The volume of threats that security teams see on a daily basis can make it especially difficult to look at the big picture when it comes to developing an effective cybersecurity strategy. To see through the flood of data and alerts, organizations depend on actionable threat intelligence to help them understand and mitigate risks. Looking at long-term trends can also help organizations make effective decisions for allocating resources to prevent costly breaches, ransomware and destructive attacks.

IBM’s annual X-Force Threat Intelligence Index presents an overview of the threat landscape and cybersecurity risk trends of the past year, based on IBM X-Force analysis of data from hundreds of millions of IBM Security-protected endpoints and servers, spam sensors, IBM Security managed services, red team, and incident response engagements.

IBM X-Force research teams came together to look at the trends that shaped the information security landscape in 2019, following the data to highlight the most prominent trends that can help organizations better assess risk factors, understand relevant threats and bolster their security strategy in 2020 and beyond.

Among the findings in this year’s X-Force Threat Intelligence Index, a few stand out: the most common attack vectors, the evolution of ransomware and malware, and the risks posed by accidental breaches caused by factors such as misconfigurations, inadvertent insiders, and old, continually exploited software vulnerabilities. New data from 2019 also showed a trend toward attacks on operational technology (OT), posing threats to industries such as energy and manufacturing. Finally, this year’s report provides geographic insights to show how threats vary by country or region.


Attackers Are on the Path of Least Resistance

With access to billions of compromised records from the past decade, rampant credential reuse and an ever-growing number of unpatched vulnerabilities to prey on, attackers took the path of least resistance in several ways to gain access to and compromise organizations.

According to data in this year’s report, initial infection vectors used by attackers were fairly evenly divided between phishing attacks, unauthorized use of credentials and exploitation of vulnerabilities. Out of the top attack vectors in 2019, 31 percent of attacks relied on phishing (down from about half of attacks in 2018). The share of attacks using stolen credentials in 2019 was close behind at 29 percent. Meanwhile, attacks on known vulnerabilities increased significantly as a share of the top attack vectors, up to 30 percent in 2019 versus 8 percent in 2018.

Ransomware — The Bane of the Decade

Ransomware attacks have been a growing problem over the past five years, and in 2019 this threat evolved into an all-out digital hostage crisis. Companies that do not pay millions for a decryption key may see their data destroyed or published on the internet, or may even become the victims of a destructive attack in retaliation for not paying the criminals.

Our data shows a considerable rise in ransomware incidents in 2019, almost doubling between the second half of 2018 (10 percent) and the first half of 2019 (19 percent). Ransomware affected companies across a wide variety of industries, in both the public and private sectors, and in 12 countries across the globe. The top targets for these attacks were retail, manufacturing and transportation, sectors where downtime is detrimental to operations, which adds to the pressure to pay. Another potential reason is the ease of exploiting legacy systems and lax security programs in some sectors.

Healthcare organizations also faced the wrath of ransomware in 2019, and with attacks on the industry affecting a large number of facilities, the threat to human lives compelled organizations to pay to regain operational capabilities.

Organized Cybercrime Driving Rise in Attacks

One of the biggest drivers of ransomware becoming a prolific threat to organizations in 2019 was the move of organized cybercrime gangs from the banking Trojan realm into the enterprise attack arena. Banking Trojan operators are already known to be professional, sophisticated attackers who operate as a business. These capabilities, combined with access to already-compromised networks and the ability to spread to pivotal assets, have given ransomware such as Ryuk, DoppelPaymer, LockerGoga, Sodinokibi and MegaCortex the ability to extort victimized organizations for millions of dollars. Those who did not pay often faced arduous recovery processes that were no less costly and no faster.

Law enforcement continues to discourage companies from paying ransoms as a way to reduce the profitability of high-stakes attacks and deter attackers in the long run.

Of note in 2019 was code innovation in the malware arena. Attackers in this sphere constantly evolve their code to bypass security controls. According to data from Intezer, banking Trojans and ransomware showed the most innovation in their genetic code, with an increase in new (previously unobserved) code from 2018 to 2019. Some 45 percent of banking Trojan code was new in 2019, compared to 33 percent in 2018, while 36 percent of ransomware code was new in 2019, compared to 23 percent in 2018.

Misconfigurations and Insider Threats Expose Billions of Records

With over 8.5 billion records leaked or compromised in 2019, it was a big year for lost data. But could these numbers have been lower? Our analysis finds that of the more than 8.5 billion records breached in 2019, 86 percent were compromised via misconfigured assets, including cloud servers and a variety of other systems. The same issues affected only half of the records breached in 2018. As organizations move to the cloud, security must remain a high priority, especially when it comes to proper configuration, access rights and privileged account management (PAM).

More exposed records mean more credentials up for grabs that can be used as an initial entry point into businesses. It is high time for organizations to pay closer attention to these potential security gaps and to favor automation to limit human error and misconfiguration.

Other Highlights From the Report

OT attacks hit an all-time high. Malicious activity targeting operational technology assets, most notably industrial control systems (ICS), increased 2000 percent year-over-year in 2019, marking the largest number of attempted attacks on ICS and OT infrastructure in three years.

Tech and social media giants were the top spoofed brands in 2019, with attackers using various cybersquatting tactics to gain the trust of potential victims.

Nearly 60 percent of the top 10 spoofed brands identified were Google and YouTube domains, with Apple (15 percent) and Amazon (12 percent) coming in next. Facebook, Instagram, Netflix and Spotify were also among the top 10 spoofed brands.

With nearly 10 billion accounts combined, the top 10 spoofed brands listed in the report offer attackers a wide target pool, increasing the likelihood of credential theft and account takeover.

North America and Asia were the most targeted regions. For the first time this year, the X-Force Threat Intelligence Index included geo-centric insights on the threat trends we’ve seen on a regional basis. North America and Asia suffered the largest data losses, having seen 5 billion and 2 billion records compromised, respectively.

Discover More in the X-Force Threat Intelligence Index

IBM X-Force research for this report has a truly global reach, based on insights and observations from monitoring over 70 billion security events per day in more than 130 countries. For more insights about the global threat landscape and the threats most relevant to your organization, download the X-Force Threat Intelligence Index and sign up for the webinar to dive deeper into the findings from this year’s report.
