
Verizon DBIR: Cyber Defenders Are Facing Exploit Fatigue

Experts Warn That Human Failures Have Led to Surge in Successful Zero-Day Exploits

Cyber defenders and security engineers are suffering from fatigue caused by a surge in hackers exploiting zero-day vulnerabilities, Verizon executives said following the release of the company's 2024 Data Breach Investigations Report.


The Wednesday report shows a 180% increase in successful cyberattacks targeting known flaws to gain initial access into victim networks between Nov. 1, 2022, and Oct. 31, 2023. Verizon researchers based their findings on 30,458 real-world security incidents, including 10,626 confirmed data breaches (see: Tracking Data Breaches: Targeting of Vulnerabilities Surges).

"Fatigue has set in over the last year for both cyber defenders and engineers," Verizon Business CISO Nasrin Rezai said Wednesday at an event on the 2024 DBIR held in Washington, D.C. "So what can we do [for] cyber defenders? Make it more automated, give them more analytics, and give them more risk-based methods by which they can prioritize."

Human error was a factor in at least 28% of assessed security incidents, the report says, and two-thirds of confirmed breaches targeted humans in addition to systems and networks. The researchers found that it takes cyber defenders nearly 55 days on average to mitigate 50% of critical vulnerabilities once patches become available, while attackers need just five days to start exploiting n-day vulnerabilities.

The report attributes the numerical increase in zero-day exploit attacks partially to the Clop ransomware group's mass exploitation of a major vulnerability found in Progress Software's MOVEit secure file transfer tool in 2023. The full impact of the largest hack of the previous year still remains unknown, but the latest analysis from security firm Emsisoft says that Clop directly or indirectly affected 2,770 organizations and exposed data pertaining to 95 million individuals.

Rezai said organizations should consider leveraging emerging technologies and artificial intelligence tools to streamline the patch management process, shorten the window of vulnerability and enhance their overall cybersecurity postures.

"We continue to see the human element playing a substantial role in the breach landscape," said Chris Novak, senior director of cybersecurity consulting for Verizon Business. Novak said that at least two-thirds of all breaches included some form of human involvement.

"A lot of these are things like inadvertent accidental errors," he said. "It may also be tied to things like social engineering attacks, where individuals are just tricked and fooled into doing something that they shouldn't."

About the Author

Chris Riotta


Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
