According to IBM X-Force’s latest Threat Intelligence Index, 30% of all cyber incidents in 2023 involved abuse of valid credentials. X-Force’s report stated that abuse of valid credentials exceeded phishing as a top threat for the first time.
I love IBM, but they are mixing up root causes and outcomes of root causes. What I mean is that you have to ask yourself how the credentials were stolen in the first place. Were they stolen from the user or a website? Were they guessed at? Were they cracked from exfiltrated password hashes?
It is important that cybersecurity defenders do not mix up the initial root cause of a breach (how the attacker got in) with the outcome of that breach (what the attacker did once inside). If you want to stop people from breaking into your house, you need to pay attention to how they break into your house and mitigate those entry points. Focusing mostly on what the bad actor did after they broke into your house does not really help you with the problem.
For example, a lot of people list ransomware as their top worry. I get it. Ransomware is a top concern. It can exfiltrate your private data, steal login credentials, and maliciously encrypt computers and data. Ransomware has brought down companies, large and small, law enforcement agencies, hospitals, and even entire cities. It is a big problem. But if you want to stop ransomware, you need to figure out how ransomware is getting into your organization. Is it through social engineering, unpatched software, misconfigurations, or some other method?
Ransomware is not your real problem. Ransomware is the outcome of your real problem. How the ransomware is getting in is the problem you need to solve, and the primary thing you need to identify and mitigate to stop ransomware. Or let’s put it this way: if I could wave a magic wand and make ransomware immediately disappear forever, but you did not close the holes that allowed ransomware to get in, you would just be fighting some other problem (e.g., password-stealing trojans, wiperware, etc.). Ransomware is not your real problem. It is an outcome of your real problem.
Same thing with credential theft. Credential theft is an outcome of your real problem. How did the thieves get the credentials in the first place? The major ways are theft, guessing, and password hash cracking. What was the most commonly used method?
It turns out it was social engineering, and specifically phishing, by a huge margin.
Infosecurity Magazine reports that “58% of organizations suffered account takeovers in 2023, of which 79% came from credentials harvested through phishing.” So, nearly 80% of credential abuse came from phishing.
IBM’s X-Force report said phishing was the number two biggest root cause at 30%. They said credential theft was 30% of the problem (apparently edging over phishing by a decimal point). But if 79% of credential theft came from phishing attacks, that means you have to add another 24% to phishing (i.e., 30% x 79%). So, phishing is still the biggest root cause problem at 54% (i.e., 30% + 24%). Nothing else comes close in IBM’s report once you stop mixing up initial root exploits and outcomes.
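The re-attribution above is one instance of a general method: take the categories a report lists, decide which of them are really outcomes, and move each outcome's share back onto the initial-access methods that produced it. The following is an added example written for this article, not code from IBM, Infosecurity Magazine, or any report. It uses the figures quoted in the text (30% valid-credential abuse, 30% phishing, 79% of credential takeovers traced to phishing); the remaining categories and their shares are constructed placeholders so the method runs on a full report, and the function generalizes to any number of outcome categories and attribution sources.

```python
"""Re-attribute outcome categories in a breach report to initial root causes.

Added example for this article. Figures for phishing, valid-credential abuse
and the 79% attribution fraction are the ones quoted in the text; every other
category and number below is a constructed placeholder.
"""
from typing import Dict, List, Tuple

# Root-cause shares exactly as a report lists them (percent of incidents).
REPORT_SHARES: Dict[str, float] = {
    "phishing": 30.0,                   # quoted from the article
    "valid_credential_abuse": 30.0,     # quoted from the article
    "exploit_public_facing_app": 25.0,  # constructed placeholder
    "other": 15.0,                      # constructed placeholder
}

# For each listed category that is really an *outcome*, the fraction of it
# that traces back to each true initial-access method. Fractions for one
# outcome may sum to less than 1; the remainder stays in the outcome bucket
# as genuinely unattributed.
OUTCOME_ATTRIBUTION: Dict[str, Dict[str, float]] = {
    "valid_credential_abuse": {"phishing": 0.79},  # Infosecurity Magazine figure
}


def reattribute(shares: Dict[str, float],
                attribution: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Move outcome shares onto their root causes; return adjusted percentages.

    Each outcome's original share is used as the base, so the result does not
    depend on the order in which outcomes are processed, and the total of all
    shares is preserved.
    """
    adjusted = dict(shares)
    for outcome, sources in attribution.items():
        if outcome not in shares:
            raise KeyError(f"outcome category {outcome!r} not in report")
        total_fraction = sum(sources.values())
        if not 0.0 <= total_fraction <= 1.0:
            raise ValueError(
                f"attribution fractions for {outcome!r} sum to {total_fraction}")
        moved = 0.0
        for root_cause, fraction in sources.items():
            amount = shares[outcome] * fraction
            adjusted[root_cause] = adjusted.get(root_cause, 0.0) + amount
            moved += amount
        # Whatever could not be traced to a root cause remains in the bucket.
        adjusted[outcome] = shares[outcome] - moved
    return adjusted


def ranked(adjusted: Dict[str, float]) -> List[Tuple[str, float]]:
    """Sort categories by adjusted share, largest first."""
    return sorted(adjusted.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, pct in ranked(reattribute(REPORT_SHARES, OUTCOME_ATTRIBUTION)):
        print(f"{name:28s} {pct:5.1f}%")
```

With the article's inputs, phishing comes out at 53.7% (the text rounds to 54%) and 6.3% of valid-credential abuse is left as unattributed, which is the piece a defender still has to investigate (guessing, hash cracking, and so on) rather than simply assume.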
This is not surprising. Social engineering and phishing have been involved in 70% - 90% of all successful data breaches by my own tracking over two decades. Many surveys and companies have just been incorrectly co-mingling initial root exploits with the outcomes of those exploits. Not every company. For example, Forrester states “90% of data breaches will include the human element in 2024.” Verizon’s 2023 Data Breach Report states, “74% of all breaches include the human element.” The year before, the Verizon report said 82% of breaches involved the human element. These figures include other causes such as mistakes, but the vast majority of the human element is social engineering.
Co-mingling root causes and outcomes of root causes is a common mistake. For example, the otherwise wonderful MITRE ATT&CK framework co-mingles initial root causes and outcomes. ATT&CK lists 10 initial access techniques (they are missing a few). Phishing is one of those initial access techniques. Then under the 17 types of Credential Access exploitation, they list Adversary-in-the-Middle, Steal Web Session Cookie, and MFA interception. How did all of those likely happen? Probably social engineering and phishing. What percentage of Credential Access exploitation can be tied to social engineering and phishing? Well, Infosecurity Magazine says 79%. I believe it is more right than wrong.
Infosecurity Magazine is not alone. Barracuda Networks states “Spear phishing emails make up less than 0.1% of all emails sent, but they are responsible for 66% of all breaches.” They are not saying that spear phishing makes up 66% of email attacks. They are saying it makes up 66% of ALL BREACHES! One thing, spear phishing, makes up two-thirds of all breaches.
Note: Unpatched software and firmware come in second, being involved in about 33% of successful breaches.
We all know social engineering and phishing are a huge problem. But many cyber defenders do not know that it is the largest problem by far. And if you read a report saying social engineering and phishing is only about 30% of the problem, or only the second biggest initial root access problem, you know that, for sure, they are mixing up root access methods and the outcomes of root access methods.
The biggest causes of data breaches are social engineering and phishing, by far, and it has been that way for a long time. That fact is unlikely to change any time soon. Make sure you are focused on how thieves are most likely to break into your house.