This report looks at general trends in cyber-attack and business network security that have been emerging over the last year. We believe these findings are important for businesses to consider, in large part because they can help you defend your business from the latest threats.
Intended as a high-level summary, this report does not delve into specific scenarios that have become more prevalent recently, such as Covid-19 scams. However, in many cases we do supply links for further reading.
If you are looking for information on cyberthreats and scams that leverage Covid-19 to gain the trust of employees, read our special report.
#1 The top objective of cyberattacks is business disruption.
You might have heard that ransomware is on the rise. It is. 2019 and early 2020 have shown a clear and increasing prevalence of attacks that aim at disruption with the intent to ransom. CrowdStrike Services reported in their 2019 Cyber Front Lines Report that over one-third of the incidents they investigated last year were intended to disrupt an organization's IT functionality — whether through ransomware, malware, or denial of service attacks.
In early 2020 we are seeing further escalation, with public utilities, municipalities, and service provider networks being ransomed. This matters for businesses because business continuity plans can limit the impact of many, but not all, of these attacks.
Bottom Line: To be effective, continuity planning should include a ransomware scenario.
#2 Business cybersecurity detection is improving
Businesses continue to detect and deter more attacks than ever before. In fact, detection is an important factor behind the rising number of reported cyberattacks, because many of those reports describe attacks that were identified early and defeated. Judging from the increasing sophistication of attacks, however, we believe attacks are growing at a faster rate than detection capabilities.
Bottom Line: Sharp increases in the reported number of cyberattacks mean that security professionals are doing an incredible job, but they also indicate a growing threat.
#3 And yet dwell time is still increasing
Another note on sophistication. Dwell time records the time from initial entry to the trigger — whether the trigger is pulled by the defenders (in the case of discovery) or by the attacker (in the case of ransomware). This figure is heavily skewed by the mix of attack types, because dwell time varies widely between them.
Bottom Line: SMBs are especially prone to picking up malware and adware that can, in many cases, sit undetected for years. The average dwell time for these attacks was 798 days according to Infocyte's Mid-market Threat and Incident Response Report. Ransomware dwell time, however, averaged just 43 days.
#4 To avoid detection, attacks often use malware, either alone or in combination with other techniques.
Malware often abuses trusted processes to hide. Meanwhile, additional routines attack security software, either directly, by uninstalling or disabling it, or indirectly, by obfuscating the data that could lead to a detection. More sophisticated attacks may combine multiple techniques to avoid detection for months, or even years.
Bottom Line: In almost three out of four cases, malware is deployed.
#5 Third-party service providers are being targeted to compromise their customers in larger-scale attacks.
From NotPetya to more recent actions by the hacker group Sodinokibi (aka REvil), the hacking community is learning how to use service providers as an entry point for large-scale attacks. But there is a key difference.
For the perpetrators of NotPetya, Maersk was the goal, and the subsequent damage to IT assets across the globe was 'good fortune.' More recent threats like Sodinokibi scale across a multitude of small targets, with the active intent to ransom as many businesses as possible within the same provider network.
Bottom Line: Take time to consider the security practices of every service provider you do business with.
#6 Attackers are automating and simplifying complex tasks with the biggest ‘gains’ in Active Directory reconnaissance.
With one compromised account, hackers have historically faced a significant grind as they track down all linked accounts and ultimately plot their course to the next target, whether that is sensitive information, security software, or administrative controls. Not only has this been a time-consuming, methodical, and boring leg of the journey; it has also required skill and experience.
Bottom Line: New tools such as BloodHound have simplified and automated this process, making attacks easier, cheaper, and faster to deploy.
It should be noted that BloodHound can also be used by security companies as a tool to identify network weaknesses so that those weaknesses can be hardened.
If you have any questions about how to protect your IT assets please contact Platte River Networks 303-835-9202 or david@platteriver.com