2024年数据泄露调查报告

2024DataBreach

InvestigationsReport

Phishing

Exploitvulnerabilities

Credentials

DesktopsharingEmailVPNWebapplications

Aboutthecover

Thisyear,thereportisdelvingdeeperintothepathwaytobreachesinan

efforttoidentifythemostlikelyActionandvectorgroupingsthatleadto

breachesgiventhecurrentthreat

landscape.Thecrackeddoorwayonthecoverismeanttorepresentthevariouswaysattackerscanmaketheirway

inside.Theopeninginthedoorshowsthepatternofourcombined“ways-in”percentages(seeFigure7foramorestraightforwardrepresentation),anditletsoutabandoflightdisplayingapatternoftheActionvectorquantities.Theinnercoverhighlightsandlabelsthequantitiesinalessabstractway.

Hopeyouenjoyourarthousephase.

2024DBIRTableofcontents4

Tableofcontents

1

Introduction5

Helpfulguidance6

Summaryoffindings7

2

Resultsandanalysis

Resultsandanalysis:Introduction

VERISActors

VERISActions

VERISAssets

VERISAttributes

3

11

15

18

23

25

IncidentClassificationPatterns

IncidentClassificationPatterns:

Introduction28

SystemIntrusion30

SocialEngineering36

BasicWebApplicationAttacks42

MiscellaneousErrors47

DenialofService49

LostandStolenAssets51

PrivilegeMisuse53

4

Industries

Industries:Introduction

56

AccommodationandFoodServices

60

EducationalServices

61

FinancialandInsurance

62

Healthcare

64

Information

66

Manufacturing

67

Professional,Scientificand

TechnicalServices

69

PublicAdministration

70

Retail

5

72

Regions

Regionalanalysis

6

75

Wrap-up

Yearinreview81

7

Appendices

AppendixA:Howtoreadthisreport86

AppendixB:Methodology88

AppendixC:U.S.SecretService92

AppendixD:UsingtheVERIS

CommunityDatabase(VCDB)

toEstimateRisk94

AppendixE:Contributingorganizations96

2024DBIRIntroduction5

Introduction

Greetings!WelcometoVerizon’s2024DataBreachInvestigationsReport(DBIR).

Thisyearmarksthe17theditionofthispublication,andwearethrilledtowelcome

backouroldfriendsandsayhellotonewreaders.Asalways,theaimoftheDBIRistoshinealightonthevariousActortypes,thetacticstheyutilizeandthetargetstheychoose.Thankstoourtalented,generousandcivic-mindedcontributorsfromaroundtheworldwhocontinuetostickwithusandsharetheirdataandinsight,anddeep

appreciationforourveryownVerizonThreatResearchAdvisoryCenter(VTRAC)

team(rockstarsthattheyare).Thesetwogroupsenableustoexamineandanalyzerelevanttrendsincybercrimethatplayoutonaglobalstageacrossorganizationsofallsizesandtypes.

Fromyeartoyear,weseenewandinnovativeattacksaswellasvariationsontried-and-trueattacksthatstillremainsuccessful.Fromtheexploitationofwell-known

andfar-reachingzero-dayvulnerabilities,suchastheonethataffectedMOVEit,tothemuchmoremundanebutstillincrediblyeffectiveRansomwareandDenialof

Service(DoS)attacks,criminalscontinuetodotheirutmosttoprovetheoldadage“crimedoesnotpay”wrong.

Theshiftinglandscapeofcyberthreatscanbeconfusingandoverwhelming.When,inadditiontotheattacktypesmentionedabove,onethrowsinfactorssuchasthe

humanelementand/orpoorlyprotectedpasswords,thingsbecomeevenmore

confused.Onemightbeforgivenforviewingthecurrentstateofcybersecurity

asacolorfulcyberMardiGrasparade.Enterprisefloatsofallshapesandsizes

cruisingpastalargecrowdofthreatactorswhoareshoutingoutgleefully“Throw

mesomecreds!”Ofcourse,humannaturebeingwhatitis,alltoooften,thefolks

onthefloatsdojustthat.And,aswithallsuchparades,whatisleftintheaftermathisn’tnecessarilypretty.Thepastyearhasbeenabusyoneforcybercrime.We

analyzed30,458real-worldsecurityincidents,ofwhich10,626wereconfirmeddatabreaches(arecordhigh!),withvictimsspanning94countries.

