What should security operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.

In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.

The report identified six action items:

1. Remove identity silos
2. Reduce the risk of credential harvesting
3. Know your dark web exposure
4. Establish secure AI and models
5. Implement a DevSecOps approach to planning and testing
6. Reduce the impact of an incident

I’m going to focus on the first three. Why? Because the last three are things you should be doing now irrespective of the results of the 2024 Threat Intelligence Index report and are much larger than the SOC. While the first three action items involve more than just the SOC, the call to action for the SOC is clear: focus on identity risk.

The report notes that 30% of all observed entry points to incidents in 2023 used valid credentials. The use of valid credentials is more damaging when accounts do not use enterprise identity systems with built-in controls. We need to make sure our insider risk capabilities are up to date. The SOC checklist includes:

• Centralized monitoring: Ensure the SOC continuously monitors user activities and access controls through a centralized identity management system. For high-risk systems off the enterprise identity platform, capture authentication activity. Ensure user and entity behavior analytics are in place with the appropriate use cases in the SOC detection platforms. Validate your identity visibility in the cloud, where abuse of permissions and privileges is more prevalent.
• Incident response: Establish protocols and playbooks for rapid response to incidents related to suspected insider risk, unauthorized access or compromised identities.
• Threat intelligence integration: Integrate threat intelligence sources into SOC workflows for threats targeting identity silos.
• Identity threat detection and response: If your organization doesn’t have identity threat detection and response (ITDR) capabilities, 2024 would be a great time to implement this additional control. The SOC should have telemetry, use cases, analytics and response playbooks in place for ITDR.

The best way to prevent attackers from using valid credentials for malicious activities is to prevent those credentials from being compromised in the first place. The SOC checklist includes:

• Authentication failures: The Identity and Access Management team should have controls in place to limit login attempts and even lockout accounts that repeatedly fail authentication. The SOC needs to have visibility into account status and logs and/or alerts noting accounts being disabled for failed authentication attempts. Ideally, those accounts are placed on SOC temporary watch lists even after accounts have been re-enabled.
• Multifactor authentication: The SOC needs visibility into multifactor authentication (MFA) failures. Additionally, the SOC should have the ability to force users to re-authenticate as part of response playbooks and/or the ability to invalidate sessions.
• Privileged access management: SOC visibility to privileged identity activity is key, especially changes of account entitlements to move from standard user access to privileged user status. This is especially important for systems not connected to Privileged Account Management (PAM) tools. Revisit your lateral movement use cases.
• Phishing incident response: Develop and conduct regular training exercises for SOC analysts to identify and respond to phishing attempts effectively.

SOC analysts aren’t going to spend time poking around the dark web. Their threat intelligence counterparts, however, are on the dark web and what they find can be invaluable for the SOC team. The SOC checklist here includes:

• Dark web monitoring: Intelligence on compromised credentials, session keys and leaked sensitive information needs to be incorporated into the appropriate watch lists. If the incident in which the account information was stolen is not evident, an immediate post-incident analysis should be launched, including threat hunting, digital forensics and other analysis to identify when and how the account data was compromised. Once the tactics, techniques and procedures (TTPs) used in the compromise are identified, detection analytics need to be updated to enhance future threat detection.
• Executive digital identity protection: Executive accounts, as well as accounts directly supporting executives, need to be on account lists used in high-risk identity use cases. Specific response playbooks for these accounts need to be in place.

The fact that valid credential misuse tied with phishing as the initial point of access to incidents in 2023 is a call to action for SOC teams to revisit their detection and response capabilities related to identities and insider risk. If the checklist in this blog puts some items on your to-do list, we have resources that can help.

To implement any of the actions above, you can request a no-cost threat management workshop for your organization.

If you’d like to get more details on these insights, check out the full 2024 Threat Intelligence Index report.

For help preparing for when, not if, a cyberattack occurs, learn more about our X-Force Cyber Range immersive simulations.

If you’re already in a great place for each of the checklist items, even better!