Verizon 2024 DBIR: Key Takeaways

Get key data points and takeaways from the 2024 Verizon Data Breach Investigations Report.

The Verizon 2024 Data Breach Investigations Report was published earlier this month and, as always, offers a wealth of data on and insights into the current cyber threat landscape. The report analyzed more than 30,000 security incidents, including about 10,000 confirmed data breaches.  

Stand-out data points this year include the rise of supply chain attacks, the role of human error, the number of breaches through stolen credentials, and the continued attacker focus on web applications.  

Spotlight on Supply Chains 

The report looked at supply chain interconnected influence, which was observed in about 15 percent of the breaches analyzed. This represents growth of 68 percent from the previous year, highlighting the escalating risks within interconnected supply chains.

These attacks target vulnerabilities across the entire software supply chain, including: 

  • Breaches within a business partner's network. 
  • Physical security breaches at a partner's facility. 
  • Hijacking software development processes to push out malicious updates. 
  • Exploiting vulnerabilities in open-source or third-party software.

Legit customers have validated these trends through our interviews and discussions over the last few years. To take advantage of the vulnerabilities created by modern software development environments, sophisticated attackers have expanded their focus beyond front-end applications.  

Expert nation-state attackers and professional cybercriminals know that infiltrating software supply chains and injecting malicious code is a one-to-many type attack that gets them more bang for their buck. The target organization will unknowingly send the code to hundreds or even thousands of customers or internal users downstream. Attacks like these have led to massive global breaches, such as those at 3CX, SolarWinds, Codecov, and CyberLink.  

There’s still a need for strong application security controls inside of applications. However, the more devastating attacks are largely coming through software supply chains.  

The Role of Human Error

Breaches involving errors are growing, accounting for almost a third of incidents in 2023. Errors include misconfigurations, clicking on links, and sending information or unencrypted data outside of the organization. 

This is another data point that resonates with us here at Legit. We frequently see enterprises with misconfigured build servers, which is a common problem that creates significant vulnerabilities. Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren’t treated as critical from a security perspective. In many cases, these systems — like Jenkins, for example — are misconfigured or otherwise vulnerable and unpatched.  

Oftentimes, development tools are over-privileged because they’re easier to integrate if users have full access. In some instances, organizations spin up an open-source development server and then allow admin access to everything. They’re not worried about misconfigurations; they’re focused on application vulnerabilities. But this type of overly permissioned environment is prone to privilege escalation attacks that lead to other risks such as ransomware and data leakage. In fact, this type of misconfiguration was the source of the SolarWinds and the Codecov attacks.

In addition, modern apps require hundreds of secrets to function (API keys, third parties, cloud credentials, etc.). At the same time, developers are pushed to innovate and develop code as fast as possible, frequently leading to shortcuts intended to drive efficiency and speed. One of those shortcuts is using secrets in development to accelerate testing and QA. The problem is that it’s very easy for these secrets to remain exposed. For example, a developer may test a piece of code with a key. When it works, they move it into production without removing that key. They either forget, or the key works and they don’t want to adjust it. Unmanaged secrets and other shortcuts in the SDLC lead to a continuously growing and significant source of risk to the organization. 

Web Applications and Stolen Credentials

Web applications remain the most prevalent attack vector by far. Exploitation of vulnerabilities made a dramatic jump last year as a “way in” – increasing 180 percent – primarily thanks to the MOVEit zero-day vulnerability. Vulnerability and patch management are clearly not able to keep pace with the growing speed of threat actors scanning for and exploiting vulnerabilities.

But credential theft remains the most prevalent attack path, even above and beyond exploits and phishing. 

The report found that external actors predominantly target credentials and personal information in web application attacks: 

  • Use of stolen credentials: 77% 
  • Brute force attacks: 21% 
  • Exploiting vulnerabilities: 14% 

This highlights the critical importance of preventing secrets exposure. Most organizations will point to SAST/SCA/DAST as their primary application security tactics; however, these solutions are primarily identifying known vulnerabilities, not secrets. Having a solid secrets detection and management program is key.  
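To make the secrets-detection point concrete, here is an added example (not Legit's product code or anything from the DBIR) of a pre-merge check that scans only the added lines of a diff for a hardcoded test key of the kind described above. The sample diff, file path, entropy threshold and rule names are constructed for illustration; the AWS value is the example key ID from AWS documentation.

```python
import math
import re

# Constructed sample: a unified diff in which a key used for testing is about to ship.
SAMPLE_DIFF = '''\
--- a/app/payments.py
+++ b/app/payments.py
@@ -1,3 +1,6 @@
 import os
-API_KEY = os.environ["PAYMENTS_API_KEY"]
+API_KEY = "q7Zp2LmX9vRt4KsW8yBn3HdF6jGc1TaE"  # worked in QA
+AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+API_KEY_HEADER = "X-Api-Key"
 def charge(amount):
'''

AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(
    r"(?i)\b[\w.]*(?:key|secret|token|passw(?:or)?d)[\w.]*\s*[:=]\s*[\"']([^\"']{8,})[\"']")

def shannon_entropy(value):
    """Bits per character; random keys score well above ordinary words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_diff(diff_text, min_entropy=3.5):
    """Return (file, line_no, rule) for each added line that looks like a hardcoded secret."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            line_no = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            line_no += 1
            if AWS_KEY_ID_RE.search(line):
                findings.append((path, line_no, "aws-access-key-id"))
                continue
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= min_entropy:
                findings.append((path, line_no, "high-entropy-assignment"))
        elif not line.startswith("-"):
            line_no += 1  # context line advances the new-file line counter
    return findings

if __name__ == "__main__":
    print(scan_diff(SAMPLE_DIFF))
```

The environment-variable lookup and the low-entropy header name pass, while both literal credentials are flagged with the file and line a reviewer needs to block the merge.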

Next Steps

The DBIR emphasizes the need for stricter security standards in software development. It urges organizations to hold their software vendors more accountable for secure coding practices. 

We at Legit would emphasize the need for robust secrets management, and a focus on hardening the entire software factory and all its components, not just the code.  

Read the full Verizon report.

Learn more about how software security needs to evolve to keep up with development practices and attacker tactics. 


Published on
May 13, 2024
