2023 Cyber Threat Failures: Lessons
Key Points
- The speaker uses IBM X‑Force’s 2024 Threat Intelligence Index (reviewing 2023) to turn last year’s security “failures” into learning opportunities.
- Identity‑based attacks dominate initial‑access vectors, with “valid account” misuse tied with phishing at roughly 30% of incidents and a 71% year‑over‑year rise.
- Phishing remains a top delivery method, split between malicious attachments and link‑based lures, both primarily aimed at deploying malware that harvests credentials.
- The data shows attackers prefer stealing or abusing existing credentials because logging in is far easier than exploiting vulnerabilities from scratch.
- The presentation will conclude with actionable recommendations to mitigate these credential‑focused threats moving forward.
Source: https://www.youtube.com/watch?v=ii09M-VsuPg
Duration: 00:15:00
Sections
- [00:00:00](https://www.youtube.com/watch?v=ii09M-VsuPg&t=0s) Learning from 2023 Threat Failures: the speaker reviews the 2023 X‑Force Threat Intelligence Index, highlighting identity, data security, application, and generative AI vulnerabilities, and offers actionable recommendations to turn those failures into stronger defenses for 2024.
Full Transcript
I once heard a professional rodeo rider say that he learned more from his failures than from his successes. Well, the good news, if you can call it that, is that we had plenty of those failures in 2023, so let's take a look and see what we can learn from those so that we can do a better job going forward. I'm going to use in particular the X-Force Threat Intelligence Index report for 2024, where it looks back at 2023 and identifies the major trends that we see in terms of threats, and we're going to take a look at identity and access management, data security, applications, and generative AI. And then at the end of the video, you want to stick around till then, I'm going to give you some recommendations on things we can do to avoid these threats going forward and actually put that learning into place.

First of all, a little bit about the X-Force. So I mentioned this group; they're the ones that are the source of the report that we're going to be using here. X-Force is a global team from IBM. They operate in 17 different countries, and it's made up of ethical hackers, incident responders, researchers, and analysts all coming together. They have a large empirical base of data, so when they say they see a trend, they're saying a trend that covers a lot of space.

Okay, first up in terms of our threat trends is identity, and where we got a lot of information on this from the X-Force report was looking at the initial access vectors. In other words, these are the ways that someone tries to break into your system from the start, and what we found from this is that valid accounts, or improper use of a valid account, was in fact number one. In fact, it was tied with phishing for number one, and only slightly behind all of this, almost a round-off error, at 29% were public-facing apps. So if you take all the different valid account types, that is local, domain, cloud, and group them together, you get about 30%, and you say, well, that's tied with phishing, why did you list that one first? Here's why we're concerned: because we see over the previous year a 71% increase in this particular area. So that means, again, the bad guys are focusing in on credentials.

Now let's take a look a little bit deeper into the phishing. So there's usually different types of phishing attacks, and generally we grouped out in the report those that involve attachments and those that involve sending links.
Well, what are those things intending to do? In some cases it's to plant malware on your system; in other cases it's to steal your credentials. And in fact, if you think about it, a lot of this malware that gets put on systems, its purpose is to steal credentials as well. So a large portion of all of this is really about leveraging valid accounts, even though it may be phishing attacks. So you take some of these together and you can combine this and then see that the bad guys really are coming after your creds, and that's because they have learned it's a lot easier to log in than it is to hack in.

Okay, let's take a look at the top impact item to organizations, and that's where data security comes in. In particular, what we found is that data theft and data leakage amounted to 32% of the top impact to organizations, and what's particularly concerning about that number is that it's an increase from 19% the previous year, in 2022. So we're not getting better at preventing theft and leakage of data. And how is this happening? Well, it turns out it somewhat corresponds to what we also see as a rise in this stuff called info stealers. What is an info stealer? Okay, let's take: here is a user, and they've got their data here on their system, and we've got a bad guy here, and he is going to send some sort of info stealer software. So this is some form of malware that either they're going to send in an email, they may send in a link to the good guy who clicks and then that causes a download to occur, they might even put it out in a publicly available app and poison the app with this info stealer capability. So what happens is this guy downloads or receives the information, and in their system, once it's infected, then the execution occurs and it goes and grabs information. Now what could it get? It could get sensitive information that's important to the organization. It might also, by the way, steal credentials, so that's another particular use of info stealers. Then once it collects that information, it sends it back to the bad guy, and that's the exfiltration step of that. So pretty simple concept, but what we've seen is that this has gone up in the range of 266% in info stealer increases. That's why we think we're seeing a lot of this data theft.

Okay, let's take a look at trends in application security in particular. So we took a look at, in the X-Force report, the OWASP, that's the Open Worldwide Application Security Project. They produce a top 10 list of application security vulnerabilities, very well respected, very well done piece of work. So what we did with our X-Force report was take a look at which ones of those are we seeing the most frequently in the real world, and it turned out number one was misconfiguration. That is, you set up a system and you didn't configure it correctly; you didn't change some of the defaults as you should have; you left exposed services; a number of things like that that can go on. In fact, I did a video on exactly this topic, so you can take a look at that if you'd like. Number two on this list was identity and authentication failures. That is, areas where we set really poor passwords or we left the defaults in place. This was also a big one. Remember this theme that keeps coming up again and again: identity is one of the big things that we're having failures in. And then also related, access control. This is what came in number three at 15%. Now what's interesting to me, again with the identity theme, we take those two together, we're going to get 36% that are basically identity and access management related things. So if you group those together, they actually move up to the number one category. Again, identity is an overriding theme of failures in 2023 and therefore things that we should learn on and improve on in the future. More about that in a few minutes.