Whilethegeneralstructureofthereportremainsthesame,long-timereadersmaynoticeafewchanges.Forexample,the“first-timereader”sectionisnowlocatedinAppendixAratherthanatthebeginningofthereport.ButwedoencouragethosewhoarenewtotheDBIRtogiveitaread-throughbeforedivingintothereport.It

shouldhelpyougetyourbearings.

Last,butcertainlynotleast,weextendamostsincerethanksyetagaintoour

contributors(withoutwhomwecouldnotdothis)andtoourreaders(withoutwhomtherewouldbenopointindoingit).

Sincerely,

TheVerizonDBIRTeam

C.DavidHylender,PhilippeLanglois,AlexPinto,SuzanneWidup

Veryspecialthanksto:

–ChristopherNovakforhiscontinuedsupportandinsight

–DaveKennedyandErikaGiffordfromVTRAC

–KateKutchko,MarziyehKhanoukiandYoniFridmanfromtheVerizonBusinessProductDataScienceTeam

2024DBIRHelpfulguidance6

Helpfulguidance

Aboutthe2024DBIRincidentdataset

Eachyear,theDBIRtimelineforin-scopeincidentsisfromNovember1ofone

calendaryearthroughOctober31ofthenextcalendaryear.Thus,theincidents

describedinthisreporttookplacebetweenNovember1,2022,andOctober31,

2023.The2023caseloadistheprimaryanalyticalfocusofthe2024report,buttheentirerangeofdataisreferencedthroughout,notablyintrendinggraphs.Thetimebetweenthelatterdateandthedateofpublicationforthisreportisspentinacquiringthedatafromourglobalcontributors,anonymizingandaggregatingthatdata,analyzingthedataset,andfinallycreatingthegraphicsandwritingthereport.Thejokes,sadly,donotwritethemselves.

Creditwherecreditisdue

Turnsoutfolksenjoycitingthereport,andweoftengetaskedhowtogoaboutdoingit.

Youarepermittedtoincludestatistics,figuresandotherinformationfromthereport,providedthat(a)youcitethesourceas“Verizon2024DataBreachInvestigations

Report”and(b)thecontentisnotmodifiedinanyway.Exactquotesarepermitted,butparaphrasingrequiresreview.Ifyouwouldliketoprovidepeopleacopyofthereport,weaskthatyouprovidethemalinkto

/dbir

ratherthanthePDF.

Questions?Comments?Concerns?Lovetosharecutepetpictures?

Letusknow!Sendusanoteat

dbir@

,findusonLinkedIn,tweet

@VerizonBusiness

with#dbir.Gotadataquestion?

Tweet

@VZDBIR

!

IfyourorganizationaggregatesincidentorsecuritydataandisinterestedinbecomingacontributortotheannualVerizonDBIR(andwehopeyouare),theprocessisveryeasyandstraightforward.Pleaseemailusat

dbircontributor@

.

2024DBIRSummaryoffindings7

Summaryoffindings

Figure1.Selectways-inenumerationsinnon-Error,non-Misusebreaches(n=6,963)

Figure2.RansomwareandExtortionbreachesovertime

Ourways-inanalysiswitnesseda

substantialgrowthofattacksinvolvingtheexploitationofvulnerabilitiesasthecriticalpathtoinitiateabreachwhen

comparedtopreviousyears.Italmosttripled(180%increase)fromlastyear,whichwillcomeasnosurpriseto

anyonewhohasbeenfollowingthe

effectofMOVEitandsimilarzero-dayvulnerabilities.Theseattackswere

primarilyleveragedbyRansomware

andotherExtortion-relatedthreat

actors.Asonemightimagine,themainvectorforthoseinitialentrypointswasWebapplications.

Roughlyone-thirdofallbreaches

involvedRansomwareorsomeother

Extortiontechnique.PureExtortion

attackshaverisenoverthepastyear

andarenowacomponentof9%of

allbreaches.Theshiftoftraditional

ransomwareactorstowardthesenewertechniquesresultedinabitofadeclineinRansomwareto23%.However,whencombined,giventhattheysharethreatactors,theyrepresentastronggrowthto32%ofbreaches.Ransomwarewasatopthreatacross92%ofindustries.

