“What has been will be again, and what has been done will be done again; there is nothing new under the sun.”
— Ecclesiastes 1:9
In a field as fast-moving as cybersecurity, you’d think the above quote wouldn’t hold true. Still, we find ourselves looking back over 2022 and finding that it’s the same old attack vectors wreaking havoc.
This article is the third in a series summarizing the findings of our new report:
Today, we’ll complete our two-part segment on the most prevalent attack vectors of 2022 with two more old favorites.
Supply Chain Attacks, A.K.A The Soft Underbelly
In the 2022 Data Breach Investigations Report, supply chain attacks accounted for around 12% of all incidents and 1% of breaches. Incident figures were heavily impacted by the SolarWinds breach, which led to the most common vector being the use of a backdoor or C2 resulting from a compromised software update.
1% may not sound much, but if we include compromised email accounts used for phishing, pretexting, etc., the reality is more concerning. It’s also important to note that, due to privileged access and often subtle objectives, supply chain aspects of many incidents and breaches likely go unreported. In line with this, a 2022 Anchore Survey of IT executives and leaders from large U.S. and European organizations found that 62% had been impacted by a supply chain attack in the last year.
So, how do these attacks take place? Research by the European Union Agency for Cybersecurity found:
- 66% of supply chain attacks focus on the supplier’s code.
- 62% exploit customers’ trust in the supplier.
- 62% include the use of malware.
In short, dismissing supply chain attacks purely because SolarWinds distorted the most recent DBIR dataset would be a mistake. Software supply chain attacks have been a fact of life in certain industries (particularly government) for some years now. It’s likely that as larger organizations continue to increase their resilience to direct attacks, the supply chain—notably, the software supply chain—will prove a popular vector for cyberattacks in the coming years.
Like ransomware, DBIR data suggests supply chain attacks are a recent phenomenon. The annual report didn’t even discuss supply chain attacks until 2018 when a specific attack (CCleaner) was mentioned in an appendix. However, while the number of attacks may have been lower, the impact has always been outsized—just cast your mind back to the 2011 RSA hack for a refresher.
DDoS: Will It Never Stop?
Today, DDoS attacks account for roughly 40% of all security incidents—and close to 0% of breaches. While DDoS attacks are sometimes used to distract security resources away while a more targeted operation takes place, the attacks themselves aren’t designed to compromise data. We’ll look more closely at the various motivations behind DDoS attacks later on.
Interestingly, while DDoS attacks target organizations in practically every industry, they aren’t indiscriminate. The median attack lasts less than four hours, and most organizations experience fewer than 10 attacks each year. So, where do all the incidents come from? Easy: a minority of organizations (<1%) experience over 1,000 attacks each year. That’s almost three attacks per day.
Research by Cloudflare finds that network- and application-layer DDoS attacks have risen by 97% and 111%, respectively, over the last year. If you read back over past reports (or just take our word for it) you’ll see that while there have been peaks and troughs, the number of DDoS attacks worldwide has grown steadily over time for the last two decades.
DDoS attacks have been around for a long time, ever since ISP Panix was knocked offline in 1996 by a SYN flood. While the principle has remained the same ever since, the techniques used have evolved.
During the last decade, we’ve seen:
- Ubiquitous use of malware to enslave groups of Internet-connected devices around the world (botnets) and use them to conduct high-volume attacks.
- Reflection and amplification techniques allow attackers to multiply the volume of attacks while hiding their true source.
- The rise of application-layer attacks which aim to disrupt web servers by overloading them with HTTP requests. These attacks are measured in requests per second (Rps) rather than the more traditional network attacks, which are measured in bits per second (Bps).
Combined, these techniques have led to a steady rise in the average volume of DDoS attacks, from 422Mbps in 2013 to 1.3Gbps in 2022. Attacks are also harder to detect than they were in the past, often cycling vectors throughout the attack to evade protective controls.
Get the Full Cybercrime Story
A cybercrime report could be anything from one page to a hundred pages long. As simple as saying, “Cybercriminals go where the money is,” or as complicated as digital forensics and malware analysis.
In our new report, we’ve striven for a happy medium that gives insight into current, past, and possible future cybercrime trends without getting bogged down in unnecessary details. We’ve also included the most important steps to protect against cybercrime over the next decade.
Download the report to learn:
- The two BIG exceptions to financially motivated cybercrime and why they’re so common.
- Why statistics don’t tell the whole story regarding internal vs. external attacks—and why that matters when designing a risk-based cybersecurity program.
- Where cybercrime will definitely go over the next few years—plus longer-term predictions from industry veterans Dr. Zero Trust (Chase Cunningham) and Dan Schaupner.
