The Role of Cloud Misconfigurations & the Attack Surface in the 2022 Verizon DBIR

Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version. This year's 15th installment of the Verizon Data Breach Investigations Report (DBIR) features yet another impressive dataset of corporate breaches and exposures marked by an overriding postulate: attack surfaces matter and they should dictate a large portion of your risk assessment strategy. First launched in 2008, the DBIR's 2022 version has been significantly expanded, from a modest amount of 500 cases, to include 5212 breaches and 23896 incidents examined through the lens of the VERIS 4A's (Actor, Action, Asset, and Attribute) framework. Its timeline section looks at comprehensive aspects such as discovery time, any attacker actions taken pre, and post-breach, and the number of actions per breach. Additionally, there is a pattern-matching initiative to help organizations navigate through some of the most concerning incidents while providing a handful of preliminary security controls. Industry verticals included in this 2022 report include Accommodation and Food Services (72), Arts, Entertainment and Recreation (71), Educational Services (61), Financial and Insurance (52), Healthcare (62), Information (51), Manufacturing (31 to 33), Mining, Quarrying, and Oil & Gas Extraction + Utilities (21 + 22), Professional, Scientific and Technical Services (54), Public Administration (92), Retail (44-45), and Very Small Businesses (10 employees or less). The report highlights threats from different regions of the world such as Asia Pacific, Europe, Middle East, Africa, Northern America, Latin America, and the Caribbean, with SecurityTrails playing the role of intelligence contributor as in the recent past. Summary of key findings Through a series of carefully-selected and correlated investigative scenarios, a collective effort that the DBIR refers to as "creative exploration", albeit without bias, the report's findings continue to highlight several areas of interest from where cybercrime continues to drive profit. For example, identity theft and fraud motivate an important sector of transnational cybercrime, with some of the most explicit cases centered on the use of ransomware, no surprise there. However, a bustling amount of incidents, where default or stolen credentials are being leveraged, extended the attack paths with relative ease, opportunistic or not, the problem showed evidence of being compounded by a growing lack of adequate visibility into publicly-facing assets and (any) corresponding vulnerabilities. At the tail end of the distribution, the vulnerability-to-breach ratios remained particularly significant. To put it in the DBIR's own parlance, this is where attackers are looking (it's a numbers game!); a sustainable environment with enough incentives as miscreants come hard on the heels of struggling security teams. Important, too, are the enticing circumstances applicable to different industries. In other words, and perhaps not surprisingly, attacks based on a specific business model are likely to be more successful in the long run. An observed convergence between the human element and system misconfigurations remained just above the 5th percentile (a decrease from 2020), but it drove an estimated 13% of overall system breaches, with misconfigured cloud storage instances leading the trend. How Attack Surface Intelligence helps prevent DBIR’s most popular threats As we can see from the key findings from the 2022 DBIR, lack of visibility into public-facing assets is one of the most prominent problems inhibiting security teams from preventing threats to their organizations. Since we introduced Risk Rules, our main goal was to help security teams find an easy way to generate a complete and dynamic inventory of all their digital assets, as well as identify CVEs and critical misconfigurations over all their hosts. And when it comes to asset discovery, as you see from the following screenshot, A-S-I is particula...