Incident Classification Patterns: Introduction

Please provide the information below to view the online Verizon Data Breach Investigations Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

Pareidolia is a fancy word for seeing patterns in nature—clouds that look like bunnies, a face in your toast looking back at you from your breakfast plate, etc. As we have said before in this report, the human mind looks for patterns even when they are not actually there.53 People simply need patterns to make sense of their world, and the realm of cybersecurity is no different. Several years ago, we realized that certain incidents appear to happen over and over again in clusters that share certain similar characteristics. From that realization, we devised our incident patterns that we have featured in our report for the last several years.

These incident patterns serve to cluster similar incidents into categories that make them easier to understand and recall. They are based on the 4As of VERIS (Actor, Action, Asset, Attribute), which you can read more about in the “Results and analysis” section earlier in this report.54 The incident classification patterns, of which there are eight, are defined in Table 1, and Figure 26 below shows how they have changed over time in incidents.

Data Breach Investigation Report figure 26
Data Breach Investigation Report figure 27

We are once again featuring relevant ATT&CK techniques55 and Center for Internet Security (CIS) Critical Security Controls56 relevant to certain patterns.

Figure 27 illustrates how the various patterns have ebbed and flowed over the last few years in breaches. As you can see, System Intrusion continues to be the top pattern from a breach perspective (as opposed to incidents, where DoS attacks are still king). Both the Social Engineering and Miscellaneous Errors patterns have risen appreciably, particularly the latter, since last year. Conversely, the Basic Web Application Attacks pattern has fallen dramatically from its place in the 2023 DBIR. We get to delve into the reasons for these fluctuations further along in this section.

Basic Web Application Attacks

 

These attacks are against a Web application, and after the initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.

Denial of Service

 

These attacks are intended to compromise the availability of networks and systems. This includes both network and application layer attacks.

Lost and Stolen Assets

 

Incidents where an information asset went missing, whether through misplacement or malice, are grouped into this pattern.

Miscellaneous Errors

 

Incidents where unintentional actions directly compromised a security attribute of an information asset fall into this pattern. This does not include lost devices, which are grouped with theft instead.

Privilege Misuse

 

These incidents are predominantly driven by unapproved or malicious use of legitimate privileges.

Social Engineering

 

This attack involves the psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.

System Intrusion

 

These are complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying Ransomware.

Everything Else

 

This “pattern” isn’t really a pattern at all. Instead, it covers all incidents that don’t fit within the orderly confines of the other patterns. Like that container where you keep all the cables for electronics you don’t own anymore—just in case.

Table 1. Incident Classification Patterns
 

53 We are pretty sure the toast face is real though.

54 You did read it, right? You are not just skimming the report, are you?

55 https://attack.mitre.org

56 https://www.cisecurity.org/controls

Let’s
connect

Call Sales
877-297-7816

Have us contact you
Request a call

Call for Public Sector
844-825-8389