F5 Labs recently published our annual Application Protection Report. The 2022 edition is subtitled “In Expectation of Exfiltration,” reflecting the enduring value of stolen data to attackers, whether they use it for fraud or ransom. The report synthesizes data from several disparate sources to understand the evolution of the threat landscape over time, the relationship between organizations’ characteristics and the attack techniques they face, and—most importantly—what security practitioners can do to mitigate the risks.
Much of the focus of the report is on the continuing growth of ransomware, and with good reason: in 2021 ransomware techniques featured in 42% of application attacks leading to U.S. data breaches. However, the focus on ransomware should not obscure the risk of non-encrypting malware, which also grew dramatically, and tended to result in exfiltration of data without encryption. Overall, malware attacks of any kind featured in more than 30% of all attacks in 2021 that led to U.S. data breaches.
Speaking of data exfiltration, we chose the subtitle for the report when we found that exfiltration became dramatically more common in 2021. Four out of five application attacks that resulted in U.S. data breaches featured exfiltration as a tactic, including Magecart attacks, additional web attack campaigns, ransomware attacks, and other kinds of malware infections. Given the explosive growth of ransomware in 2020, and the appearance in early 2021 that ransom was surpassing fraud as a way to profit from cyberattacks, this finding surprised us, and indicates that fraud will continue to compete with ransom as a monetization strategy.
We also found that web exploits appeared to play a diminished role in data breaches, though this isn’t the whole story: while the proportion of web exploit-driven breaches decreased, the web exploits that were reported were nearly all of the type known as formjacking attacks, of which Magecart is the best-known example. Even as web exploits appear to become less common, they are becoming more focused on comparatively easy and low-touch attack chains that reap payment card numbers at large scale. This trend reflects the enduring value that payment card numbers have compared with other kinds of less-fungible data, especially considering that retail and other e-commerce targets of formjacking also tended to be the least frequent victims of ransomware.
Furthermore, while sophisticated campaigns by state-sponsored actors tend not to show up in our sources, a few known advanced attacks in our data set made clever use of web exploits to perpetrate precision attacks against organizations, reflecting that the largest numbers don’t always capture the risk that matters the most. While web exploits aren’t the go-to tactic the way they were a few years ago, vulnerability management and exploit protection are still enormously important for defense.
The report also examines the state of cloud security, finding that third- and fourth-party relationships in the cloud tended to make risk manifest in unexpected ways, and that access control misconfigurations were significantly more likely to produce a data exposure than malicious activity.
The recommended mitigations in the report are sorted in various ways depending on the operational priorities of different organizations, but control objectives such as data backup, network segmentation, and various forms of environmental hardening tended to rise to the top of the list no matter how it was sorted. The report also features the same attack chain analysis and visualization approach using the MITRE ATT&CK® framework that the team debuted in the 2021 report.
We are excited to share that a certain lead researcher on the Application Protection Report will be presenting this research at the RSA Conference in San Francisco. In addition to exploring these trends in greater detail, we'll be covering a wide range of less prominent but no less interesting attack behaviors. There's no shortage of amazing work at RSA, but if trends in attacker targeting are useful to you, consider stopping by Moscone South 208 at 1:15 p.m. Pacific on Wednesday, June 8. More information available here. And if you can’t make it to San Francisco but would like more detail, or to take a deeper dive into the data, just head over to F5 Labs.