“In terms of phishing, while I believe that the threat remains in the critical category for organizations, because many phishing campaigns seek account credentials as the primary outcome, if cybercriminals have access to valid account credentials via other means (as noted in the report), the need to run a phishing campaign will decline,” said Michael Sampson, principal analyst at Osterman Research. “If this trend continues, we could expect to see future phishing campaigns becoming ever more targeted as cybercriminals seek to compromise accounts that they can’t get via other means.”
Lack of basic security opened organizations to attacks
The report identified “security misconfigurations” as the top web application risk as they accounted for 30% of all application vulnerabilities, with “allowing concurrent user sessions” in the application being the top offense, which could weaken multi-factor authentication (MFA) through session hijacking.
Identification and authentication failures, at 21%, were the second leading risk. These included weak password policies such as Active Directory password policies (19%), usernames verifiable through error messages (17%), and, at 8% each, Server Message Block (SMB) signing not being required and URLs containing sensitive information.
Beyond being a concern on paper, a lack of security due diligence also contributed to a large number of actual attacks in 2023: the report indicated that in 84% of critical infrastructure incidents, the initial access vector could have been mitigated with basic security routines.
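The "usernames verifiable through errors" finding, illustrated with a small added example (not code from the report or any product it covers): a login check whose distinct error messages confirm which usernames exist, beside a hardened version that returns one generic error and does the same hashing work for unknown users so the response does not leak the difference. The user store and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample user store (not real credentials): username -> (salt, PBKDF2 hash)
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy record so that an unknown username still costs one full hash computation,
# keeping response time the same whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-placeholder", _DUMMY_SALT)


def vulnerable_login(username: str, password: str) -> str:
    """Distinct error messages tell the caller whether the username is valid."""
    if username not in USERS:
        return "error: unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "error: wrong password"
    return "ok"


def hardened_login(username: str, password: str) -> str:
    """One generic error for both failure cases, and equal work for unknown users."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # The membership check guards against the dummy hash ever authenticating anyone.
    valid = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return "ok" if valid else "error: invalid username or password"
```

In production the same principle applies to registration and password-reset flows, which are the other usual places where per-username error text appears.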
“For a majority of incidents on critical infrastructure that X-Force responded to, the initial access vector could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening, and the principle of least privilege,” the report added.
Decline in ransomware attacks
Ransomware incidents observed an 11.5% drop in 2023, which can be attributed to larger organizations being able to stop attacks before ransomware is deployed and sometimes also opting against paying and decrypting in favor of rebuilding if ransomware takes hold, according to the report.