The 2024 edition of the Verizon Data Breach Investigations Report (DBIR) has finally been released! The team did their usual bang-up job pulling key knowledge threads from the massive volume of data submitted by their ever-increasing number of contributors (of which GreyNoise is one!). Our researchers have pored over this tome to identify critical themes that should be of great import to GreyNoise customers and community.
The Year Of The Vuln
Identifying when attackers attempt to exploit vulnerabilities on internet-facing endpoints is at the heart of what we do at GreyNoise. So, it comes as no surprise that the DBIR team “witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years.” The 180% increase was felt — almost daily — by all who keep track of headlines in the cybersecurity press. Our GreyNoise sensor fleet caught an extra 200K unique IPv4 addresses slinging malicious tagged activity our way (4.2 million malicious IPv4s in 2022 vs. 4.4 million in 2023), and the volume from those adversarial sources went from just over 10 million malicious tagged events to 13+ million.
One thing we did not expect was vulnerability exploitation chipping away at the volume of both credential-based attacks and phishing as the critical path action to initiate a breach, as seen in Figure 6 from the report:
Historically, phishing has been one of the most successful attack paths for our adversaries, and the volume of lost and stolen credentials is stunningly huge. However, organizations have been steadily investing in more advanced phishing protection (including awareness training), and credential blasts are both noisy and increasingly thwarted as organizations rely more heavily on the elevated protections provided by identity and authentication providers like Okta.
Conversely, using internet infrastructure to find and exploit vulnerable, exposed services can be a risk-free activity for attackers, and there is an almost endless supply of both new vulnerabilities and unpatched hosts. GreyNoise excels at identifying this activity, and we provide the timeliest and most comprehensive information on those attack types and sources, bar none.
It was also a bit distressing, but not surprising (given Figure 6), to see that vulnerability exploitation was at the heart of third-party-related breaches.
You Don’t Have Time To Patch
Every defender should print out page 21 of the 2024 DBIR and tape it to their wall (or cubicle, if you’re in the 50% of IT folks still commuting to offices).
Most cybersecurity folks are not familiar with the “survival analysis” shown in Figure 19. It’s just a fancy way of estimating the time until some event occurs. This analysis focuses on vulnerability remediation data (i.e., “patching”), with an emphasis on how long it takes organizations to patch vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
GreyNoise researchers are huge fans of CISA KEV. We even benchmark ourselves against it! We meet or beat CISA over 62% of the time when it comes to having a tag ready for defenders to use. How do our customers use these tags? Well, the primary way is to block activity from IP addresses associated with these tags. While this may not prevent pinpoint targeted attacks, it absolutely buys them time to keep safe from opportunistic attacks, and helps them identify those targeted attacks much faster, and with greater precision.
Our own data clearly shows that once a proof-of-concept (PoC) is available, attackers waste zero time going after vulnerable systems. And, there is increasingly little daylight between when a CVE is published and when a PoC becomes available.
Seeing that 85% of CISA KEV entries remain unpatched after 30 days clearly shows that most organizations have no time to patch. This means protecting these assets from harm during that 30-day exposure is paramount.
Closing The Door On Attackers
The DBIR team used the “open door” metaphor for how attackers made their way into organizations in 2023. At GreyNoise, we’re highly focused on helping organizations safeguard every single entry point in their internet-facing infrastructure, while also laying out some of our own trapdoors to help confuse and ensnare them.
With GreyNoise, organizations can gain an edge over their adversaries, using our advanced sensors to identify targeted attacks quicker than ever before. Combined with the proven, battle-tested intelligence in our existing Noise dataset, defenders now have the tools to both make it extremely difficult for attackers to be successful, and slow them down long enough to finish asset remediation efforts. Join us as we work to chip away at the million-incident record the DBIR set this year, and turn the tide against our combined foes! You can get started with our data here, or connect with our team to talk about advanced features.