
IBM Security

Managed Security Services

IBM 2015 Cyber Security Intelligence Index
Analysis of cyber attack and incident data from IBM’s worldwide security services operations

Research Report

Contents
The year the Internet fell apart

The numbers tell a new story

Over 62 percent of incidents target just three industries

Unauthorized access spurs nearly twice as many incidents in 2014

More than half of all attackers are “insiders”

Where is all this happening?

It’s not about “if” you’re going to be hacked; it’s about “when”

Put a halt to dangerous thinking

Why IBM Security?

For more information

Follow us

Authors

Glossary

Appendix

About this report

IBM Managed Security Services continuously monitors billions of events per year, as reported by more than 8,000 client devices in over 100 countries. This report is based on data IBM collected between 1 January 2014 and 31 December 2014 in the course of monitoring client security devices as well as data derived from responding to and performing analysis on cyber attack incidents. Because our client profiles can differ significantly across industries and company size, we have normalized the data for this report to describe an average client organization as having between 1,000 and 5,000 employees, with approximately 500 security devices deployed within its network.

The Cyber Security Intelligence Index offers a high-level overview of the major threats to businesses worldwide over the past year. Our goal is to help you better understand the current threat landscape by offering a detailed look at the volume of attacks, the industries most affected, the most prevalent types of attacks and attackers, and the key factors enabling them. We provide insights into where and how successful attacks can impact today’s technology-dependent organizations and discuss how the threat landscape is evolving from year to year, as companies work to better detect and insulate themselves from future attacks.

The year the Internet fell apart

By just about anyone’s standards, 2014 was a banner year for the cyber security industry. Significant threats and massive breaches made front-page news on a regular basis, leaving businesses and consumers wondering whether their data could ever be considered safe again.

Major vulnerabilities were found lurking in well-known applications, many of which had been dormant for more than 10 years. Once discovered—and subsequently exploited—they left virtually every industry vulnerable to serious threats, including the possibility of intruders gaining full remote access to critical systems. IT departments often found themselves unprepared to patch and mitigate these threats, leaving the window for exploitation wide open and leading to a “perfect storm” of zero-day attacks, system infiltration and subsequent data loss for many organizations.

Learn more: Three system-crippling threats


Many of the notable data breaches that occurred in 2014—some of which devastated the victim organizations—were the result of attacks that exposed healthcare records, credit card data and volumes of personally identifiable information. What’s more, they ended up compromising the safety of these organizations and endangering the security of millions of individuals who are now exposed to the very real possibility of identity theft.

The numbers tell a new story

In 2014, the average organization monitored by IBM Security Services experienced approximately 81 million security events (see Figure 1). Continual policy tuning allowed IBM security analysts to filter out 11 percent of the security events, leading to greater efficiency on all levels and making it possible for them to shift their attention to those events meriting further analysis. But despite the resulting reduction of “noise” at the event level, the average number of incidents held fast to 2013 levels at 2.10 per week. In other words, while IBM has become more proficient at weeding out ineffective attacks, the incident-to-attack ratio rose from .65 percent to .91 percent.

Learn more: Events, attacks and incidents defined

Get the picture: Annual security events, attacks and incidents

Over 62 percent of incidents targeted just three industries

The data for 2014 shows a marked departure from the trends reported for both 2012 and 2013. While the finance and insurance category remains in its top spot as the most targeted industry, the information and communications category took over second place from manufacturing. And although retail held onto fourth place in the rankings, that industry experienced 3.2 percent more incidents in 2014 than it did in the previous year (see Figure 2). That represents the largest percentage change among the four industries remaining from the previous year’s top five. As noted earlier, 2014 saw the compromise of a significant number of retail records. And as reported


last September, point-of-sale malware was responsible for one of the largest retail security breaches ever reported. Clearly, point-of-sale systems have become extremely attractive as network entry points for criminals—a trend that’s expected to continue to grow in 2015. In another change from 2013 to 2014, the electric and utilities category took over fifth place in the rankings, edging out sixth place health services by a small margin. Unauthorized access and malicious code incidents made up nearly half of the incidents targeting this year’s number five industry. And attacks against the utility sector are a growing concern for governments globally. The Industrial Control Systems Computer Emergency Response Team’s (ICS-CERT) January–April 2014 Monitor report disclosed the compromise of a public utility via unauthorized access to its control system network.2 The administrative software was remotely accessible and configured with a simple password mechanism, making it susceptible to compromise via brute force.

Get the picture: Incident rates across monitored industries

Taking one more look at the 2014 top industry list, it may be interesting to note that all industries, with the exception of manufacturing, saw an increase in their percentage of total incidents over 2013. This might prompt further investigation into what the manufacturing industry is or isn’t doing differently from the other industries.

Learn more: Three confidence-breaking breaches

Unauthorized access spurs nearly twice as many incidents in 2014

In both 2012 and 2013, malicious code and sustained probes or scans dominated our clients’ security incident landscape (see Figure 3). But all that changed in 2014 when unauthorized access incidents rocketed to the top, accounting for 37 percent of the total—nearly doubling from 19 percent in 2013. Shellshock and Heartbleed were the game changers here, as mentioned earlier. These findings prove that anyone who thinks they know what to expect when it comes to cyber threats had better think again. Organizations that have developed a dynamic and flexible security posture will almost always find themselves better equipped to handle these kinds of dramatic shifts.


Meanwhile, the number of denial of service attacks, which account for only four percent of the total, actually doubled over the previous year. Over 50 percent of these denial of service incidents were targeted at the retail industry—which may point to the possibility that an increased emphasis on thwarting more high-profile threats (such as point-of-sale malware) left a window open for attackers to exploit opportunities along a less-travelled path.

Get the picture: Categories of incidents among top five industries

Looking at the other major types of incidents we saw in 2014, malicious code dropped to second place, followed by sustained probes or scans in third place. Although lower on the list than in previous years, these threats are still significant; together they account for 40 percent of all the incidents observed. With an ever-expanding array of malware from which attackers may choose—including viruses, worms, Trojans, bots, backdoors, spyware and adware—it seems fairly certain that malicious code incidents will continue to wreak havoc for the foreseeable future. What’s more, point-of-sale malware, such as BlackPOS and Backoff, and ransomware such as Cryptowall and Cryptolocker, are gaining in popularity as a result of their effectiveness in compromising vulnerable targets. Attackers are typically interested in finding the path of least resistance. And these methods are capable of providing that.

More than half of all attackers are “insiders”

There are plenty of reasons to assume that most attacks are the work of far-off “bad guys” with a political axe to grind or in search of fame and fortune. After all, we hear about them in news reports just about every day. But in 2014, 55 percent of all attacks were carried out by either malicious insiders or inadvertent actors (see Figure 4). In other words, they were instigated by people you’d be likely to trust. And they can pose a significant threat, resulting in substantial financial and reputational losses.

Get the picture: Who are the “bad guys”?


What is an insider? An insider, in this case, is anyone who has physical or remote access to a company’s assets. Those are tangible items—including hard copy documents, disks, electronic files and laptops—as well as non-physical assets, such as information in transit. Although the insider is often an employee of the company, he or she could also be a third party. Think about business partners, clients or maintenance contractors, for example. They’re individuals you trust enough to allow them access to your systems.

Of course you might consider it awkward to refer to your employees as a potential “threat.” But that’s just another reality of today’s workplace. And even hundreds of years ago, there were spies carrying out business-related espionage all over the world. The truth is, individuals inside your organization may have an especially keen understanding of the company’s weaknesses—or access to “insider-only” areas. That gives them an obvious advantage, since it’s unlikely they need to bypass protection systems to obtain sensitive information. They already have access.

Still, it’s important to note that more often than not, breaches caused by insiders are unintentional. In fact, over 95 percent of these breaches are caused by human error. That can mean accidentally posting information on the company’s public-facing website, sending information to the wrong party via email, fax, or mail, or improperly disposing of clients’ records.

But insiders who set out to take advantage of the company they work for can be much more dangerous. It’s more difficult to thwart these insiders’ malicious actions because they’re willing to take extraordinary measures to circumvent access controls and are typically unconcerned with corporate policies or the potential consequences of their actions.

Case in point: Attackers use one attack as a smokescreen to hide others


Where is all this happening?

While it’s important to understand who’s behind today’s cyber attacks, it’s also useful to see where the majority of those attacks are coming from—and where they’re landing. It is equally important to consider the size of each country involved and the availability of bandwidth within it. That goes a long way toward explaining why more than half of the attacks we saw in 2014 originated in the United States. And for many of the same reasons, the United States was also the most attacked country in 2014 (see Figure 5).

Get the picture: Where are these attacks coming from? And where are they taking place?

It’s not about “if” you’re going to be hacked; it’s about “when”

When The Wall Street Journal held the annual meeting of its CIO Network earlier this year, it was clear from the outset that just about all the CIOs present were of similar thinking: that being hacked is inevitable. As the paper reported in February 2015: “Conversation during breaks gravitated to the remarkable destruction of Sony Pictures Entertainment’s network and files that hackers caused in November [2014].

“This hack wasn’t about stealing intellectual property and slinking away, or pranking a former employer. These hackers broke in and fired up the wrecking ball.

“The global chief information officers who gathered at the third annual CIO Network in San Diego … are a chastened crew. When asked who hasn’t been hacked, just one hand went up in the audience, and that CIO got a lot of skeptical looks.”3

Over the past few years it’s become increasingly clear that the conversation has changed from talking about “if you will be hacked” to “when you will be hacked.” And more importantly, the conversation then turns to what you should do about it.

Learn more: A wolf in sheep’s clothing


Put a halt to dangerous thinking

If you’re asking, “Why would anyone want to come after us?” there’s a good chance that you’re already in trouble. It’s tempting to think that if your organization isn’t that large or well known, or if you’re not in one of the most frequently attacked industries, you may not have much to worry about. Unfortunately, that’s dangerous thinking. Companies of all sizes are at risk, as are those in all industries. As we noted earlier, the average organization monitored by IBM Managed Security Services experienced approximately 81 million security events in 2014, which yielded two actual incidents each week. And yes, those two incidents could have happened to your company.

When it comes to cyber security, there are four key questions that every company should be asking its security team right now:

• How strong is my company’s current security program—and how does it compare with other companies in my industry?
• What can we do to stop advanced threats from infiltrating our systems?
• Are we doing everything we can to protect our most valuable data?
• How can we adopt new technologies—such as mobile and cloud—without compromising our security?

The answers will help you understand where to turn next.

Why IBM Security?

Traditional security defenses are no match for today’s unrelenting, well-funded attackers, while disruptive technologies introduce new vulnerabilities to exploit. Organizations must accelerate their ability to limit new risk and apply intelligence to stop attackers—regardless of how advanced or persistent they are. New analytics, innovation, and a systematic approach to security are necessary. And there are very few companies able to meet those requirements on their own. That’s why Forrester Research has noted: “In order to be a true partner, managed security services providers need to demonstrate they can create business value as well as technical value for their clients. (They) are assuming more and more of an active role in defending their clients, which requires forward thinking, excellent execution, and an understanding of the client’s security business drivers. These qualities will determine the ability of the managed security services provider to meet current and future demands that clients will ask of these service providers.”4

Case in point: Stress testing can take some of the stress out of an attack


When you engage with IBM for managed security services, you gain access to a full suite of capabilities that can help you extend protection from the back office to the front office. And we help ensure that it’s all integrated and coordinated across your enterprise. The IBM Managed Security Services Threat Research Group is staffed by an elite team of our most experienced and skilled threat analysts. Dedicated to delivering industry-leading cyber threat intelligence, the group provides up-to-date research on threats that could negatively impact IBM customers.

Case in point: A disgruntled employee installs a backdoor to steal company data

At IBM, our IT security services can cover every corner of your network, from infrastructure to applications to devices. We monitor, in near real time, some of the most complex corporate networks in the world. We develop some of the most sophisticated testing tools in the industry, many of which are used by our competitors. And our team of highly skilled security professionals is constantly identifying and analyzing new threats, often before they are even known by the world at large. In fact, we maintain the largest single database of known cyber security threats in the world.

For more information

To learn more about how IBM can help you protect your organization from cyber threats and strengthen your IT security, contact your IBM representative or IBM Business Partner, or visit this website:
ibm.com/services/security

Follow us

Authors

Nicholas Bradley, Practice Lead, Threat Research Group, IBM Managed Security Services
Michelle Alvarez, Researcher/Editor, Threat Research Group, IBM Managed Security Services
John Kuhn, Senior Threat Researcher, IBM Managed Security Services
David McMillen, Senior Threat Researcher, IBM Managed Security Services


Glossary

Access or credentials abuse: Activity detected that violates the known use policy of that network or falls outside of what is considered typical usage.

Attacks: Security events that have been identified by correlation and analytics tools as malicious activity attempting to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. Security events such as SQL injection, URL tampering, denial of service, and spear phishing fall into this category.

Breach or compromise: An incident that has successfully defeated security measures and accomplished its designated task.

Denial of service: Attempts to flood a server or network with such a large amount of traffic or malicious traffic that it renders the device unable to perform its designed functions.

Droppers: Malicious software designed to install other malicious software on a target.

Event: An observable occurrence in a system or network.

Inadvertent actor: Any attack or suspicious activity sourcing from an IP address inside a customer network that is allegedly being executed without the knowledge of the user.

Incidents: Attacks and/or security events that have been reviewed by human security analysts and have been deemed a security incident worthy of deeper investigation.

Keyloggers: Software designed to record the keystrokes typed on a keyboard. This malicious software is primarily used to steal passwords.

Malicious code: A term used to describe software created for malicious use. It is usually designed to disrupt systems, gain unauthorized access, or gather information about the system or user being attacked. Third party software, Trojan software, keyloggers, and droppers can fall into this category.

Outsiders: Any attacks that sourced from an IP address external to a customer’s network.

Phishing: A term used to describe when a user is tricked into browsing a malicious URL designed to pose as a website they trust, thus tricking them into providing information that can then be used to compromise their system or accounts, and/or steal their identity.

Security event: An event on a system or network detected by a security device or application.

Security device: Any device or software designed specifically to detect and/or protect a host or network from malicious activity. Such network-based devices are often referred to as intrusion detection and/or prevention systems (IDS, IPS or IDPS), while the host-based versions are often referred to as host-based intrusion detection and/or prevention systems (HIDS or HIPS).

Spear phishing: Phishing attempts with specific targets. These targets are usually chosen strategically in order to gain access to very specific devices or victims.

SQL injection: An attack that attempts to pass SQL commands through a website in order to elicit a desired response, one that the website is not designed to provide.

Suspicious activity: Lower priority attacks or suspicious traffic that could not be classified into one single type of category. These are usually detected over time by analyzing extended periods of data.

Sustained probe/scan: Reconnaissance activity usually designed to gather information about the targeted systems such as operating systems, open ports, and running services.

Trojan software: Malicious software hidden inside another software package that appears safe.

Unauthorized access: This usually denotes suspicious activity on a system or failed attempts to access a system by a user or users who do not have access.

Wiper: Malicious software designed to erase data and destroy the capability to restore it.

Zero-Day: An unknown vulnerability in an application or a computer operating system.

Appendix

Three system-crippling threats

ShellShock: A more than 20-year-old vulnerability in the GNU Bash shell (widely used on Linux, Solaris and Mac OS systems) sparked the mobilization of attacks known as ShellShock beginning in late September 2014. This first vulnerability quickly gave way to the disclosure of several additional vulnerabilities affecting the UNIX shell. IBM Managed Security Services (MSS) observed a significant increase in focused attacks targeting these vulnerabilities within 24 hours of their disclosure. The attacks came in waves, from different source IPs and originating countries. In the two weeks following the disclosure, the US was on the receiving end of more recorded attacks than any other country. This threat is a good example of a growing trend on the attacker front called “malware-less” attacks. Attackers are looking to exploit existing functionality in applications rather than risking malware detection that would thwart their success.

Heartbleed: The Heartbleed vulnerability is a security bug in OpenSSL, a popular open source protocol used extensively on the Internet. It allows attackers to access and read the memory of systems thought to be protected. Vulnerable versions of OpenSSL allow the compromise of secret keys, user names, passwords and even actual content. It is believed that this vulnerability has been in existence for at least two years and has quite possibly been exploited for just as long. Many companies have issued statements claiming that they have now remedied the vulnerability in their environment, but there is truly no way of knowing how much data has fallen into the wrong hands through the exploitation of this bug. While the Heartbleed bug itself was introduced on the last day of 2011, it didn’t make its first public appearance until April 2014, when it showed up as an OpenSSL advisory. By the end of that month, IBM MSS had tracked over 1.8 million attacks against customers. The three hardest hit countries were China, Russia and the United States.

Unicorn: Every release of Microsoft Internet Explorer (beginning with version 3.0) that’s run on any Windows operating system (beginning with Windows 95) allows remote code execution via a data-only attack. In this type of attack, the attacker changes key data structures used by the program’s logic, forcing the control flow into existing parts of the program that would be otherwise unreachable. Discovered in November 2014 by an IBM X-Force® researcher, this is a complex and rare vulnerability. Attackers can use it in “drive-by attacks” to run programs remotely and take over a user’s machine—even sidestepping the Enhanced Protected Mode (EPM) sandbox in Internet Explorer 11 and the Enhanced Mitigation Experience Toolkit (EMET), a free Microsoft anti-exploitation tool.1 The flaw is known to be at least 19 years old. Similar to ShellShock, it’s yet another serious vulnerability going unnoticed for an extremely long time despite all the efforts of the security community.
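The Heartbleed entry above describes the effect (memory disclosure) but not the missing check behind it. The following is an added example, not code from the IBM report: a Python model of the TLS heartbeat bounds test that a patched peer or an IDS applies to a heartbeat record, run over two constructed records. Field layouts follow RFC 6520 and the TLS record header; the record builder, function names and sample bytes are the example's own.

```python
"""Model of the TLS heartbeat length check whose absence caused Heartbleed.

A heartbeat message carries a declared payload_length. A vulnerable peer
trusted that field and echoed payload_length bytes of its own memory back,
no matter how few bytes had actually arrived. The check below is the one a
fixed peer (and an IDS signature) applies: declared length plus minimum
padding must fit inside the record that was received.
(Added example; not part of the IBM report.)
"""
import struct

TLS_HEARTBEAT = 24      # TLS record content type for heartbeat messages
HB_REQUEST = 1          # HeartbeatMessageType: heartbeat_request
HB_MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding
TLS_1_2 = 0x0303


def build_heartbeat_record(declared_len: int, payload: bytes,
                           padding: bytes = b"\x00" * HB_MIN_PADDING) -> bytes:
    """Construct one TLS record containing a heartbeat request (test fixture).

    declared_len is written into payload_length independently of len(payload)
    so that both a well-formed record (declared_len == len(payload)) and a
    malformed one (declared_len > len(payload)) can be produced for testing.
    """
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_1_2, len(body)) + body


def check_heartbeat(record: bytes) -> dict:
    """Parse one TLS record and apply the Heartbleed bounds check.

    'verdict' is one of 'truncated', 'not_heartbeat', 'malformed_length'
    or 'ok'. A 'malformed_length' record is exactly the shape a vulnerable
    OpenSSL would have answered with up to 64 KB of process memory, and is
    what a patched peer silently discards.
    """
    if len(record) < 5:
        return {"verdict": "truncated"}
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not_heartbeat", "content_type": ctype}
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return {"verdict": "truncated", "record_length": rec_len}
    hb_type, declared_len = struct.unpack("!BH", body[:3])
    available = rec_len - 3          # payload + padding bytes actually present
    # The check missing in vulnerable versions: type(1) + length(2) +
    # declared payload + minimum padding must fit inside the received record.
    if 1 + 2 + declared_len + HB_MIN_PADDING > rec_len:
        return {"verdict": "malformed_length", "hb_type": hb_type,
                "declared_length": declared_len, "record_length": rec_len,
                # how far the claim exceeds what arrived (incl. required padding)
                "excess_bytes": declared_len + HB_MIN_PADDING - available}
    return {"verdict": "ok", "hb_type": hb_type,
            "declared_length": declared_len, "record_length": rec_len}


# Constructed samples: a legitimate 4-byte heartbeat, and one whose
# payload_length claims 16384 bytes while only 4 payload bytes were sent.
GOOD_RECORD = build_heartbeat_record(4, b"ping")
BAD_RECORD = build_heartbeat_record(16384, b"ping")

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_heartbeat(rec))
```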


Events, attacks and incidents defined

Security event: An event on a system or network detected by a security device or application.

Security attack: A security event that has been identified by correlation and analytics tools as malicious activity that is attempting to collect, disrupt, deny, degrade or destroy information system resources or the information itself.

Security incident: An attack or security event that has been reviewed by IBM security analysts and deemed worthy of deeper investigation.

According to the IBM Computer Security Incident Response Team, of all the security incidents they work through and analyze, only three percent actually reach a level of severity high enough to consider them “noteworthy”—with the most common impact being data disclosure or theft.


Figure 1

Annual security events, attacks and incidents

2013: 109 incidents, 18,856 attacks, 91,765,453 events
2014: 109 incidents, 12,017 attacks, 81,342,747 events

Figure 1. Security events appear in many guises and, in many cases, in extremely high volume. IBM Managed Security Services’ highly skilled intelligence and operations teams work to translate those ever-increasing event counts into actionable data and keep our clients from becoming overwhelmed.


Figure 2

Incident rates across monitored industries

2013
23.80% Finance and insurance
21.70% Manufacturing
18.60% Information and communication
6.20% Retail and wholesale
5.80% Health and social services

2014
25.33% Finance and insurance
19.08% Information and communication
17.79% Manufacturing
9.37% Retail and wholesale
5.08% Energy and utilities

Figure 2. While the finance industry retained its spot at the top of the list from 2013 to 2014, the information and communication category switched places with manufacturing. Meanwhile, the energy and utilities category narrowly edged out the health and social service category for fifth place. Of this group, only manufacturing experienced fewer incidents in 2014 than in the previous year.


Three confidence-breaking breaches

It was early 2014 when one of the largest arts and crafts retailers in the US told customers of possible fraudulent activity on some US payment cards that had been used at the chain’s stores. The company later confirmed that a malware-related attack had resulted in a breach sometime between mid-2013 and February 2014, affecting certain systems that process payment cards, and may have affected more than 2.5 million cards. It also reported that an additional 400,000 cards may have been impacted at a subsidiary.

In one of the largest recorded retail breaches to date, a major US retailer of home improvement goods fell victim to a point-of-sale attack that affected more than 2,000 stores. Confirmed by the company in the fall of 2014, the breach exposed over 55 million records of payment card data—a large quantity of which appeared to go up for sale immediately on underground cybercrime sites. The incident also resulted in the theft of more than 50 million email addresses. BlackPOS—a specific type of point-of-sale malware—was blamed for the breach.

A leading operator of general acute care hospitals in the US disclosed in the summer of 2014 that it had been the victim of one of the largest reported healthcare data breaches that year. The attack was credited to an Advanced Persistent Threat group based in East Asia. Sophisticated malware resulted in the compromise of Social Security numbers, names and addresses for some 4.5 million patients.


Figure 3

Categories of incidents among the top five industries

2013
38% Malicious code
20% Sustained probe/scan
19% Unauthorized access
12% Suspicious activity
9% Access or credentials abuse
2% Denial of service

2014
37% Unauthorized access
20% Malicious code
20% Sustained probe/scan
11% Suspicious activity
8% Access or credentials abuse
4% Denial of service

Figure 3. In 2014, unauthorized access topped the list of incident categories affecting the top five industries named in this report, replacing malicious code, which was the top category in 2013.


Figure 4

Who are the “bad guys”?

45% Outsiders
31.5% Malicious insiders
23.5% Inadvertent actor

Figure 4. While outsiders were found to be responsible for 45 percent of the attacks recorded in 2014, 55 percent of attacks were carried out by those who had insider access to organizations’ systems.


Case in point: Attackers use one attack as a smokescreen to hide others

Industry: Finance

Approach: Attackers launched an attack to create additional traffic as a diversion to keep attention away from other targeted attacks.

How it happened: Attackers took advantage of a “low and slow” distributed denial-of-service attack tool to saturate the company’s web server resources. Because the traffic appeared legitimate, it passed undetected and failed to set off any warnings that there might be a problem. But by the time the company discovered the problem, the attackers had already begun to capitalize on malware previously installed on vulnerable systems. They proceeded to perform fraudulent wire transfers while all the company’s IT resources were completely focused on the initial incident.

Damage done: The company suffered financial damage on two levels. First, while the website was down, customers were unable to perform transactions, resulting in financial loss for the company. And second, the fraudulent wire transfers resulted in millions of dollars stolen from accounts. Brand reputation was severely damaged and hundreds of customers moved their financial accounts elsewhere, having lost trust in the company and fearing future compromise.

Lessons learned: Traditional defenses such as firewalls and intrusion-prevention systems are no longer enough to protect against distributed denial-of-service attacks. A managed web defense service can help prevent these attacks by routing traffic away from an organization’s infrastructure during an attack, keeping websites running without disrupting operations. What’s more, by implementing an advanced malware solution, an organization should be able to prevent mass-distributed malware infections and detect legacy threats.


[Figure 5: map titled “Where are these attacks coming from? And where are they taking place?” Country labels shown: United States 50% originated here, 59% took place here; China 16% originated here; Japan 24% took place here; France 9% originated here, 4% took place here; Canada 7% took place here; Australia 6% took place here; Germany and Japan labelled 10% and 15% originated here.]
Figure 5. The largest number of attacks both originated (50 percent) and took place (59 percent) in the United
States in 2014. Next in line were China, where 16 percent of all attacks originated, and Japan, which was the
target of 24 percent of the year’s attacks.


A wolf in sheep’s clothing


In April of this year, IBM announced it had uncovered a sophisticated—and unusually successful—campaign that had already stolen upwards of $1 million from large and medium-size companies in the US. Launched by a gang of Eastern European cyber criminals using a combination of phishing, malware and phone calls, the scheme has been named “Dyre Wolf” by IBM researchers, making reference to the now-popular Dyre or Dyreza malware used in the attacks. And although other attacks may have made a bigger impact or gained wider notoriety, few have demonstrated the kind of sophistication that Dyre Wolf has displayed.

The attackers target individuals working in specific companies by sending spam email with unsafe attachments. That’s how they get a variant of the Dyre malware into the companies’ computers. Once installed, the malware then lies in wait until it becomes obvious that the user is trying to log onto a bank website. At that point, it immediately creates a fake screen telling the user that the bank’s site is temporarily unavailable and offers instructions to call a specific phone number.

That’s when social engineering techniques take over. A live, English-speaking “operator” answers the call with the name of the bank that the user expects. Unaware that they’re participating in a fraud, users typically share their banking details, setting off a large wire transfer to withdraw funds from the relevant account.

After the transfer has been completed, the attackers quickly move the money from one bank to another to avoid detection. The attackers have even been known to initiate denial of service sprees against their victims, paralyzing their web capabilities and making it virtually impossible to discover the theft until many hours later.

The group behind this project has developed a complex campaign that’s incredibly effective at stealing large sums of money. Its infrastructure, manpower and the knowledge of banking systems and their websites clearly demonstrate that the group is well-funded, experienced and intelligent. And that’s what makes Dyre Wolf a significant threat.


Case in point: Stress testing can take some of the stress out of an attack

Industries: All

Approach: Hackers targeted a specific company with a tool known as “SQLninja,” which is designed to allow an attacker to inject SQL commands into a database and gain full administrator access.

How it happened: Once they gained control of the system, the attackers found the path to an unsecured data table containing privileged employee information, including Social Security numbers, dates of birth, residential addresses and email addresses. They were able to retrieve the entire table and then delete the master on the server. With the full list in their possession, they posted a snippet of the data to an online pastebin (a web application used to store plain text). Having thus proved that their efforts were successful, they followed up with an email to the company’s CEO demanding a monetary ransom for the return of the data. Then, as a final act of defiance, the attackers also found the path to the root web server and defaced it by posting an image of their cybercrime logo.

Damage done: The data contained in the table was detailed enough to allow cyber criminals to pose as the company’s employees and attempt to gain credit in their names. In addition, the stolen data tables with the employee information were lost forever because the company hadn’t developed or implemented data recovery or disaster plans. As a result, the website had to be completely rebuilt—at great expense—to bring the company back online and put it back in business.

Lessons learned: It’s vital that organizations perform security stress tests and proper data validation on homegrown web-based applications that have access to back-end SQL databases. Creating redundant backups of all data in-house and keeping them offline can lead to quick recovery, while subscribing to or creating a robust disaster recovery plan can limit the financial loss that comes with having to start over and rebuild lost assets.
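The “proper data validation” the lessons call for comes down to never letting user input become part of the SQL statement. The example below is added here and is not code from the report or from IBM: it shows a string-built lookup beside a parameterized one with allowlist validation, against a constructed in-memory employee table (sqlite3) and a constructed quote-closing probe input.

```python
"""A string-built SQL lookup beside its parameterized, validated form.

Added example, not code from the IBM report. The employee table, its rows
and the probe input are constructed so the script runs offline (sqlite3).
"""
import re
import sqlite3

# Allowlist for a login name: letters, digits, '_', '.', '-', at most 32 chars.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,31}$")


def make_db():
    """Constructed in-memory table standing in for the employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(1, "alice", "000-00-0001"), (2, "bob", "000-00-0002")])
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates user input into the statement, so a quote in the input
    changes the query's meaning: the flaw SQL injection tools look for."""
    sql = "SELECT name FROM employees WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Binds the value as a parameter: the driver passes it as data, never
    as SQL text, so the probe simply matches no row."""
    sql = "SELECT name FROM employees WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def validate_name(name):
    """Input validation as a second layer: reject anything that is not a
    plain login name before it reaches the database at all."""
    return bool(NAME_PATTERN.match(name))


# Constructed probe: closes the quote and appends an always-true condition.
PROBE = "x' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PROBE))  # every row leaks
    print("safe:", lookup_safe(db, PROBE))              # []
    print("validated:", validate_name(PROBE))           # False
```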


Case in point: A disgruntled employee installs a backdoor to steal company data

Industries: All

Approach: A disgruntled network administrator installed a backdoor (or intentional flaw) on the server in order to bypass security mechanisms and continue to have unauthorized access after being dismissed.

How it happened: Unhappy with management and the lack of pay increase following his annual review, a network administrator installed a backdoor on the company’s server. He gave the process a common system file name to disguise the malware and make it appear to be a widely used administration tool. The employee was eventually dismissed but retained unauthorized access to sensitive customer information and confidential documents for weeks afterward.

Damage done: Thousands of customer records were compromised and hundreds of thousands of dollars were spent on notification and response, legal, investigative and administrative expenses, reputation management and credit monitoring subscriptions.

Lessons learned: Monitoring employee activity—and using applications designed for anomaly detection—is critical to identifying misuse and suspicious activities. Every user’s access should be managed throughout his or her entire employment, and not just when they leave the company. It’s also important to ensure that hosts used by former employees are taken offline immediately, that a backup is made on an external storage device and that it’s completely rebuilt from trusted media before being reconnected to the network and passed on to another employee.
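Two of the anomalies in this case are cheap to check from host inventory: a process carrying a well-known system tool’s name but running from somewhere that tool does not live, and a process still owned by an account whose owner has already been dismissed. The script below is an added example, not code from the report or from IBM; the process list, the HR termination feed and the expected-path table are constructed, and the path table is only an illustrative subset for a Linux host.

```python
"""Flag impostor system processes and lingering ex-employee access.

Added example, not code from the IBM report. The process inventory, the HR
feed and the expected-path table are all constructed for illustration.
"""
from datetime import date

# Where the genuine binaries live on a typical Linux host (illustrative subset).
EXPECTED_PATHS = {
    "sshd": "/usr/sbin/sshd",
    "cron": "/usr/sbin/cron",
    "rsyslogd": "/usr/sbin/rsyslogd",
}

# Constructed process inventory: (pid, name, executable_path, owner)
PROCESSES = [
    (812, "sshd", "/usr/sbin/sshd", "root"),
    (901, "cron", "/usr/sbin/cron", "root"),
    (4411, "cron", "/tmp/.cache/cron", "netadmin"),   # borrowed name, wrong path
    (4420, "rsyslogd", "/usr/sbin/rsyslogd", "syslog"),
]

# Constructed HR feed: username -> termination date (None = still employed)
TERMINATIONS = {"netadmin": date(2014, 6, 2), "syslog": None}

# Constructed day on which the inventory was taken.
AUDIT_DAY = date(2014, 6, 20)


def find_impostor_processes(processes, expected=EXPECTED_PATHS):
    """Return (pid, name, path) for processes whose name matches a known
    system tool but whose executable is not at that tool's expected path."""
    return [(pid, name, path) for pid, name, path, _owner in processes
            if name in expected and path != expected[name]]


def find_lingering_access(processes, terminations, today):
    """Return owners of running processes whose account belongs to someone
    terminated before `today`: access that should already have been revoked."""
    owners = {owner for _pid, _name, _path, owner in processes}
    return sorted(o for o in owners
                  if terminations.get(o) is not None and terminations[o] < today)


if __name__ == "__main__":
    print(find_impostor_processes(PROCESSES))                      # [(4411, 'cron', '/tmp/.cache/cron')]
    print(find_lingering_access(PROCESSES, TERMINATIONS, AUDIT_DAY))  # ['netadmin']
```

Comparing the running binary against a known-good hash would catch a copy placed at the genuine path as well; the path check alone only catches the case the report describes.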

© Copyright IBM Corporation 2015

IBM Corporation
IBM Global Technology Services
Route 100
Somers, NY 10589

Produced in the United States of America


May 2015

IBM, the IBM logo, ibm.com and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available
on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every
country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED,
INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and
conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


SEW03073-USEN-00