But we did have some good news. As security people, we tend to be able to find the dark cloud in every silver lining, but I'm going to give you a silver lining for a second. We did have a few good things. For instance, zero-day attacks: these are the ones where there's a vulnerability in an application, for instance, or an operating system, and there's no patch, so you're just exposed. In these cases, in the case of zero days, which are particularly terrifying to cyber security folks like me, we actually had a decrease, a significant decrease, in 2023 over 2022. It was down 72%. Wow, that sounds like reason for celebration. Well, maybe not, because the thought is the reason that these were down was because this stuff was so darn easy to do they didn't need to do the more exotic type of attacks. These are a lot more difficult to develop and figure those things out, but again, if you can log in, it's a lot easier than trying to hack in. So that may be a false indicator of success.
Ransomware. Now this is one that's been bothering a lot of organizations these days. We actually saw a slight decrease, 12%, in ransomware in real-world cases. Again, is this reason for celebration? Well, maybe, maybe not. I would say take a look at this number the next year and make sure that the trend continues. Now what I hope is that it will, and what we have seen is some early indications that some of the larger organizations are doing a better job of defending against ransomware attacks in the first place, so they're starting to get the message, which is a positive sign. Another positive sign is organizations are beginning more and more not to pay the ransom. Why does that matter? Well, if I'm a ransomware attacker and I know I'm not going to get paid, well, there's really no point in launching this attack. If everyone stopped paying, there wouldn't be any more reason for ransomware. So those two trends, if they continue, might continue helping this, but keep an eye on this. I'm just going to say the battle is far from won in this case.

Now the final topic I'm going to take a look at is generative AI. Well, as everybody knows, 2023 was the year that we launched chatbots and generative AI came on to the scene in a big way. It really launched at the end of 2022, but 2023 was when most people really became aware of it and started leveraging that kind of technology. So this looked like, to a lot of people, a new attack vector. The good news is we haven't seen a ton of attacks yet from generative AI. Yet is the key word, because what we have seen by monitoring dark web forums is 800,000 mentions in 2023 about AI and generative AI and ChatGPT and things like this. So the bad guys are talking about this; they're experimenting with it. If you think about it this way, so are the good guys. We're all trying to learn and assimilate what this new technology means and what we can do with it. The good guys are doing that; the bad guys are doing it too. So this is one where, again, the story is not fully told. This level of activity indicates we may yet still see something coming in the future. And by the way, if you say, well, chatbots have gotten better about locking down so that you can't just have it generate an attack for you, generally that's true for the very well-respected chatbots, but there are alternatives, alternative chatbots that don't have any restrictions on them at all. If you ask them to write malware, they will do it. If you ask them to write phishing attacks, they will do it, and they will not complain. So even though we're trying to lock down the respectable ones, some of these other rogue ones will always be out there. So the bottom line, as my little friend here has to say about generative AI: stay tuned.

At the beginning of the video, I said we would learn more from our failures than from our successes, and as you can see, 2023 has given us an ample set of things we can learn from. So that's the good news, I guess. Well, there's actually other good news in here as well. We looked at all of these things that were attacks on critical infrastructure, and we found that 84% of those attacks could have been prevented by using some of the industry best practices, the things that in fact have been tried and true methods. We don't have to do anything exotic or figure something out; we just need to do what we know we should be doing. And what are some of those things? So I'm going to give you some recommendations that will help protect you and your organization.

Remember, identity was the big area here. As they say, it's the new perimeter, and the bad guys figured it's easier to log in than hack in. Well, that's because we've made it too easy for them. How could we make that harder for them? Well, one thing we could do is start to leverage something like multifactor authentication.
You know, use something not just that you know, like a password, but something you have, like a phone that's been pre-registered, and something you are, like a biometric. Those things make it harder on the bad guys to log in. And something else: what's even better than a really strong password? How about no password at all? How about using a passkey based on the FIDO industry standard? I did a video on that. This allows us to eliminate the need for users to remember these complex passwords, which they always forget or end up simplifying, and then the bad guys are able to guess them. A passkey is a much stronger way of doing this, and it's actually easier for the user to do as well.

How about in terms of data? What can we do to secure our data? Well, the most obvious thing is encrypt it. If I encrypt it, then if a ransomware attack occurs and they say, I've got your data and I'm about to give it to the world, we say, okay, go ahead, knock yourself out, because you can't read it, and neither will anybody else be able to read it, because we encrypted it well. And then the other type of ransomware attack, mainly, is where the guy says, I'm going to take your data and I'm not going to give it back to you unless you pay me. And in that case, again, we can say, why don't you go ahead and get lost, because in fact I've got a good backup for all of my data, an immutable backup, so it can't be overwritten. Whenever the ransomware hits, the backup is still pure and pristine. So these things will help us in these data-oriented attacks.

And how about with applications? Well, again, the things that we know we need to do: we need to patch applications and operating systems, keep them up to the latest level of software, because what happens in many cases is there are security patches that go into those software updates as well. So if we're patched, we're in a much more secure state. Also harden these systems. That is, remove the defaults, change them, turn off unneeded services, change all the default passwords and user IDs and things like that. That will make our applications more secure.

And when it comes to generative AI, the bad guys are learning about this; so should we. We need to be learning about how this technology works, how it can be used, and how it can be abused. So keep studying this, keep staying on top of it. If you do these kinds of things, you'll be following these industry best practices and you'll do a much better job of keeping yourself secure.

Two things before you go. One, download the report. Here you can get a link and read the details and find out more about what we learned in our research. And the second thing, dust off your crystal ball, tell us what you think is going to be in next year's report and put it in the comments. Thanks for watching. If you found this video interesting and would like to learn more about cyber security, please remember to hit like and subscribe to this channel.