The 2017 IBM X-Force Threat Intelligence Index is a great overview of 2016’s threat landscape. With risk management in mind, we decided to take a deeper look at which months were most active in terms of vulnerability disclosures, cyberattacks, spam volume, financial malware infections and publicly disclosed security incidents. Interestingly, we found a trend among the different vectors where, in the later part of the year, and particularly in December, we saw an influx of criminal activity.

Should these findings play a role in how enterprises address security pain points? Or is it just fun to analyze the data and make speculations, knowing that a robust security immune system with solutions in place to address cyberthreats all year long is most important? Perhaps it is a combination of both.

Most Vulnerability Disclosures: October

The X-Force vulnerability database has been tracking public disclosures of software vulnerabilities since 1997. In 2016, the 20th year of documenting these threats, X-Force recorded the highest single year number in its history: 10,197 vulnerabilities.

October was the most active month for disclosures in 2016, as tracked by X-Force, with nearly 11 percent of vulnerabilities reported. The month of October actually appears repeatedly in the top two spots in terms of vulnerability disclosures over the last five years. In fact, of the total number of vulnerability disclosures for 2012 through 2016, October tops the chart with 11 percent of disclosures.

Figure 1: Month with most vulnerability disclosures, 2012 to 2016. (Source: IBM X-Force Vulnerability Database)

It’s no surprise, then, that the fourth quarter of 2016 revealed the highest number of disclosures for the year. In each of the past three years, vulnerability disclosures have ramped up during Q4, with 28 percent reported during these last three months of each calendar year.

So what’s behind this surge in disclosures toward the end of the year, especially in October? Do vulnerability researchers have a sales quota of sorts to meet? Are they trying to uncover as many vulnerabilities as they can before the holidays?

It’s a curious trend that may be in for a shake up in 2017. As of mid-May, there have already been 5,233 vulnerabilities disclosed, more than half of the total for our record year, and we’re not even halfway through 2017. To put it in a different perspective, the X-Force vulnerability database revealed that Q1 2017 holds the record over the past five years for most vulnerabilities reported in the first quarter by nearly 53 percent.

Are attackers and researchers working harder? Perhaps. However, it’s more likely a testament to the proliferation of applications, operating systems and devices, which is contributing to the growing number of vulnerabilities.

Most Enterprise Attacks: December

Upon analyzing data from security clients, X-Force found that attackers are quite active and target more systems toward the end of the year. December saw the largest number of attacks in each of the last two years, making up 19 percent of the total number of attacks.

Figure 2: Month with the most attacks, 2015 to 2016. (Source: IBM X-Force Monitored Security client data)

IBM X-Force defines a cyberattack as a security event that has been identified by correlation and analytics tools as malicious activity that attempts to collect, disrupt, deny, degrade or destroy information system resources, or the information itself. In other words, cyberattacks are committed by bad guys attempting to act against your network and other enterprise assets by conducting command injection, manipulating data structures, inputting data or system resources, subverting access controls to gain privileges or committing other nefarious acts.

Is it fair to speculate that if there is a spike in vulnerability disclosures in October, as we witnessed, we would therefore see a rise in attack activity following in December? Maybe. However, we know that attackers often exploit tried-and-true older vulnerabilities, not necessarily the latest vulnerability.

Monitoring clients is just one way the X-Force team gauges the threat landscape. Does the end-of-the-year assault trend continue when we assess other sources? It sure does, at least with spam campaigns.

Largest Spam Volume: December

X-Force runs spam traps around the world and monitors more than 8 million spam and phishing attacks daily. For the past two years, the most popular month for spam was December, making up 12 percent of the total spam observed. This is likely the result of a barrage of holiday-themed spam campaigns launched during the month to take advantage of the season.

Figure 3: Month with the highest spam volume, 2015 to 2016. (Source: IBM X-Force)

For another interesting statistic, the highest volume of spam — 20.6 percent — hit on Wednesdays during 2016, with Thursdays following close behind at 19.6 percent. The lowest spam volume occurred over the weekends, with 6.5 percent and 3.9 percent of spam striking on Saturdays and Sundays, respectively.

Figure 4: Day with the highest spam volume in 2016. (Source: IBM X-Force)

This midweek ramp up is no surprise, since attackers want to increase their success rates by reaching the victims when they are most often online and ready to be lured into phishing and other nefarious schemes.
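The month, quarter and weekday breakdowns behind Figures 1 through 4 are a simple bucketing exercise that any team can repeat on its own SIEM or vulnerability-feed export. The following Python is an added example, not code from the original post or from X-Force; it runs over a constructed list of event timestamps (labelled as such in the code) and reports the share of events per month, per quarter and per weekday, plus the peak bucket.

```python
from collections import Counter
from datetime import datetime

# Constructed sample timestamps (ISO 8601) standing in for a SIEM or
# vulnerability-feed export. These are illustrative values, not X-Force data.
SAMPLE_EVENTS = [
    "2016-01-12T09:14:00", "2016-01-27T11:02:00", "2016-02-03T14:30:00",
    "2016-03-10T08:00:00", "2016-03-21T17:45:00", "2016-04-06T10:10:00",
    "2016-05-17T13:00:00", "2016-06-08T09:00:00", "2016-07-14T15:20:00",
    "2016-08-25T11:11:00", "2016-09-14T16:40:00", "2016-10-05T08:30:00",
    "2016-10-11T12:00:00", "2016-10-19T09:45:00", "2016-10-27T14:15:00",
    "2016-11-02T10:00:00", "2016-11-16T11:30:00", "2016-12-01T09:05:00",
    "2016-12-07T13:50:00", "2016-12-14T15:00:00",
]

# datetime.weekday() returns 0 for Monday, so this list is indexed to match.
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


def parse_ts(ts):
    """Parse an ISO 8601 timestamp without timezone into a datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def bucket_counts(events, key):
    """Count events per bucket; key maps a datetime to a bucket label."""
    return Counter(key(parse_ts(e)) for e in events)


def percent_share(counts):
    """Convert bucket counts into the percentage of all events per bucket."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {k: 100.0 * v / total for k, v in counts.items()}


def monthly_share(events):
    """Percent of events per calendar month (1-12), as in Figures 1 to 3."""
    return percent_share(bucket_counts(events, lambda d: d.month))


def weekday_share(events):
    """Percent of events per weekday name, as in Figure 4."""
    return percent_share(bucket_counts(events, lambda d: WEEKDAYS[d.weekday()]))


def quarter_share(events, quarter):
    """Percent of events that fall in the given calendar quarter (1-4)."""
    counts = bucket_counts(events, lambda d: (d.month - 1) // 3 + 1)
    total = sum(counts.values())
    return 100.0 * counts.get(quarter, 0) / total if total else 0.0


def peak_bucket(shares):
    """Return the (bucket, percent) pair with the largest share, or None."""
    return max(shares.items(), key=lambda kv: kv[1]) if shares else None


if __name__ == "__main__":
    months = monthly_share(SAMPLE_EVENTS)
    for month in sorted(months):
        print(f"month {month:2d}: {months[month]:5.1f}%")
    print("peak month:", peak_bucket(months))
    print(f"Q4 share: {quarter_share(SAMPLE_EVENTS, 4):.1f}%")
    days = weekday_share(SAMPLE_EVENTS)
    for day in WEEKDAYS:
        if day in days:
            print(f"{day:9s}: {days[day]:5.1f}%")
    print("peak weekday:", peak_bucket(days))
```

On the constructed sample, October is the peak month and Q4 holds 45 percent of events, while Wednesday dominates the weekday view; on real data the interesting step is comparing these shares across years, as the post does, rather than reading a single year in isolation.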

Most Financial Malware Attacks: March and December

When it comes to financial malware infections, it’s almost too close to call, with March seeing only a hair more infections (0.1 percent) than December in 2016. Suffice to say that this end-of-the-year criminal activity streak extends to the financial malware vector.

Analysis of data collected from IBM Security’s antifraud protection product, Trusteer Rapport, revealed that the months of March and December saw the highest numbers of financial malware infections, with 10.6 percent and 10.5 percent, respectively.

Figure 5: Months with the highest financial malware infections (2016). (Source: IBM X-Force)

We’re not surprised to see December top the charts for most infections. We witnessed the onslaught of the Trickbot Trojan spreading its “joy” during the holiday season to Asia and Germany. Cybercriminals typically ramp up their infection campaigns during the holiday season to jump into the already busy period for financial and e-commerce entities.

Publicly Disclosed Security Incidents: February and March

According to X-Force Interactive Security Incident data, another hair separates the two months at the top of the list of the most publicly disclosed incidents reported. With 11.42 percent and 11.11 percent, respectively, February and March saw the most publicly disclosed incidents reported in 2016.

Figure 6: Highest number of reported public security incidents. (Source: X-Force Interactive Security Incidents)

Allow me to speculate here: The data we analyze from monitored clients, spam traps and malware infections is a strong indication of what is happening outside this giant telescope we possess. It stands to reason, then, that many organizations that publicly report their incidents are experiencing many attacks and compromises during the same time frame. If there’s an elevated number of attacks in December, then it’s plausible we would see an increase in reports of compromise a few months later — say, during February and March. This time lapse makes sense in light of the median time to discover a data breach, which has dropped from 416 days in 2012 to 146 days in 2015.

Protect Against Cyberattacks Year-Round

December is a notoriously lucrative time for attackers seeking to take advantage of increased online activity followed by reduced staff later in the month. A new, unpatched vulnerability that surfaces right before everyone goes on holiday might end up making you WannaCry, so this is clearly not the time to be lax about vulnerability management and patching.

Take note of the word “most,” used throughout the blog as an adverb and adjective rather than “all.” That is because cyberattacks, including network attacks, spam, phishing, malware campaigns and the like, occur throughout the year. Enterprises shouldn’t base their security strategies around the time of year. Instead, they should focus on building a holistic and integrated security immune system to protect against cyberthreats all year.
