
Highlights From the 2022 X-Force Threat Intelligence Index

The annual X-Force Threat Intelligence Index from IBM Security is always a sobering read, and the 2022 edition is no exception. Here, we highlight some of the key security findings, statistics and trends in the report.

Cyberattacks by the Numbers 

This year’s report finds that phishing was the most common initial attack vector in 2021, used in 41% of the incidents X-Force remediated. Exploitation of vulnerabilities in unpatched software came next: incidents caused by it rose 33% year over year, and it was the entry point in 44% of ransomware attacks. By outcome, ransomware made up 21% of attacks and server access attacks 11%.
The report also notes that manufacturing became the most attacked industry in 2021, absorbing 23% of ransomware attacks; in previous years, financial services and insurance companies were attacked the most. IT teams at manufacturers should weigh the fact that 47% of attacks on their industry exploited known vulnerabilities that had not been patched. With that in mind, vulnerability management, i.e., patching known vulnerabilities before attackers use them to get into the network, belongs at the top of organizations’ security agendas going forward.
Alarmingly, the report identifies cloud infrastructure as a growing target: it found a 146% increase in new Linux ransomware code and a shift toward Docker-focused targeting. The report also found that the average lifespan of a ransomware group before it shuts down or rebrands is 17 months, and that law enforcement activity produced a 9% year-over-year decrease in ransomware activity. REvil (Sodinokibi) accounted for 37% of all ransomware attacks, and Ryuk for 13%.

Microsoft, Apple and Google were the brands most often impersonated in phishing kits, most likely because of their popularity and the trust users place in them. The report also found that the suspected Iranian nation-state threat actor ITG17 (MuddyWater), the cybercriminal group ITG23 (Trickbot) and Hive0109 (LemonDuck) were among the most active threat groups in 2021.

Recovering From Attacks 

Apart from prioritizing vulnerability management, training staff to recognize phishing attacks, and moving to a zero-trust posture, what else can organizations do to stay secure?

One measure that many companies are adopting is immutable backups, often called snap sets on the mainframe. As the name suggests, these backups are fixed: once written, they cannot be changed. The advantage is that attackers who get into the environment cannot encrypt or corrupt them. If your database is corrupted, there is always a way to restore the data from the immutable copy. That not only gets the database running again but also defeats the common ransomware tactic of destroying the backups first so that recovery is impossible.

At this stage, we can all breathe a sigh of relief. Or can we? Immutable backups are great for recovering active data, but what they cannot do is restore the system and application software in your infrastructure that the attackers compromised. As a result, once the database has been restored successfully, the attackers can simply re-encrypt it through a different back door or credential that they planted earlier.

The solution to this problem is to make sure that not only the database but also the trusted infrastructure components are restored, and that both are restored in a single, coordinated process. Otherwise the data will come back, but the back doors left in the infrastructure can be used again to corrupt it. Restoring the data and the infrastructure to the same known-good point eliminates those back doors together. For mainframe sites, the only realistic way to do this is with file integrity monitoring (FIM) software.

The common picture of a hacking attack comes from TV and films: someone opens a laptop and, a few minutes later, announces that they are in. In reality, IBM’s Cost of a Data Breach Report 2021 found that the average time to identify a data breach was 212 days, with a further 75 days to contain it. That gives attackers a considerable window in which to make any changes they want.

Given that your site has immutable backups and you want to restore its data, how do you know exactly which snap set to use? How can you determine when the problem started and which parts of your trusted infrastructure, such as executable programs and system parameters, have been compromised? The attackers have had plenty of time to do reconnaissance, obscure their entry point and plant multiple back doors from which they can regain control. The trouble is that you have no record of when your systems were last correct or which components are affected, and no one wants to read through 212 days’ worth of SMF records to find out.

Most people focus on data recovery, but infrastructure recovery is equally important. Both can be compromised by hackers.

Additional Security Factors

Certainly, external attackers aren’t the only problem. Insider attacks are a growing issue for many organizations: insiders already have access, know what to attack and know how to cover their tracks. What if malicious changes are introduced in a new release of software through your own application development process, as happened in the SolarWinds Sunburst attack? Your company will have no way to detect that the software layer itself is compromised, and depending on how long ago it happened, you could find that every one of your immutable backups already contains corrupted data.

Another problem is that encryption at rest, including IBM’s pervasive encryption, can be defeated at the program level. In-stream decryption hands the data to the application in the clear, so an intercept placed in the application layer can siphon off valuable information one record at a time. The attackers can then exfiltrate that data to their own servers, probably overnight when it is least likely to be noticed.

Human error is another important factor. For example, the wrong copy of a rate table might be used in a new application release, the wrong level of a module might be picked up in the final build process, or someone might simply forget a step during production deployment.

File Integrity Monitoring 

One solution to these problems is a product like FIM+ from MainTegrity, which uses integrity monitoring to remove the trial and error from selecting the right backup after an attack. FIM+ regularly scans infrastructure components and records when each was last known to be correct. That knowledge, combined with real-time SMF data, lets the software identify the appropriate snap set, so the database and the compromised infrastructure components can be restored at the same time.
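To make the mechanism concrete, here is an added example, written for this article and not code from MainTegrity or FIM+, of the core logic such a monitor needs: baseline infrastructure files by SHA-256, detect drift on later scans, and use the scan history to choose the newest immutable snapshot taken at or before the last scan that still matched the baseline, which answers the "which snap set do I use?" question from the previous section without reading months of SMF records. All file names, contents, timestamps and snapshot IDs below are constructed for the demo.

```python
"""Minimal file-integrity monitor with restore-point selection (illustrative, not FIM+)."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large load modules need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Classify every difference between a baseline and a later scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def is_clean(delta):
    return not (delta["modified"] or delta["added"] or delta["removed"])


def first_drift(baseline, scans):
    """scans: list of (timestamp, manifest) in time order.
    Return (timestamp, delta) of the first scan that differs from baseline, else None."""
    for ts, manifest in scans:
        delta = diff_manifest(baseline, manifest)
        if not is_clean(delta):
            return ts, delta
    return None


def last_clean_scan(baseline, scans):
    """Timestamp of the last scan before any drift was seen. Scans that look clean
    *after* a drift are deliberately not trusted: an attacker may have reverted the
    file the monitor watches while leaving other changes in place."""
    last = None
    for ts, manifest in scans:
        if not is_clean(diff_manifest(baseline, manifest)):
            break
        last = ts
    return last


def select_restore_point(baseline, scans, snapshots):
    """snapshots: list of (timestamp, snapshot_id). Pick the newest snapshot taken at
    or before the last proven-clean scan; None if no snapshot can be vouched for."""
    cutoff = last_clean_scan(baseline, scans)
    if cutoff is None:
        return None
    candidates = [(ts, sid) for ts, sid in snapshots if ts <= cutoff]
    return max(candidates)[1] if candidates else None


def demo():
    """Constructed scenario: three infrastructure files are baselined, daily scans run at
    00:00 and snapshots are taken at 23:00, and a 'back door' is appended to a startup
    member between the day-2 and day-3 scans."""
    t0 = datetime(2021, 6, 1)
    files = {  # hypothetical member names, not real z/OS artifacts
        "bin/login_exit": b"LEGIT-EXIT-v1",
        "parmlib/SYSPARM": b"SYSP=00",
        "proclib/STARTUP": b"//STEP1 EXEC PGM=LEGIT",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_manifest(root)
        scans = [(t0 + timedelta(days=d), build_manifest(root)) for d in (1, 2)]
        with open(os.path.join(root, "proclib/STARTUP"), "ab") as f:  # attacker's edit
            f.write(b"\n//BACKDOOR EXEC PGM=EVIL")
        scans += [(t0 + timedelta(days=d), build_manifest(root)) for d in (3, 4)]
    snapshots = [(t0 + timedelta(days=d, hours=23), f"SNAP{d}") for d in range(1, 5)]
    drift = first_drift(baseline, scans)
    return {
        "drift_day": (drift[0] - t0).days,
        "changed": drift[1]["modified"],
        "restore": select_restore_point(baseline, scans, snapshots),
    }


if __name__ == "__main__":
    print(demo())
```

Note the deliberate conservatism in `select_restore_point`: drift first shows up at the day-3 scan, so the day-2 snapshot (taken at 23:00, after the day-2 scan) is *not* chosen even though it predates the alert, because the change could have landed in the gap between that scan and the snapshot. The result is SNAP1. In practice this means scan cadence bounds how much data you lose on restore, and it is exactly the gap that correlating with SMF change records can narrow.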

If attackers, or insiders, have struck at the application level, products like FIM+ can flag suspicious changes within a new application version or maintenance release. In-stream compare functions and overview reporting make controlling change and verifying results considerably easier.

Attacks on mainframes and other platforms are not going away any time soon. Organizations need to take every step necessary to back up, and be able to restore, both their data and their infrastructure, so that an attack on their mainframe does not become a successful one.