Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%.

The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses must be prepared to block more break-ins and implement strategies that keep attackers from coming back.

What is a backdoor, and how does it get unlocked?

A backdoor is an additional access route to a system or piece of software. Unlike more familiar front door routes, backdoors aren’t subject to typical security checks and screenings. Instead, these doors provide direct access for users who know where they are.

In practice, there are two common ways for backdoors to become unlocked. The first is by design. Software developers may intentionally add a backdoor for ease of access when it comes to feature testing and functional evaluation. These backdoors are legitimate parts of a software release, which means they won’t show up as a security concern. If backdoor code is left in place when software is shipped and installed, doors persist across all installed versions.

It’s also possible for attackers to leverage code vulnerabilities that haven’t been detected or patched to create their own persistent backdoors. In this case, these doors are virtually undetectable until attackers begin to move in earnest.
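The "left in by design" case above, as an added example that is not from the article: a login routine carrying a constructed tester bypass beside its hardened form, plus a small source check that flags password comparisons against string literals. All usernames, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed user store: username -> (salt, PBKDF2 hash of the password).
def _derive(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _derive(_SALT, "correct horse battery staple"))}


def login_with_backdoor(username: str, password: str) -> bool:
    """Vulnerable: a tester's shortcut that shipped with the release.
    It is ordinary application code, so nothing flags it as a security issue."""
    if username == "qa_debug" and password == "letmein":  # constructed backdoor
        return True
    salt, stored = USERS.get(username, (_SALT, b""))
    return hmac.compare_digest(_derive(salt, password), stored)


def login_hardened(username: str, password: str) -> bool:
    """Hardened: exactly one credential path. Test accounts, if needed, are
    ordinary records created by test fixtures, never a second code path."""
    salt, stored = USERS.get(username, (_SALT, b""))
    # Unknown users still pay for a derivation, so timing does not reveal existence.
    return hmac.compare_digest(_derive(salt, password), stored)


# A cheap release-gate check: flag any comparison of a password against a
# string literal, the usual signature of a hard-coded credential.
_LITERAL_PASSWORD_COMPARE = re.compile(r"\bpassword\s*==\s*[\"'][^\"']+[\"']")


def find_literal_password_checks(source: str) -> list[int]:
    """Return the 1-based line numbers in `source` that compare a password to a literal."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if _LITERAL_PASSWORD_COMPARE.search(line)]


if __name__ == "__main__":
    import inspect
    print("backdoor open:", login_with_backdoor("qa_debug", "letmein"))  # True
    print("hardened:", login_hardened("qa_debug", "letmein"))            # False
    print("flagged lines:", find_literal_password_checks(inspect.getsource(login_with_backdoor)))
```

Running the source check in CI against every release branch catches the shortcut before it ships; it does not catch a backdoor that reads its credential from somewhere other than a literal, so it complements review rather than replacing it.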

Where to look for backdoor building

There’s no single part of system infrastructure that lends itself to ideal backdoor building. There are, however, several common points of compromise that security teams should search for evidence of backdoor operations.

First up are operating systems. If attackers can gain (or create) access to key OS functions, they can disrupt every aspect of business operations. Communication systems are next. These could include video and audio conferencing tools, collaboration software that has access to a host of critical data, or even routers that connect office desktops to the internet. Routers are especially worrisome, given their tendency to ship with default login and password details for access.

Enterprises must also recognize the role of remote work in backdoor break-ins. Consider an employee that works from home part-time and connects to company servers using a VPN. Even if the staff member is diligent in using a secure and encrypted connection, the technologies in their home — such as internet routers and mobile devices — offer a potential pathway for attackers to build backdoors and then move laterally to more critical systems.


Keys to the kingdom? Discovering doors on the dark web

For many attackers, discovering backdoors or building their own is both time-consuming and expensive.

To streamline the process of security compromise, these malicious actors are turning to the dark web. Offered anonymity by The Onion Router (TOR), skilled attackers and those looking to buy their way into backdoors find common ground. Attackers with backdoor access simply wait until demand spikes, then post their solutions for sale on dark web marketplaces. Not only do these attacks typically come with detailed instructions, but threat actors may also offer technical support for issues that arise.

Solutions such as IBM’s X-Force dark web analysis provide a way for businesses to discover if backdoor builds are available for sale online. By regularly scanning the dark web for this data, companies can proactively identify potential security issues before attackers take action.

Closing time: Tools of the trade

While regular searches of the dark web can help companies discover potential backdoor risks, this approach isn’t enough on its own. The reason is simple: Not all backdoors make their way onto illicit marketplaces.

In some cases, attackers looking for openings stumble across weaknesses or vulnerabilities that allow them to create backdoors, and rather than keeping them to sell, they simply exploit them in the moment. In others, malicious actors may simply hold on to backdoor data until they see an opportunity.

To address this variation in attack approaches, enterprises must take a multi-pronged approach to backdoor defense. In practice, this means implementing solutions such as:

Strategic threat assessment

X-Force strategic threat assessment can help companies get ahead of attack efforts. Equipped with a better understanding of current threat landscapes along with likely threat vectors, organizations can focus their efforts on bolstering specific defenses that limit the risk of backdoors.

Penetration testing

Another key component in blocking backdoor break-ins is penetration testing. By partnering with experienced penetration testing teams, companies can discover where and how their networks are at risk — before attackers do it for them.

Zero trust access

Never trust; always verify. This is the central tenet of a zero trust approach. From user behavior analysis to multifactor authentication to secure single sign-on (SSO) and mobile device management (MDM), taking a zero trust approach limits the ability of attackers to compromise systems, even with the assistance of backdoors.

Managed detection and response (MDR)

Companies also need to consider what happens if attackers do get through the door. While the aim is to close and lock as many entrances as possible, no security approach is perfect. This means that eventually, cyber criminals will crack the code and crack open the door. Advanced MDR tools allow companies to improve incident response and reduce the time between attack detection and remediation.

The goal is to create a connected protective framework that is more than the sum of its parts. For example, while penetration testing can help identify potential backdoors and zero trust access can limit the number of potential users with access, solutions such as MDR shorten the time required for organizations to respond if incidents occur, in turn reducing total risk.

One step forward, two steps back(door)?

Backdoor attacks are both popular and problematic, given their ability to fly under the security radar. But it’s not all bad news. By understanding how and why backdoors open organizations to risk and implementing tools capable of closing the gap, businesses can better block backdoor break-ins.
