“Cyber criminals intensify attacks on user identities in UK” reports IBM

The X-Force Threat Intelligence Index is based on insights and observations amassed from monitoring over 150 billion security events per day in more than 130 countries. In addition, data is gathered and analysed from multiple sources within IBM, including IBM X-Force Threat Intelligence, Incident Response, X-Force Red, IBM Managed Security Services and data provided from Red Hat Insights and Intezer, which has contributed towards the 2024 report.

Emerging identity crisis

The report’s constituent data reveals that exploiting valid accounts has become the path of least resistance for cyber criminals, with billions of compromised credentials accessible on The Dark Web.

According to IBM, 50% of cyber attacks in the UK involved the exploitation of valid accounts as the ‘initial access vector’, while a further 25% of cases involved the exploitation of public-facing applications.

Across Europe, X-Force observed a 66% year-on-year rise in attacks realised by the use of valid accounts, in turn contributing towards Europe’s prevalence as the most targeted region of 2023 and the record number of attacks that X-Force has ever reported regionally.

The criminal ecosystem was also quick to adapt to the use of valid accounts by attackers. In 2023, X-Force observed a 266% increase in info-stealing malware, which is designed to steal personal and enterprise credentials, personally identifiable information and banking and crypto wallet information.

This “easy entry” for attackers is harder to detect, eliciting a costly response from enterprises. According to X-Force, major incidents worldwide caused by attackers using valid accounts were linked to nearly 200% more complex response measures initiated by security teams than the average incident, with the attack defenders needing to distinguish between legitimate and malicious user activity on the network.

In fact, IBM’s 2023 Cost of a Data Breach Report found that breaches caused by stolen or compromised credentials required roughly 11 months from detection to recovery. In point of fact, this is the longest response lifecycle among all infection vectors.

Identities being ‘weaponised’

Martin Borrett, technical director for IBM Security in the UK and Ireland, commented: “Our findings reveal that identity is increasingly being ‘weaponised’ against enterprises, exploiting valid accounts and compromising credentials. It also shows us that the biggest security concern for enterprises stems not from novel or cryptic threats, but from well-known and existing ones.”

Borrett continued: “Addressing cyber security challenges requires a strategic approach, emphasising the reinforcement of foundational security measures. Streamlining identity management through a unified Identity and Access Management provider and strengthening legacy applications with modern security protocols are crucial steps in mitigating risks.”

Further, Borrett noted: “Subjecting your system to rigorous stress tests by skilled offensive security teams will prove invaluable in uncovering potential weaknesses. This insight is pivotal for crafting a robust incident response plan that engages all teams, from IT professionals through to C-Suite executives.”

Julian David, CEO of techUK, explained: “In an era marked by the growing sophistication of cyber criminals who exploit legitimate accounts to breach business defences, IBM’s X-Force Threat Intelligence Index serves as a stark wake-up call. The report underscores a troubling pattern wherein half of the cyber attacks perpetrated in the UK rely on legitimate accounts for initial access, presenting significant challenges to businesses’ recovery endeavours.”

On that note, David stated: “In order to effectively combat this threat, businesses must adopt a strategic approach, integrating modern security protocols to mitigate risks and strengthening their defences against the ever-evolving landscape of cyber threats.”

Further key UK findings

In terms of the UK, additional key findings to emerge in the comprehensive IBM report include the following:

*malware made up 30% of security incidents observed in the UK

*ransomware (30%) and cryptominers (20%) were the top malware types encountered in the country

*the impact of attacks was evenly distributed with extortion, digital currency mining and data leaks each making up 25% of total impacts in the UK (this marks a shift from 2022, when half of the cases X-Force observed in the UK involved extortion (57%) – twice the global average – followed by data theft at 29%)

*the professional, business and consumer services industry was the most targeted sector in the UK, accounting for 39% of all cases

*energy (30%) and finance/insurance (17%) were the second and third most targeted industries in the UK respectively

*manufacturing was the most targeted industry in Europe, accounting for 28% of cases

*Europe overall experienced the highest percentage of incidents within the energy sector at 43%, as well as finance and insurance at 37%

Global report: major takeaways

Attacks on critical infrastructure reveal an industry ‘faux pas’. Worldwide, an alarming 69.6% of attacks that X-Force responded to were against critical infrastructure organisations, an alarming finding highlighting that cyber criminals are wagering on these high- value targets’ need for uptime in a bid to advance their objectives.

In 84% of attacks on critical sectors globally, compromise could have been mitigated with patching, multi-factor authentication or least-privilege principals, thereby indicating that what the security industry historically described as ‘basic security’ may be harder to achieve than has been portrayed.

Exploiting public-facing applications, phishing e-mails and the use of valid accounts were top causes of attacks on this sector. The latter poses an increased risk to the sector, with DHS CISA stating that the majority of successful attacks on Government agencies, critical infrastructure organisations and state-level Government bodies in 2022 involved the use of valid accounts. This highlights the need for these organisations to frequently stress test their environments for potential exposures and develop bespoke incident response plans.

Attacks on generative AI

X-Force analysis projects that, when a single generative Artificial Intelligence (AI) technology approaches 50% market share or when the market consolidates to three or less technologies, it could trigger at-scale attacks against these platforms.

X-Force assesses that once generative AI market dominance is established, the maturity of AI as an attack surface will be triggered, in turn mobilising further investment in new tools by cyber criminals.

Although generative AI is currently in its pre-mass market stage, IBM believes it’s paramount that enterprises secure their AI models before cyber criminals begin to seriously scale their activity.

Enterprises should also recognise that their existing underlying infrastructure is a gateway to their AI models that doesn’t require novel tactics from attackers to target, highlighting the need for an holistic approach to security in the age of generative AI (as outlined in the IBM Framework for Securing Generative AI).

Key recommendations

Based on the research, IBM X-Force has produced the following set of recommendations for today’s enterprises.

Reduce blast radius

Organisations should consider implementing solutions designed to reduce the damage that a data security incident could potentially cause by reducing the incident’s blast radius (ie the potential impact of an incident given the compromise of particular users, devices or data). This could include implementing a least-privileged framework, network segmentation and an identity fabric that extends modern security and detection and response capabilities to outdated applications and systems.

Stress-test environments and have a plan

Hire hackers to stress test the environment and identify the existing cracks that cyber criminals could exploit to gain access to networks and carry out attacks. Also, having incident response plans that are customised for the host environment is key to reducing the time to respond, remediate and recover from an attack. Those plans should be regularly drilled and include a cross-organisational response, incorporate stakeholders outside of IT and test lines of communication between technical teams and senior leadership.

Adopt AI securely

Organisations should focus on the following key tenets to secure their AI adoption: secure the AI underlying training data, secure the models and secure the use and inferencing of the models. It’s paramount to also secure the broader infrastructure surrounding AI models.

As stated previously, IBM recently introduced a comprehensive Framework for Securing Generative AI to help organisations prioritise defences based on the highest risk and potential impact.

*Download a copy of the 2024 X-Force Threat Intelligence Index

**Sign up for the 2024 IBM X-Force Threat Intelligence webinar on 21 March

***Connect with the IBM X-Force team for a review of the study findings