June 23, 2016 By Michelle Alvarez 2 min read

According to recent IBM X-Force Interactive Security Incident data, 6 percent of the more than 1,100 companies with reported security incidents since 2011 were repeat offenders — that is, they experienced a security incident more than once in less than six years. Attack types associated with these security incidents included distributed denial-of-service (DDoS), brute-force and SQL injection attacks, as well as malware and phishing.

During this period, at least one organization experienced a total of eight incidents — seven separate reported successful DDoS attacks against its website and one incident involving the compromise of customer accounts as a result of a brute-force attack on weak or reused passwords.

Several of these repeat offenders are attractive to attackers because of their niche target audiences; they allow attackers to serve malicious content to a targeted browsing population. Operators of such websites may not be as focused on security as larger, more mainstream entities. Their weak security posture makes them a sitting duck for cybercriminals.

Repeat Offenders by the Numbers

According to X-Force data:

  • More than 460 million records were compromised as a result of the 176 incidents associated with the 70-plus repeat offenders.
  • Of the 14 repeat offenders with three or more incidents tied to their name, eight were financial institutions.
  • Of the incidents for which the attack type was known, nearly 53 percent involved DDoS. Malware was the second-most popular attack vector, making up over 14 percent of incidents.
  • About 23 percent of the 176 incidents were claimed by Qassam Cyber Fighters, who targeted U.S. banks in an ongoing hacktivist DDoS campaign over an almost two-year period. This resulted in service interruptions and downtime for customers.

Shame on My Security Posture?

Is your security posture to blame? Not necessarily.

DDoS attacks can be mounted against any organization despite a strong security posture. Internet service providers and their partners aren’t always able to defend against a major DDoS attack. Attackers keep finding new DDoS techniques, so repeat victimization is almost expected. However, removal of these incidents from the equation still paints a concerning picture.

  • According to X-Force data, the most compromised organizations (there are two) experienced a total of four security incidents, including SQL injection malware, watering-hole and brute-force attacks.
  • Forty repeat offenders totaled more than 100 incidents.
  • Of the incidents for which the attack type was known, nearly 28 percent involved malware.

Multiple Incidents, Different Attack Types

Of the companies where more than one attack types was known, about half did not experience the same attack type. In other words, a targeted company may have experienced a SQL injection attack one year and a DDoS attack with an element of extortion the following.

The main takeaway here? History doesn’t always repeat itself. Design a security strategy for the future that not only incorporates lessons learned from past breaches, but also reduces risk from multiple attack vectors and protects critical assets.

Read the complete IBM 2016 Cyber Security Intelligence Index

More from X-Force

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today