Full Report
Since forever, I've been told (and told others) that the greatest threat is from the inside. Turns out, not so much. Verizon Business (USA) apparently conducted a four-year study on incidents inside their organisation and found that the vast majority, 73%, originated from outside. However, the majority of breaches occurred as a result of errors in internal behaviour such as misconfigs, missing patches etc. (62% of cases). So attackers are generally outsiders taking advantage of bad internal behaviours, rather than local users finding 0-day. From the exec summary:
Analysis Summary
# Incident Report: Verizon Business External Threat Leveraging Internal Weakness Study
## Executive Summary
A four-year study conducted by Verizon Business (USA) revealed that while the vast majority (73%) of security incidents originated from external sources, the successful execution of these breaches was predominantly enabled by internal behavioral errors, such as poor patching and misconfigurations (accounting for 62% of cases). Insiders were responsible for fewer incidents, but those breaches tended to be significantly larger in scope. The primary conclusion is that external attackers are succeeding by exploiting internal security negligence rather than uncovering novel zero-day exploits.
## Incident Details
- **Discovery Date:** Not specified (the study covered a four-year period concluding prior to the article's publication date).
- **Incident Date:** Spanning a four-year period (Specific dates not provided).
- **Affected Organization:** Verizon Business (USA)
- **Sector:** Telecommunications/Business Services
- **Geography:** USA
## Timeline of Events
*Note: Since this is a summary of a retrospective study, the timeline details specific technical attack progression rather than a single event.*
### Initial Access
- **Date/Time:** Varies across the study period.
- **Vector:** External sources were the primary origin (73% of incidents).
- **Details:** External attackers initiated intrusions.
### Lateral Movement
- **Details:** Not explicitly detailed, but the study's findings suggest movement was facilitated by existing internal weaknesses (misconfigurations, missing patches).
### Data Exfiltration/Impact
- **Details:** Insider-caused breaches, though fewer in number, were noted as being *much larger* when they occurred. Business partners were also responsible for over a third of breaches, a metric that increased five-fold over the study period.
### Detection & Response
- **Details:** The study itself represents the analytical process following the incidents. Specific containment/eradication steps are not detailed in this summary.
## Attack Methodology
*Note: The methodology reflects common enablement techniques gleaned from the aggregate study data, not a specific observed attack chain.*
- **Initial Access:** Primarily external.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed; the study's findings suggest it leveraged existing environmental weaknesses.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Attackers targeted the **application layer** more frequently than the operating system.
- **Lateral Movement:** Facilitated by internal security failures.
- **Collection:** Not detailed.
- **Exfiltration:** Not detailed.
- **Impact:** Breaches often resulted from a **combination of events** rather than a single action. Less than a quarter of attacks exploited vulnerabilities; most attacks leveraged configuration errors or low-level "bite-sized chunks" of opportunity.
## Impact Assessment
- **Financial:** Not detailed.
- **Data Breach:** The scale was heavily dependent on the attacker source; insider breaches were significantly larger when they occurred.
- **Operational:** Not detailed.
- **Reputational:** Not detailed.
## Indicators of Compromise
*No specific technical Indicators of Compromise (IOCs) were provided in the source material, as it focuses on aggregate trends.*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Increased activity from business partners was noted as a growing risk factor.
## Response Actions
- **Containment measures:** Not detailed.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed.
## Lessons Learned
- The traditional view that insider threats are the greatest risk is outdated; external sources caused the vast majority (73%) of incidents.
- The success of external attacks is overwhelmingly due to internal security posture weaknesses (62% of breaches linked to misconfigs/missing patches).
- Insider-caused breaches, while fewer, carry a disproportionately higher impact/scope.
- Breaches frequently involve a **combination of events** rather than a single, sophisticated exploit.
- Application-layer targeting and exploiting common vulnerabilities/misconfigurations are more prevalent than zero-day exploitation.
## Recommendations
- Prioritize remediation efforts on common internal operational weaknesses, specifically patching cadences and configuration management across applications and systems.
- Increase scrutiny and process enforcement regarding threats originating from **business partners** (third-party risk management).
- Focus security training and tooling on detecting chained, low-level attack patterns rather than solely focusing on sophisticated, single-point zero-day defenses.