2024DBIRSummaryoffindings8

Figure3.Selectkeyenumerationsinbreaches

Wehaverevisedourcalculationoftheinvolvementofthehumanelementto

excludemaliciousPrivilegeMisusein

anefforttoprovideaclearermetricofwhatsecurityawarenesscanaffect.Forthisyear’sdataset,thehumanelementwasacomponentof68%ofbreaches,roughlythesameasthepreviousperioddescribedinthe2023DBIR.

Inthisissue,weareintroducingan

expandedconceptofabreachinvolvingathirdpartythatincludespartner

infrastructurebeingaffectedand

directorindirectsoftwaresupplychainissues—includingwhenanorganizationisaffectedbyvulnerabilitiesinthird-

partysoftware.Inshort,thosearebreachesanorganizationcould

potentiallymitigateorpreventbytryingtoselectvendorswithbettersecuritytrackrecords.Weseethisfigureat

15%thisyear,a68%increasefromthepreviousyear,mostlyfueledbytheuseofzero-dayexploitsforRansomwareandExtortionattacks.

OurdatasetsawagrowthofbreachesinvolvingErrors,nowat28%,aswe

broadenedourcontributorbaseto

includeseveralnewmandatorybreachnotificationentities.Thisvalidates

oursuspicionthaterrorsaremoreprevalentthanmediaortraditionalincidentresponse-drivenbiaswouldleadustobelieve.

2024DBIRSummaryoffindings9

15%

10%

Didnotclickclicked

5%

0%

2016201820202022

year

Figure4.Phishingemailreportratebyclickstatus

Figure5.SelectactionvarietiesinFinancialmotiveovertime

TheoverallreportingrateofPhishing

hasbeengrowingoverthepastfew

years.Insecurityawarenessexercise

datacontributedbyourpartnersduring2023,20%ofusersreportedphishinginsimulationengagements,and11%

oftheuserswhoclickedtheemail

alsoreported.Thisiswelcomenews

becauseontheflipside,themedian

timetoclickonamaliciouslinkaftertheemailisopenedis21secondsandthenonlyanother28secondsforthepersoncaughtinthephishingschemetoentertheirdata.Thisleadstoanalarming

finding:Themediantimeforusers

tofallforphishingemailsislessthan60seconds.

Financiallymotivatedthreatactorswilltypicallysticktotheattacktechniquesthatwillgivethemthemostreturn

oninvestment.

Overthepastthreeyears,the

combinationofRansomwareand

otherExtortionbreachesaccountedforalmosttwo-thirds(fluctuating

between59%and66%)ofthose

attacks.AccordingtotheFBI’s

InternetCrimeComplaintCenter

(IC3)ransomwarecomplaintdata,

themedianlossassociatedwiththecombinationofRansomwareand

otherExtortionbreacheshasbeen$46,000,rangingbetween$3(three

dollars)and$1,141,467for95%ofthecases.Wealsofoundfromransomwarenegotiationdatacontributorsthat

themedianratioofinitiallyrequested

ransomandcompanyrevenueis1.34%,butitfluctuatedbetween0.13%and

8.30%for80%ofthecases.

Similarly,overthepasttwoyears,we

haveseenincidentsinvolvingPretexting(themajorityofwhichhadBusiness

EmailCompromise[BEC]asthe

outcome)accountingforone-fourth(rangingbetween24%and25%)of

financiallymotivatedattacks.Inbothyears,themediantransactionamountofaBECwasaround$50,000,alsoaccordingtotheFBIIC3dataset.

2

Results

andanalysis

2024DBIRResultsandanalysis11

Results

andanalysis:Introduction

Hello,friends,andwelcometothe“Resultsandanalysis”section.Thisiswherewecoverthehighlightswefoundinthedatathisyear.Thisdatasetiscollectedfromavarietyofsources,includingourownVTRACinvestigators,reportsprovidedbyourdatacontributorsandpubliclydisclosedsecurityincidents.1

Becausedatacontributorscomeandgo,oneofourprioritiesistomakesure

wecangetbroadrepresentationondifferenttypesofsecurityincidentsandthe

countrieswheretheyoccur.Thisebbandflowofcontributorsobviouslyinfluencesourdataset,andwewilldoourbesttoprovidecontextonthosepotentialbiases

whereapplicable.

