BWAA-ck to Basics: Insights from the 2022 Verizon DBIR on Basic Web Application Attacks

June 13, 2022  Benjamin Gowan

The Verizon Data Breach Investigations Report (DBIR) is a treasure trove of data and a true gift to the cyber risk quantification community. From CISOs learning key trends, to analysts estimating breach frequencies in an industry, the DBIR has supplanted FUD with data, and guesstimates with estimates, for well over a decade.


Benjamin Gowan - RiskLens Data ScienceBenjamin Gowan is Data Science Manager for RiskLens. Learn more about data science at RiskLens.


This year, in fact, is the 15th anniversary of the DBIR. They took that milestone as an opportunity to feature archival data points and visuals going as far back as 2008. These retrospectives peppered throughout this edition are an homage to their rigor and consistency in methodology and admirable data practices across the years. 

Taking that spirit of practical community resource and getting back to basics, let’s look at some findings for this year’s report that may have gone under your radar.

Basic Web Application AttacksVerizon DBIR 2022 Cover

Definition

“These attacks are against a Web application, and after initial compromise, they do not have a large number of additional Actions. It is the 'get in, get the data and get out' pattern.”

2022 DBIR Table 1. Incident Classification Patterns, p.24

Basic Web Application attacks are a common and straightforward pattern typically used by financially motivated external actors in search of PII. Although, even advanced Nation State actors will opt for the simple methods of this pattern when they are readily exploitable.

As the DBIR so aptly puts it

“If the front door has a weak lock there is no reason to develop a complicated polymorphic backdoor with a fast flux network of C2 servers.”

2022 DBIR pg. 38

While everyone is understandably concerned about Ransomware & System Intrusions writ large, we don’t want to fall into the trap of fearing and preparing for the most exotic and advanced attacks, while much simpler issues are prevalent and addressable.

One of the eight core DBIR Incident Classification Patterns here are a few highlights about Basic Web Application Attacks (BWAA) that may surprise you…

  • In 2021, more incidents may have been BWAAs than System Intrusions

  • BWAA incidents have steadily increased every year since 2017 (whereas System Intrusions have actually declined from their highs)

  • BWAA are likely the primary pattern for breaches in such key industries as Finance and Healthcare.

Let’s dig into each of those findings.


Get a quick read on your loss exposure from Basic Web Application Attacks – try the free version of the RiskLens Benchmark tool.


Verizon DBIR Findings on Incident Pattern Prevalence in 2021

In DBIR Figure 32. Patterns over time in incidents (p. 23) under the hood they are using a sample of 17,165 incidents for the 2021 data points. Of those incidents, 4,002 were denoted as Basic Web Application Attacks (23%), outpacing the 3,526 incidents affiliated with the System Intrusion (21%).

Ever cautious about drawing conclusions from samples, the DBIR helpfully assesses the uncertainty around those proportions by bootstrapping an uncertainty interval for us. Since those ranges do not overlap (see table below), we can be relatively confident this is not a merely a sampling fluke (do note sample sizes change throughout the DBIR depending on the enumeration contexts and they carefully consider the CIs when making statements in text.) Denial of Service takes the top notch of course, but worth noting essentially none of those incidents become breaches, so they are different in kind.

Verizon DBIR Incident Pattern Prevalences in 2021

Source: https://github.com/vz-risk/dbir/tree/gh-pages/2022

Incidents Pattern Trend

Lets zoom out and take in the full range of Patterns in Incidents since 2017, highlighting our key subject pattern:

Verizon DBIR Increase in Basic Web Attacks 2021

Source: https://github.com/vz-risk/dbir/tree/gh-pages/2022

While others have had big jumps, no other pattern has seen quite the consistent growth over time as BWAAs have over the past five years in terms of incidents.


Read a RiskLens case study: Reducing Web Application Attack Risk


Top Breach Pattern in Key Industries

The multi-faceted DBIR Figure 75. Breaches by Industry (p. 51) provides a remarkable amount of data in a highly condensed form. Filtering down to the Finance and Healthcare industries, we can see that Basic Web Application Attacks take the top estimated proportion of breaches in both those NAICs codes.

We do want to be careful here, considering the DBIR-provided confidence intervals do overlap in places. A cautious reading would be that BWAAs are likely the most, but could be the second most prevalent pattern in these industries, but we are quite confident they are higher than third most likely, which we cannot say about the second most likely pattern (whew!). With a view that’s simple (BVAAs are the most likely) but also cautious (we could be wrong, here’s a measure of our uncertainty) this is a reinterpreted visual of that slice of the data.

Verizon DBIR Key Breach Patterns 2021

Source: https://github.com/vz-risk/dbir/tree/gh-pages/2022

So What?

It’s all well and good to be aware of the precipitous rise in Basic Web Application Attacks over the past five years and that it likely represents the prime pattern for breaches in several key industries… But what are we to do about it? Fortunately, the DBIR helps us there as well. In fact, a single action variety accounts for the vast majority of breaches in this pattern:

“…Over 80% of the breaches in this pattern can be attributed to stolen credentials.”

2022 DBIR p.37

So proper implementation of 2FA and password management controls will help safeguard against the lion’s share of breaches from this prevalent, and steadily rising, attack pattern.

In other words, we’re BWAA-ck to covering the basics.

Stay informed, stay safe.

RL-Banner-1024x281v1