Verizon DBIR Shines a Light on Identity Compromises

Posted: 14th September 2022
By: Ellen Wilson

Verizon recently released its 15th annual Data Breach Investigations Report (DBIR). 2022 has already been a major year for cyber attacks, and the headlines have reflected that, with well-publicized attacks on cloud systems and the supply chain making news around the world. Threat actors continue to expand their attack surface, their ability to breach organizations has increased, and the volume of attacks has grown. But the difficulty goes beyond that. Attacks have also become more sophisticated, and advanced evasive tactics make them more challenging to detect.

As discussed in a recent live webinar – with the Verizon DBIR lead engineer and co-author Philippe Langlois and Recorded Future Threat Intelligence expert Dylan Davis – threat actors continue to find new ways to capture credentials and sell them on the dark web to the highest bidder. Now more than ever, organizations need greater visibility into threat actor tactics for credential harvesting to proactively protect themselves.

Centering on Compromised Credentials

One of the biggest trends in the report is the significance of compromised credentials. More breaches involve the use of credentials than any other entry method – with credentials being the way in for around half of all attacks this year. This statistic marks a trend toward more dynamic action varieties in breaches, with phishing and ransomware also in the top five.

Credentials take the spotlight in other parts of the report as well. The DBIR shows that the top type of asset impacted in breaches this year is servers, followed by people and their personal devices. Combined web application and mail servers make up 84% of affected devices, which is not surprising considering they’re the most likely to have internet access. This makes them a good access point for attackers trying to get past perimeter defenses using – you guessed it – stolen credentials.

The DBIR shows four key paths of entry into your estate: credentials, phishing, exploiting vulnerabilities, and botnets. Credentials have the largest share by a good margin, with around half the breaches. Looking at the top action varieties in basic web application attack breaches demonstrates the importance of proper password protection, since 80% of these breaches are attributed to stolen credentials. Furthermore, the DBIR shows a 30% increase in the use of stolen credentials since 2017.

What You Can Do

None of this is surprising.

Right now, with the growth of remote work and digital interactions across multiple channels, organizations are working with countless devices interconnected without any clear perimeters. To manage this, cybersecurity professionals focus on verifying and authenticating users. This makes stolen corporate data like user credentials an especially valuable way to gain access and establish a foothold in networks. The more cybercriminals need user credentials, the bigger the stolen credentials business grows on the dark web.

So, how do you keep your credentials from being part of the nearly 50% of cyber attacks that leverage compromised user credentials?

You need to be able to detect exposed credentials in real time so that you can take action before any harm comes to your organization. The Recorded Future Identity Intelligence module can help with that. The Identity Intelligence module offers the ability to query Recorded Future for single or bulk sets of compromised identities. The resulting insights provide critical details, such as password length, complexity, and whether the password was clear text or hashed.

Unfortunately, compromised data – including leaked and stolen credentials – is often not discovered until it is actively in use to attack your organization. To resolve this issue, you need to be able to monitor for mentions of your credentials across the broadest set of sources, from the open web to the dark web – and you need it in real time.

The Recorded Future Identity Intelligence module can help. It provides greater visibility into data leaks and credential harvesting across hacker, criminal, and invitation-only sites – providing you with the broad scope of information you need. It also offers real-time collection and analysis of identity data so you can prevent threats before they can harm your organization. Getting this information quickly will let your IT or security team move faster and be better able to prevent future threats.

The Verizon Data Breach Investigations Report for 2022 showed us that user credentials are at the heart of a lot of this year’s threats. But Identity Intelligence can help you detect, investigate, and resolve compromised credentials – and keep your organization from being part of next year’s breach investigation.

For a deep dive into the prevalence of leaked credentials, monetization practices on the dark web, and the impact of compromises on organizations large and small, watch the on-demand webinar with the Verizon DBIR team: Shining a Light on Identity Compromises.