by Nick Kael
Posted on April 5, 2022
In 2021, cybercrime continued the steep increase that began in 2020 with the COVID-necessitated shift to work from home, inflicting trillions of dollars of damage on businesses, organizations and individuals worldwide.
In its recently issued 2022 Threat Intelligence Index, IBM analyzed billions of data points from cyberattacks conducted in 2021. All of the information contained in the 59-page report is interesting, and much of it is alarming. In this post we highlight a number of key findings.
The top five attack objectives in 2021 were:
The share of attacks categorized as ransomware dipped slightly in 2021, from 23% in 2020 to 21%. The absolute number of ransomware attacks, however, held roughly steady; other attack types simply grew faster, a shift the IBM team attributes to intense law enforcement pressure on ransomware gangs.
Ransomware attacks are defined by their end goal, as mentioned above. But deploying the ransomware is just the final step of a multistage process that entails criminal activity at every step.
IBM’s team has identified five stages that characterize almost all ransomware attacks:
One of the most worrying trends noted by the IBM researchers is a move to “triple extortion.” With triple extortion, attackers use a three-pronged threat:
IBM also reported that attackers are increasingly threatening the victim’s business partners with exposure of their data to increase pressure on victims to pay up.
Infection vectors represent the first stage – that is, the initial access – for attack objectives, like ransomware. Last year’s top five infection vectors were:
In a social engineering simulation in which IBM’s X-Force team sent simulated phishing emails to unsuspecting users, a shocking 17.8% of recipients clicked. Worse yet, when the team added “vishing” (voice phishing, or follow-up phone calls) to the campaign, the clickthrough rate rose to 53%. These high success rates – from the cybercriminals’ point of view, of course – go a long way toward explaining why phishing has become the dominant infection vector for ransomware attacks.
Phishing is a high-volume, low-frequency approach: attackers deploy a constant stream of sites, each of which harvests credentials from or spreads malware to a small number of victims before hosting providers shut it down. Because each site is such a short-lived, moving target, phishing is notoriously difficult to tackle.
These trends have numerous implications for planning defense. For instance, understanding the stages of ransomware attacks enables organizations to implement countermeasures that might slow or stop the attack at each stage. Clearly, however, blocking initial access entirely is the most desirable approach.
Fortunately, there are effective ways to protect against each of the five primary infection vectors for initial access.
Relying on user training to protect against phishing may reduce the number of clicks, but it is not a reliable protective strategy. The best way to protect against phishing is with Zero Trust-based solutions such as Remote Browser Isolation (RBI). Choose an RBI solution that opens recently created sites in read-only mode, so that users cannot enter credentials into a page that may have been set up hours earlier for exactly that purpose. RBI also prevents malware from infecting your network even if a user clicks through to an infected website: the site’s code executes in an isolated remote container, and only a safe rendering of the page reaches the endpoint.
Avoiding exploitation of a vulnerability is considerably more complex, since each vulnerability is different. The first and most obvious measure is to ensure that security updates and patches are installed promptly. That is, of course, easier said than done: keeping up with the constant stream of patches and updates is a challenge even for organizations with large IT teams, and most teams can barely keep up with the most pressing tasks. Patching can also be complex, since one change may have ripple effects that break working processes. For these reasons, many companies fall victim to attacks via vulnerabilities that have been public, and patchable, for months or longer.
RBI also protects against vulnerabilities in browsers and browser-based apps, such as the recent spate of use-after-free vulnerabilities in browser engines. In a use-after-free, the browser continues to use a block of memory after it has freed it; a malicious web page can arrange to reclaim that block with its own data, so that the browser’s next use of the stale reference executes the attacker’s choice of code. With RBI, the browser engine that renders the page runs in a remote container rather than on the user’s device, so the website never interacts directly with the endpoint’s memory or other resources, and malicious code cannot reach them via the web.
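To make the use-after-free mechanism concrete, here is an added, deliberately simplified C illustration; it is not code from this post, from IBM’s report or from any browser. A real browser exploit targets the engine’s own heap and reclaims the freed block from JavaScript, so to keep the demonstration deterministic and runnable offline the example uses a tiny hypothetical slab allocator with a last-in, first-out free list, a constructed “node” object with a callback, and stand-in handler functions whose return values (1337 for the attacker’s handler, -1 for a refused dispatch) are arbitrary markers chosen for this example. The vulnerable path frees the node, keeps using the stale pointer, and lets the “page” reclaim the slot; the hardened path clears the pointer as part of the free and checks it before dispatching.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NSLOTS 4

typedef int (*handler_fn)(void);

/* A "DOM node"-style object: a callback plus a name, the kind of object a
 * renderer frees and, in a buggy code path, keeps using. (Constructed.) */
struct node {
    handler_fn on_event;
    char name[24];
};

/* Toy slab allocator (hypothetical, for determinism): fixed-size slots from a
 * static pool with a LIFO free list, so the first allocation after a free
 * gets back the slot that was just released. Real heaps reuse freed blocks
 * predictably enough for attackers to rely on the same effect. */
typedef union { struct node n; uint8_t raw[sizeof(struct node)]; } slot_t;
static slot_t pool[NSLOTS];
static int free_stack[NSLOTS];
static int free_top;

static void slab_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;  /* slot 0 on top */
}

static void *slab_alloc(void) {
    return free_top ? (void *)&pool[free_stack[--free_top]] : NULL;
}

static void slab_free(void *p) {
    free_stack[free_top++] = (int)((slot_t *)p - pool);
}

static int benign_handler(void)   { return 0; }
static int attacker_handler(void) { return 1337; }  /* stands in for attacker code */

/* Vulnerable pattern. Returns whatever the stale callback returned:
 * 1337 means the attacker's handler ran. */
static int vulnerable_dispatch(void) {
    slab_init();
    struct node *n = slab_alloc();
    n->on_event = benign_handler;
    strcpy(n->name, "button");

    slab_free(n);                       /* the node is freed ...                  */
                                        /* ... but n is still used below: the bug */

    /* The malicious page allocates an object of the same size, which reclaims
     * n's slot, and fills the bytes where on_event lived with its own pointer. */
    uint8_t *spray = slab_alloc();
    handler_fn evil = attacker_handler;
    memcpy(spray, &evil, sizeof evil);

    return n->on_event();               /* use after free: control goes to attacker_handler */
}

/* Hardened pattern: releasing the node also clears the only pointer to it,
 * and the dispatcher refuses to run without a live node. Returns -1 when the
 * dispatch is refused. */
static void node_release(struct node **np) {
    slab_free(*np);
    *np = NULL;                         /* no dangling pointer survives the free */
}

static int hardened_dispatch(void) {
    slab_init();
    struct node *n = slab_alloc();
    n->on_event = benign_handler;
    strcpy(n->name, "button");

    node_release(&n);

    uint8_t *spray = slab_alloc();      /* same reclaim attempt as above ...          */
    handler_fn evil = attacker_handler;
    memcpy(spray, &evil, sizeof evil);  /* ... lands in the slot, but nothing uses it */

    return n ? n->on_event() : -1;
}

int main(void) {
    printf("vulnerable: %d (1337 = attacker handler ran)\n", vulnerable_dispatch());
    printf("hardened:   %d (-1 = dispatch refused)\n", hardened_dispatch());
    return 0;
}
```

The two functions differ only in how the free is done, which is the whole point: the exploit needs nothing more than a stale reference plus the ability to allocate something of the same size, both of which a web page gets for free from the browser. Clearing the pointer is the minimal fix for this toy; it shows why an isolation layer that keeps the rendering engine, and therefore any such stale reference, off the endpoint removes the endpoint from the blast radius regardless of which engine bug is being exploited.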
Multi-Factor Authentication (MFA) is the best way to protect against breaches via stolen credentials. MFA isn’t foolproof – dedicated hackers have been able to foil MFA and even biometric-based MFA – but it will stop the vast majority of credential theft-based attacks.
Vulnerabilities in remote desktop access solutions such as RDP, RDS and VPNs have been massively exploited since the rapid coronavirus-triggered shift to work from home. Alternatives such as Zero Trust Network Access (ZTNA) provide a much greater level of security.
The later stages of ransomware attacks, in which attackers move laterally to explore networks to find weak spots and to collect and exfiltrate data, can be foiled by deploying microsegmentation and policy-based least privilege access techniques to sharply limit lateral movement on the company’s servers and access to sensitive data.
The digital world is an increasingly dangerous place, with cyberattacks on the rise, ransomware demands rising, and easy-to-use tools such as ransomware-as-a-service lowering the technology bar and expanding the pool of cybercriminals.
Traditional perimeter-based cybersecurity has been rendered obsolete by the shift to remote work and cloud-based resources. Protecting today’s complex, hybrid IT environment calls for a shift to a comprehensive Zero Trust approach, such as ZTEdge, a state-of-the-art Secure Access Service Edge solution designed specifically for the needs of midsize enterprises.