
SecurityTrails Blog · May 26 · by Gianni Perez

The Role of Cloud Misconfigurations & the Attack Surface in the 2022 Verizon DBIR


This year’s 15th installment of the Verizon Data Breach Investigations Report (DBIR) features yet another impressive dataset of corporate breaches and exposures marked by an overriding postulate: attack surfaces matter and they should dictate a large portion of your risk assessment strategy.

First launched in 2008, the DBIR has grown considerably: the 2022 version has expanded from a modest 500 cases to 5,212 breaches and 23,896 incidents, examined through the lens of the VERIS 4As (Actor, Action, Asset, and Attribute) framework. Its timeline section looks at aspects such as discovery time, attacker actions taken pre- and post-breach, and the number of actions per breach. Additionally, there is a pattern-matching initiative to help organizations navigate some of the most concerning incident types while providing a handful of preliminary security controls.

Industry verticals included in this 2022 report (identified by NAICS code) are Accommodation and Food Services (72), Arts, Entertainment and Recreation (71), Educational Services (61), Financial and Insurance (52), Healthcare (62), Information (51), Manufacturing (31-33), Mining, Quarrying, and Oil & Gas Extraction + Utilities (21 + 22), Professional, Scientific and Technical Services (54), Public Administration (92), Retail (44-45), and Very Small Businesses (10 employees or less).

The report highlights threats from different regions of the world, namely Asia Pacific, Europe, Middle East, Africa, Northern America, Latin America, and the Caribbean, with SecurityTrails again acting as an intelligence contributor, as in previous years.

Verizon Data Breach Investigations Report

Summary of key findings

Through a series of carefully selected and correlated investigative scenarios, a collective effort that the DBIR refers to as “creative exploration”—albeit without bias—the report’s findings continue to highlight several areas from which cybercrime continues to turn a profit. For example, identity theft and fraud motivate an important sector of transnational cybercrime, with some of the most explicit cases centered on the use of ransomware—no surprise there.

However, in a large number of incidents, default or stolen credentials were leveraged to extend attack paths with relative ease. Opportunistic or not, the problem showed evidence of being compounded by a growing lack of adequate visibility into publicly facing assets and any corresponding vulnerabilities. At the tail end of the distribution, the vulnerability-to-breach ratios remained particularly significant. To put it in the DBIR’s own parlance, this is where attackers are looking (it’s a numbers game!): a sustainable environment with enough incentives, as miscreants come hard on the heels of struggling security teams.

Important, too, are the enticing circumstances applicable to different industries. In other words, and perhaps not surprisingly, attacks tailored to a specific business model are likely to be more successful in the long run. An observed convergence between the human element and system misconfigurations remained just above the 5th percentile (a decrease from 2020), but it drove an estimated 13% of overall system breaches, with misconfigured cloud storage instances leading the trend.

As the key findings of the 2022 DBIR show, lack of visibility into public-facing assets is one of the most prominent problems preventing security teams from stopping threats to their organizations. Since we introduced Risk Rules, our main goal has been to give security teams an easy way to generate a complete and dynamic inventory of all their digital assets, as well as to identify CVEs and critical misconfigurations across all their hosts.

And when it comes to asset discovery, as you can see from the following screenshot, our Attack Surface Intelligence (ASI) platform is particularly adept at letting you see all IT assets from a single, unified platform in mere seconds. Through ASI, you can access all the data related to your project’s apex domain, subdomains, and associated domains through an easy-to-use interface, while keeping an eye on the new digital assets added day by day.

ACME Corp Report

What about misconfigurations? Glad you asked.

Since 2018, misconfiguration errors have been on a steady rise. Despite concerted efforts by cloud providers to offer their customers a mature shared responsibility model backed by suitable security controls, the truth is that unintended exposures, and even forgotten assets, still come down to your employees. According to the DBIR, up to 13% of breaches are caused by some sort of error or misconfiguration event which, paired with the lack of proper tracking and inventory capabilities, largely drives risk across all verticals.

Keeping this in mind, our Risk Rules become your best ally when it comes to detecting potential threats such as server and application misconfigurations, including those in cloud environments, as highlighted by the latest DBIR.

Risk Rules Snapshot

Let’s see some examples of the most popular server/app misconfigurations running in the cloud detected by our Attack Surface Intelligence platform. Important: these misconfigurations are just a few examples and not a comprehensive list.

Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied”, these requests can succeed. Additionally, this flaw could leak the source of interpreted files such as CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions.

Amazon AWS Metadata Service Check
The AWS host is configured as a proxy which allows access to the metadata service. This could allow significant access to the host and infrastructure.

Kubernetes Pods - API Discovery & Remote Code Execution
A Kubernetes Pods API was discovered. When the service port is available, unauthenticated users can execute commands inside the container.

ElasticSearch v1.1.1/1.2 RCE
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Be aware that this only violates the vendor’s intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

Docker Container - Misconfiguration Exposure
A Docker container misconfiguration was discovered. The Docker daemon can listen for Docker Engine API requests via three different types of socket: unix, tcp, and fd. With tcp enabled, the default setup provides unencrypted and unauthenticated direct access to the Docker daemon. It is conventional to use port 2375 for unencrypted and port 2376 for encrypted communication with the daemon.

Jupyter ipython - Authorization Bypass
Jupyter could be accessed without authentication.

Insecure Firebase Database
If the owner of the app has set the security rules to true for both “read” and “write”, an attacker can likely dump the database and write their own data to the Firebase database.

Open Proxy To Internal Network
The host is configured as a proxy which allows access to other hosts on the internal network.

DigitalOcean Key Exposure via Axiom
This misconfiguration exposes a DigitalOcean key via Axiom (a dynamic infrastructure framework for working efficiently with multi-cloud environments).

Nacos 1.x - Authentication Bypass
A misconfiguration allows a remote attacker to bypass the authentication mechanisms of an affected Nacos instance and gain access to all REST API endpoints.
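Two of the entries above, the Docker daemon listener and the Firebase security rules, are configuration mistakes that can be caught by inspecting the configuration itself. The following Python is an added example written for this article, not code from the ASI risk engine: it encodes those two entries as small audit rules and runs them against constructed sample configurations (a weak and a hardened variant of each), so the defender can see exactly which setting trips the rule. The `tlsverify` key and the default-port behaviour follow the Docker daemon.json conventions; the Firebase rule names (`.read`, `.write`) follow the Realtime Database rules format.

```python
"""Audit rules for two misconfigurations described in the text:
an unauthenticated Docker Engine API listener and wide-open Firebase rules.

Constructed example: the configuration fragments below were written for
illustration and do not come from any real host or project.
"""
import json
from urllib.parse import urlparse


def check_docker_hosts(daemon_json: str) -> list:
    """Flag Docker Engine API listeners reachable over plain, unauthenticated TCP.

    `daemon_json` is the text of a dockerd daemon.json. Its "hosts" list holds
    listener URIs (unix://, fd://, tcp://). unix:// and fd:// are local-only;
    a tcp:// listener is only acceptable with TLS client verification
    ("tlsverify": true). Port 2375 is the unencrypted convention, 2376 the
    encrypted one, and dockerd picks those defaults when no port is given.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parsed = urlparse(host)
        if parsed.scheme != "tcp":
            continue
        port = parsed.port if parsed.port is not None else (2376 if tls_verify else 2375)
        if not tls_verify:
            findings.append(f"Docker API {host}: unencrypted, unauthenticated TCP listener on port {port}")
        elif port == 2375:
            findings.append(f"Docker API {host}: TLS verify enabled but bound to the unencrypted convention port 2375")
    return findings


def check_firebase_rules(rules_json: str) -> list:
    """Flag Realtime Database rules that grant unconditional read or write.

    Rule values may be booleans or string expressions ("auth != null"). A bare
    true, at any path, is what lets anyone dump or overwrite that subtree.
    """
    rules = json.loads(rules_json).get("rules", {})
    findings = []

    def is_unconditional(value) -> bool:
        return value is True or (isinstance(value, str) and value.strip().lower() == "true")

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for perm in (".read", ".write"):
            if is_unconditional(node.get(perm)):
                findings.append(f"Firebase rule at {path or '/'} grants unconditional {perm[1:]}")
        for key, child in node.items():
            if not key.startswith("."):  # descend into child paths, skip rule keys
                walk(child, f"{path}/{key}")

    walk(rules, "")
    return findings


# Constructed sample configurations (not real data).
DOCKER_WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
DOCKER_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
FIREBASE_WEAK = json.dumps({"rules": {".read": "true", ".write": True}})
FIREBASE_HARDENED = json.dumps({"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid",
}}}})


def run_audit() -> dict:
    """Run both rules over the weak and hardened samples; returns finding counts."""
    return {
        "docker_weak": len(check_docker_hosts(DOCKER_WEAK)),
        "docker_hardened": len(check_docker_hosts(DOCKER_HARDENED)),
        "firebase_weak": len(check_firebase_rules(FIREBASE_WEAK)),
        "firebase_hardened": len(check_firebase_rules(FIREBASE_HARDENED)),
    }


if __name__ == "__main__":
    for name, cfg, rule in (("docker weak", DOCKER_WEAK, check_docker_hosts),
                            ("docker hardened", DOCKER_HARDENED, check_docker_hosts),
                            ("firebase weak", FIREBASE_WEAK, check_firebase_rules),
                            ("firebase hardened", FIREBASE_HARDENED, check_firebase_rules)):
        print(f"{name}: {rule(cfg) or 'no findings'}")
```

Both rules operate on configuration you already hold, so they fit into a pre-deployment check or an inventory sweep rather than a network scan; the hardened samples show the corresponding fix, TLS client verification on 2376 for Docker and per-user `auth` conditions for Firebase.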

In fact, our ASI risk engine can detect more than 200 misconfigurations, fundamentally changing the way common vulnerabilities are curated and presented.

Final words

Although Verizon’s DBIR isn’t entirely representative of all data breaches—a limitation the firm is happy to disclaim—it definitely reflects the reality of many organizations across the globe, a reality rooted in the almost proverbial “you can’t defend what you can’t see.” Consequently, its timely release is aimed squarely at keeping defenders apprised of some of the most notorious tactics, techniques, and procedures used by threat actors and the visible danger they pose to the industries they target.

Without a doubt, the popularity of Verizon’s DBIR in the cybersecurity industry has been growing over time, and it will continue to do so in the foreseeable future. As more businesses and state entities move their operations to the cloud, the ever-shifting attack surface is likely to become the next battlefront: a breeding ground for unchecked vulnerabilities, misconfigurations, unintended asset exposures (e.g., cloud storage), and similar human-centric activity with the potential to quickly erode even a robust security posture.

Explore the DBIR in detail; look for the specific pattern(s) affecting your line of business and, in due diligence, spend some time strategizing your next move by, first and foremost, gaining adequate visibility over all your organization’s IT assets.

See the unknown, and catch risks and misconfigurations in your cloud environment with Attack Surface Intelligence.

Gianni Perez

Gianni is a technical writer at SecurityTrails and an adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws upon his knowledge of IT systems, from administration and software development to automation, to provide valuable security insights that make a real difference.