The increased number of targeted attacks on businesses should no longer be troubling. What is troubling, though, is the trove of data breaches and the number of successful attacks that could easily have been prevented. IBM X-Force has released its annual Threat Intelligence Index report for 2020. The report provides a comprehensive global view of the past year’s emerging cybersecurity threats and attacker tactics. Data was analyzed from hundreds of millions of protected endpoints, along with data derived from spam traps and honeynets. Spam traps detect and analyze tens of millions of spam and phishing attacks daily from around the world. Honeynets are networks created with intentional vulnerabilities to invite attacks so that attacker activities and methods can be studied.
Highlights of this year’s X-Force Threat Intelligence Index include:
- 8.5 billion records breached in 2019, giving attackers access to more stolen credentials.
- 150,000 vulnerabilities disclosed to date. Organizations are not maintaining good security practices and cybercriminals are exploiting this.
- Ransomware attacks up 67% in Q4 2019. Hackers are creating innovative methods for implementing ransomware.
- Operational technology (OT) attacks surged 2,000% year-over-year. Threat actors continue to shift their sights to attack connected industrial and medical devices.
- Internet of Things (IoT) attacks on the rise. With more than 38 billion devices expected to be connected to the internet in 2020, the IoT is shaping up to be one of the threat vectors that can affect both consumers and enterprise operations through simplistic automated attacks.
- Retail industry attacks increased. Retail, the number two industry after financial services, was targeted for payment card data and valuable loyalty program data.
- North America the biggest geographic target. Asia, Europe, the Middle East and South America trailed North America in the number of attacks.
How were the attacks carried out?
Three major attack methods accounted for nearly 90 percent of all attacks.
- Phishing emails accounted for 31 percent of all attacks, down from 2018, when they comprised nearly 50 percent. Phishing emails are used to obtain sensitive information by disguising the emails as coming from a trustworthy entity and tricking the recipient into downloading or opening an attachment that executes the ransomware.
- Scan and exploit came in a very close second at 30 percent. Attackers increasingly scanned target environments for vulnerabilities to exploit – up from only 8 percent of total attack methods in 2018.
- Use of stolen credentials, where attackers use previously obtained credentials to access target organizations, came in a close third at 29 percent. Often these credentials are stolen from a third-party site or obtained via a phishing attempt against the targeted organization.
What type of attacks did hackers deploy once they infiltrated a network?
The primary attacks used destructive malware. Wielded by both cybercriminals and nation-states, destructive malware is malicious software that renders infected systems inoperable. Historically, destructive attacks typically came from nation-state adversaries. However, IBM X-Force IRIS investigations observed an increase in financially motivated ransomware.
Most notably, IBM Security observed a 67 percent increase in ransomware engagements compared to Q4 2018. Ransomware is a type of malware in which the hackers threaten to publish the victim’s data or perpetually block access to it unless a ransom is paid. The top attacks were against file and directory shares throughout the network and accounted for over 80 percent of the attacks.
The return on their investment is big.
Ransomware attacks are launched against a variety of organizations. Municipal and public institutions, as well as local government agencies and healthcare providers, suffered ransomware attacks. Attacks on these types of organizations often caught them unprepared to respond and more likely to pay a ransom.
Within five months, ransomware attacks amassed more than $3.7 million. In another instance, an attack on nursing homes in the United States led to a $14 million ransom demand.
Who is being attacked?
To produce the top 10 rankings, the volume of attacks observed for each sector, not the breaches, is counted. The most frequently targeted industries have been determined based on attack and security incident data from IBM’s X-Force managed networks, data and insights derived from their incident response services, and publicly disclosed incidents.
Finance and Insurance
In the mid-2010s, the financial sector dropped in the rankings as it increased security and attackers found easier organizations to target. However, the finance and insurance sector has now been the most attacked industry for four years running. According to the 2019 X-Force data, actual breaches of the finance and insurance sector have been small. This suggests that finance and insurance companies tend to experience a higher volume of attacks relative to other industries but are likely to have more effective tools and processes in place to detect and contain threats before they turn into major incidents.
Retail experienced the second largest number of network attacks in 2019. It was the target of 16 percent of all attacks on the top 10 industries, a marked rise from fourth place in 2018.
The retail sector is a prime source of sought-after consumer personally identifiable information (PII), credit card and financial data, shopping history, and loyalty program information. Cybercriminals typically use this data to take over customer accounts, defraud customers, and reuse the data in various identity theft scenarios.
The largest vulnerabilities were to point-of-sale (POS) malware and e-commerce payment card skimming, each of which aims to siphon payment card information during a transaction, via physical payment terminals or online.
Transportation is essential to any country’s critical infrastructure. Attacks targeted ground transportation, maritime, and air transport. Although transportation was the third-most attacked sector in 2019, attacks have been decreasing, dropping in frequency from 13 percent in 2018 to 10 percent in 2019.
Airlines and airports are increasingly being targeted by cybercriminals and nation-state adversaries seeking to track travelers of interest or to monetize travelers’ personal information by selling it on the dark web.
Media & Entertainment
The media sector accounted for 10 percent of all attacks on the top 10 sectors in 2019, up from 8 percent in 2018. It includes telecommunications as well as companies that produce, process and distribute news media and entertainment.
