Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves.

Moving left of boom: Early backdoor detection

Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment of backdoors, and why it’s not necessarily all bad news.

Question: The Threat Intelligence Index is full of #1s — Manufacturing being the #1 targeted industry. APAC being the #1 targeted geographic region. What was the #1 action we saw threat actors take?

Andy Piazza: The number one action on the objective we saw threat actors take was the deployment of backdoors at 21%; ransomware came in second at 17%; and business email compromise third at 6%.

Question: Interesting, why should we be paying close attention to this backdoor stat, in particular? Is this bad news for organizations?

Andy Piazza: Since we know that backdoors are often the precursor to ransomware events, I take this stat as a good sign, actually. It could mean that defenders are detecting these cases before the ransomware payload is actually deployed.

Question: Why is that so important?

Andy Piazza: Instead of playing catch-up against a barrage of threats, this means we’re moving left of boom and getting ahead of the actual real critical impacts.

Question: Aside from the upside of getting ahead of threat actors looking to deploy ransomware, what are the other implications — positive or negative?

Andy Piazza: I think this stat continues to deliver us positive news. Since we know that ransomware groups are using double extortion techniques where they’re stealing our intellectual property and threatening to release it on the internet, detecting the backdoors early gives us a huge opportunity as defenders to not only prevent the catastrophic impact of ransomware encrypting a bunch of systems — but intellectual property theft, as well. I think that’s a huge win for defenders and I want to see that trend continue.

Question: What advice can you offer organizations when it comes to staying vigilant against the latest threats?

Andy Piazza: We need to continue with our threat assessments and not only understand threat actors’ intentions and capabilities, but what those capabilities look like from our network. Are we able to detect and mitigate and respond to those quickly?

Conducting tabletop exercises with executives from all different business units is crucial to putting a plan into practice so they understand the impact to their systems during a ransomware event.

Beyond that, keep on with your risk mitigation through vulnerability management programs, penetration testing and advanced adversary simulation testing as well. It’s not enough to have a plan, you need to pressure test it — and regularly!

Download the Report

Understanding the anatomy of a ransomware attack

John Dwyer, Head of Research at IBM Security X-Force, spoke with us about how attackers are moving fast, and why we need to move faster.

Question: The speed with which threat actors are conducting attacks is astonishing. The Threat Intelligence Index noted that the time to execute attacks dropped 94% over the last few years. So, apparently, what used to take months now takes attackers mere days. Why does this matter?

John Dwyer: The rapid reduction in the ransomware attack timeline is concerning because it adds yet another pressure element for defenders: time. And the bottom line is, if attackers are moving fast, we have to be faster. It is absolutely critical for organizations to not only understand how ransomware attacks happen, but the timelines in which they occur.

Question: What is it about the timeline that can be useful to defenders?

John Dwyer: Understanding the timeline of an attack provides valuable contextual data points that defenders can use to build their detection and response strategies around. For example, if a defender detects an adversary moving laterally in their environment, they should have a general idea of how long they have before the ransomware is deployed. Their response needs to keep ahead of the attacker.

Question: Is it true that ransomware attackers aren’t only getting faster, but more efficient? And that there are perhaps more attackers?

John Dwyer: Based on the behaviors that we’ve been observing in incidents, we can deduce that not all attacks require a high level of skill. With a lowered barrier of entry to become a cybercriminal — with the advent of phishing kits and ransomware-as-a-service and the like — there’s more opportunity for more people to enter this marketplace, which means more ransomware attacks.

Question: So what can organizations do? How can they stand a chance in the face of this “more,” “faster,” “efficient” trifecta?

John Dwyer: Get into the mindset of your attacker. Work with your response provider to understand how ransomware attacks happen and the goals and objectives of the ransomware operator. Dig into adversaries’ goals and objectives. Based on that data alone, we can develop a very robust detection and response strategy and develop training exercises to ensure that your people, processes and technology are set up to prevent an incident from becoming a crisis.

Thwarting thread hijacking

Stephanie “Snow” Carruthers, Chief People Hacker at IBM Security X-Force Red, unpacked the rise in thread hijacking and other email-based threats.

Question: Well, it’s not such a surprise that phishing, for the second year, is the top infection vector.

Stephanie Carruthers: Yes, threat attackers love phishing! And with phishing kits, the incorporation of vishing techniques — where attackers follow up with a text or phone call — it’s getting easier (even as organizations and employees become more aware — don’t lose sight of those training exercises!).

Question: Tell me, what is thread hijacking? We read in the report that there was a 100% increase in thread hijacking attempts per month.

Stephanie Carruthers: Thread hijacking is a tactic where threat actors insert themselves into conversations you are having with people you know and trust. So, for instance, they might reply to a recent email thread between you and your sister where you’re talking about chipping in money for a birthday present. As you can imagine, people aren’t as vigilant when they’re in the middle of a private conversation with someone they think they know. It’s easier than you think to accidentally provide access to sensitive information, data or systems.

Question: Wow. And I can imagine that the implications can extend beyond just one person.

Stephanie Carruthers: For sure. Thread hijacking can be a long con, creating a chain reaction that leaves several victims in its wake.

Question: Why do you think there’s been such a rise in email-based threats like thread hijacking?

Stephanie Carruthers: I think there has been a rise in thread hijacking because it’s highly successful! Attackers are exploiting the trust placed in email, and their tactics are getting harder to identify.

Question: What can organizations do to better protect themselves against the impacts of these imposters?

Stephanie Carruthers: It’s important to evaluate the technology being used to detect, prevent and respond to cyber threats. However, it’s just as important to continuously run simulations against the technology in use in order to test, learn and improve!

Download the IBM Security X-Force Threat Intelligence Index 2023 to learn more about how threat actors are waging attacks, and read the Threat Intelligence Action Guide to learn what you can do to proactively protect your organization.

More from Threat Intelligence

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today