Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%.

The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses must be prepared to block more break-ins and implement strategies that keep attackers from coming back.

What is a Backdoor, and How Does it Get Unlocked?

A backdoor is an additional access route to a system or piece of software. Unlike more familiar front door routes, backdoors aren’t subject to typical security checks and screenings. Instead, these doors provide direct access for users who know where they are.

In practice, there are two common ways for backdoors to become unlocked. The first is by design. Software developers may intentionally add a backdoor for ease of access during feature testing and functional evaluation. Because these backdoors are legitimate parts of the software release, they won’t show up as a security concern. If the backdoor code is left in place when the software is shipped and installed, the door persists across every installed copy.
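As an added illustration of the "backdoor by design" case (constructed for this article, not code from IBM or the X-Force report), the block below shows a login routine with a test-mode short-circuit that was never removed before release, the same routine without it, and a crude source audit that flags password checks against string literals. The user names, passwords and the `qa` / `test-only` bypass are made-up values.

```python
# Added example, not part of the original article: a login check with a
# leftover test bypass, its hardened form, and a small source audit.
# All credentials and names below are constructed for illustration.
import hashlib
import hmac
import inspect
import os
import re
from typing import Callable, Dict, List, Tuple

UserStore = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, digest)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the salt is stored next to the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(creds: Dict[str, str]) -> UserStore:
    """Build a constructed user store from plaintext credentials (test data only)."""
    store: UserStore = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def login_with_test_bypass(username: str, password: str, store: UserStore) -> bool:
    """Backdoor by design: the short-circuit added for feature testing is still
    present in the shipped build, so every installed copy accepts it, and no
    account in the user store is needed."""
    if username == "qa" and password == "test-only":  # TODO: remove before release
        return True
    rec = store.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(hash_password(password, salt), digest)


def login_hardened(username: str, password: str, store: UserStore) -> bool:
    """Only the user store decides; there is no second route through the code."""
    rec = store.get(username)
    if rec is None:
        # Hash anyway so an unknown user costs about the same time as a known one.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = rec
    return hmac.compare_digest(hash_password(password, salt), digest)


# Flags lines such as:  password == "..."   (a string literal on the right)
_LITERAL_PW_CHECK = re.compile(r"""password\s*==\s*["']""")


def audit_for_literal_password_checks(func: Callable) -> List[str]:
    """Crude static check over a function's source: return every line that
    compares `password` with a string literal. A real review would run a
    linter or secret scanner over the whole tree; this shows the idea."""
    src = inspect.getsource(func)
    return [line.strip() for line in src.splitlines() if _LITERAL_PW_CHECK.search(line)]


if __name__ == "__main__":
    store = make_user_store({"alice": "correct horse battery staple"})
    print(login_with_test_bypass("qa", "test-only", store))   # True, with no account
    print(login_hardened("qa", "test-only", store))           # False
    print(login_hardened("alice", "correct horse battery staple", store))  # True
    print(audit_for_literal_password_checks(login_with_test_bypass))  # one flagged line
    print(audit_for_literal_password_checks(login_hardened))          # []
```

The point the example makes is the one in the paragraph: the bypass is ordinary, well-formed application code, so nothing about it looks like an exploit, and only a review that asks "can anything other than the credential store grant access?" will catch it before the build ships.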

It’s also possible for attackers to leverage code vulnerabilities that haven’t been detected or patched to create their own persistent backdoors. In this case, these doors are virtually undetectable until attackers begin to move in earnest.

Where to Look for Backdoor Building

There’s no single part of system infrastructure that lends itself to ideal backdoor building. There are, however, several common points of compromise at which security teams should look for evidence of backdoor activity.

First up are operating systems. If attackers can gain (or create) access to key OS functions, they can disrupt every aspect of business operations. Communication systems are next. These could include video and audio conferencing tools, collaboration software that has access to a host of critical data, or even the routers that connect office desktops to the internet. Routers are especially worrisome, given their tendency to ship with default login and password details.

Enterprises must also recognize the role of remote work in backdoor break-ins. Consider an employee who works from home part-time and connects to company servers using a VPN. Even if the staff member is diligent in using a secure and encrypted connection, the technologies in their home — such as internet routers and mobile devices — offer a potential pathway for attackers to build backdoors and then move laterally to more critical systems.


Keys to the Kingdom? Discovering Doors on the Dark Web

For many attackers, discovering backdoors or building their own is both time-consuming and expensive.

To streamline the process of security compromise, these malicious actors are turning to the dark web. Offered anonymity by The Onion Router (Tor), skilled attackers and those looking to buy their way into backdoors find common ground. Attackers with backdoor access simply wait until demand spikes, then post their access for sale on dark web marketplaces. Not only do these listings typically come with detailed instructions, but threat actors may also offer technical support for issues that arise.

Solutions such as IBM’s X-Force dark web analysis provide a way for businesses to discover if backdoor builds are available for sale online. By regularly scanning the dark web for this data, companies can proactively identify potential security issues before attackers take action.

Closing Time: Tools of the Trade

While regular searches of the dark web can help companies discover potential backdoor risks, this approach isn’t enough on its own. The reason is simple: Not all backdoors make their way onto illicit marketplaces.

In some cases, attackers looking for openings stumble across weaknesses or vulnerabilities that allow them to create backdoors, and rather than keeping them to sell, they simply exploit them in the moment. In others, malicious actors may simply hold on to backdoor data until they see an opportunity.

To address this variation in attack approaches, enterprises must take a multi-pronged approach to backdoor defense. In practice, this means implementing solutions such as:

Strategic Threat Assessment

X-Force strategic threat assessment can help companies get ahead of attack efforts. Equipped with a better understanding of current threat landscapes along with likely threat vectors, organizations can focus their efforts on bolstering specific defenses that limit the risk of backdoors.

Penetration Testing

Another key component in blocking backdoor break-ins is penetration testing. By partnering with experienced penetration testing teams, companies can discover where and how their networks are at risk — before attackers do it for them.

Zero Trust Access

Never trust; always verify. This is the central tenet of a zero trust approach. From user behavior analysis to multifactor authentication to secure single sign-on (SSO) and mobile device management (MDM), taking a zero trust approach limits the ability of attackers to compromise systems, even with the assistance of backdoors.

Managed Detection and Response (MDR)

Companies also need to consider what happens if attackers do get through the door. While the aim is to close and lock as many entrances as possible, no security approach is perfect. This means that eventually, cybercriminals will crack the code and crack open the door. Advanced MDR tools allow companies to improve incident response and reduce the time between attack detection and remediation.

The goal is to create a connected protective framework that is more than the sum of its parts. For example, while penetration testing can help identify potential backdoors and zero trust access can limit the number of potential users with access, solutions such as MDR shorten the time required for organizations to respond if incidents occur, in turn reducing total risk.

One Step Forward, Two Steps Back(door)?

Backdoor attacks are both popular and problematic, given their ability to fly under the security radar. But it’s not all bad news. By understanding how and why backdoors open organizations to risk and implementing tools capable of closing the gap, businesses can better block backdoor break-ins.
