Verizon's Chris Novak: Overcoming security breaches is 'survival of the fastest'

Public and private organizations are struggling to remediate security threats fast enough once those vulnerabilities are made known, says Verizon's Chris Novak.

Kelsey Ziser, Senior Editor

May 21, 2024

[Image: Security breach, system hacked alert with red broken padlock icon (Source: NicoElNino/Alamy Stock Photo)]

The exploitation of vulnerabilities as a way for bad actors to initiate security breaches has nearly tripled, according to Verizon's 17th annual Data Breach Investigations Report (DBIR).

"The exploitation of vulnerabilities as a kind of an initial access vector grew dramatically. That grew by over 180%, year-on-year," Chris Novak, senior director of Cybersecurity Consulting for Verizon Business, told Light Reading. "A lot of that was being driven by exploitation of things like zero-day vulnerabilities."

Vulnerability exploitation also accounts for 14% of all breaches, and it has increased by 180% from the previous period analyzed in the 2023 DBIR. The most recent report analyzed security incidents that took place between November 1, 2022, and October 31, 2023. About 90 organizations provide Verizon with data utilized in the DBIR.

Hackers are moving faster

"It's no longer survival of the fittest; it's survival of the fastest," Novak said. "If you look at the amount of time it typically takes an organization to remediate critical vulnerabilities with patches after they're available, it typically takes about 55 days to remediate about 50% of the critical vulnerabilities."

Verizon identified the average time it takes organizations to address vulnerabilities by analyzing the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.


Organizations typically aren't able to match the speed required to address vulnerabilities once those vulnerabilities are public knowledge, said Novak. On the other hand, bad actors are "able to move on those zero-day [attacks] and move very quickly" after vulnerabilities are announced, he added. While bad actors take about five days to start scanning for targets, it takes organizations about two months to patch the vulnerabilities.
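The remediation figures above (time for an estate to patch half of its critical exposures, measured against the date a vulnerability entered the CISA KEV catalog) are the kind of metric a vulnerability management team can compute for itself. The following is an added example, not code from Verizon, the DBIR or Light Reading. It assumes a KEV-shaped JSON excerpt (the real KEV feed uses the fields cveID, dateAdded and dueDate) and a constructed list of per-asset patch records; the CVE IDs, asset names and dates are placeholders.

```python
"""Measure how fast an estate patches entries listed in the CISA KEV catalog.

Added example; not code from the DBIR or Verizon. Assumes KEV-style JSON
(field names follow the public KEV feed) and constructed patch records.
"""
import json
from datetime import date

# Constructed KEV-style excerpt. CVE IDs are placeholders, not real entries.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2023-03-01", "dueDate": "2023-03-22"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2023-03-10", "dueDate": "2023-03-31"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2023-04-05", "dueDate": "2023-04-26"},
    ]
})

# Constructed patch records: (cveID, asset, ISO date patched, or None if still exposed).
PATCH_RECORDS = [
    ("CVE-0000-0001", "web-01", "2023-03-06"),
    ("CVE-0000-0001", "web-02", "2023-04-20"),
    ("CVE-0000-0002", "vpn-01", "2023-03-15"),
    ("CVE-0000-0002", "vpn-02", None),
    ("CVE-0000-0003", "db-01", "2023-06-04"),
    ("CVE-0000-0003", "db-02", None),
]


def load_kev(raw_json):
    """Map cveID -> (dateAdded, dueDate) from a KEV-shaped JSON document."""
    entries = json.loads(raw_json)["vulnerabilities"]
    return {
        v["cveID"]: (date.fromisoformat(v["dateAdded"]), date.fromisoformat(v["dueDate"]))
        for v in entries
    }


def remediation_days(kev, records):
    """Days from KEV listing to patch for each (cve, asset); None if still unpatched."""
    out = []
    for cve, asset, patched in records:
        added, _due = kev[cve]
        days = (date.fromisoformat(patched) - added).days if patched else None
        out.append((cve, asset, days))
    return out


def fraction_remediated_within(kev, records, days):
    """Share of exposed (cve, asset) pairs patched within `days` of KEV listing."""
    rows = remediation_days(kev, records)
    done = sum(1 for _, _, d in rows if d is not None and d <= days)
    return done / len(rows)


def days_to_remediate_fraction(kev, records, target=0.5):
    """Smallest day count at which at least `target` of exposures are patched, else None.

    This is the quantity the article quotes as '55 days to remediate about 50%'
    for the DBIR population; here it is computed over the constructed records.
    """
    finite = sorted({d for _, _, d in remediation_days(kev, records) if d is not None})
    for d in finite:
        if fraction_remediated_within(kev, records, d) >= target:
            return d
    return None


def overdue(kev, records, as_of_iso):
    """Unpatched (cve, asset) pairs whose KEV due date has passed as of `as_of_iso`."""
    as_of = date.fromisoformat(as_of_iso)
    return [
        (cve, asset)
        for cve, asset, patched in records
        if patched is None and kev[cve][1] < as_of
    ]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    print("days to patch 50% of exposures:", days_to_remediate_fraction(kev, PATCH_RECORDS))
    print("overdue as of 2023-06-30:", overdue(kev, PATCH_RECORDS, "2023-06-30"))
```

Run against a real export of the KEV feed and the organization's own patch records, the first number is the estate's equivalent of the 55-day figure, and the `overdue` list is the set of exposures that have outlived the KEV due date and should be prioritized while attackers are already scanning.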

One of the largest vulnerability exploitations in 2023 was the MOVEit software breach, which had the biggest impact on the education and finance industries. MOVEit is file transfer software; the hacker group CL0P gained access to it in May 2023, Experian reported. CL0P used malware to steal personal data and sent ransom notes to executives.

"Reports from CISA state that the CL0P ransomware team had compromised more than 8,000 global organizations from a handful of zero-day vulnerabilities being exploited," according to the 2024 DBIR.

Ransomware declines

The report found that extortion techniques, such as ransomware, represented 32% of all breaches. The majority of breaches (68%) involve a non-malicious human element, which can occur when an individual makes an error or is a victim of a social engineering attack.


While additional cybersecurity training would be helpful to reduce the instances of human error, there is a culture shift taking place that is helping employees feel more comfortable with self-reporting, said Novak. In simulations, 20% of users identified and reported phishing, and 11% of participants who clicked the email also reported it.

[Figure: Ransomware and extortion breaches over time. (Source: Verizon 2024 DBIR)]

Under the umbrella of extortion techniques, ransomware is actually declining.

"What we started to see for the first time is a decline in pure ransomware where [bad actors] lock up your systems or data and look for a ransom payment to unlock the system, and not publish the data," said Novak.

Now, bad actors are threatening to hit organizations with acts such as distributed denial of service (DDoS) attacks, and if targets don't pay up, the criminals will take down the company's systems for a period of time, explained Novak. Hackers will demonstrate their ability to take down the organization's system and then threaten to do it again at an inopportune time such as during a product release or an end-user conference.

Among other techniques used by cybercriminals, pure extortion is on the rise and now accounts for 9% of all breaches. In pure extortion attacks, bad actors specifically target executives and threaten to release information about their habits, family, etc., unless they send payment.

"The data continues to hold true from what we've seen in the past that the large majority of attacks are financially motivated," said Novak. "They're just going to keep looking for other ways to get under a victim's skin in order to extract money."

Pretexting and stolen credentials

Over the past two years, nearly 25% of financially motivated attacks involved pretexting, according to Verizon's DBIR. Pretexting is a social engineering attack in which bad actors lure their targets by creating a false identity, such as a relative requesting money to handle an emergency.

And during the past decade, about one-third of breaches involved the use of stolen credentials. The theft of credentials can pose a lasting challenge because some individuals who know their credentials were stolen don't change their passwords, said Novak. In addition, many smaller organizations still aren't using two-factor authentication, he said.

Third-party breaches were up 68% in the 2024 DBIR. In the previous year's report, 15% of breaches involved a third party, which includes data custodians, third-party software vulnerabilities and supply chain issues.

Verizon's DBIR authors reviewed 30,458 security incidents and 10,626 confirmed breaches to compile the 2024 report.

About the Author(s)

Kelsey Ziser

Senior Editor, Light Reading

Kelsey is a senior editor at Light Reading, co-host of the Light Reading podcast, and host of the "What's the story?" podcast.

Her interest in the telecom world started with a PR position at Connect2 Communications, which led to a communications role at the FREEDM Systems Center, a smart grid research lab at N.C. State University. There, she orchestrated their webinar program across college campuses and covered research projects such as the center's smart solid-state transformer.

Kelsey enjoys reading four (or 12) books at once, watching movies about space travel, crafting and (hoarding) houseplants.

Kelsey is based in Raleigh, N.C.
