
Why Hackers Love Credentials: Parsing Verizon’s 2022 Breach Report

July 18, 2022

The 2022 Verizon Data Breach Investigations Report (DBIR), the fifteenth such report in as many years, leads off with a startling statistic: Credentials are the number one overall attack vector hackers use in data breaches. Use of stolen credentials accounts for nearly half the breaches studied by Verizon, far ahead of phishing and exploited vulnerabilities, which account for 19% and 8% of attacks, respectively. Botnets, the fourth most common entry path for hackers, represent a mere 1% of attacks.

Credentials are the number one attack vector in several categories of attack covered in the report. In cases of web application attacks, for example, Verizon research attributes over 80% of attacks to stolen credentials—surpassing exploited vulnerabilities and brute force attacks, which occur in fewer than 20% of cases. Forty-three percent of business email compromise (BEC) cases involve the use of stolen credentials as the way into the target organization.

Why Credentials Are Such a Popular Target

If you’re a hacker, stealing user credentials makes a great deal of sense. After all, with valid credentials, you can legitimately gain access to networks and applications. There’s not a lot of hacking to do. You just log in like you belong there. Once you’re in, you enjoy the same system privileges as the user whose login you have swiped. If that user is an administrator, all the better. You can modify systems, delete data, create new user accounts and on and on.

Additionally (and unfortunately), legitimate user credentials are not that hard to get. In some cases, hackers don’t even have to engage in elaborate cyberattacks to get their hands on them. They can just buy them on the dark web. For not a lot of money, a low-skilled hacker can purchase real, current credentials for corporate system users.


The Scale of the Credential Vulnerability

According to the Verizon report, credentials are not just a popular mode of attack. They are also among the most commonly breached forms of data. In system intrusion attacks, for example, credentials are the number one type of data compromised, targeted in 42% of attacks. In social engineering attacks, credentials are also the most popular targets, stolen in 63% of breaches. Of course stolen credentials are scary, but what are the true costs behind these types of attacks?

Analysis of data from Kovrr’s cyber incidents database, which contains both threat intelligence and financial data on a vast collection of cyber incidents, shows that specific industries are particularly targeted for credential breaches. The table below represents the percentage of total stolen credentials from a specific industry out of all stolen credentials across industries, i.e., if 100 records were stolen globally, 32.94 of these were stolen from the education industry.

% of stolen credentials from a specific industry out of all stolen credentials across industries.

The fact that education makes up such a large portion of the total can be attributed to any number of factors. We assert that two of these are the most important: the large number of users that exist within the organization, and their tendency to change very often.

Combined with the COVID-19 pandemic, and the sudden transition to remote studying and teaching, that factor became even more severe. The other industries that are most often victims of credential theft (Information, Public Administration) are all natural targets for credential theft. By their nature, not only do they handle many user credentials, but they are also prime targets for spreading to new organizations.

The Costs Behind Stolen Credentials 

The most common motivation for credential theft is ransomware. Once an organization has been compromised, it is one of the most useful forms of leverage for monetizing the access the attacker has achieved.

If we are to analyze the financial impact of a ransomware attack, we can see it consists of several components: the obvious extortion cost (in case the ransom is paid), response and restoration costs, legal fees, monitoring costs, and additional costs.

Below is a small sample of incidents which occurred due to stolen credentials and their associated financial impacts, beyond the extortion cost. In fact, in many cases the extortion cost is only marginal compared to the other losses suffered by the victim. All incidents have been collected from Kovrr’s cyber incidents database.

Examples of incidents that have occurred due to stolen credentials, along with financial impact.

Kovrr’s cyber incidents database contains many additional ransomware incidents. By analyzing all incidents, we extracted both the average extortion payment, which is $5.5M, and the average total cost of a ransomware event - a whopping $22M (when considering these numbers it should be taken into account that data on the costs of ransomware attacks is available mostly for large businesses located in North America).

Overall, it can be seen that ransomware, which is mainly executed following credential theft (40% of ransomware attacks began through desktop sharing software, which is mostly accessed through stolen credentials), has a high potential cost for victims. As many of these attacks start through leaked or insecure credentials, the cost of securing these credentials is clear.  


Mitigating the Threat of Stolen Credentials

Given the prevalence of credentials both as a target of hackers and as an attack vector, it probably makes sense to develop an effective risk mitigation strategy for credentials. Countermeasures might include controls like multi-factor authentication (MFA) and zero trust policies that authenticate users by means beyond the basic username/password combination. Password updating policies, sophisticated privileged access management (PAM) solutions and biometrics can all play a role, too—if they’re needed.

An important question to ask in all this is, “What is the true nature of my credential risk?” Yes, credential theft is a big problem, as Verizon has revealed. But, what’s it to my business? What would a credential-based attack really cost my business?

The answer might be shockingly high or low. If you could estimate the hard dollar impact of a credential attack on your business, you might find the number to be surprisingly manageable. The opposite could also be true. The cost of a credential attack could wreck your business.

Cyber risk quantification (CRQ) is a process that uses data about threats, your business, insurance losses and many other factors to put a price tag on a cyber risk like credential theft. With CRQ, you can figure out what an attack using credentials would actually cost to remediate. Using this information, you can plan your cyber defense in alignment with expected financial impacts.

Threats of attacks using stolen credentials, as well as attacks targeting credentials, represent a potentially significant area of cyber risk. Mitigation strategies are available. With CRQ, however, it is possible to make decisions about how much of a priority to place on credential risk, and plan and budget accordingly.


Gal Ziv Yacimvoich

Cyber Data Engineer
