Fool Me Once, Shame on You — Fool Me Eight Times, Shame on My Security Posture?

June 23, 2016
| |
2 min read

According to recent IBM X-Force Interactive Security Incident data, 6 percent of the more than 1,100 companies with reported security incidents since 2011 were repeat offenders — that is, they experienced a security incident more than once in less than six years. Attack types associated with these security incidents included distributed denial-of-service (DDoS), brute-force and SQL injection attacks, as well as malware and phishing.

During this period, at least one organization experienced a total of eight incidents — seven separate reported successful DDoS attacks against its website and one incident involving the compromise of customer accounts as a result of a brute-force attack on weak or reused passwords.

Several of these repeat offenders are attractive to attackers because of their niche target audiences; they allow attackers to serve malicious content to a targeted browsing population. Operators of such websites may not be as focused on security as larger, more mainstream entities. Their weak security posture makes them a sitting duck for cybercriminals.

Repeat Offenders by the Numbers

According to X-Force data:

  • More than 460 million records were compromised as a result of the 176 incidents associated with the 70-plus repeat offenders.
  • Of the 14 repeat offenders with three or more incidents tied to their name, eight were financial institutions.
  • Of the incidents for which the attack type was known, nearly 53 percent involved DDoS. Malware was the second-most popular attack vector, making up over 14 percent of incidents.
  • About 23 percent of the 176 incidents were claimed by Qassam Cyber Fighters, who targeted U.S. banks in an ongoing hacktivist DDoS campaign over an almost two-year period. This resulted in service interruptions and downtime for customers.

Shame on My Security Posture?

Is your security posture to blame? Not necessarily.

DDoS attacks can be mounted against any organization despite a strong security posture. Internet service providers and their partners aren’t always able to defend against a major DDoS attack. Attackers keep finding new DDoS techniques, so repeat victimization is almost expected. However, removal of these incidents from the equation still paints a concerning picture.

  • According to X-Force data, the most compromised organizations (there are two) experienced a total of four security incidents, including SQL injection malware, watering-hole and brute-force attacks.
  • Forty repeat offenders totaled more than 100 incidents.
  • Of the incidents for which the attack type was known, nearly 28 percent involved malware.

Multiple Incidents, Different Attack Types

Of the companies where more than one attack types was known, about half did not experience the same attack type. In other words, a targeted company may have experienced a SQL injection attack one year and a DDoS attack with an element of extortion the following.

The main takeaway here? History doesn’t always repeat itself. Design a security strategy for the future that not only incorporates lessons learned from past breaches, but also reduces risk from multiple attack vectors and protects critical assets.

Read the complete IBM 2016 Cyber Security Intelligence Index

Michelle Alvarez
Manager, IBM X-Force IRIS

Michelle Alvarez is the manager of the Threat Intelligence Production Team with IBM X-Force Incident Response and Intelligence Services (IRIS). She brings mo...
read more