IBM’s annual X-Force Threat Intelligence Index, an analysis of data collected from network sensors and incident investigations, is filled with a dizzying array of numbers about breaches of security controls.
But arguably only one number matters most: the one that shows how the most successful attacks begin. And the answer for 2022 is — again — phishing.
The report released today says phishing was the leading infection vector last year, identified in 41 percent of incidents. Of those phishing attacks, 62 percent were spear-phishing.
Exploitation of public-facing applications — because, for example, they were insecure or unpatched — accounted for 26 percent of the incidents.
Abuse of legitimate accounts was identified in 16 percent of the observed incidents. These are cases where adversaries obtain and abuse the credentials of existing accounts as a means of gaining access. These incidents included cloud accounts, default accounts, domain accounts, and local accounts.
Exploiting remote services was the fourth most common attack vector, used in 12 percent of successful attacks. The report states that not every vulnerability exploited by threat actors results in a cyber incident. The number of incidents resulting from vulnerability exploitation in 2022 decreased by 19 percent from 2021, after increasing by 34 percent from 2020. IBM believes this late 2021 swing was driven by a widespread Log4J vulnerability.
Infection by malicious macros has fallen out of favor, the report said, possibly due to Microsoft’s decision to block macros by default. To compensate, attackers are increasingly using malicious ISO and LNK files as a primary tactic for distributing malware via spam.
Among other interesting numbers:
– Credit card information as a target in phishing kits has decreased significantly. Last year, only 29 percent of phishing kits targeted credit cards. This suggests that phishers are prioritizing personally identifiable information (PII), the report says;
– Although ransomware incidents declined only slightly (4 percentage points) from 2021 to 2022, defenders were more successful at detecting and stopping ransomware. Despite this, attackers continued to innovate, with the average time taken to complete a reported ransomware attack being reduced from two months to less than four days;
– Last year, backdoor deployment emerged as the top action taken by attackers after gaining access. Twenty-one percent of incidents involved backdoor installation. The report noted that approximately 67 percent of backdoor cases were related to ransomware attempts, where defenders were able to detect the backdoor before the ransomware was deployed. The boom in backdoor deployment can be partially attributed to their high market value, the report said. Threat actors sold existing backdoor access for up to US$10,000 last year, compared to stolen credit card data that can sell for less than US$10 today;
– The second most common action after gaining network access was the deployment of ransomware. One particularly harmful way ransomware operators distribute their payloads across a network is by compromising domain controllers, the report notes;
– The most common effect of cyberattacks in 2022 was extortion, achieved primarily through ransomware or business email compromise attacks. Europe was the most targeted region for this method, representing 44 percent of extortion cases, as threat actors sought to exploit geopolitical tensions. Data theft and credential harvesting were the second and third most common impacts;
– Thread hijacking saw a significant increase in 2022, with attackers using compromised email accounts to reply to ongoing conversations while posing as the original participant;
– The proportion of known exploits relative to vulnerabilities declined by 10 percentage points from 2018 to 2022, because the number of vulnerabilities reached another record high in 2022. to exist and spread. On the other hand, the reduction in vulnerabilities with known exploits is evidence of the benefits of a well-maintained patch management process, the report says;
– Don’t forget to close the doors (or, more precisely, the ports) to USB-based attacks. In 2022, IBM saw the Raspberry Robin worm spreading through employees plugging in infected USB devices. By the beginning of August, Raspberry Robin accounted for 17 percent of the infection attempts seen by X-Force;
– On the operational technology (OT) side, the number of industrial control system (ICS) vulnerabilities discovered in 2022 decreased for the first time in two years (457 in 2022, compared to 715 in 2021 and 472 in 2020). An explanation, the report says, can be found in the ICS lifecycle and in how ICS components are typically managed and patched. Attackers know that many ICS components and OT networks are still at risk from legacy vulnerabilities, given the demands for reduced downtime, longer equipment lifecycles, and older, less well-supported software. This infrastructure typically stays in service many years longer than standard office workstations, extending the lifetime of the ICS-specific vulnerabilities that attackers exploit.
Among the report’s recommendations for infosec leaders:
– Organizations should develop incident response plans adapted to their environment. Those plans should be regularly tested and revised as the organization changes, with a focus on improving response, treatment and recovery times;
– Prioritizing asset discovery at the perimeter, understanding an organization’s exposure to phishing attacks, and reducing those attack surfaces further contribute to overall security. Extend asset management programs to include source code, credentials, and other data that may already exist on the Internet or the dark web;
– Ensure proper visibility into the data sources that would indicate the presence of an attacker.
The full report can be downloaded here (registration required).