Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves.

Moving left of boom: Early backdoor detection

Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment of backdoors, and why it’s not necessarily all bad news.

Question: The Threat Intelligence Index is full of #1s — Manufacturing being the #1 targeted industry. APAC being the #1 targeted geographic region. What was the #1 action we saw threat actors take?

Andy Piazza: The number one action on the objective we saw threat actors take was the deployment of backdoors at 21%; ransomware came in second at 17%; and business email compromise third at 6%.

Question: Interesting, why should we be paying close attention to this backdoor stat, in particular? Is this bad news for organizations?

Andy Piazza: Since we know that backdoors are often the precursor to ransomware events, I take this stat as a good sign, actually. It could mean that defenders are detecting these cases before the ransomware payload is actually deployed.

Question: Why is that so important?

Andy Piazza: Instead of playing catch-up against a barrage of threats, this means we’re moving left of boom and getting ahead of the actual real critical impacts.

Question: Aside from the upside of getting ahead of threat actors looking to deploy ransomware, what are the other implications — positive or negative?

Andy Piazza: I think this stat continues to deliver us positive news. Since we know that ransomware groups are using double extortion techniques where they’re stealing our intellectual property and threatening to release it on the internet, detecting the backdoors early gives us a huge opportunity as defenders to not only prevent the catastrophic impact of ransomware encrypting a bunch of systems — but intellectual property theft, as well. I think that’s a huge win for defenders and I want to see that trend continue.

Question: What advice can you offer organizations when it comes to staying vigilant against the latest threats?

Andy Piazza: We need to continue with our threat assessments and not only understand threat actors’ intentions and capabilities, but what those capabilities look like from our network. Are we able to detect and mitigate and respond to those quickly?

Conducting tabletop exercises with executives from all different business units is crucial to putting a plan into practice so they understand the impact to their systems during a ransomware event.

Beyond that, keep on with your risk mitigation through vulnerability management programs, penetration testing and advanced adversary simulation testing as well. It’s not enough to have a plan; you need to pressure-test it, and regularly!

Understanding the anatomy of a ransomware attack

John Dwyer, Head of Research at IBM Security X-Force, spoke with us about how attackers are moving fast, and why we need to move faster.

Question: The speed with which threat actors are conducting attacks is astonishing. The Threat Intelligence Index noted that the time to execute attacks dropped 94% over the last few years. So, apparently, what used to take months now takes attackers mere days. Why does this matter?

John Dwyer: The rapid reduction in the ransomware attack timeline is concerning because it adds yet another pressure element for defenders: time. And the bottom line is, if attackers are moving fast, we have to be faster. It is absolutely critical for organizations to not only understand how ransomware attacks happen, but the timelines in which they occur.

Question: What is it about the timeline that can be useful to defenders?

John Dwyer: Understanding the timeline of an attack provides valuable contextual data points that defenders can use to build their detection and response strategies around. For example, if a defender detects an adversary moving laterally in their environment, they should have a general idea of how long they have before the ransomware is deployed. Their response needs to keep ahead of the attacker.

Question: Is it true that ransomware attackers aren’t only getting faster, but more efficient? And that there are perhaps more attackers?

John Dwyer: Based on the behaviors that we’ve been observing in incidents, we can deduce that not all attacks require a high level of skill. With a lowered barrier to entry to become a cybercriminal, with the advent of phishing kits and ransomware-as-a-service and the like, there’s more opportunity for more people to enter this marketplace, which means more ransomware attacks.

Question: So what can organizations do? How can they stand a chance in the face of this “more,” “faster,” “efficient” trifecta?

John Dwyer: Get into the mindset of your attacker. Work with your response provider to understand how ransomware attacks happen and the goals and objectives of the ransomware operator. Dig into adversaries’ goals and objectives. Based on that data alone, we can develop a very robust detection and response strategy and develop training exercises to ensure that your people, processes and technology are set up to prevent an incident from becoming a crisis.

Thwarting thread hijacking

Stephanie “Snow” Carruthers, Chief People Hacker at IBM Security X-Force Red, unpacked the rise in thread hijacking and other email-based threats.

Question: Well, it’s not such a surprise that phishing, for the second year, is the top infection vector.

Stephanie Carruthers: Yes, threat actors love phishing! And with phishing kits and the incorporation of vishing techniques (where attackers follow up with a text or phone call), it’s getting easier, even as organizations and employees become more aware. Don’t lose sight of those training exercises!

Question: Tell me, what is thread hijacking? We read in the report that there was a 100% increase in thread hijacking attempts per month.

Stephanie Carruthers: Thread hijacking is a tactic where threat actors insert themselves into conversations you are having with people you know and trust. So, for instance, they might reply to a recent email thread between you and your sister where you’re talking about chipping in money for a birthday present. As you can imagine, people aren’t as vigilant when they’re in the middle of a private conversation with someone they think they know. It’s easier than you think to accidentally provide access to sensitive information, data or systems.

Question: Wow. And I can imagine that the implications can extend beyond just one person.

Stephanie Carruthers: For sure. Thread hijacking can be a long con, creating a chain reaction that leaves several victims in its wake.

Question: Why do you think there’s been such a rise in email-based threats like thread hijacking?

Stephanie Carruthers: I think there has been a rise in thread hijacking because it’s highly successful! Attackers are exploiting the trust placed in email, and their tactics are getting harder to identify.

Question: What can organizations do to better protect themselves against the impacts of these imposters?

Stephanie Carruthers: It’s important to evaluate the technology being used to detect, prevent and respond to cyber threats. However, it’s just as important to continuously run simulations against the technology in use in order to test, learn and improve!
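The thread hijacking Carruthers describes has a recognizable shape on the wire: a message that chains into an existing conversation through In-Reply-To / References headers, but arrives from an address that never took part in that conversation, often under a participant's display name, from a look-alike domain, or with a Reply-To that diverts answers elsewhere. The following detector is an added example written for this page; it is not code from the article or from X-Force. It assumes the defender holds prior thread messages as raw RFC 5322 text, and the three sample messages, their domains (corp.example, partner.example, partner-example.co) and message IDs are constructed for the illustration.

```python
"""Heuristic detector for e-mail thread hijacking (added example, not X-Force code).

Assumption: the defender keeps copies of prior thread messages as raw RFC 5322
text. The three messages below are constructed samples, not real traffic.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, List

# Constructed sample thread (hypothetical domains, addresses and message IDs).
THREAD_ORIGIN = """\
Message-ID: <a1@corp.example>
From: Alice Example <alice@corp.example>
To: Bob Partner <bob@partner.example>
Subject: Invoice 4471

Bob, can you confirm the bank details for invoice 4471?
"""

LEGIT_REPLY = """\
Message-ID: <b1@partner.example>
In-Reply-To: <a1@corp.example>
References: <a1@corp.example>
From: Bob Partner <bob@partner.example>
To: Alice Example <alice@corp.example>
Subject: Re: Invoice 4471

Unchanged from last time, Alice.
"""

# An attacker who obtained Bob's mailbox content replies into the same thread
# from a look-alike domain, keeps Bob's display name and redirects answers.
HIJACKED_REPLY = """\
Message-ID: <c1@partner-example.co>
In-Reply-To: <b1@partner.example>
References: <a1@corp.example> <b1@partner.example>
From: Bob Partner <bob@partner-example.co>
Reply-To: <accounts@partner-example.co>
To: Alice Example <alice@corp.example>
Subject: Re: Invoice 4471

Actually, we changed banks last week. New details attached.
"""


def _parties(msg) -> Dict[str, str]:
    """Map lowercased address -> lowercased display name over From/To/Cc."""
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower(): name.strip().lower() for name, addr in getaddresses(headers) if addr}


def build_index(raw_messages: List[str]) -> Dict[str, Dict[str, str]]:
    """Message-ID -> {address: display name} for every message we already hold."""
    index = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = (msg.get("Message-ID") or "").strip()
        if mid:
            index[mid] = _parties(msg)
    return index


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def analyze_reply(raw: str, index: Dict[str, Dict[str, str]], lookalike: float = 0.75) -> List[str]:
    """Return human-readable findings for one incoming message; [] means nothing suspicious."""
    msg = message_from_string(raw)
    refs = set()
    for hdr in ("In-Reply-To", "References"):
        refs.update((msg.get(hdr) or "").split())
    known = [index[r] for r in refs if r in index]
    if not known:
        return []  # not a reply into a thread we hold; outside this check's scope

    thread: Dict[str, str] = {}
    for parties in known:  # everyone who took part in the referenced messages
        thread.update(parties)
    sender_name, sender_addr = parseaddr(msg.get("From") or "")
    sender_addr, sender_name = sender_addr.lower(), sender_name.strip().lower()
    findings = []

    if sender_addr not in thread:
        findings.append(f"sender {sender_addr} never took part in this thread")
        impersonated = sorted(a for a, n in thread.items() if n and n == sender_name)
        if impersonated:
            findings.append(f"display name {sender_name!r} matches participant(s) {impersonated} but the address differs")
        sender_domain = _domain(sender_addr)
        for d in sorted({_domain(a) for a in thread}):
            ratio = SequenceMatcher(None, sender_domain, d).ratio()
            if d != sender_domain and ratio >= lookalike:
                findings.append(f"sender domain {sender_domain} looks like thread domain {d} (similarity {ratio:.2f})")

    _, reply_to = parseaddr(msg.get("Reply-To") or "")
    if reply_to and reply_to.lower() != sender_addr:
        findings.append(f"Reply-To {reply_to} diverges from From {sender_addr}")
    return findings


if __name__ == "__main__":
    idx = build_index([THREAD_ORIGIN, LEGIT_REPLY])
    for label, raw in (("legit", LEGIT_REPLY), ("hijacked", HIJACKED_REPLY)):
        print(label, analyze_reply(raw, idx) or "clean")
```

The legitimate reply produces no findings; the hijacked one is flagged four ways (unknown sender, impersonated display name, look-alike domain, divergent Reply-To). The heuristic is deliberately header-only so it can run at the gateway before content filtering; it says nothing about messages whose thread history the defender does not hold, which is why it returns an empty list rather than a verdict in that case.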

Download the IBM Security X-Force Threat Intelligence Index 2023 to learn more about how threat actors are waging attacks, and read the Threat Intelligence Action Guide to learn what you can do to proactively protect your organization.
