The vast majority of identity breaches continue to be linked to a human element and to credential compromise. Third-party risk exploded last year. IAM leaders looking to protect their infrastructure against modern attacks should prioritize identity hygiene best practices: lock down privileged credentials, especially those held by third parties, and enforce a least-privilege corporate policy.
Findings from the 2024 Verizon DBIR:
- Credential misuse continues to be the #1 breach vector at close to 40%, more than double that of phishing and vulnerability exploits. That’s how the bad guys are getting their foot in the door. Once inside, roughly one-third of all breaches involved ransomware or some other extortion technique.
- The human element was a component of more than half of all breaches.
- Besides the human element, third-party access (usually stemming from supply chain attacks) exploded, increasing 68% since last year.
Credential Misuse
It’s no surprise that the bad guys continue to target credentials. Vulnerability exploits grew a lot (MOVEit was a big reason for that), but even so they come nowhere close to the credential misuse problem.
Figure: Select ways-in enumerations in non-Error, non-Misuse breaches over time
Recommendation 1: The IAM leader must get a seat at the table alongside the CISO and show this type of data in order to secure a budget for identity initiatives. Yes, vulnerability management and phishing are concerns; however, statistically, IAM is where organizations get the best bang for their cybersecurity buck.
The Human Element
The human element was a component of more than half of all breaches, at 68%. That’s more than double that of other elements like ransomware or extortion (32%), errors (28%), and third parties (15%).
Among all human-element breaches, the Verizon report still shows external actors as the top catalyst at 65%: the attacker is outside the organization and is targeting a credential. But internal actors have resurged to a whopping 35%, almost double last year’s share. What is curious is that 73% of those internal-actor breaches leveraged mundane, basic identity hygiene misconfigurations that could be very easily fixed.
Figure: Threat actors in breaches over time
Recommendation 2: I really like this statement made by Verizon in the report: “It’s much easier to harden a system than it is to harden an individual”. Gartner research has shown that security awareness training does not directly correlate to safer behavior. If processes are broken or hard to use, users will bypass them while looking for a more efficient way to get their job done. The recommendation to IAM leaders is to beef up the IAM systems so they are more resilient against attacks. Mundane and easy-to-fix problems like removing orphaned, dormant and out-of-compliance accounts should be part of everyday identity hygiene. Adoption of MFA by all users should be paramount.
Third Party Risk Explosion
The third-party risk driven by supply chain attacks includes breaches like Solorigate and attacks like the one LAPSUS$ perpetrated against Okta in 2022. These account for only 15% of all breaches, but they are growing at a scary 68% year over year.
Figure: Supply chain interconnection in breaches over time
Recommendation 3: Verizon recommends that “organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners.” I agree, and I recommend that IAM leaders follow a structured approach to dealing with their external providers. B2B IAM relationships are complex and should be well defined by implementing secure delegated administration, identity verification (IDV) and continuous assessment of the risk of these supply chain provider identities. That is the most effective way to mitigate this type of attack.
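Recommendations 2 and 3 both come down to a recurring review of who holds an account and what it can do. The script below is an added example, not code from the original post or from Verizon; it runs the kind of identity hygiene pass the post describes over a constructed directory export and a constructed HR roster, flagging orphaned accounts (owner no longer employed or unknown to HR), dormant accounts, interactive accounts without MFA, time-boxed third-party access that has expired, and privileged access held by external identities. The field names (user, owner, type, roles, last_login, mfa_enrolled, access_expires) and the set of privileged roles are assumptions for the example, not any IdP vendor's real schema.

```python
"""Identity hygiene review over a constructed directory export.

Added example (not from the original post). Field names below are an
assumed export format, and every record is constructed sample data.
"""
from collections import Counter
from datetime import date, timedelta

# Roles treated as privileged for this review (assumption for the example).
PRIVILEGED_ROLES = {"global-admin", "domain-admin", "iam-admin"}

# Constructed HR roster: owner id -> employment status.
HR_ROSTER = {
    "e1001": "active",
    "e1002": "active",
    "e1003": "terminated",
}

# Constructed directory export. 'type' is employee, service or external.
ACCOUNTS = [
    {"user": "alice", "owner": "e1001", "type": "employee", "roles": ["user"],
     "last_login": "2024-05-20", "mfa_enrolled": True, "access_expires": None},
    {"user": "bob", "owner": "e1003", "type": "employee", "roles": ["user"],
     "last_login": "2024-03-01", "mfa_enrolled": True, "access_expires": None},
    {"user": "svc-backup", "owner": "e1002", "type": "service", "roles": ["domain-admin"],
     "last_login": "2023-11-02", "mfa_enrolled": False, "access_expires": None},
    {"user": "vendor-msp", "owner": "e1002", "type": "external", "roles": ["global-admin"],
     "last_login": "2024-05-28", "mfa_enrolled": False, "access_expires": "2024-04-30"},
    {"user": "carol", "owner": "e9999", "type": "employee", "roles": ["user"],
     "last_login": "2024-05-29", "mfa_enrolled": True, "access_expires": None},
]


def review_account(acct, hr_roster, today, dormant_days=90):
    """Return the hygiene findings for one account (empty list if clean)."""
    findings = []
    privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))

    # Orphaned: the owner is unknown to HR or no longer employed.
    if hr_roster.get(acct["owner"]) != "active":
        findings.append("orphaned")

    # Dormant: no sign-in inside the review window. A dormant privileged
    # account is called out separately because it is the worst case.
    last_login = date.fromisoformat(acct["last_login"])
    if today - last_login > timedelta(days=dormant_days):
        findings.append("dormant")
        if privileged:
            findings.append("privileged-dormant")

    # Out of compliance: time-boxed access (typically a vendor) past its end date.
    expires = acct["access_expires"]
    if expires is not None and date.fromisoformat(expires) < today:
        findings.append("access-expired")

    # MFA is expected on every interactive account; service accounts are
    # reviewed under a separate control, so they are skipped here.
    if acct["type"] != "service" and not acct["mfa_enrolled"]:
        findings.append("no-mfa")

    # Least privilege for supply-chain identities: any privileged external
    # account needs a documented justification from its internal owner.
    if acct["type"] == "external" and privileged:
        findings.append("third-party-privileged")

    return findings


def review_directory(accounts, hr_roster, today="2024-06-01", dormant_days=90):
    """Map each account with at least one finding to its list of findings."""
    as_of = date.fromisoformat(today)
    report = {}
    for acct in accounts:
        findings = review_account(acct, hr_roster, as_of, dormant_days)
        if findings:
            report[acct["user"]] = findings
    return report


def issue_counts(report):
    """Count findings by type, the numbers an IAM leader would bring to the CISO."""
    return dict(Counter(issue for issues in report.values() for issue in issues))


if __name__ == "__main__":
    report = review_directory(ACCOUNTS, HR_ROSTER)
    for user, issues in report.items():
        print(f"{user}: {', '.join(issues)}")
    print("totals:", issue_counts(report))
```

The review date is passed in explicitly so the same export can be re-scored on a schedule and the counts compared over time; in practice the accounts list would come from your IdP's export and the roster from the HR system of record.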