There are plenty of reasons to assume that most cyberattacks are the work of far-off bad guys with a political ax to grind or searching for fame and fortune. After all, we hear about them in news reports just about every day, leaving businesses and consumers wondering whether their data can ever be considered safe again. What’s not discussed, however, is that 55 percent of all attacks are carried out by malicious insiders or inadvertent actors, also known as insider threats. In other words, they were instigated by people you’d be likely to trust. IBM Security is releasing two reports to educate the public on these threats: the “IBM 2015 Cyber Security Intelligence Index” and the “IBM X-Force Threat Intelligence Quarterly – 2Q 2015.”

In the Cyber Security Intelligence Index, IBM Security Services reveals insights based on the continuous monitoring of billions of events per year. In 2014, organizations monitored by IBM Security Services experienced approximately 81 million security events, amounting to over 12,000 attacks and 109 incidents for each client. The Index proves statistically that every company is being compromised.

“Unauthorized Access” led all security incidents in 2014. For the two previous years, malicious code and sustained probes or scans dominated the security incident landscape. However, Shellshock and Heartbleed were game changers in 2014, which allowed Unauthorized Access incidents to rise to the top and account for 37 percent of all events in 2014, up 19 percent from 2013.

An Inside Job

The rise of social media, cloud, mobility and big data is making insider threats harder to identify while also providing more ways to pass protected information. If we break out the malicious insiders from the inadvertent actors, we see several profiles: disgruntled employees who exit the company but still have access to old privileges or create back doors before leaving; malicious insiders taking advantage of lax deprovisioning of expired or orphan accounts to attack valuable resources or with privileged access who sell information for financial gain; and the inadvertent insiders who do not mean harm but fall prey to social engineering schemes that grant access to outside attackers. There are even “quasi-insiders” who could be considered trusted third-party contract workers.

In the IBM X-Force Threat Intelligence Quarterly, we investigate how social engineering has turned an annoyance like spam into a legitimate attack vector, with for-profit operators creating and selling spam campaigns to trick inadvertent insiders to open an attachment or click on a link. Although the current volume of spam is comparable to that of 2013, the percentage of spam carrying malware jumped from 1 percent in early 2013 to around 4 percent in 2015, making this a high-growth channel for spreading malware.

The Bottom Line on Insider Threats

As the Index expressed, every organization is under attack. The 81 million security events experienced by IBM MSS clients — a subset of the billions of events IBM Security monitors daily — were filtered down with continual policy tuning by 11 percent to reduce the noise, allowing analysts to focus on true threats. But despite the resulting reduction of noise, the average number of serious incidents held fast to 2013 levels at 2.1 a week.

**Updated** Download the 2017 X-Force Threat Intelligence Index

Through rigorous practices, enterprises can better manage and scrutinize users and networks for both security and compliance. Network forensics can help companies better understand activity coming into and going out of the network, and the ability to reconstruct the activities that took place during a network compromise is essential to securing data and preventing further harm. Furthermore, monitoring privileged access is essential to managing the risk associated with user entitlements to sensitive data.

I encourage you to download and take advantage of the information in both the Index and the Threat Intelligence Quarterly. We’ll have additional information here on Security Intelligence in the coming weeks to continue the discussion. You can also watch our on-demand webinar, “Why Insider Threats Challenge Critical Business Processes.”

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

4 min read

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

4 min read

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

12 min read

How to Report Scam Calls and Phishing Attacks

5 min read - With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…

5 min read