There are plenty of reasons to assume that most cyberattacks are the work of far-off bad guys with a political ax to grind or searching for fame and fortune. After all, we hear about them in news reports just about every day, leaving businesses and consumers wondering whether their data can ever be considered safe again. What’s not discussed, however, is that 55 percent of all attacks are carried out by malicious insiders or inadvertent actors, also known as insider threats. In other words, they were instigated by people you’d be likely to trust. IBM Security is releasing two reports to educate the public on these threats: the “IBM 2015 Cyber Security Intelligence Index” and the “IBM X-Force Threat Intelligence Quarterly – 2Q 2015.”

In the Cyber Security Intelligence Index, IBM Security Services reveals insights based on the continuous monitoring of billions of events per year. In 2014, organizations monitored by IBM Security Services experienced approximately 81 million security events, amounting to over 12,000 attacks and 109 incidents for each client. The Index proves statistically that every company is being compromised.

“Unauthorized Access” led all security incidents in 2014. For the two previous years, malicious code and sustained probes or scans dominated the security incident landscape. However, Shellshock and Heartbleed were game changers in 2014, which allowed Unauthorized Access incidents to rise to the top and account for 37 percent of all events in 2014, up 19 percent from 2013.

An Inside Job

The rise of social media, cloud, mobility and big data is making insider threats harder to identify while also providing more ways to pass protected information. If we break out the malicious insiders from the inadvertent actors, we see several profiles: disgruntled employees who exit the company but still have access to old privileges or create back doors before leaving; malicious insiders taking advantage of lax deprovisioning of expired or orphan accounts to attack valuable resources or with privileged access who sell information for financial gain; and the inadvertent insiders who do not mean harm but fall prey to social engineering schemes that grant access to outside attackers. There are even “quasi-insiders” who could be considered trusted third-party contract workers.

In the IBM X-Force Threat Intelligence Quarterly, we investigate how social engineering has turned an annoyance like spam into a legitimate attack vector, with for-profit operators creating and selling spam campaigns to trick inadvertent insiders to open an attachment or click on a link. Although the current volume of spam is comparable to that of 2013, the percentage of spam carrying malware jumped from 1 percent in early 2013 to around 4 percent in 2015, making this a high-growth channel for spreading malware.

The Bottom Line on Insider Threats

As the Index expressed, every organization is under attack. The 81 million security events experienced by IBM MSS clients — a subset of the billions of events IBM Security monitors daily — were filtered down with continual policy tuning by 11 percent to reduce the noise, allowing analysts to focus on true threats. But despite the resulting reduction of noise, the average number of serious incidents held fast to 2013 levels at 2.1 a week.

**Updated** Download the 2017 X-Force Threat Intelligence Index

Through rigorous practices, enterprises can better manage and scrutinize users and networks for both security and compliance. Network forensics can help companies better understand activity coming into and going out of the network, and the ability to reconstruct the activities that took place during a network compromise is essential to securing data and preventing further harm. Furthermore, monitoring privileged access is essential to managing the risk associated with user entitlements to sensitive data.

I encourage you to download and take advantage of the information in both the Index and the Threat Intelligence Quarterly. We’ll have additional information here on Security Intelligence in the coming weeks to continue the discussion. You can also watch our on-demand webinar, “Why Insider Threats Challenge Critical Business Processes.”

More from Threat Intelligence

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…