Often attacked by both cybercriminals and nation-states, breaches of media and entertainment are used to influence public opinion, control information flows, or protect the reputation of organizations or countries. Nation-state groups can view negative media as a threat to their national security. Cybercriminals find attacks on media and entertainment financially lucrative because they can hold stolen pre-aired media and research for ransom.
Professional services comprise various organizations that provide specialized consulting services to other sectors, such as legal, accounting, HR, and specialized customer support. Professional services accounted for 10 percent of all attacks on the top 10 industries, down from 12 percent in 2018.
Based on publicly disclosed breaches, professional services had the greatest number of records breached out of all industries in the IBM X-Force rankings.
This industry also includes technology companies, which have been increasingly targeted because of the third-party access they possess that can be leveraged by attackers attempting to breach the larger and potentially more secure organizations they serve.
The most notable attackers seem to be a nation-state sponsored group appearing to originate from China.
At 8 percent of attacks on the top 10 industries, unchanged year-over-year, the government sector has risen to the sixth position in 2019 from seventh in 2018.
Government is a high-value target for nation-states seeking to influence and gain an advantage, hacktivists seeking to expose compromising information or prove their technical prowess, and cybercriminals seeking monetary gain through extortion or stolen data.
Municipal governments have been directly targeted to collect extortion money from organizations that are less secure than those in the private sector. In 2019, more than 70 government entities were hit with ransomware between January and July.
Education tied with government in 2019 at 8 percent of attacks, up from 6 percent in 2018. Offering everything from intellectual property (IP) to PII, education organizations are viable targets for both cybercriminals and nation-states.
Phishing emails are the predominant method. Reported breaches in October 2019 alone show at least 500 US schools were infected, mostly by ransomware. Nation-states, primarily China, Russia, and Iran, compromised university networks and then used them as a staging ground to infect media organizations and military contractors.
Tied with both the government and education sectors at 8 percent, manufacturing dropped from 10 percent in 2018. While it is possible that this sector has seen fewer attacks, the decrease may reflect a lack of regulatory reporting requirements, since incidents are not subject to legal disclosure.
Traditionally weak, manufacturing security has strengthened in recent years, making it more difficult for attackers to successfully compromise networks. Phishing emails are the predominant method attackers use to gain access, followed by SQL injection (SQLi) attacks on publicly accessible web servers that are not fully patched or are running older server operating systems.
Fund diversion is the top payload for cybercriminals. Nation-states use the compromises to plant backdoors or malware in the products.
The energy sector remained unchanged from 2018, with 6 percent of attacks on the top 10 industries in 2019. Energy organizations are targeted due to their importance to critical infrastructure.
While customer data, financial material, trade secrets, and proprietary technology information are found in energy organizations, Industrial Control Systems (ICS) are the draw for nation-states seeking to disrupt, destroy, or control operations within a targeted facility. This is extremely effective in cyberwarfare. Successful compromises of ICS can have devastating effects on energy sector resources. Similar attacks have been used by Russia to target power plants in Ukraine.
Healthcare, in tenth place, accounted for 3 percent of attacks on the top 10 industries, down from eighth position and 6 percent of attacks in 2018. Healthcare's share has been on a steady decline in recent years as the sector has bolstered its security posture to protect data and devices.
Cybercriminals, motivated by financial gain, are the primary attackers against healthcare industry networks and medical devices. They aim to sell medical records on the dark web or to encrypt data and network-connected devices in ransomware attacks.
Although disrupting hospitals during a crisis can be detrimental, there has been no indication of nation-state interest in this sector.
What can you do?
- Develop a culture of security. Turn your employees into security assets instead of security liabilities. Educate them on what to look for, especially in phishing emails, and on strengthening security and protecting data using prescribed data protection practices. Their knowledge and vigilance could cut down on 60% of all breaches.
- Create a proactive security plan. This can be accomplished in most cases with the use of technology by protecting your organization from outside threats as well as those from the inside. Perform security monitoring and penetration testing from both the outside and the inside of your network.
- Utilize multifactor authentication (MFA). Entering a texted security code or using a second layer of authentication such as biometrics is one of the most effective methods of prevention. This is especially useful against credential reuse, where stolen credentials work in other attacks because end users reuse the same user ID and password combinations.
- Implement secure data backup and disaster recovery. While it may not be possible to effectively guarantee 100 percent prevention of a compromise, utilizing effective data backup and disaster recovery plans can guarantee minimal to no loss in the event of a compromise.
- Find a business partner for your IT needs. Today’s IT Managed Service Providers must be proactive in their ability to assess and prevent new threats. An innovative and systematic approach to security is necessary. Very few IT companies can meet those requirements.
Computer Business is a full-service information technology (IT) company offering a comprehensive suite of IT services ranging from complete IT Managed Services and Security to innovative custom-designed solutions. Computer Business has a worldwide client base in a broad range of industries including health care, law enforcement, financial, legal, technology, real estate, logistics, government/municipalities, B2B and B2C, and the U.S. military.
To learn more visit ComputerBusiness.com or contact a Computer Business Consultants security specialist at 800-778-0838.