Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves.

Moving Left of Boom: Early Backdoor Detection

Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment of backdoors, and why it’s not necessarily all bad news.

Question: The Threat Intelligence Index is full of #1s — Manufacturing being the #1 targeted industry. APAC being the #1 targeted geographic region. What was the #1 action we saw threat actors take?

Andy Piazza: The number one action on the objective we saw threat actors take was the deployment of backdoors at 21%; ransomware came in second at 17%; and business email compromise third at 6%.

Question: Interesting, why should we be paying close attention to this backdoor stat, in particular? Is this bad news for organizations?

Andy Piazza: Since we know that backdoors are often the precursor to ransomware events, I take this stat as a good sign, actually. It could mean that defenders are detecting these cases before the ransomware payload is actually deployed.

Question: Why is that so important?

Andy Piazza: Instead of playing catch-up against a barrage of threats, this means we’re moving left of boom and getting ahead of the actual real critical impacts.

Question: Aside from the upside of getting ahead of threat actors looking to deploy ransomware, what are the other implications — positive or negative?

Andy Piazza: I think this stat continues to deliver us positive news. Since we know that ransomware groups are using double extortion techniques where they’re stealing our intellectual property and threatening to release it on the internet, detecting the backdoors early gives us a huge opportunity as defenders to not only prevent the catastrophic impact of ransomware encrypting a bunch of systems — but intellectual property theft, as well. I think that’s a huge win for defenders and I want to see that trend continue.

Question: What advice can you offer organizations when it comes to staying vigilant against the latest threats?

Andy Piazza: We need to continue with our threat assessments and not only understand threat actors’ intentions and capabilities, but what those capabilities look like from our network. Are we able to detect and mitigate and respond to those quickly?

Conducting tabletop exercises with executives from all different business units is crucial to putting a plan into practice so they understand the impact to their systems during a ransomware event.

Beyond that, keep on with your risk mitigation through vulnerability management programs, penetration testing and advanced adversary simulation testing as well. It’s not enough to have a plan, you need to pressure test it — and regularly!


Understanding the Anatomy of a Ransomware Attack

John Dwyer, Head of Research at IBM Security X-Force, spoke with us about how attackers are moving fast, and why we need to move faster.

Question: The speed with which threat actors are conducting attacks is astonishing. The Threat Intelligence Index noted that the time to execute attacks dropped 94% over the last few years. So, apparently, what used to take months now takes attackers mere days. Why does this matter?

John Dwyer: The rapid reduction in the ransomware attack timeline is concerning because it adds yet another pressure element for defenders: time. And the bottom line is, if attackers are moving fast, we have to be faster. It is absolutely critical for organizations to not only understand how ransomware attacks happen, but the timelines in which they occur.

Question: What is it about the timeline that can be useful to defenders?

John Dwyer: Understanding the timeline of an attack provides valuable contextual data points that defenders can use to build their detection and response strategies around. For example, if a defender detects an adversary moving laterally in their environment, they should have a general idea of how long they have before the ransomware is deployed. Their response needs to keep ahead of the attacker.

Question: Is it true that ransomware attackers aren’t only getting faster, but more efficient? And that there are perhaps more attackers?

John Dwyer: Based on the behaviors that we’ve been observing in incidents, we can deduce that not all attacks require a high level of skill. With a lowered barrier of entry to become a cybercriminal — with the advent of phishing kits and ransomware-as-a-service and the like — there’s more opportunity for more people to enter this marketplace, which means more ransomware attacks.

Question: So what can organizations do? How can they stand a chance in the face of this “more,” “faster,” “efficient” trifecta?

John Dwyer: Get into the mindset of your attacker. Work with your response provider to understand how ransomware attacks happen and the goals and objectives of the ransomware operator. Dig into adversaries’ goals and objectives. Based on that data alone, we can develop a very robust detection and response strategy and develop training exercises to ensure that your people, processes and technology are set up to prevent an incident from becoming a crisis.

Thwarting Thread Hijacking

Stephanie “Snow” Carruthers, Chief People Hacker at IBM Security X-Force Red, unpacked the rise in thread hijacking and other email-based threats.

Question: Well, it’s not such a surprise that phishing, for the second year, is the top infection vector.

Stephanie Carruthers: Yes, threat attackers love phishing! And with phishing kits, the incorporation of vishing techniques — where attackers follow up with a text or phone call — it’s getting easier (even as organizations and employees become more aware — don’t lose sight of those training exercises!).

Question: Tell me, what is thread hijacking? We read in the report that there was a 100% increase in thread hijacking attempts per month.

Stephanie Carruthers: Thread hijacking is a tactic where threat actors insert themselves into conversations you are having with people you know and trust. So, for instance, they might reply to a recent email thread between you and your sister where you’re talking about chipping in money for a birthday present. As you can imagine, people aren’t as vigilant when they’re in the middle of a private conversation with someone they think they know. It’s easier than you think to accidentally provide access to sensitive information, data or systems.
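A defender-side way to flag replies that fit the pattern described above, as an added example that is not from the original post or IBM's tooling: a header heuristic that checks whether a reply into a known thread comes from an address never seen in it, reuses a participant's display name, or diverts replies elsewhere. All addresses and Message-IDs are constructed.

```python
import email
from email.utils import getaddresses, parseaddr

def participants(msgs):
    """Lower-cased address -> display name for every From/To/Cc in prior mail."""
    seen = {}
    for m in msgs:
        hdrs = m.get_all("From", []) + m.get_all("To", []) + m.get_all("Cc", [])
        for name, addr in getaddresses(hdrs):
            if addr:
                seen[addr.lower()] = name
    return seen

def hijack_indicators(thread, incoming):
    """Reasons an incoming reply into a known thread looks hijacked ([] if clean)."""
    prior = [email.message_from_string(r) for r in thread]
    new = email.message_from_string(incoming)
    if new["In-Reply-To"] not in {m["Message-ID"] for m in prior}:
        return []  # not a reply into this thread; the heuristic does not apply
    known = participants(prior)
    name, addr = parseaddr(new["From"])
    addr = addr.lower()
    reasons = []
    if addr not in known:
        reasons.append(f"sender {addr} never appeared in the thread")
        if name and name in known.values():
            reasons.append(f"display name '{name}' matches a prior participant")
    _, reply_to = parseaddr(new.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    return reasons

# Constructed sample thread (not real mail): Alice and Bob, then a look-alike
# "Bob" at another domain replying into the thread with a diverging Reply-To.
THREAD = [
    "From: Alice <alice@example.com>\nTo: Bob <bob@example.com>\n"
    "Message-ID: <1@example.com>\n\nWant to chip in for the present?\n",
    "From: Bob <bob@example.com>\nTo: Alice <alice@example.com>\n"
    "Message-ID: <2@example.com>\nIn-Reply-To: <1@example.com>\n\nSure, how much?\n",
]
HIJACKED = (
    "From: Bob <bob@example-mail.net>\nReply-To: accounts@example-mail.net\n"
    "To: Alice <alice@example.com>\nMessage-ID: <3@example-mail.net>\n"
    "In-Reply-To: <2@example.com>\n\nUse the new details below.\n"
)
GENUINE = (
    "From: Bob <bob@example.com>\nTo: Alice <alice@example.com>\n"
    "Message-ID: <4@example.com>\nIn-Reply-To: <2@example.com>\n\nAround 20?\n"
)
```

Running `hijack_indicators(THREAD, HIJACKED)` yields three indicators; a message from a genuine participant with no Reply-To yields none, so the check can sit in front of a mailbox rule or SIEM query as a low-noise thread-hijacking signal.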

Question: Wow. And I can imagine that the implications can extend beyond just one person.

Stephanie Carruthers: For sure. Thread hijacking can be a long con, creating a chain reaction that leaves several victims in its wake.

Question: Why do you think there’s been such a rise in email-based threats like thread hijacking?

Stephanie Carruthers: I think there has been a rise in thread hijacking because it’s highly successful! Attackers are exploiting the trust placed in email, and their tactics are getting harder to identify.

Question: What can organizations do to better protect themselves against the impacts of these imposters?

Stephanie Carruthers: It’s important to evaluate the technology being used to detect, prevent and respond to cyber threats. However, it’s just as important to continuously run simulations against the technology in use in order to test, learn and improve!

Download the IBM Security X-Force Threat Intelligence Index 2023 to learn more about how threat actors are waging attacks, and read the Threat Intelligence Action Guide to learn what you can do to proactively protect your organization.
