X-Force Threat Intelligence Index Exposes How Cybercrime is Evolving

securityintelligence | February 11, 2020

  • The X-Force Threat Intelligence Index highlights the most important trends that can help an organization better assess risk factors, understand relevant trends, and bolster its security in 2020.

  • Phishing, using stolen credentials, and attacking known vulnerabilities are the top initial access vectors cybercriminals have relied on.

  • Organized cybercrime has emerged as the biggest driver of ransomware becoming a prolific threat to organizations.

IBM Security releases the IBM X-Force Threat Intelligence Index annually; it summarizes the most prominent threats our research teams observed over the past year. The purpose is to provide both defensive and red teams with information that can help them better secure their organizations.



Developing an effective cybersecurity strategy is a difficult task, considering the volume of threats security teams face daily. Organizations depend on actionable threat intelligence to help them understand and mitigate risks and to see through the flood of data and alerts. To make effective decisions about allocating resources to prevent costly breaches, ransomware, and destructive attacks, it helps organizations to look at long-term trends.



The X-Force Threat Intelligence Index highlights the most important trends that can help an organization better assess risk factors, understand relevant trends, and bolster its security in 2020, by studying the trends that shaped the information security landscape in 2019.

 

Among the findings in this year’s X-Force Threat Intelligence Index, a few stand out:

• The most common attack vectors.

• The evolution of ransomware and malware.

• The risks posed by accidental breaches caused by factors such as misconfigurations, inadvertent insiders, and old, continually exploited software vulnerabilities.



New data from 2019 also showed a trend toward attacks on operational technology (OT), posing threats to industries such as energy and manufacturing.



Finally, this year’s report provides geographic insights to show how threats vary by country or region.



Top Initial Access Vectors


At a time when attackers have access to billions of records compromised over the last ten years, rampant credential reuse, and an ever-growing number of unpatched vulnerabilities, they have taken the path of least resistance, using several routes to gain access and compromise organizations’ security.



The X-Force Threat Intelligence Index 2020 found that phishing attacks, unauthorized use of credentials and exploitation of vulnerabilities were the initial infection vectors attackers used most. Of the top attack vectors in 2019, 31 percent of attacks relied on phishing (down from about half of attacks in 2018). The share of attacks using stolen credentials in 2019 was close behind at 29 percent, and attacks on known vulnerabilities increased significantly as a share of the top attack vectors, to 30 percent in 2019 from 8 percent in 2018.



The Evolution of Ransomware and Malware

The ransomware threat evolved into an all-out digital hostage crisis in 2019. When victims refuse to pay, cybercriminals retaliate by destroying company data, publishing the stolen data on the internet, or threatening an even more destructive attack.



We are going through a natural evolution of cybercrime now, much like street crime and other forms of crime that evolved over long periods of time consistent with population growth.

- Steve Morgan, Founder of Cybersecurity Ventures

Ransomware attacks rose considerably last year, almost doubling between the second half of 2018 (10%) and the first half of 2019 (19%). They affected companies in a wide variety of industries, in both the public and private sectors, and in 12 countries across the globe. Top targets for these attacks were retailers, manufacturing and transportation, sectors where downtime is detrimental to operations, which adds to the pressure to pay. Another potential reason could be the ease of exploiting legacy systems and lax security programs in some sectors.



The threat to human lives was also evident in 2019, as healthcare organizations faced the wrath of ransomware, with attacks on the industry affecting a large number of facilities.



In 2019, one of the biggest drivers of ransomware becoming a prolific threat to organizations was the move of organized cybercrime gangs from the banking Trojan realms into the enterprise attack arena.



Banking Trojan operators are already known to be professional, sophisticated attackers who operate as a business. These capabilities, combined with access to already-compromised networks and an ability to spread to pivotal assets, have given ransomware like Ryuk, DoppelPaymer, LockerGoga, Sodinokibi, and MegaCortex the ability to extort victimized organizations for millions of dollars. Those who did not pay up often faced arduous recovery processes that were neither less costly nor faster.



To reduce the profitability of high-stakes attacks and deter attackers in the long run, law enforcement continues to discourage companies from paying ransoms.



Of note in 2019 was code innovation in the malware arena. Attackers in this sphere constantly evolve their code to bypass security controls. According to data from Intezer, banking Trojans and ransomware showed the most innovation in their genetic code, with an increase in new (previously unobserved) code from 2018 to 2019. Some 45 percent of banking Trojan code was new in 2019, compared to 33 percent in 2018, while 36 percent of ransomware code was new in 2019, compared to 23 percent in 2018.



Misconfigurations and Insider Threats Expose Billions of Records


It was a big year for lost data with over 8.5 billion records leaked or compromised in 2019.



The analysis found that 86% of the 8.5 billion records breached in 2019 were compromised via misconfigured assets, including cloud servers and a variety of other systems. In 2018, the same issues affected only half of the records breached. This shows that the compromises could have been averted. As organizations move to the cloud, security must remain a high priority, especially when it comes to proper configuration, access rights and privileged account management (PAM).



The more records are exposed, the more credentials are up for grabs that can be used as an initial entry point into businesses. It is high time for organizations to pay closer attention to these potential security gaps and favor automation to limit human error and misconfiguration.
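One way to act on that recommendation is to review an exported asset inventory automatically instead of eyeballing console settings. The checker below is an added example written for this article, not code from the X-Force report or from IBM. It works on a constructed, provider-neutral model of a storage bucket and an IAM-style role (the field names `public_access_block`, `mfa_required`, `principal` and `actions` are assumptions for illustration, not any cloud provider's real schema), flags the class of weaknesses behind most of the breached records discussed above (anonymous principals, public access not blocked, wildcard privileges, privileged roles without MFA), and shows the corrected configuration passing the same checks.

```python
"""Automated misconfiguration review over a constructed cloud asset inventory.

Added example for this article, not code from the X-Force report or from IBM.
The asset records use a constructed, provider-neutral schema: a storage
bucket and an IAM-style role as a team might export them for review."""
from dataclasses import dataclass

# Constructed inventory with the kinds of weak settings that expose records:
# a bucket readable by everyone and an over-privileged service role.
WEAK_ASSETS = [
    {"type": "bucket", "name": "customer-exports", "public_access_block": False,
     "policy": {"statements": [
         {"effect": "Allow", "principal": "*", "actions": ["storage:GetObject"]}]}},
    {"type": "role", "name": "etl-service", "mfa_required": False,
     "policy": {"statements": [
         {"effect": "Allow", "principal": "etl-service", "actions": ["*"]}]}},
]

# The same two assets after correction: a named principal, public access
# blocked, a scoped action list and MFA enforced on the role.
HARDENED_ASSETS = [
    {"type": "bucket", "name": "customer-exports", "public_access_block": True,
     "policy": {"statements": [
         {"effect": "Allow", "principal": "etl-service", "actions": ["storage:GetObject"]}]}},
    {"type": "role", "name": "etl-service", "mfa_required": True,
     "policy": {"statements": [
         {"effect": "Allow", "principal": "etl-service",
          "actions": ["storage:GetObject", "storage:ListBucket"]}]}},
]

@dataclass(frozen=True)
class Finding:
    asset: str   # name of the asset the finding applies to
    rule: str    # short rule identifier, stable for alerting or ticketing
    detail: str  # human-readable explanation

def _allow_statements(asset):
    """Return only statements that grant access; deny statements never widen exposure."""
    return [s for s in asset.get("policy", {}).get("statements", [])
            if s.get("effect") == "Allow"]

def check_bucket(asset):
    """Flag storage buckets exposed to anonymous principals or lacking a public-access block."""
    findings = []
    for stmt in _allow_statements(asset):
        if stmt.get("principal") == "*":
            findings.append(Finding(asset["name"], "public-principal",
                                    f"grants {stmt.get('actions')} to any principal"))
    if not asset.get("public_access_block", False):
        findings.append(Finding(asset["name"], "no-public-access-block",
                                "public access block is disabled"))
    return findings

def check_role(asset):
    """Flag privileged roles that violate least privilege or can be used without MFA."""
    findings = []
    for stmt in _allow_statements(asset):
        if "*" in stmt.get("actions", []):
            findings.append(Finding(asset["name"], "wildcard-actions",
                                    "allows every action instead of a scoped list"))
    if not asset.get("mfa_required", False):
        findings.append(Finding(asset["name"], "no-mfa",
                                "privileged role can be assumed without MFA"))
    return findings

CHECKS = {"bucket": check_bucket, "role": check_role}

def audit(assets):
    """Run every applicable check; unknown asset types are reported, never silently skipped."""
    findings = []
    for asset in assets:
        check = CHECKS.get(asset.get("type"))
        if check is None:
            findings.append(Finding(asset.get("name", "<unnamed>"), "unknown-asset-type",
                                    f"no check implemented for type {asset.get('type')!r}"))
            continue
        findings.extend(check(asset))
    return findings

if __name__ == "__main__":
    for label, assets in (("weak", WEAK_ASSETS), ("hardened", HARDENED_ASSETS)):
        results = audit(assets)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.rule}] {f.asset}: {f.detail}")
```

Running the script reports four findings for the weak inventory and none for the hardened one. The stable `rule` identifiers are what make the check useful as automation: they can gate a deployment pipeline or feed a ticket queue, so a misconfiguration is caught by a machine before a human has to notice it.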



Other Highlights From the Report


OT attacks hit an all-time high


Malicious activity targeting operational technology assets, most notably industrial control systems (ICS), increased 2000 percent year-over-year in 2019, marking the largest number of attempted attacks on ICS and OT infrastructure in three years.



Tech and social media giants were the top spoofed brands in 2019


Among the top 10 spoofed brands, Google and YouTube domains topped the list with nearly 60%, followed by Apple (15%) and Amazon (12%). Facebook, Instagram, Netflix, and Spotify were also among the top 10 spoofed brands. With nearly 10 billion accounts combined, the top 10 spoofed brands listed in the report offer attackers a wide target pool, increasing the likelihood of credential theft and account takeover.



North America and Asia were the most targeted regions


For the first time this year, the X-Force Threat Intelligence Index included geo-centric insights on the threat trends we’ve seen on a regional basis. North America and Asia suffered the largest data losses, having seen 5 billion and 2 billion records compromised, respectively.



Even organizations with a mature security posture and robust mitigation practices and solutions in place may be susceptible to a cyber incident.



Knowing how to remediate after responding to a cyber-attack and shutting down the source of the compromise is a crucial piece of the recovery process.

- X-Force Threat Intelligence Index

It can affect how quickly normal business operations resume. The remediation process is both a technical and a non-technical process; it can also be an emotional one.



At the onset of a crisis, teams typically work 24/7 until they can recover critical areas of the business and get most processes back online according to a predetermined business continuity plan, disaster recovery plan, and business priorities at the time of the incident.



Once the crisis has subsided and business-as-usual has resumed, however, “lessons learned” discussions should begin to take place and be documented.



Other News

PLATFORM SECURITY

Swimlane Extends Cloud-Based Security Automation into APJ Amid Momentous Growth in Region

Swimlane | April 19, 2022

Swimlane, the leader in low-code security automation, today announced the general availability of Swimlane Cloud in the Asia-Pacific Japan (APJ) region. This deployment is further evidence of Swimlane’s continued commitment to empowering APJ customers to enable new use cases previously not possible with traditional security orchestration, automation and response (SOAR). This includes unlocking the use of automation beyond the SOC, where Swimlane serves as the system-of-record for the entire security organization.

Meeting the APJ Staffing Shortage Head-On with Swimlane Cloud

The APJ region faces a significant cybersecurity talent shortage with an estimated 2.045 million open cybersecurity roles, accounting for 66% of the total global shortage, signaling the struggle to find qualified, skilled professionals to handle increasing security alerts. Without automation, these overburdened security administrators must manually perform repetitive and time-consuming tasks needed to track, mitigate and resolve security events across multiple security platforms. Despite significant time investments, security teams cannot realistically analyze and adequately prioritize security alerts and events at the rate necessary to protect networks.

“In order to mature our security operations, we knew it was necessary to advance how we monitor and respond to threat intelligence by taking a more proactive approach to security operations,” said Tanajak Watanakij, CISO, R V Connex. “With our existing talent pool, we turned to Swimlane’s low-code security automation offering to create a centralized system of record for our Security Operations Center (SOC) and remove dependencies on a host of manual processes. Swimlane’s interactive dashboards and automated, easily customizable workflows reduced our mean time to respond and ultimately helped us ensure continuous compliance and prevent breaches across the entire R V Connex Corporation and our MSSP customers.”

“Security teams across APJ need solutions that reduce the manual operations needed to respond to security threats and speed up incident response. We are a customer-focused company with a powerful platform for helping companies ease the burden security teams face daily. Swimlane is fully dedicated to supporting the region’s ongoing cybersecurity challenges through the adoption of low-code security automation.”

- Johan Wikenstedt, Vice President of Asia Pacific and Japan (APJ) for Swimlane

Demand for Low-Code Automation Continues to Climb

Swimlane’s current product initiatives in APJ continue to drive regional market traction highlighted by:

• 173% revenue growth of regional presence in the past four months, with more than 7x revenue growth in the past 6 months.

• 142% growth of regional employee headcount in the past six months.

• New sales offices established in Australia, Malaysia and South Korea.

• Net-new customer adoption in Australia, Bangladesh, India, Japan, Malaysia, Philippines, Singapore, Thailand, and New Zealand.

• Vertical expansion of customer adoption across banking, technology, financial services, government, MSSP, and manufacturing industries.

• 8 new go-to-market partners established in the region.

Lumen Technologies turned to Swimlane after experiencing a rapid period of growth that challenged the company’s security team to capacity. Swimlane’s low-code security automation platform allowed the organization to maintain the integrity of its security operations and quickly adapt to business growth across its SecOps infrastructure. Within the first quarter of implementing the solution, Lumen achieved a 30% automation level. Today, 70% of security events hitting the Security Operations Center (SOC) can be fully automated without human intervention.

“Swimlane was a partner from the start, helping us ensure the solution was easy to manage and operate and providing technical support whenever we needed,” said Wai Kit Cheah, Director of the Security Practice at Lumen Technologies. “With Swimlane’s robust automation engine, events can be processed from any source, enabling our security team to integrate security automation with user and entity behavior analytics (UEBA) and third-party threat intelligence feeds. This allowed us to achieve a holistic look at our ecosystem and has quickly made Swimlane’s platform an essential component of our SOC.”

Swimlane Medley Partner Program Expands to Malaysia

Swimlane has invested significantly in Malaysia due to the region’s robust national cybersecurity strategy and world-class talent. As part of its growth in the region, Swimlane recently announced a partnership with CyberSecurity Malaysia, the national cyber security specialist agency under the purview of the Ministry of Communications and Multimedia Malaysia (KKMM), to assist the organization on its mission to build a more resilient cyber ecosystem throughout Malaysia.

“Our strategic partnership with Swimlane comes at an exciting time for CyberSecurity Malaysia as we seek to elevate a strategic cybersecurity vision for the region,” said Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “Together, Swimlane and Cybersecurity Malaysia will leverage our combined experience, capabilities, and products to deliver innovative cybersecurity solutions across Malaysia and ensure companies in the region have access to the world’s most-capable low-code automation technology to safeguard their networks and data.”

Join Swimlane at the SecOps Automation Summit 2022

Swimlane will hold the SecOps Automation Summit 2022 in South Korea, Malaysia and Australia in late April and early May. Presenters include Co-Founder and Chief Strategy Officer Cody Cornell and other members of the Swimlane team, along with various current partners and customers, to explore new and future innovations in the dynamic field of security automation. To learn more about the summit and Swimlane’s expansion in the APJ region, visit https://swimlane.com/swimlane-helps-address-asia-pacifics-security-skills-shortage.

About Swimlane

Swimlane is the leader in cloud-scale, low-code security automation. Supporting use cases beyond SOAR, Swimlane improves the ease with which security teams can overcome process and data fatigue, as well as chronic staffing shortages. Swimlane unlocks the potential of automation beyond the SOC by delivering a low-code platform that serves as the system-of-record for the entire security organization and enables anyone within the organization to contribute their knowledge and expertise to the protection of the organization.


SOFTWARE SECURITY

Criminal IP New Cybersecurity Search Engine launches first beta test

AI Spera | April 12, 2022

AI Spera announced Criminal IP, a new cybersecurity platform, today. Criminal IP is a total Cyber Threat Intelligence (CTI) search engine intended to identify potential vulnerabilities that threaten companies' or individuals' IT assets. It also offers a new way to manage them comprehensively by allowing users to find results for malicious IP addresses, malicious domains, phishing sites, forged certificates, all IT assets, and other security-related information immediately.

The company has been recruiting beta service testers and plans to operate the beta service for three months from April 28. Testers pre-registering for the beta service will be given a three-month free license, and if testers participate in the service survey, they can receive an additional one-month free license as a reward.

Criminal IP visualizes all IT assets connected to the Internet based on IP addresses held by companies and individuals. This allows users to see the details of their assets at a glance, from DB servers, file servers, middleware servers and administrator servers as well as malicious sites, and easily spot the assets exposed to the attack surface. The solution also provides all possible information about domains in real time, including network logs, used programming technologies and security-related information, without having to directly access websites. Analyzing this information with AI/machine learning technology, it shows an overall score of the domain and a DGA (Domain Generation Algorithm) score in five stages (Critical, Dangerous, Moderate, Low, Safe), allowing users to determine and respond to threats. Users can prevent security problems in advance by searching for vulnerabilities in IT assets and identifying cyber attackers' attack points for attack surface management purposes through Criminal IP data. In addition, everything that has happened to a particular IP address can be recorded like a criminal record to track malicious behavior of an IP address.

"Above all, this platform is the ultimate comprehensive solution that maximizes user's convenience by providing all CTI information distributed by different solutions in one place. In hopes that Criminal IP can be used in a variety of areas to defend against evolving cyber threats, including education and research, corporate security teams, white hackers, state agencies, and cybercrime investigations, we decided to operate free beta services to receive feedback on product improvement."

- Byungtak Kang, CEO at AI Spera

Features and benefits of Criminal IP include:

• providing a wide range of cyber threat information, including malicious IPs, C&C domains, various domain information, threat intelligence images and CVEs, which map IP & domain scoring algorithms and various threat information based on big data on 4.2 billion IP addresses and billions of domain addresses worldwide

• analyzing all possible details about domains including screenshots, domain category, whois information, used technologies, connected IP addresses, page redirections, certificates, network logs, cookies as well as interesting security-oriented features like possible malicious contents and replicated phishing domains with an overall score of the domain and a DGA (Domain Generation Algorithm) score

• searching and updating global IP addresses and domains 24/7 to extract applications and services in use, and providing information on security vulnerabilities of IT assets to enable real-time automatic attack surface management

• offering straightforward search results based on a wide range of specific search filters so that users can conveniently access the right information they need

About AI Spera

AI Spera is a fast-growing company in the field of cyber threat intelligence. Based on AI and Machine Learning technology, the company focuses on detection of anomalies and data-oriented security solutions. The company supports as many corporates, security developers and researchers as possible to view the attack surface through the eyes of an attacker and provide various AI-based intelligence security solutions across industries including online games, financial, security and national institutions.


SOFTWARE SECURITY

ConnectWise Amplifies MSP Cyberattack Defense with Incident Response Service

ConnectWise | April 20, 2022

ConnectWise, the world’s leading software company dedicated to the success of IT solution providers, today announced a new service offering designed to help MSPs and their clients rapidly respond to attacks and recover from security incidents. The ConnectWise Incident Response Service provides direct, around-the-clock access to a team of expert cybersecurity analysts to provide immediate assistance to assess, contain and remediate threats to minimize impact and business disruption.

According to the 2022 ConnectWise MSP Threat Report, there was a 10-15% increase in ransomware incidents by quarter in 2021, with 56% of all incidents occurring in the second half of the year. When it comes to cyberattacks, preparation is the best prevention for MSPs that are increasingly becoming targets of threat actors. For MSPs and their clients that often lack resources to properly respond to incidents, the ConnectWise Incident Response Service provides an immediate life-line to skilled cybersecurity experts that accelerate incident resolution and help avoid mistakes that can be costly to business operations.

“With a talent shortage, more sophisticated threat actors and more technologies to protect, cybersecurity incidents can quickly overwhelm an MSP and their end client and jeopardize protection of their client’s critical assets. Every second counts in a cyberattack, so having a team of security experts at a moment’s notice is a game-changing force multiplier for an MSP’s successful delivery of cybersecurity services. With this service, MSPs can confidently turn to ConnectWise to gain swift understanding and control of the situation to eradicate threats and prevent costly downtime.”

- Raffael Marty, General Manager, Cybersecurity, ConnectWise

The ConnectWise Incident Response Service also aids in the recovery process with forensic examination of system data, user activity and artifacts of digital evidence to determine the extent of compromise and identify which threat actor might be involved. The ConnectWise Incident Response Service is available today to both ConnectWise partners and non-partners.

About ConnectWise

ConnectWise is the world's leading software company dedicated to the success of IT solution providers through our unmatched software, services, community. ConnectWise’s innovative, integrated, and security-centric platform – Asio™ - provides unmatched flexibility, automation, and scale that fuels profitable, long-term growth for our Partners. ConnectWise equips TSPs with cybersecurity solutions, unified monitoring and management solutions, and business automation solutions—all while providing industry-leading operational maturity offerings to accelerate business transformation.


NETWORK THREAT DETECTION

SecurityScorecard Ignites European Adoption of Security Ratings Through Partnership with Exclusive Networks

SecurityScorecard | April 07, 2022

SecurityScorecard, the global leader in cybersecurity ratings, today announced a Pan-European exclusive distribution agreement with Exclusive Networks, a global cybersecurity specialist for digital infrastructure, to accelerate adoption of security ratings throughout Europe. The partnership, with Exclusive Networks owned specialist value-added distributor Ignition Technology, enables European organisations to instantly rate, analyze and continuously monitor their security risk, to harden their security postures.

"The evolving geopolitical landscape is causing CISOs throughout Europe to reevaluate their cybersecurity postures, requiring them to have greater visibility across their attack surface than ever before. As the threat landscape expands, Exclusive Networks' expertise in helping disruptive cybersecurity solutions like SecurityScorecard break through in EMEA will dramatically scale the number of European organizations that will be able to instantly improve their security postures through much needed data, visibility and insights."

- Jan Bau, VP, EMEA Sales, at SecurityScorecard

SecurityScorecard provides comprehensive security ratings, automated assessments, and guidance from industry experts, providing easy-to-understand A-F graded scorecards for improved communication, effective compliance reporting and more informed decision making. The solution allows organisations to automate and accelerate questionnaire exchange with over 20 compliance survey templates and questionnaires at scale.

"Exclusive Networks is focused on meeting customer and partner demand across Europe for the most impactful cybersecurity solutions on the market today," said Sean Remnant, Chief Strategy Officer, Exclusive Networks. "SecurityScorecard provides our network of customers and partners with instant visibility into their security postures and that of their vendors and business partners, to fully understand their true cyber risk."

Exclusive Networks is a global trusted cybersecurity specialist for digital infrastructure driving the transition to a totally trusted digital future for all people and organisations. Located in 43 countries, with the ability to service customers in over 170 countries across five continents, Exclusive Networks has a unique 'local sale, global scale' model, combining the extreme focus and value of local independents with the scale and service delivery of a single worldwide distribution powerhouse.

About SecurityScorecard

Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard's patented rating technology is used by over 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors.
