What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index? – Security Intelligence

5 minutes, 59 seconds Read

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

Corporate Executives Have a Closed Meeting With the Goverment Officials in the Negotiations Room. Serious Business People Solving Problems.
Corporate Executives Have a Closed Meeting With the Goverment Officials in the Negotiations Room. Serious Business People Solving Problems.

The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.

In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.

The report identified six action items:

  1. Remove identity silos
  2. Reduce the risk of credential harvesting
  3. Know your dark web exposure
  4. Establish secure AI and models
  5. Implement a DevSecOps approach to planning and testing
  6. Reduce the impact of an incident

I’m going to focus on the first three. Why? Because the last three are things you should be doing now irrespective of the results of the 2024 Threat Intelligence Index report and are much larger than the SOC. While the first three action items involve more than just the SOC, the call to action for the SOC is clear: focus on identity risk.

Remove identity silos

The report notes that 30% of all observed entry points to incidents in 2023 used valid credentials. The use of valid credentials is more damaging when accounts do not use enterprise identity systems with built-in controls. We need to make sure our insider risk capabilities are up to date. The SOC checklist includes:

  • Centralized monitoring: Ensure the SOC continuously monitors user activities and access controls through a centralized identity management system. For high-risk systems off the enterprise identity platform, capture authentication activity. Ensure user and entity behavior analytics are in place with the appropriate use cases in the SOC detection platforms. Validate your identity visibility in the cloud, where abuse of permissions and privileges is more prevalent.
  • Incident response: Establish protocols and playbooks for rapid response to incidents related to suspected insider risk, unauthorized access or compromised identities.
  • Threat intelligence integration: Integrate threat intelligence sources into SOC workflows for threats targeting identity silos.
  • Identity threat detection and response: If your organization doesn’t have identity threat detection and response (ITDR) capabilities, 2024 would be a great time to implement this additional control. The SOC should have telemetry, use cases, analytics and response playbooks in place for ITDR.

Read the Threat Intelligence Index report

Reduce the risk of credential harvesting

The best way to prevent attackers from using valid credentials for malicious activities is to prevent those credentials from being compromised in the first place. The SOC checklist includes:

  • Authentication failures: The Identity and Access Management team should have controls in place to limit login attempts and even lockout accounts that repeatedly fail authentication. The SOC needs to have visibility into account status and logs and/or alerts noting accounts being disabled for failed authentication attempts. Ideally, those accounts are placed on SOC temporary watch lists even after accounts have been re-enabled.
  • Multifactor authentication: The SOC needs visibility into multifactor authentication (MFA) failures. Additionally, the SOC should have the ability to force users to re-authenticate as part of response playbooks and/or the ability to invalidate sessions.
  • Privileged access management: SOC visibility to privileged identity activity is key, especially changes of account entitlements to move from standard user access to privileged user status. This is especially important for systems not connected to Privileged Account Management (PAM) tools. Revisit your lateral movement use cases.
  • Phishing incident response: Develop and conduct regular training exercises for SOC analysts to identify and respond to phishing attempts effectively.

Know your dark web exposure

SOC analysts aren’t going to spend time poking around the dark web. Their threat intelligence counterparts, however, are on the dark web and what they find can be invaluable for the SOC team.  The SOC checklist here includes:

  • Dark web monitoring: Intelligence on compromised credentials, session keys and leaked sensitive information needs to be incorporated into the appropriate watch lists. If the incident in which the account information was stolen is not evident, an immediate post-incident analysis should be launched, including threat hunting, digital forensics and other analysis to identify when and how the account data was compromised.  Once the tactics, techniques and procedures (TTPs) used in the compromise are identified, detection analytics need to be updated to enhance future threat detection.
  • Executive digital identity protection: Executive accounts, as well as accounts directly supporting executives, need to be on account lists used in high-risk identity use cases. Specific response playbooks for these accounts need to be in place.

The fact that valid credential misuse tied with phishing as the initial point of access to incidents in 2023 is a call to action for SOC teams to revisit their detection and response capabilities related to identities and insider risk. If the checklist in this blog puts some items on your to-do list, we have resources that can help.

To implement any of the actions above, you can request a no-cost threat management workshop for your organization.

If you’d like to get more details on these insights, check out the full 2024 Threat Intelligence Index report.

For help preparing for when, not if, a cyberattack occurs, learn more about our X-Force Cyber Range immersive simulations.

If you’re already in a great place for each of the checklist items, even better!

More from Risk Management

Obtaining security clearance: Hurdles and requirements

3 min readAs security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min readRansomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

GenAI: The next frontier in AI security threats

3 min readThreat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.

Subscribe today

This post was originally published on 3rd party site mentioned in the title of this site

Similar Posts