Navigating the Modern Threat Landscape: Key Insights from the Verizon DBIR 2025

Welcome back to our blog, where we unpack the latest in cybersecurity to help you stay informed and secure. Today, we're diving deep into the Verizon 2025 Data Breach Investigations Report (DBIR), a comprehensive examination of the recent state of cybercrime that draws on data collected between November 1, 2023, and October 31, 2024. This 18th annual report is built on an analysis of more than 12,000 breaches and over 22,000 security incidents, using the standardized Vocabulary for Event Recording and Incident Sharing (VERIS) framework to normalize data from numerous contributors.

The DBIR is a critical resource for understanding the evolving threat landscape, highlighting who is behind attacks, what methods they use, and what organizations can do to protect themselves. While the report covers a wide array of findings across industries, organization sizes, and regions, several key themes stand out in this year's analysis, particularly the ever-growing impact of third parties and the persistent influence of the human element.

The Growing Shadow of Third-Party Risk

One of the most striking findings in the 2025 DBIR is the significant increase in breaches involving a third party, which doubled from approximately 15% last year to 30% this year. This highlights a crucial challenge for modern Chief Information Security Officers (CISOs), who face a complex "balancing act" with the growing dependence on external entities.

Third parties are involved in various ways, acting not only as custodians of customer data but also underpinning critical organizational operations. The report emphasizes that managing this risk goes beyond simply relying on shared responsibility models; organizations must consider their partners' security limitations as well as their own. This dependency is felt keenly when a third party's vulnerability or incident directly impacts your organization.

Notable incidents this year involved credential reuse in a third-party environment, such as those affecting Snowflake customers. The report also examined secrets leaked in public code repositories: the median time to remediate a leaked secret found in a GitHub repository was 94 days. Other impactful third-party incidents included disruptions to financial services and grounded planes caused by a faulty software update (CrowdStrike), and widespread impacts across industries from breaches at service providers such as Change Healthcare and CDK Global.
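A 94-day median to remediate a leaked secret means the cheapest control is to catch the secret before it is pushed. The following Python is an added example, not code from the DBIR or from the original post: a minimal pre-commit style scanner that checks the added lines of a diff against well-known public token formats and flags credential-looking assignments by Shannon entropy. The sample diff is constructed (the AWS key is AWS's documented placeholder), and the entropy threshold is an assumed tuning value.

```python
import math
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line_no rule severity value")

# Well-known public token formats (documented prefixes, not secrets themselves).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Any "name = value" where the name suggests a credential; the value's entropy
# decides whether it looks machine-generated (likely real) or human-chosen.
ASSIGNMENT = re.compile(
    r"(?i)\b[A-Z0-9_]*(secret|password|passwd|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per repository


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string in bits per character."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines):
    """Scan added lines of a diff (or any text) and return Finding tuples."""
    findings = []
    for no, line in enumerate(lines, 1):
        if line.startswith("-"):
            continue  # removed line: still needs rotation, but it is not a new leak
        known = set()
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(no, rule, "high", m.group(0)))
                known.add(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value in known:
                continue  # already reported under a specific token rule
            sev = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append(Finding(no, "secret_assignment", sev, value))
    return findings


# Constructed diff for illustration only.
SAMPLE_DIFF = [
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "+DB_PASSWORD = 'summer2024'",
    "+export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "-OLD_API_KEY = 'a9F3kQ2zL8mN4pR7sT1vW6xY0bC5dE8g'",
    "+timeout = 30",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.rule} [{f.severity}] {f.value}")
```

Run against the sample, the scanner reports the AWS key and the GitHub token as high-severity findings, reports the hard-coded database password as low severity (a credential-named assignment whose value has low entropy), ignores the removed line, and ignores `timeout = 30`. In a real hook the low-severity class is where the false positives live, which is why the two are kept distinct.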

The report offers high-level ideas for mitigating third-party risk:

  • For vendors in your software supply chain: Traditional vulnerability management and network segmentation apply. Keep devices, especially the edge devices attackers frequently target, off the open internet wherever possible.
  • For vendors hosting your data: Focus on the security and resilience of their hosting and operational environments. Use third-party cyber risk management solutions that provide quantifiable insights beyond basic risk questionnaires.
  • For vendors connecting to your environment: Ensure comprehensive network segmentation and access control. Implement strict authentication policies, including password complexity, API key aging, and Multi-Factor Authentication (MFA), potentially even more extensive than those for employees.

Ultimately, the report stresses that achieving a reasonable level of security in this interconnected world requires effective collaboration, transparency, and increased information sharing with vendors. It's not enough to check the news; organizations must make vendor security outcomes a key part of the procurement process and have plans for addressing repeat offenders.

The Unwavering Influence of the Human Element

Despite technological advancements, the human element remains consistently involved in data breaches, accounting for around 60% of cases this year, a figure roughly unchanged from last year. This metric contrasts with fully automated attacks and includes any breach where human interaction was a "gating factor". If someone in your organization clicked a phishing email, visited a malicious website, or was otherwise involved, it falls under this category.

The human element in breaches can be broken down into components:

  • Social Actions: This includes techniques like Phishing or Pretexting, often aimed at stealing credentials.
  • Errors: Unintentional mistakes, such as misdelivery of sensitive information.
  • Malware Interactions: Users executing malicious attachments or downloading from websites.

There's a significant overlap between social actions (like phishing to steal credentials) and the subsequent abuse of those credentials. While this may seem daunting, it also offers multiple opportunities for defenders to intervene.

Prevalent Patterns and Techniques

The report details the most prevalent incident patterns observed:

  • System Intrusion: These are complex attacks often leveraging malware and/or hacking, with Ransomware accounting for 75% of breaches in this pattern. Ransomware continues to be a significant threat that does not discriminate by industry. Magecart infections (compromising e-commerce sites to steal payment card data) are another type of incident in this pattern, often leveraging exploited vulnerabilities and stolen credentials.
  • Basic Web Application Attacks (BWAA): This pattern is fundamentally about bad actors using the "least amount of effort" to access data. The Use of stolen credentials is the defining action, involved in about 88% of breaches in this pattern. Brute force attacks and establishing backdoors are also common. Notably, Espionage motive significantly increased in BWAA breaches this year, accounting for 62% compared to 10-20% in previous years.
  • Social Engineering: Consistently a top three pattern since 2019, Social Engineering relies on manipulating human behavior. Phishing and Pretexting remain the main techniques. Attackers are dedicating more time to building familiarity with victims. Emerging threats include Prompt bombing (MFA push fatigue), a technique successfully used in more than 20% of Social attacks in the Public Sector this year. The report also highlights MFA bypass techniques like Adversary-in-the-Middle (AiTM), Password dumping, Hijacking, Token theft, and MFA interrupt, showing that dedicated adversaries will exploit weaknesses in MFA implementations. Business Email Compromise (BEC) continues to be a significant financial threat, resulting in billions of dollars in losses annually.
  • Miscellaneous Errors: Often caused by internal actors making unintentional mistakes, such as misdelivery.
  • Privilege Misuse: Involves actors (historically internal employees, but with an increase in Partner actors this year) misusing granted access, often for financial gain or espionage. Data theft is frequently achieved via simple LAN access.
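The Basic Web Application Attacks pattern above leaves a recognizable trace in authentication logs: one source failing against many accounts (credential stuffing or spraying), a wall of failures against one account (brute force), and, the part that matters most, a single success after the failures. The following Python is an added example, not from the DBIR or the original post, that runs that detection logic over a constructed log. The log format, IP addresses, user names, and the window and threshold values are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed auth log (not real data): "<ISO time> <source IP> <user> <SUCCESS|FAIL>".
# 203.0.113.7 walks a credential list and lands on grace; 198.51.100.20 hammers alice;
# the 192.0.2.x lines are ordinary users, one of whom mistypes a password once.
SAMPLE_LOG = """\
2024-06-01T02:00:01Z 203.0.113.7 alice FAIL
2024-06-01T02:00:02Z 203.0.113.7 bob FAIL
2024-06-01T02:00:03Z 203.0.113.7 carol FAIL
2024-06-01T02:00:04Z 203.0.113.7 dave FAIL
2024-06-01T02:00:05Z 203.0.113.7 erin FAIL
2024-06-01T02:00:06Z 203.0.113.7 frank FAIL
2024-06-01T02:00:07Z 203.0.113.7 grace SUCCESS
2024-06-01T09:12:44Z 192.0.2.55 bob SUCCESS
2024-06-01T09:13:10Z 192.0.2.56 carol FAIL
2024-06-01T09:13:40Z 192.0.2.56 carol SUCCESS
""" + "".join(f"2024-06-01T02:05:{s:02d}Z 198.51.100.20 alice FAIL\n" for s in range(10))

LINE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse(text):
    """Parse log text into time-ordered Events, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=8):
    """Return (rule, ip, user) alerts. Window and thresholds are assumed starting points."""
    alerts = []

    # Credential stuffing / spraying: one source failing against many distinct accounts.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    for ip, evs in by_ip.items():
        flagged = False
        for i, e in enumerate(evs):
            recent = [x for x in evs[:i + 1] if x.ts >= e.ts - window]
            failed_users = {x.user for x in recent if not x.ok}
            if len(failed_users) < spray_users:
                continue
            if not flagged:
                alerts.append(("credential_stuffing", ip, None))
                flagged = True
            if e.ok:
                # The one success after a wall of failures is the account to reset first.
                alerts.append(("success_after_stuffing", ip, e.user))

    # Brute force: many failures against one account, from any number of sources.
    by_user = defaultdict(list)
    for e in events:
        if not e.ok:
            by_user[e.user].append(e)
    for user, fails in by_user.items():
        for i, e in enumerate(fails):
            recent = [x for x in fails[:i + 1] if x.ts >= e.ts - window]
            if len(recent) >= brute_fails:
                alerts.append(("brute_force", None, user))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample this yields three alerts: the stuffing source, the `grace` account that the stuffing source successfully logged into, and the brute force against `alice`. The single mistyped password from 192.0.2.56 produces nothing, which is the behaviour you want before wiring such logic to an automatic lockout or forced reset.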

The Credential Ecosystem and Mitigation

The report delves into the "credential ecosystems" that fuel patterns like BWAA, detailing how stolen credentials (usernames, passwords, API keys, etc.) end up in public code repositories or are collected by infostealer malware. These credentials are traded or sold on marketplaces, premium channels, or provided as free samples, offering attackers easy access to accounts.

Infostealer logs contain credentials for various site types, including streaming, gaming, and social media, but also surprisingly often include credentials for enterprise-focused resources like developer tools, internal GitHub repositories, remote access servers, and cloud administration. The report estimates that approximately 30% of compromised systems listed in marketplaces are Enterprise-licensed devices. Furthermore, analysis found that 54% of ransomware victims' domains appeared in infostealer logs or marketplace postings, suggesting stolen credentials are a key tactic for some ransomware operators.

Given the prevalence of credential theft and abuse, the report strongly recommends focusing on credential protections:

  • MFA should be required, not optional. While not foolproof, it's significantly better than passwords alone.
  • Scrutinize logins: Build additional protection around the use of cookies and session keys, perhaps using conditional access policies.
  • Focus on passphrases over complexity requirements: Encourage long passwords and credential protections on internal systems.
  • Deploy OS hardening for endpoint systems and domain controllers.

Instead of assuming all is lost ("assume compromise"), the report suggests a more constructive approach: "assume access, ready defenses." This means limiting an adversary's reach and implementing friction points like secondary authentication factors within your environment, tailored to the risk level of different users (administrators, employees, customers).
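"Assume access, ready defenses" and the earlier recommendation to scrutinize logins with conditional access come down to a policy: given what is known about a sign-in, decide whether to allow it, demand a fresh second factor, or refuse and revoke the session, with the thresholds differing by how much the identity can do. The following Python is an added example, not from the DBIR or the original post, of such a tiered policy as a small, data-driven rules table. The per-tier thresholds, the signal names, and the treatment of a session cookie presented from a new network as a token-theft indicator are all assumed illustrative choices.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    ADMIN = "admin"
    EMPLOYEE = "employee"
    CUSTOMER = "customer"


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # demand a fresh second factor before continuing
    DENY = "deny"        # refuse and revoke the session


@dataclass(frozen=True)
class SignIn:
    tier: Tier
    mfa_satisfied: bool       # a second factor was verified for this session
    device_managed: bool      # device is enrolled/compliant per the org's MDM
    known_location: bool      # network or geography seen before for this identity
    session_age_hours: float  # time since the session cookie was issued
    session_ip_changed: bool  # cookie presented from a network other than the issuing one


# Assumed per-tier thresholds (illustrative policy choices, not DBIR guidance):
# the more an identity can do, the shorter its session and the harsher its response
# to a session cookie turning up from somewhere it was not issued.
POLICY = {
    Tier.ADMIN:    {"mfa_always": True,  "managed_only": True,  "max_session_h": 8,   "ip_change": Decision.DENY},
    Tier.EMPLOYEE: {"mfa_always": True,  "managed_only": False, "max_session_h": 24,  "ip_change": Decision.STEP_UP},
    Tier.CUSTOMER: {"mfa_always": False, "managed_only": False, "max_session_h": 720, "ip_change": Decision.STEP_UP},
}


def evaluate(s: SignIn):
    """Return (Decision, reason). Checks run from hardest to softest so DENY wins."""
    p = POLICY[s.tier]
    if p["managed_only"] and not s.device_managed:
        return Decision.DENY, "tier requires a managed device"
    if s.session_ip_changed:
        # A replayed cookie from a new network is what AiTM and token theft look like in logs.
        return p["ip_change"], "session cookie presented from a different network"
    if s.session_age_hours > p["max_session_h"]:
        return Decision.STEP_UP, "session exceeded tier lifetime; re-authenticate"
    if not s.mfa_satisfied and (p["mfa_always"] or not s.known_location):
        return Decision.STEP_UP, "second factor required for this tier or location"
    return Decision.ALLOW, "within policy"


if __name__ == "__main__":
    # Constructed scenarios: a stolen admin cookie replayed elsewhere, and a customer
    # signing in from a new place without a second factor.
    for case in (
        SignIn(Tier.ADMIN, True, True, True, 1.0, True),
        SignIn(Tier.CUSTOMER, False, False, False, 1.0, False),
    ):
        decision, reason = evaluate(case)
        print(case.tier.value, decision.value, reason)
```

The ordering matters: device posture and cookie replay are evaluated before MFA, so a valid second factor does not rescue a session that is being driven from a network it was never issued to. Customers get the lightest touch (a second factor only when something is unfamiliar), employees always need MFA, and administrators additionally need a managed device and short sessions.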

Industry and Size Variations

While threat actors often target organizations pragmatically based on available data rather than size or industry, the report does examine industry-specific trends. For instance, Financial and Insurance is heavily targeted by financially motivated actors, with System Intrusion and Social Engineering as top patterns and ransomware and use of stolen credentials as key action varieties. The Manufacturing industry saw a stark rise in breaches and a notable increase in Espionage motive this year, with Internal data being the most commonly stolen type. Retail continues to see System Intrusion, Social Engineering, and BWAA as top patterns, with attackers increasingly targeting data other than payment card information, possibly due to improved payment security. Healthcare saw numerous high-profile breaches, with a significant angle involving compromised partners impacting large numbers of organizations and patients.

Regarding organization size, while large and small/medium businesses (SMBs) face a converging threat landscape, particularly with the rise of ransomware, the report notes that more than 90% of breached manufacturing organizations were SMBs. Ransomware groups don't discriminate based on size and are happy to breach smaller organizations, adjusting demands accordingly. The impact of an SMB breach can also be significant, as demonstrated by the National Public Data breach, which affected billions of records.

Emerging Threats and Mitigation

The report also touches on emerging threats, including the potential misuse of Generative AI (GenAI). While GenAI hasn't revolutionized the threat landscape yet, there's evidence of its use by state-sponsored actors for phishing and coding. One email security partner reported that the percentage of malicious AI-written emails doubled over the past two years. Another concern is data leakage to GenAI platforms, with 14% of employees routinely accessing these systems on corporate devices, often outside corporate policy. The proliferation of infostealers and the availability of stolen credentials also contribute to this risk, especially with BYOD practices.

Addressing the human element effectively requires more than just traditional training. While training on reporting phishing leads to a significantly higher report rate (roughly a fourfold relative increase among recently trained users), its impact on click rate is less pronounced. The long-term strategy should involve incentivizing employees to report suspected social attacks and automating the process to block offending emails and identify victims faster.

For Social Engineering, specific controls include:

  • Account Management: Establish and maintain an inventory of accounts and disable dormant ones.
  • Access Control Management: Require MFA for externally-exposed applications and remote network access.
  • Security Awareness Programs: Implement security awareness and skills training.
  • Incident Response Management: Designate personnel and establish processes and contacts for reporting incidents, especially for BEC.

Conclusion

The Verizon DBIR 2025 paints a clear picture: the threat landscape continues to evolve, but some challenges remain constant. The increasing reliance on third parties introduces significant risk that organizations must actively manage through careful vendor selection, robust security requirements, and comprehensive plans for dealing with partner incidents. The human element remains central to the majority of breaches, underscoring the need for continuous training, awareness, and controls that account for human interaction.

Patterns like System Intrusion, Basic Web Application Attacks, and Social Engineering continue to dominate, heavily driven by threats like Ransomware and the pervasive use of stolen credentials. While attackers are adapting their techniques, including the potential misuse of GenAI and evolving MFA bypass methods, many fundamental mitigation strategies remain crucial. Strong authentication (especially MFA), credential protection, regular patching, network segmentation, and effective security awareness programs are essential defenses.

The DBIR emphasizes that effective cybersecurity requires collaboration, organization, and information sharing within the industry. By leveraging reports like the DBIR and frameworks like VERIS, organizations can gain valuable insights into the threat landscape, prioritize their efforts, and build more resilient defenses against the challenges ahead.