Verizon DBIR: 'Shockingly Low' Gen AI Usage in Cybercrime

The rise of generative AI-fueled cybercrime appears significantly overstated, according to data breach researchers from Verizon.

The carrier on Wednesday unveiled its Data Breach Investigations Report, which analyzes 10,626 confirmed data breaches to understand the how the threat landscaping is evolving. The latest Verizon DBIR shows that vulnerability exploitation as a method for criminals to attack companies with ransomware and extortion grew 180% in 2023.

The 100-page Verizon DBIR document is a rich read, with a variety of angles, including a brief aside from Verizon's Threat Research Advisory Center team about the role of generative artificial intelligence in cybercrime.

Tempering Gen AI Hype

Tech leaders – especially cybersecurity vendors – have proclaimed publicly that cybercriminals are using malevolent large language models (LLM) to more efficiently code ransomware. The trend has often been framed as an arms race where the good guys and bad guys seek to use generative AI more effectively than the other.

The Verizon DBIR poured a bit of cold water on that picture. According to the Verizon Threat Research Advisory Center team, "nothing materialized" in its search to identify an emerging role of generative AI in attacks.

"Despite the pressure from a vocal minority of the cybersecurity community, it seems that the DBIR team will not be adding 'Evil AGI' to the VERIS actor enumerations in 2024," the Verizon's Threat Research Advisory Center team wrote in the report.

The report authors said their survey of criminal forums found plentiful mentions of generative AI. But rarely were criminals linking the technology to their actual attack mechanisms.

"The number of mentions of gen AI terms alongside traditional attack types and vectors such as 'phishing,' 'malware,' 'vulnerability' and 'ransomware' were shockingly low, barely breaching 100 cumulative mentions over the past two years," the Verizon DBIR authors wrote.

Source: Verizon DBIR

The authors acknowledged that the content creation capabilities of LLMs could certainly help with building nefarious tools. But they questioned exactly how useful gen AI will be to cybercriminals.

"If you extrapolate the commonly understood use cases of gen AI technology, it could potentially help with the development of phishing, malware and the discovery of new vulnerabilities in much the same way it helps your 10th grader writes that book report for school or your average AI social media influencer pretends to create a website by taking a picture of a drawing on a napkin. But would this kind of assistance really move the needle on successful attacks?" the report asked.

The authors said many social engineering attacks involve unsophisticated phishing or pretexting that threat actors could very well perform on their own.

"From our perspective, the threat actors might well be experimenting and trying to come up with gen AI solutions to their problems. There is evidence being published of leveraging such technologies in 'learning how to code' activities by known state-sponsored threat actors. But it really doesn’t look like a breakthrough is imminent or that any attack-side optimizations this might bring would even register on the incident response side of things," they said.

The authors did note an exception for deepfake-esque technology that fueled reports of fraud and non-consensual pornography creation.

You can find the discussion of generative AI on page 17 of the report.

Verizon DBIR: Internal Actors Proliferate

Internal actors accounted for 35% of data breaches in 2023, up from 20% the year prior. However, 73% of internal threat actors had actually just committed an error.

"... It showcases one longstanding suspicion of the team that mandatory breach disclosure at scale will help us better understand how mundane and preventable some of those incidents can be," Verizon wrote.

Source: Verizon DBIR

The third category – partners – continued to account for only a tiny portion of threat actors. However, 15% of breaches involved a third-party entity or supplier. That includes "software supply chains, hosting partner infrastructures or data custodians."