Connect with us

Hi, what are you looking for?


Network Security

“Onion-Layered” Attacks on the Rise, IBM Says

“Onion-layered” security incidents have been on the rise throughout 2015, according to the IBM X-Force Threat Intelligence Quarterly report for Q4 2015.

“Onion-layered” security incidents have been on the rise throughout 2015, according to the IBM X-Force Threat Intelligence Quarterly report for Q4 2015.

Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.

Onion Layered Atttacks

IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried by two actors, namely a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated stealthy attacker who might expand their grip of the victim’s network without being detected for weeks or even months.

“As the name suggests, an ‘onion-layered’ security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event,” the report said.

Such attacks demand large amounts of resources and time to investigate and mitigate, IBM says, given that stealthy attackers use sophisticated tools, are careful to cover their tracks, and use anti-forensic techniques to remain undetected. IBM also notes that anti-virus software alerts about malware on Internet-facing servers, unexpected reboots of servers and other unusual behavior, suspicious log records, and frequent user lockouts are signs that stealthy attackers have infiltrated a network.

Undetected attacks could prove highly damaging to companies, especially if the cybercriminals behind them manage to get hold of valuable data.  

“While the recovery of systems compromised by script kiddie attacks might take only a few days of an operation team’s time and effort, the job of finding a root cause, then fully understanding and remediating the work of the stealthy attackers could take months,” IBM said. Meanwhile, an undetected attacker could roam the network undetected, ultimately trying to gain access to the client’s crown jewels.

Advertisement. Scroll to continue reading.

Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.

“The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself,” Corero said. “The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources.”

Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.

IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...