In this 45-minute webinar, Michelle Alvarez, the manager of the threat intelligence production team within IBM Security X-Force, joins R2i to walk you through the report. Listen in to hear her highlight the key findings and share additional information on newer threats, including the war in Ukraine. For a summary of the webinar, read on.
Surveying the cyber threat landscape
The Threat Intelligence Index is an annual report that IBM X-Force has published for over a decade. It’s one of the ways that IBM shares intelligence on the threat landscape with private and public organizations and the larger intelligence industry.
Each report analyzes billions of data points to determine the most notable threat actors, how they are getting into networks, what they are doing once they are inside, and what the best practices are to mitigate risk.
Cyber threats from Russia and the War in Ukraine
IBM published the 2022 Threat Intelligence Index on February 23. The next day, Russia invaded Ukraine. Many in the cybersecurity industry have had questions about the impact of Russia’s invasion on the cyber threat landscape.
Michelle shares a few takeaways in the webinar, and more information is available in IBM’s comprehensive virtual brief from subject matter experts on Russian state-sponsored groups, which details what IBM knows and what organizations can expect. To access the free brief, reach out to your R2i representative.
The war in Ukraine has triggered both pro-Russian and pro-Ukrainian activity. Most attacks are taking place in Ukraine itself, including many wiper malwares used against Ukrainian entities.
IBM is monitoring the situation to see if Russian-directed or Russian-sympathetic actors expand their scope beyond Ukraine. But activity within Ukraine, especially attacks on utilities, may have consequences in other countries, including Canada.
Some threat actors are targeting organizations for ideological reasons. For example, the hacktivist group Anonymous has stated the intention to target entities conducting business in Russia. Others may take advantage of the distraction of the conflict.
IBM recommends that every organization assess its own threat profile. If your sector is a historical target of Russian activity, including the energy, healthcare, and financial sectors, it would be wise to reexamine your defensive posture.
Ransomware stays #1 for a 3rd year in a row
For the third year in a row, ransomware attacks were the most common cyber attack in 2021. Their share did decrease slightly, from 23% in 2020 to 21% in 2021, which may be because of increased law enforcement action.
Why is ransomware so popular? One reason may be that attackers can use double extortion, which has happened in many ransomware engagements IBM X-Force has been involved in since 2019. In double extortion, attackers don’t only encrypt your data, but also exfiltrate the data and threaten to leak it, which adds pressure to pay the ransom.
The second most common attack type was service access attacks, coming in at 14%. Some of these attacks may be failed ransomware incidents.
In third place were Business Email Compromise (BEC) attacks, which made up 8% of attacks and were especially prevalent in Latin America. Their frequency had decreased in 2020 but rose again in 2021. BEC attacks almost exclusively target organizations where multifactor authentication is not enabled.
Phishing and vulnerability exploitation are top infection vectors
In 2021, phishing was the infection vector for 41% of attacks, and vulnerability exploitation was the vector for 34%.
Phishing that adds a phone call or voice mail to the email has been found to be three times as effective. The strategy follows the basic principles of marketing: the more touchpoints you have with the consumer, the more likely they are to buy. As attackers increase their use of phones for phishing attempts, addressing the human side of cybersecurity and educating end users are increasingly important.
Vulnerability exploitation has increased 33% year over year. In 2021, IBM observed significant exploitation of the Apache Log4j vulnerability, which became the second most exploited vulnerability despite not being disclosed until December. The first and second most exploited vulnerabilities both involved Microsoft Exchange.
Every year, the top ten most exploited vulnerabilities contain a mix of new and older vulnerabilities, some of them up to ten years old. This highlights the importance of addressing vulnerabilities. As long as they exist, attackers continue to exploit them.
The supply chain under attack
For the first time in ten years, finance and insurance services were not the most attacked industry. Manufacturing claimed the top spot in 2021.
Threat actors have recognized the delicate balance of the supply chain. They prefer to target organizations that are under high pressure to avoid downtime, since those are more likely to pay out to resume operations, so manufacturing has been a prime target.
The wholesale industry also saw an increase in attacks, likely because of the role they play in the supply chain. While retail usually suffers more attacks than wholesale, in 2021 that pattern was reversed.
With supply chain challenges continuing, IBM experts anticipate that threat actors will continue to target manufacturing and other supply chain industries.
Finance and insurance services landed in the second-place spot. Their drop to second place is at least partly due to the great strides the industry has made in cyber defense and resilience in recent years.
Security: What is the best defense?
Michelle shares seven recommendations to respond to these trends:
- Develop a response plan to ransomware. Create immutable backups so you can recover your critical data, and drill your plan so it’s part of your team’s muscle memory. R2i also offers tools and consultations to assess and develop your cyber resilience.
- Implement multi-factor authentication. Multi-factor authentication can serve as a deterrent to BEC attacks, since it takes threat actors more effort to break through. Don’t let your organization be the low-hanging fruit.
- Build a layered defense against phishing. Attackers know that combining phone calls and emails is three times as successful. Organizations need multiple defense mechanisms, including end user education, to combat this.
- Refine and nurture your vulnerability management system. Vulnerability exploitation remains a top infection vector. Ensure that you respond to vulnerabilities quickly.
- Adopt zero trust principles. Zero trust principles can reduce the risk from the top attack types.
- Use security automation to enhance incident response. There is a positive correlation between shorter-length incidents and lower overall costs. Speeding up your response may lower costs.
- Use extended detection and response (EDR). EDR may give an advantage over attackers and can reduce costs.