The threat landscape 2023: Top targets, top attack types, top geographies
Mitch Mayne: Every year the IBM Security X-Force team of cyber experts mine billions of data points to reveal today's biggest attack trends and patterns. In this episode, I speak with Michael Worley, one of the primary authors of this year's report. We'll dig into the guts of the X-Force Threat Intelligence Index to uncover the continuously changing cybersecurity landscape and understand how to defend better against the latest threats. Join us as we venture Into the Breach. So Mike, welcome to the podcast. We want to talk about the X-Force Threat Intelligence Index for 2023. So you made some changes this year in terms of how you analyze the data. Tell me what those changes were and more specifically what they mean to the organization's policymakers, individuals who read this report.
Michael Worley: Yeah, thanks for having me, Mitch. Some of the adjustments we made to the report this year are mainly intended to try to align the report a bit more with some cross-industry standards, things like MITRE ATT&CK, and basically help make this information more actionable for readers. So three main areas that we made those shifts in include changing how we track initial access vectors by just using MITRE ATT&CK's initial access sub-techniques. We switched from what we tracked in the previous years as top attacks. We broke those out into two different metrics, one being the actions on objectives, or what the specific steps we saw a threat actor take. And the second being the impact that those steps had on the victim organization. So those three things we just intended to try to get a little bit more granularity. We've added a couple of things to those lists. So just again, make it a little bit more actionable and more insightful for our readers.
Mitch Mayne: All right. So that sounds good. So it's actually stuff that they can actually use as opposed to just data for data's sake, which I think people enjoy. What is included in this year's report? I know that you had a vast amount of data at your fingertips over an extremely long period of time. Tell me about that. How much data was it and how long of a period of time does it encompass and how deep and rich is it?
Michael Worley: Yeah, all of the data that we collected from this past year throughout the whole year includes our incident response data. We drew some insights from our spam lake, which is just a honey net of email addresses we use to try to gather spam email and understand what spammers are doing and threat actors are doing with that. The long-standing vulnerability database that our colleagues had developed over 30 years. We looked at malware reverse engineering. We looked at network attack data from our MSS offering. We got insights from X-Force Red penetration testing and adversary simulation teams, and then drew on the other proprietary research and analysis of threat actors and their methodology that the team has done all year long. And this data came from the impressive array of subject matter experts that I work with all across X-Force, bringing to bear all of those skills and experience in incident response, research, analysis, hunting, testing, and engineering. So it was a big project. A lot of people put a lot of time and effort into it.
Mitch Mayne: And IBM has pretty big reach too, right? So we're not talking just about a small section of data. We're talking about a lot of data. So that's kind of cool that we're getting this much breadth and depth here.
Michael Worley: Yeah.
Mitch Mayne: So speaking of smart people, Mike, you are kind of smart, I think. You have a background in intelligence anyway, including with the CIA. I'm curious how that shaped, because you're a new author to this, right? This is relatively your first time out there on writing the TII?
Michael Worley: This is my first TII, yes. I've been with IBM about two years.
Mitch Mayne: All right. So how did your background shape how you examined the data this year?
Michael Worley: One of the things that I was most proud of working in the intelligence community was developing a really big network of people across the entire community and across government to inform the best intelligence products that we could for senior policymakers and everyone. That was probably the most reminiscent of my time in the last six months or so is just drawing on, again, across the entire organization, pulling in SMEs from across X-Force and across IBM, getting their insights and relying on that broad base of experts really just to provide the best report that we could for our stakeholders within IBM, our clients and other readers as well.
Mitch Mayne: So we also should make mention that you are on vacation while you're recording this. So if we do hear some birds chirping in the background, I take it you're in some exotic location on a beach someplace.
Michael Worley: I am indeed, in Grand Cayman.
Mitch Mayne: I knew it. So Mike, going back to the report, what was your biggest aha moment in this year's report when you were examining all this data?
Michael Worley: To me, the digging deeper on vulnerability data that we have within our vulnerability database drew out what I think were some of the most interesting insights. My colleagues who track them and I wanted to provide those deeper insights to help provide context and put context around how vulnerabilities are usually reported. Not every vulnerability that is discovered and reported is a game changer, a world ender. Some of them are, and the attention and urgency given to them is important. But one of the findings that I thought was particularly interesting was the gap between the number of vulnerabilities and weaponized exploits that we've seen is growing. And it's an important one to highlight as it fell out of the data for several reasons. Defenders, I think, are a bit ahead now. A couple of years ago, more than one third of vulnerabilities had exploits compared to just about one in four this past year. And it's highlighted the continued importance of basic cyber hygiene. Patching when possible, protecting your networks, and sealing off the second most common initial access factor we saw last year and protecting your networks from those vectors taking that way in.
Mitch Mayne: So I noticed that back doors and ransomware both came in as top attack objectives. I'm curious because I think back doors has kind of taken an uptick. I'm curious why you think that is and the follow-up question, of course, that everybody has is, is ransomware still as big of a threat as it was a year ago?
