2024 shows that AI attacks with credential theft are the highest risk

Mondo Finance Updated on 2024-03-04

Each year, IBM X-Force analysts evaluate the data collected across all of our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that maps changes in the cyber threat landscape to uncover trends and help customers proactively put security measures in place. Among the many notable findings in the 2024 edition of the X-Force report, we recommend that security professionals and CISOs observe three main trends:

The Sharp Increase in Abuse of Valid Accounts

Key to Major Ransomware Organizing Methods

Our analysis of the timing and form of generative artificial intelligence (GEN AI) impact on cybersecurity

Cybercriminals prefer to take the path of least resistance to achieve their goals, so it is worrying that for the first time in our study, misuse of valid accounts has become the preferred way for cybercriminals to enter the victim environment. The use of stolen credentials to access valid accounts surged by 71% from the previous year and accounted for 30% of all incidents that X-Force responded to in 2023, with phishing becoming the top infection vector.

As defenders improve their detection and prevention capabilities, attackers found last year that obtaining valid credentials is the "easier" path to achieving their goals. This isn't entirely surprising considering the large number of valid credentials that are easily accessible on the dark web. However, this "easy entry" for attackers is difficult to detect and requires a sophisticated response from organizations to distinguish between legitimate and malicious user activity on the network.

While the volume of phishing is down 44% from 2022, phishing (whether via attachments, links, or as a service) also accounts for 30% of all incidents remediated by X-Force in 2023. The harm observed through phishing has dropped significantly, which may reflect the continued adoption of phishing mitigation techniques and the shift of attackers to the use of valid credentials.

In addition, X-Force observed a 100% increase in "kerberoasting" during incident response. Kerberoasting is a technique that focuses on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technological shift in the way attackers acquire identities to perform their actions.

These changes indicate that threat actors have re-evaluated the value of credentials as reliable and preferred initial access vectors.

The misuse of valid accounts as a top-tier access technique has been accompanied by a proliferation of malware, known as infostealers, that are designed to steal information in order to obtain credentials. We've observed a 266% spike in infostealing malware, just as we've observed organizations that previously specialized in ransomware turn to infostealers.

Despite ransomware still being the most common targeted action (20%), X-Force observed a drop of 115%. This decline may be due to large organizations stopping attacks before ransomware is deployed, and choosing not to pay the ransom and rebuild while ransomware is prevalent. (Notably, an analysis of ransomware extortion shows that ransomware activity has actually increased globally in 2023. This seems to indicate that X-Force customers continue to improve their ability to detect and respond to the precursors of ransomware incidents.)

Although X-Force has observed a decline in ransomware attacks, ransomware-based attacks remained a driver of cybercrime last year, second only to data theft and breaches as the most common impact observed in X-Force incidents. For example, X-Force responded to multiple incidents related to the CL0P ransomware group's widespread data extortion attack, which exploited a previously unknown vulnerability in MOVEit, a commonly used managed file transfer (MFT) tool.

While zero-day vulnerabilities like this one have a bad reputation, the reality is that zero-day vulnerabilities represent only a small fraction of the vulnerability attack surface – just 3% of the total number of vulnerabilities tracked by X-Force. In 2023, the number of zero-day vulnerabilities decreased by 72% compared to 2022, and only 172 new zero-day vulnerabilities were added. Despite the decline in the total number of zero-day vulnerabilities, organizations should still emphasize understanding their attack surface and identifying and patching vulnerabilities in their environment to prevent many attacks.

Last year will go down in history as a breakthrough year for the next generation of artificial intelligence. Policymakers, business executives, and cybersecurity professionals are feeling the pressure to adopt AI in their operations. Currently, the industry's craze for the adoption of next-generation AI has outstripped the ability to understand the security risks that these new features will pose. However, once AI adoption reaches critical scale, a general-purpose AI attack surface becomes a reality, forcing organizations to prioritize security defenses that can adapt to AI threats at scale.

To arrive at this conclusion, X-Force reflects on the technology enablers and milestones that have fueled cybercriminal activity in the past to assess when we will see an indicator of AI attack surface maturity. This happens once the market share of a single AI technology approaches 50%, or the market consolidates into three or fewer technologies.

Additionally, despite cybercriminals' interest in exploiting AI to carry out attacks, X-Force has not observed any concrete evidence of AI-designed cyberattacks to date. Phishing is expected to be one of the first AI malicious use cases that cybercriminals invest in, reducing the time it takes to craft a convincing message from days to minutes. However, while AI-based attacks are unlikely to occur in the near future, X-Force assesses that there will not be a surge in activity until the pace of AI adoption by enterprises matures.

The combination of an increase in infostealers and the misuse of valid account credentials to gain initial access exacerbates the identity and access management challenges for defenders. Cybercriminals' renewed focus on identity has highlighted the risks that organizations face from devices outside their visibility, and organizations need to continue to emphasize good security habits among their employees. Corporate credential data can be stolen from compromised devices through credential reuse, browser credential storage, or access to corporate accounts directly from personal devices.

While "security fundamentals" don't get as much attention as "AI-designed attacks," the biggest security concerns for businesses still come down to basic and known issues, rather than novel and unknown ones. Identity has been used against businesses time and time again, and the problem will become even worse as adversaries invest in AI to optimize their strategies.

The X-Force Threat Intelligence Index provides our unique insights to IBM customers, security industry researchers, policymakers, and the broader community of security professionals and business leaders.

Learn more about the threat landscape and the latest cybersecurity trends in the report:

Analyze the most important initial access vectors, the most important target attacker behaviors, and the greatest impact on your organization, geographic and industry trends, recommendations on how your organization should respond, and where to start.
