SecureWorks, an incident response service provider, covered over 450 incidents last year and recently published its feedback. 85% of the incidents they responded to were financially motivated and a further 5% were seemingly government-sponsored attacks. The remaining attacks were accidental or deliberate actions of employees.
43% of the initial access gained was through threat actors exploiting vulnerabilities in internet-connected devices and credentials theft represented another 18% of initial system access. These credentials can be obtained through the dark web, brokers, credential stealing, brute-force attacks, or password spraying. In previous years, credentials theft was the number one approach to compromising a target, so the focus for security professionals needs to shift to patching vulnerabilities.
The rise in multi-factor authentication may mean that attackers are focusing on exploiting vulnerabilities that do not require authentication. Alternatively, it can be easy for an attacker to exploit proof-of-concept code that is published shortly after a vulnerability is publicly disclosed. This can lead to wide scale exploitation of any vulnerable devices in multiple targets simultaneously.
Despite ransomware attackers being increasingly imprisoned for their actions and the US government prioritising ransomware the same with it does terrorism, SecureWorks has not seen a reduction in ransomware attacks in 2021.
Many of the attacks that relied on credential theft and abuse occurred because the target organisation failed to implement multi-factor authentication mechanisms at all or properly. However, attackers have been able to bypass MFA by exploiting legacy authentication protocols (e.g. IMAP and SMTP) which are either still in use or haven’t been disabled. These protocols cannot enforce MFA and pose a significant security risk to businesses.
Even when MFA is implemented correctly, users may still eventually decide to approve an MFA request if attackers continuously send them due to “notification fatigue”. To mitigate this issue, consider implementing MFA that request a code from the user rather than a one-click solution.
If an enterprise is using cloud solutions, carefully investigate all of the security components and controls offered by the cloud provider to ensure logging and controlled access is offered by the cloud service. It may be attractive for businesses to implement these cloud solutions, but there are security considerations that must be accounted for before moving resources online.
To prevent cyberattacks going forward, SecureWorks recommends that IT and security professional regularly perform vulnerability scans, control access carefully and make use of IP lists, monitor newly registered domains that spoof or impersonate your company, improve your backup strategies and procedures to mitigate ransomware attacks, implement MFA properly, and implement DKIM and SPF authentication for email clients to avoid fake emails being sent by attackers.
Of course, you should also ensure your systems and software and kept up to date, use the principle of least privilege for account access, and ensure you implement an endpoint detection and response solution.
No comments:
Post a Comment