X-Force Threat Intelligence Index Exposes How Cybercrime is Evolving

• The X-Force Threat Intelligence Index highlights the most important trends that can help an organization better assess risk factors, understand relevant trends, and bolster its security in 2020.

•   Phishing, using stolen credentials, and attacking known vulnerabilities are the top initial access vectors cybercriminals have relied on.

•   Organized cybercrimes have emerged as the biggest driver of ransomware becoming a prolific threat to organizations.

IBM Security releases the IBM X-Force Threat Intelligence Index annually, which summarizes the most prominent threats raised by our research teams from over the past year. The purpose is to provide both defensive and red teams with information that can help better secure their organizations.

Developing an effective cybersecurity strategy comes about as a difficult task, considering the volume of threats the security teams face off daily. Organizations depend on actionable threat intelligence to help them understand and mitigate risks to see through the flood of data and alerts. To make an effective decision for allocating resources to prevent costly breaches, ransomware, and destructive attacks, it might work for organizations to look at long-term trends.

The X-Force Threat Intelligence Index highlights the most important trends that can help an organization better assess risk factors, understand relevant trends, and bolster their security in 2020, by studying the trends that shaped the information security landscape in 2019.

Among the findings in this year’s X-Force Threat Intelligence Index, a few stand out:

• The most common attack vectors.

• The evolution of ransomware and malware.

• The risks posed by accidental breaches caused by factors such as misconfigurations, inadvertent insiders, and old, continually exploited software vulnerabilities.

New data from 2019 also showed a trend toward attacks on operational technology (OT), posing threats to industries such as energy and manufacturing.

Finally, this year’s report provides geographic insights to show how threats vary by country or region.

Top Initial Access Vectors

Now at a time when attackers have access to billions of compromised records over the last ten years, rampant credential reuse, and an ever-growing number of unpatched vulnerabilities attackers have taken the path of least resistance through several ways to gain access and compromise organizations’ security.

X-Force Threat Intelligence Index 2020 revealed that phishing attacks, unauthorized use of credentials and exploitation of vulnerabilities were the initial infection vectors most used by attackers. Out of the top attack vectors in 2019, 31 percent of attacks relied on phishing (down from about half of attacks in 2018). Meanwhile, the share of attacks using stolen credentials in 2019 was close behind at 29 percent and attacks on known vulnerabilities increased significantly as a share of the top attack vectors, up to 30 percent in 2019 versus 8 percent in 2018.

The evolution of ransomware and malware

The Ransomware threat evolved into an all-out digital hostage crisis in 2019. As a retaliation to non-payments against stolen credentials, cybercriminals are destroying company data or publishing it on the internet or threatening an even more destructive attack.

We are going through a natural evolution of cybercrime now much like street crime and other forms of crime that evolved over long periods of time consistent with population growth.

- Steve Morgan, Founder of Cybersecurity Ventures

Ransomware attacks have risen considerably last year. The attacks have almost doubled between the second half of 2018 (10%) and the first half of 2019 (19%). It has affected companies in a large variety of industries, in both the public and private sectors and 12 countries across the globe. Top targets for these attacks were retailers, manufacturing and transportation, sectors where downtime is detrimental to operations, which adds to the pressure to pay. Another potential reason could include the ease of exploitation of legacy systems and lax security programs in some sectors.

The threat to human lives was also evident in 2019 as Healthcare organizations also faced the wrath of ransomware with attacks on the industry affecting a large number of facilities.

In 2019, one of the biggest drivers of ransomware becoming a prolific threat to organizations was the move of organized cybercrime gangs from the banking Trojan realms into the enterprise attack arena.

Banking Trojan operators are already known to be professional, sophisticated attackers who operate as a business. These capabilities, combined with access to already-compromised networks and an ability to spread to pivotal assets, have given ransomware like Ryuk, DoppelPaymer, LockerGoga, Sodinokibi, and MegaCortex the ability to extort victimized organizations for millions of dollars. Those who did not pay up often faced arduous recovery processes that were no less costly or faster.

To reduce the profitability of high-stakes attacks and deter attackers in the long run, law enforcement continues to discourage companies from paying ransoms.

Of note in 2019 was code innovation in the malware arena. Attackers in this sphere constantly evolve their code to bypass security controls. According to data from Intezer, banking Trojans and ransomware showed the most innovation in their genetic code, with an increase in new (previously unobserved) code from 2018 to 2019. Some 45 percent of banking Trojan code was new in 2019, compared to 33 percent in 2018, while 36 percent of ransomware code was new in 2019, compared to 23 percent in 2018.

READ MORE: New ransomware hitting industrial control systems like a nuclear bomb

Misconfigurations and Insider Threats Expose Billions of Records

It was a big year for lost data with over 8.5 billion records leaked or compromised in 2019.

The analysis found that 86% of the 8.5 billion records breached in 2019 were compromised via misconfigured assets, including cloud servers and a variety of other systems. In 2018, the same issues affected only half of the record breached. It shows that the compromises could have been averted. As organizations move to the cloud, security must remain a high priority, especially when it comes to proper configuration, access rights and privileged account management (PAM).

The more the records are exposed, the more credentials are up for grab which can be used as an initial entry point into businesses. It is high time for organizations to pay closer attention to these potential security gaps and favor automation to limit human error and misconfiguration.

READ MORE: The biggest threat to your organization’s data: an insider

Other Highlights From the Report

OT attacks hit an all-time high

Malicious activity targeting operational technology assets, most notably industrial control systems (ICS), increased 2000 percent year-over-year in 2019, marking the largest number of attempted attacks on ICS and OT infrastructure in three years.

Tech and social media giants were the top spoofed brands in 2019

Among the top 10 spoof brands, Google and YouTube domains topped the list with nearly 60%, followed by Apple (15%) and Amazon (12%). Facebook, Instagram, Netflix, and Spotify were also among the top 10 spoofed brands. With nearly 10 billion accounts combined, the top 10 spoofed brands listed in the report offer attackers a wide target pool, increasing the likelihood of credential theft and account takeover.

North America and Asia were the most targeted regions

For the first time this year, the X-Force Threat Intelligence Index included geo-centric insights on the threat trends we’ve seen on a regional basis. North America and Asia suffered the largest data losses, having seen 5 billion and 2 billion records compromised, respectively.

Even organizations with a mature security posture and robust mitigation practices and solutions in place may be susceptible to a cyber incident.

Knowing how to remediate after responding to a cyber-attack and shutting down the source of the compromise is a crucial piece of the recovery process.

- X-Force Threat Intelligence Index

It can impact how quickly normal business operations resume. The remediation process is both a technical and non-technical process it also can be an emotional one.

At the onset of a crisis, teams typically work 24/7 until they can recover critical areas of the business and get most processes back online according to a predetermined business continuity plan, disaster recovery plan, and business priorities at the time of the incident.

Once the crisis has subdued and business-as-usual has resumed, however, “lessons learned” discussions should begin to take place and be documented.