Thisyearweonboardedagoodnumberofnewcontributorsandreachedan

excitingmilestoneofmorethan10,000breachesanalyzedinasingleedition.2

Itisanenormousamountofworktoorganizeandanalyze,butitisalsoincrediblygratifyingtobeabletopresenttheseresultstoyou.

Inanattempttobemoreactionable,wewouldliketousethissectiontodiscusssomehigh-levelfindingsthattranscendthefixedstructureoftheVocabulary

forEventRecordingandIncidentSharing(VERIS)4As(Actor,Action,AssetandAttribute)andexpandonsomeofthekeyfindingswehavebeenhighlightingoverthepastfewyears.

Figure6.Selectways-inenumerationsinnon-Error,non-Misusebreachesovertime

Waysinto

yoursensitivedata’sheart

Oneoftheactionableperspectives

wehavecreatedhasbeentheways-

inanalysis,inwhichwetrytomake

senseoftheinitialstepsintobreachestohelppredicthowtobestavoidor

preventthem.Westillhaveplenty

ofunknownActionsandvectors

dispersedthroughoutthedatasetas

investigationprocessesanddisclosurepatternswidelydifferacrossourdatacontributors,3butthisviewofwhatweknowforsurehasremainedstableandrepresentativeovertheyears.

Figure6paintsaclearpictureofwhathasbeenthebiggestpainpointfor

everyonethisyear.This180%increaseintheexploitationofvulnerabilities

asthecriticalpathactiontoinitiatea

breachwillbeofnosurprisetoanyonewhohasbeenfollowingtheMOVEit

vulnerabilityandotherzero-dayexploitsthatwereleveragedbyRansomware

andExtortion-relatedthreatactors.

Thiswasthesortofresultwewere

expectinginthe2023DBIRwhen

weanalyzedtheimpactoftheLog4j

vulnerabilities.Thatanticipatedworst

casescenariodiscussedinthelast

reportmaterializedthisyearwiththis

lesserknown—butwidelydeployed—

product.WewillbedivingintoadditionaldetailsofMOVEitandvulnerability

exploitationinthe“Action”and“SystemIntrusion”patternsections.

1HaveyoucheckedouttheVERISCommunityDatabase(VCDB)yet?Youshould,it’sawesome!(

/vcdb.html

)

2Wealsopassedourcumulative1millionincidentmilestoneasweforecastinthe2023DBIR,butweareonlymentioningthishereinthefootnotetonotaggravatethereport;itwasvery

disappointedthat1millionisnotenoughtoretireoninthiseconomy.

3We’renotthrowingshade—differenttypesofcontributingorganizationsfocusonwhatismostrelevantforthem,aswelltheyshould.

2024DBIRResultsandanalysis12

Todigfurtherintothisconceptofthewaysin,wearepresentinganewsliceofthedata,whereweareoverlayingthosedifferenttypesofActionswiththeirmostpopularvectorstohelp

focusresponseandplanningefforts.YoucantakeapeekatthoseresultsinFigure7.

Phishingattacksmostlyhavingan

Emailvectorisratherself-explanatory,4sowewouldliketofocusonthe

concentrationoftheWebapplication

vectorprevalenceforbothcredentialsandexploitvulnerability.ThepresenceofCredentialsinthegraphicshould

notbesurprisingasitcarriesalarge

shareoftheguiltforourBasicWeb

ApplicationAttackspattern(i.e.,gettingunauthorizedaccesstocloud-based

emailandcollaborationaccounts).