Michael Worley: So as I mentioned, this is one of the ways that we changed how we did our analysis this year. So tracking the action threat actors took this year and we added a little bit more granularity to help pull out trends from that data. And that's where some of the things like this deployment of back doors fell out. So deployment of back doors which allow remote access to systems was seen in just over one in five cases, 21% of cases that we responded to in 2022. The majority, more than two thirds of those cases, showed indications of failed ransomware attacks revealing that defenders were able to disrupt threat actors before further damage could be done. Generally, cyber criminals are following the money. So access to corporate networks and corporate environments can go for thousands of dollars on the dark web, making those factors a really profitable commodity for attackers. Those deployments also knocked ransomware. You mentioned ransomware, is it still as big of a threat. Of course it is. While they knocked ransomware from its pole position it had been, ransomware had been the most commonly seen attack type since at least 2020, it's down to second this year in 17% of cases. But those back doors usually lead to ransomware attacks. As I mentioned, 67% of them showed indications of failed ransomware attacks. But basically that backdoor problem is just a precursor to the long-standing threat of ransomware, highlighting how that's not going anywhere.
Mitch Mayne: Ah yes, ransomware, too big to fail. Sounds like the backdoor is a good way in. I want to talk about how you took a closer effect at the effect of incidents, and this is something else you mentioned that you changed this year. The effect of incidents on victim organizations so that we can understand the impact that the attackers actually sought to have. How is this different than the objectives we just talked about, back doors, ransomware, and what did the research uncover?
Michael Worley: Yeah, we wanted to split out those specific actions that attackers took from how those actions affected victims in order to give readers and clients an understanding of the types of things and results from an incident that they should be preparing for. And right in line with just our discussion just now on ransomware, extortion emerged as the most common impact and seen in 27% of cases that we responded to. So the types of extortions we've seen have evolved in the last decade, building from simple data encryption through to ransom DDoS attacks and double and triple extortion, adding the threat of DDoS and leaking stolen data on top of initial encryption. But another thing that we saw in this past year and that we kind of see as the next evolution, I guess, of extortion is increased pressure on potential downstream victims. So this would be people like other business partners of the initial victim. Their data may be on their systems, and they get contacted by the ransomware actors and trying to add pressure to that initial ransom victim to just pay up.
Mitch Mayne: Okay. So that's actually really interesting. So threat actors are following up. And I think I read this also too like with hospitals. So they're finding the data that they've collected and it's like, "Oh, Mitch Mayne has been a patient at hospital XYZ. We have their data. Let's call Mitch and have him put some pressure on the hospital that we've just hacked." Something like that?
Michael Worley: Yes, exactly.
Mitch Mayne: That's absolutely crazy. So this stuff helps us understand what attackers are doing once they've actually gained access to a system. What did your research show in terms of how they're getting in?
Michael Worley: Yep. This was that third change I mentioned, adopting MITRE ATT&CK's initial access techniques, tracking how threat actors gain access. Phishing and vulnerability exploitation have consistently ranked as the top two initial access vectors in recent years, and they just swapped first and second place. And that held true this year. In 41% of incidents we responded to, phishing was the way in. Within those phishing incidents, spear phishing attachments were used at 62% of the time. Spear phishing links were used about a third of the time. And spear phishing via service was in about 5% of those cases. We also saw threat actors using attachments alongside phishing via service or links in some instances. So chaining them together, using them just to try to really get in, phish victims. And then vulnerability exploitation captured within the MITRE ATT&CK framework as exploitation of public-facing applications. That placed second among top infection vectors. And like I said, it's been a preferred method of compromise by attackers since at least 2019.
Mitch Mayne: Well, I'm going to poke on vulnerabilities in a moment, but I just have to ask this because this is something I think we say over and over and over in the industry, is phishing has been around for freaking ever, right? It's like why is it still on the top of the list?
Michael Worley: Phishing is just, there's always going to be someone who's going to click on something or open something that they shouldn't. And the entire range of cyber threat actors out there can range from some just simple hacking up to a state-sponsored kind of and well-resourced groups, but they're going to start with the easiest thing. They're going to start with the lowest time investment, and if they can get somebody to click on a link, which is going to happen at some point or another, why not?
Mitch Mayne: Well, so it's cheap and it works. So that's kind of what I'm hearing.
Michael Worley: Yep.
Mitch Mayne: All right. So let's go back to vulnerability specifically because this occupies a really big and kind of intricate section in the Threat Intelligence report. You did a really interesting analysis of the vulnerabilities this year. Again, kind of like phishing, it's a chronic [inaudible] in cybersecurity and there are so many vulnerabilities now. What did you uncover about how threat actors are using them or exploiting them to get access?
Michael Worley: Yeah, so like I said, it was the second most common way that threat actors used to get in, and that has kind of gone up and down the last couple of years. The number of incidents resulting from that in 2022 decreased 19% from 2021, which was actually a rise of 34% from the year prior, which was probably driven by things like Log4j and whatnot. But overall, every year we see a new record number of vulnerabilities discovered, and that's a trend that's persisted over the last decade to the benefit of defenders. However, analysis of that database showed the proportion of known viable exploits to reported vulnerabilities decreasing in recent years. So going back to 2018, there was a high in the last couple of years in the data that we looked at of 36%. That was in 2018. That went down to 34%, down to 28, 27, and to the most recent low this year of 26%. And overall, our vulnerability database shows about 78,000 known exploits. So you apply those against poorly managed or unpatched systems, and that provides opportunities for threat actors to try what exists basically before investing the time and resources necessary to try to develop a new exploit.
