

Credential and Secrets Theft: Insights from the 2024 Verizon Data Breach Report

Stolen identity data remains part of a large percentage of breaches, according to the annual landmark report.

Data breaches. We all know the drill by now because they happen so often: compromised systems, sensitive data exposed, and a scramble for damage control. 

The 2024 Verizon Data Breach Investigations Report (DBIR) offers an in-depth analysis of these persistent threats, highlighting the ongoing challenges and emerging trends. This year’s report, based on 30,458 security incidents and 10,626 confirmed data breaches, provides critical insights into the vulnerabilities that organizations face, particularly focusing on the significant risks associated with credential and secrets management.

Credential and secrets theft continues to play a major role in breaches. While the DBIR does not distinguish between human and non-human credentials, it clearly underscores the importance of protecting all types of identifying data. 

Credentials as a percentage of data compromised in breaches varied depending on the type of attack and the industry involved. For example, 71% of all data compromised in “basic web application attacks” were credentials. Fifty percent of data compromised in incidents involving accommodation and food services companies were credentials, 28% in manufacturing, and 22% in financial and insurance.

Humans are often involved in these breaches, whether through misconfigurations, poor management practices, or accidental exposure. In fact, the DBIR reports that 74% of breaches involved the human element, which can directly or indirectly lead to the compromise of both human and non-human credentials and secrets.

Credentials are not only the pot of gold at the end of the rainbow for attackers; they also serve as a means to an end. The report breaks down the methods attackers use to compromise systems: Phishing was involved in 36% of breaches, often leading to the theft of credentials and secrets. Credential theft itself was directly involved in 24% of breaches. Vulnerability exploitation, meanwhile, was still significant, involved in 13% of breaches. These findings highlight the diverse strategies attackers employ and the importance of a multi-faceted security approach.

Given these findings, it is crucial for DevSecOps teams to understand the current threat landscape and adopt comprehensive security measures. Below are key highlights from the DBIR and practical tips to help secure credentials and secrets to mitigate risks.

Key DBIR Findings on Credential and Secrets Management Relevant for DevSecOps Professionals

High Incidence of Credential-Related Breaches

Credentials, both human and non-human, are a major vulnerability. The report shows that the use of stolen credentials was involved in 77% of breaches within the basic web application attacks pattern. This pattern includes attacks targeting web applications through methods such as SQL injection, cross-site scripting (XSS), and exploiting vulnerabilities to steal credentials. Additionally, the exploitation of credentials and secrets was involved in 24% of all breaches, making it one of the top vectors for system intrusions. This underscores the critical need to secure these credentials and secrets to prevent unauthorized access.

Exploitation of Vulnerabilities in Applications

Attackers frequently exploit vulnerabilities in applications to gain access to credentials and secrets. The DBIR indicates that 13% of breaches were due to the exploitation of public-facing applications. For DevSecOps teams, this means ensuring rigorous application security testing and timely patch management to close these exploitable gaps.

Credential Stuffing and Brute Force Attacks

Credential stuffing and brute force attacks remain effective tactics. Credential stuffing, which uses previously breached username and password combinations, was a key tactic in 21% of breaches. These attacks highlight the importance of implementing strong, unique passwords and protecting all credentials and secrets, including those used by non-human workloads.
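The two attack shapes described above look different in authentication logs, which matters for response. The following Python is an added example, not taken from the DBIR or the original article; the log format, addresses and thresholds are constructed assumptions. It separates a source that tries many accounts once (stuffing) from one that hammers a single account (brute force), and lists accounts that logged in successfully from a flagged source.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed auth events: '<timestamp> <source_ip> <username> <OK|FAIL>'."""
    lines = []
    for i in range(12):  # one try each against 12 accounts: stuffing shape
        result = "OK" if i == 5 else "FAIL"
        lines.append(f"2024-06-01T10:00:{i:02d}Z 198.51.100.7 user{i} {result}")
    for i in range(12):  # 12 tries against one account: brute-force shape
        lines.append(f"2024-06-01T10:05:{i:02d}Z 203.0.113.9 admin FAIL")
    # A legitimate user who mistypes once, then logs in.
    lines.append("2024-06-01T10:07:00Z 192.0.2.10 carol FAIL")
    lines.append("2024-06-01T10:07:09Z 192.0.2.10 carol OK")
    return lines

def classify_sources(lines, min_failures=10, spread_ratio=0.8):
    """Flag noisy sources; thresholds are illustrative assumptions to tune."""
    stats = defaultdict(
        lambda: {"attempts": 0, "fails": 0, "users": set(), "ok": set()}
    )
    for line in lines:
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["ok"].add(user)
    findings = {}
    for ip, s in stats.items():
        if s["fails"] < min_failures:
            continue  # ordinary typos stay below the threshold
        # Stuffing spreads attempts across many accounts; brute force
        # concentrates them on a few.
        spread = len(s["users"]) / s["attempts"]
        kind = "credential_stuffing" if spread >= spread_ratio else "brute_force"
        # A login that succeeded from a flagged source is a likely
        # compromised account: reset its credential and revoke sessions.
        findings[ip] = {"kind": kind, "reset": sorted(s["ok"])}
    return findings

if __name__ == "__main__":
    for ip, finding in classify_sources(build_sample_log()).items():
        print(ip, finding)
```

In production, evaluate these counts per sliding time window and also aggregate by username, because stuffing campaigns are often spread across many source addresses.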

Supply Chain Vulnerabilities

There was a significant rise in supply chain attacks, often involving third-party services and applications. These attacks accounted for 15% of all incidents, reflecting the interconnected nature of modern business operations and the vulnerabilities introduced by third-party integrations. DevSecOps teams must ensure that their partners and vendors adhere to robust security practices to protect shared credentials and secrets.

Industry-Specific Impacts and Best Practices

The impact of credential and secrets breaches varies by industry. The financial and insurance sectors, in particular, reported high incidences of such breaches, demonstrating the need for industry-specific security strategies. DevSecOps professionals should tailor their security measures to address the specific threats faced by their industry, incorporating lessons learned from sectors with high breach incidences.

Practical Tips for Avoiding Credential and Secrets Loss

For DevSecOps professionals, protecting non-human credentials and secrets is crucial. Here are some practical tips.

1) Regularly Rotate and Manage Credentials and Secrets

Regular rotation reduces the window of opportunity for attackers to use stolen credentials and secrets. Automation ensures this process is consistent and not prone to human error.

2) Monitor and Audit Credential and Secrets Use

Real-time monitoring and periodic audits help detect unusual or unauthorized access patterns, allowing for prompt response to potential breaches.

3) Limit Privileges and Access

Restricting access rights to the minimum necessary reduces the impact of compromised credentials and secrets. If an account is compromised, the attacker’s access is limited to only what is essential for that account’s function.

4) Use Dedicated Secrets Management Solutions

These tools securely store and manage sensitive information, ensuring that credentials and secrets are not hard-coded in applications or scripts where they can be easily exposed.

5) Ensure Secure Development Practices

Automated security checks during the development lifecycle help identify and remediate vulnerabilities related to credential and secrets handling before they reach production.

6) Implement Workload Identity and Access Management (IAM)

Secrets managers handle storing and releasing secrets, completing their role once secrets reach client applications. Workload IAM, however, ensures each workload has a unique identity and manages access accordingly. It provides continuous, context-aware authorization and automates authentication within applications, freeing developers to focus on features and reducing tech debt. Unlike secrets managers, Workload IAM addresses the full lifecycle of workload identities, offering a comprehensive and secure way to manage access for applications, scripts, and services. 

To download a copy of the 2024 Data Breach Investigations Report, visit here