Butrecencybiasmightmakefolks

doubttheprevalenceofexploitationofvulnerabilities.Becausethisreportisbeingwritteninthebeginningof2024,thefocushasbeenonzero-day(or

near-zero-day)vulnerabilitiesinvirtualprivatenetwork(VPN)software.5

Naturally,theshareofVPNvectorintheexploitvulnvarietywilllikelyincrease

forour2025reporttoreflectthose

trends,butthebottomlineisagainself-evidentandself-explanatory.Anythingthataddstoyourattacksurfaceontheinternetcanbetargetedandpotentiallybethefirstfootholdforanexternal

threatactor,andassuch,thefocusshouldbetotrytokeepfootholdstoaminimum.

NomatterhowyoufeelaboutyourVPNsoftwarerightnow,havingasmany

ofyourwebapplicationsaspossiblebehinditmightbeabetterstrategy

thanhavingtoworryaboutemergencyovernightpatchingofthesoftware—

andalltheotherdependencies

thatpowerthewebapplications

themselves.Thiswillnotcompletelymitigatetheriskandwillnotbethe

Figure7.Selectways-invarietyandvectorenumerationsinnon-Error,non-Misusebreaches(n=2,770)

rightfitforallorganizations,butintheworst-casescenario,theCybersecurityInfrastructureandSecurityAgency

(CISA)mighthaveyouripoutonlyonetoolfromyournetworkasopposed

toseveral.

Anyway,allthisnuancedoesnotaffectouropinionofhavingdesktopsharingsoftwaredirectlyconnectedtothe

internet.Gofixthatpronto,please.

Weareonly

humanafterall.

Oneothercombinedmetricwe

havebeentrackingforafewyears

isrelatedtothehumanelementin

breaches.Thereisalotoffocuson

howfullyautomatedattackscanruinanorganization’sday,6butitisoften

surprisinghowmuchthepeopleinsidethecompanycanhaveapositiveeffectonsecurityoutcomes.

Thisyear,wehavetweakedourhumanelementmetricabitsoitsimpactandactionopportunitiesareclearer.You

see,whenDBIRauthors(andthewholeindustryingeneral)woulddiscuss

thismetric,itwouldbealongsidean

opportunitygapforsecuritytraining

andawareness.Itisnotperfect,butifyouhadaclearinvestmentpaththat

couldpotentiallyimprovetheoutcomesofmorethantwo-thirdsofpotential

breaches,youmightatleastsitdownandlisten.

Itturnsoutthatouroriginalformula

forwhatwasincludedinthehuman

elementmetricbuiltinPrivilege

Misusepatternbreaches,which

arethecasesinvolvingmalicious

insiders.Havingthosemixedwith

honestmistakesbyemployeesdid

notmakesenseifouraimwasto

suggestthatthosecouldbemitigatedbysecurityawarenesstraining.7

4AndanincredibleLforthe*ishingportmanteauenthusiasts

5Unlessbynowwehavesuccessfullyrippedthemoutofournetworksentirelyandarebacktooursmokesignalsandcarrierpigeonways.

6Weourselveswerejusttalkingaboutthegrowthofexploitationofvulnerabilitiesasapathwayintobreaches.

7Wedreadtothinkwhat“awarenesstraining”formaliciousinsiderswouldlooklike.

2024DBIRResultsandanalysis13

Figure8showcasesthenewhumanelementovertime(withmalicious

insidersremoved)toprovideabetterframeofreferenceforourreaders

goingforward.Itispresentinmore

thantwo-thirdsofbreachesas

foreshadowedtwoparagraphsago,

morepreciselyin68%ofbreaches.

Itisstatisticallysimilartoourfindingslastyear,whichmeansthatina

certainway,theincreaseswehad

acrosstheboardintheMiscellaneousErrorspattern(human-centric)and

asaresultoftheMOVEitvulnerability(automated)weresimilarinscope

asfarasthismetricisconcerned.

Fansofthe“originalflavor”human

elementarenotmissingmuchbecausetheinclusionoftheMisuseaction

wouldhavebroughtthepercentage

to76%,statisticallyonlyslightlymorethanthepreviousreport’s74%.Still,

weprefertheclearerdefinitiongoingforward,andwewillleavetheanalysisofthosebothersomeinsidersandtheirmisdeedstothe“PrivilegeMisuse”

patternsection.

