, or other malicious activities.

Another significant portion, accounting for around 28% of breached data, comprises credential information. These credentials can encompass usernames, passwords, security tokens, or any other form of authentication data that grants access to various accounts or systems. The compromise of credentials poses a severe threat, as attackers can misuse them to gain unauthorized access to sensitive information or carry out fraudulent activities, potentially causing significant harm to individuals and organizations alike.

Top Confidentiality data varieties in breaches

Furthermore, internal system information constitutes approximately 18% of the data found in data breaches. This category encompasses details regarding assets, networks, servers, and other internal infrastructure components. The compromise of internal system information poses a significant risk to organizations, as it can lead to unauthorized access, system disruptions, data manipulation, or even complete control of critical infrastructure.

Ransomware Transaction Focus

While it is evident that all cyber incidents have a negative impact on the victims, affecting their reputation, operations, and availability, an interesting observation emerges when analyzing data breach incidents. Surprisingly, approximately 93% of data breach incidents do not directly result in financial losses. This implies that the majority of data breaches have non-monetary consequences, such as reputational damage or operational disruptions, rather than immediate financial implications.

However, it is crucial to note that the remaining 7% of data breach incidents do result in financial losses, primarily because the affected organizations admit to paying a ransom. This indicates that a small but significant portion of victims opt to give in to the demands of ransomware attackers, resulting in a financial impact. According to data from the FBI’s Internet Crime Complaint Center (IC3), the average ransom transaction amount was around $10,000 last year. However, in 5% of cases, the average ransom payment significantly surpassed this figure, reaching a staggering $1.2 million.

Median Transaction size for Ransomware based on FBI IC3 compaints

While the average ransom transaction may not appear excessively high, it is important to acknowledge the existence of the upper echelon of payments in the 5% of cases. For those unfortunate enough to fall within this subset, the financial burden becomes far more substantial, exceeding $1.2 million. This highlights the unpredictable nature of ransomware attacks, where the financial implications can vary drastically depending on the specific circumstances and demands.

Therefore, it is crucial for organizations to approach data breaches and ransomware incidents with utmost vigilance, even if the average ransom amount appears relatively moderate. The potential financial consequences of paying a ransom should not be underestimated, especially for those who find themselves in the minority facing exorbitant demands. By implementing robust security measures, maintaining data backups, and adopting proactive incident response strategies, organizations can better protect themselves against the debilitating effects of data breaches and minimize the risk of falling victim to costly ransom demands.

Main Financial Loss Focus

When discussing financial losses resulting from cyber attacks, it becomes evident that social engineering remains one of the most prevalent and influential techniques used by attackers. Social engineering involves manipulating individuals or exploiting their trust to deceive them into performing certain actions, such as making fraudulent payments. Among the various types of social engineering attacks, one of the most significant contributors to financial loss is Pretexting, also known as Business Email Compromise (BEC) fraud, accounting for approximately 35% of reported occurrences.

First Cause of Financial Loss in Social Engineering

Pretexting involves the creation of a false narrative or scenario to deceive individuals into revealing sensitive information or making unauthorized transactions. Attackers often impersonate trusted entities, such as business partners, executives, or vendors, to trick victims into divulging confidential information or transferring funds to fraudulent accounts. This deceptive tactic can result in substantial financial losses for targeted organizations.

Phishing attacks rank second in terms of financial impact, accounting for approximately 28% of reported cases. Phishing involves the use of fraudulent emails, messages, or websites that appear legitimate to trick individuals into revealing personal information, login credentials, or financial details. Once obtained, this information can be exploited for various fraudulent activities, including unauthorized transactions or identity theft.

The usage of stolen credentials follows closely behind, constituting approximately 23% of reported cases. In this scenario, attackers acquire login credentials through various means, such as data breaches or phishing attacks, and then utilize the stolen credentials to gain unauthorized access to systems or accounts. This unauthorized access can lead to financial loss through fraudulent transactions, unauthorized account access, or unauthorized changes to financial data.

Median Transaction size for BEC in years, according to FBI IC3

Contrary to popular perception, ransomware attacks account for only around 10% of cases in which attackers lure victims and subsequently activate ransomware on their machines. Ransomware attacks involve the encryption of victim’s files or systems, holding them hostage until a ransom is paid. While these attacks can be financially devastating, they are relatively less prevalent compared to other social engineering techniques.

Published by marcoramilli

Ethical Hacking, Advanced Targeted Attack Expert and Malware Evasion Expert