Mitch Mayne: So again, going back to the whole point, they're cheap and easy, right?
Michael Worley: Yeah. I mean, in certain cases. And certain things need to line up. You need to find the right vulnerability that needs to be unpatched, et cetera. But if those things work and they do, then again, it's easier to go with what you know and what you've got than having to go and develop a whole brand new way in.
Mitch Mayne: Yeah, I guess why develop a new one when the old one works just fine. Let's talk about who attackers are going after now, what industries they're focusing on and what geographies they're focusing on.
Michael Worley: So we most commonly responded to incidents in the manufacturing sector. That accounted for just about a quarter of all the cases we responded to last year. And this was the second year in a row for manufacturing in first place. And second place has been finance and insurance for the last two years. But actually that spread was just about 1% in 2021, and it's just about 6% in 2022. So it was about 25% of cases were manufacturing, 19 or so are finance and insurance. So deployment of back doors and ransomware attacks, all things we've already kind of talked about here, were most common in the manufacturing sector, and they just have really little appetite for any downtime. So they present as a really prime target for such attacks. And then in terms of where we responded to incidents, Asia-Pacific was the most attacked region in our dataset, accounting for 31% of IR cases, with Europe falling closely behind at 28%. Those two regions saw higher proportions of cases compared to the prior year as well, increasing 5 and 4 percentage points respectively.
Mitch Mayne: So we're looking at manufacturing hitting the top list again for the exact reason that you said, extremely low appetite for downtime. So we have talked about how what's in the data and what threat actors are doing, who's being targeted, how compromises are happening. Let's talk a little bit about what organizations can do to stay safer. What counsel do you have for individuals who are listening to this who are looking for steps to take to protect themselves?
Michael Worley: So we closed the report with a handful of recommendations. This year, I think tried to narrow them down a little bit, but I think they're really actionable and some of them are going to sound really familiar. But as we've already talked about, some of the most familiar ones are, if they're not followed, it can still lead a threat actor to an easy way in. So overall, I think there are a couple that I would just run through. First, managing assets and visibility. So you know what's in your environment and what you're able to see across your networks that is going to be needed to help identify bad actors. Second, knowing your adversaries. Understanding which threat groups are most relevant to you helps tailor your security efforts. Third, challenging assumptions and by assuming compromise. Offensive testing will help show how attackers can get in and how well you're positioned to find them. Fourth, incorporating intelligence to improve your abilities in each of those areas I just mentioned. Managing your assets, visibility, knowing your adversaries. And then finally, being prepared. Having IR plans ready to go, drilled, and making sure that all business units, not just security related ones, understand what they'll need to do in the case of an incident. But a lot more details in the report on these as well as everything else we've talked about so far.
Mitch Mayne: And I would be remiss, of course, if I didn't get a little spoiler alert on this. I know that there is an additional piece of data or additional document actually that's coming out that deep dives specifically into each of those areas that you said, how people can stay safer. So that's coming up as well, so people can actually read all about that if they want to. Particular interest to me was the one about think differently, and that whole notion that security is a point in time and it's a destination. It's like we've gotten here. It's really a journey and we should assume that the attackers are already in the network. And our question shouldn't be is how do we keep them out, but what can we do to stop them now that they're here? Mike, thank you so much for being on Into the Breach today. I appreciate your time. So thank you again, especially since you're on vacation, man.
Michael Worley: Yeah, thanks for having me and interrupting my time on the beach.
Mitch Mayne: Well, back to the beach, my friend, and we appreciate it again, and we'll chat soon.
Michael Worley: Take care.
Mitch Mayne: A special thanks to our guest, Mike Worley, for his time and insight for this episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach, an IBM production. This episode was produced by Zach Ortega and her music was composed by Jordan Wallace. Thanks for venturing Into the Breach.
DESCRIPTION
Every year, the IBM Security X-Force team of cyber experts mine billions of data points to reveal today's biggest attack trends and patterns. In this episode, host Mitch Mayne is joined by Michael Worley, one of this year’s primary authors, and digs into the guts of the X-Force Threat Intelligence Index 2023 to uncover the continuously changing cybersecurity landscape and understand how to defend against the latest threats. Join us as we journey into 2023 — and Into the Breach.
Things to listen for:
- [00:05 - 00:35] Introduction
- [01:04 - 03:17] What changes were made to the X-Force Threat Intelligence Index for 2023
- [03:48 - 04:37] How Michael's background shaped how he examined data for this year's report
- [05:00 - 06:04] The biggest aha moment from this year's report
- [11:10 - 13:39] Phishing and other vulnerabilities
- [15:20 - 16:30] Steps to take to protect yourself