Theweakestlinksinthe

chainofinter-connection

Finally,aswereviewthebigpictureofhowthethreatlandscapechangedthisyear,8wewouldliketointroduceanewmetricthatwewillbetrackinggoing

forward.Asthegrowthofexploitationofvulnerabilitiesandsoftwaresupplychainattacksmakethemmore

commonplaceinsecurityriskregisterdiscussions,wewouldliketosuggestanewthird-partymetricwherewe

embracethebroadestpossible

interpretationoftheterm.9HaveapeekatFigure9,wherewecalculateda

supplychaininterconnectioninfluencein15%ofthebreacheswesaw,a

significantgrowthfrom9%lastyear.A68%year-over-yeargrowthisreallysolid,butwhatdowemeanbythis?

Forabreachtobeapartofthesupplychaininterconnectionmetric,itwill

havetakenplacebecauseeitherabusinesspartnerwasthevectorofentryforthebreach(likethenow

fabledheating,ventilatingandair-conditioning[HVAC]companyentrypointinthe2013Targetbreach)orifthedatacompromisehappened

Figure8.Humanelementenumerationinbreachesovertime

Figure9.Supplychaininterconnectioninbreachesovertime

8Numberoftimestheword“MOVEit”ismentionedinthisreport:25

9Inasurprisingrolereversal,asweareoftenverypedanticinourdefinitions

2024DBIRResultsandanalysis14

inathird-partydataprocessoror

custodiansite(fairlycommonintheMOVEitcases,forinstance).Less

frequentlyfoundinourdataset,butalsoincluded,arephysicalbreachesinapartnercompanyfacilityorevenpartnervehicleshijackedtogain

entrytoanorganization’sfacilities.10

Sofar,thisseemslikeaprettystandard

third-partybreachrecipe,butwearealsoaddingcases,suchasSolarWindsand3CX,inwhichtheirsoftware

developmentprocesseswerehijackedandmalicioussoftwareupdates

werepushedtotheircustomersto

bepotentiallyleveragedinasecondstepescalationbythethreatactors.Thosebreachesareultimatelycausedbytheinitialincidentinthesoftwaredevelopmentpartner,andsoweareaddingthosetothistab.

Nowforthecontroversialpart:

Exploitationofvulnerabilitiesiscountedinthismetricaswell.Asmuchaswe

canarguethatthesoftwaredevelopersarealsovictimswhenvulnerabilities

aredisclosedintheirsoftware(and

sure,theyare),theincentivesmight

notbealignedproperlyforthose

developerstohandlethisseemingly

interminabletask.Thesequalitycontrolfailurescandisproportionatelyaffect

thecustomerswhousethissoftware.Wecanclearlyseewhatpowerful

andwide-reachingeffectsahandful

ofzero-dayormismanagedpatching

rolloutshadonthegeneralthreat

landscape.Westoppedshortofadding

exploitationofmisconfigurationsininstalledsoftwarebecause,

althoughthosecouldbearesultofinsecuredefaults,systemadminscangetquitecreativesometimes.

Figure10showsthebreakdown

ofVERISactionsinthesupply

chainmetricand,asexpected,

itisdrivenbyExploitvuln,which

ushersRansomwareandExtortionattacksintoorganizations.

Thismetricultimatelyrepresentsa

failureofcommunityresilienceand

recognitionofhoworganizations

dependoneachother.Everytime

achoiceismadeonapartner(or

softwareprovider)byyourorganizationanditfailsyou,thismetricgoesup.

Werecommendthatorganizations

startlookingatwaysofmaking

betterchoicessoastonotreward

theweakestlinksinthechain.Ina

timewheredisclosureofbreachesisbecomingmandatory,wemightfinallyhavethetoolsandinformationtohelpmeasurethesecurityeffectivenessofourprospectivepartners.

Wewillkeepaclosewatchonthis

oneandseektoimproveitsdefinitionovertime.Wewelcomefeedback

andsuggestionsofalternative

angles,andwebelievetheonly

waythroughitistofindwaysto

holdrepeatoffendersaccountableandrewardresilientsoftwareandserviceswithourbusiness.

Figure10.Actionvarietiesinselectedsupplychaininterconnectionbreaches(n=1,075)

10Weshouldstopwatchingthose“Mission:Impossible”moviesduringDBIRwritingseason.

2024DBIRResultsandanalysis