Learning from a Threat Report

Mikkel Planck


Senior Network Security Specialist & Business Unit Manager

October 20, 2020 at 13:47

I just got my hands on CrowdStrike's newest report, covering the first half of 2020. I always read these reports carefully, since they describe what their incident response team (OverWatch) finds and catalogues. The team uses three different terms when cataloguing:

  1. State sponsored – as the name says, these threats are sponsored by states, directly or indirectly, and are often very advanced threats aimed at specific targets.
  2. eCrime – these very often have a monetary incentive and can be very damaging to companies.
  3. Unattributed – basically anything else.

So, what’s there to report? One thing that caught my attention is that eCrime accounted for a whopping 82% of all incidents, outpacing state sponsored attacks in momentum. These are primarily “big game hunting” campaigns, which focus on locking company data down and demanding a ransom to unlock it again. One of the reasons for the steep increase in this kind of attack could be the easy access to ransomware-as-a-service packages at very little cost. These are delivered as a service, much like Office365, Salesforce and other SaaS products, so the tools are continuously developed and made ever more advanced, which changes the threat landscape continuously. Looking at the numbers as percentages, these kinds of attacks accounted for 69% of incidents in the second half of 2019 but were up to 82% in the first half of 2020, and they are now by far the biggest category.

Earlier, the financial, IT and communication industries were the primary targets for advanced attacks, but there is a shift towards the manufacturing industry, which is now a target for the more advanced attacks and ranks second in the first half of 2020. Manufacturing also sees an increase in state sponsored attacks pursuing strategic goals. With ever more advanced operational environments, manufacturing is on the radar of eCriminals, whether for monetary gain or for states trying to steal IP or slow down production. Unlike financial services and the IT industry, manufacturing has not invested nearly as much in security, since it is not as heavily regulated as those businesses, and this makes it an easier target for eCriminals. Its dependency on IT to run the core business (manufacturing) also makes it a target, since the probability of paying a ransom is very high.

Covid-19 was an all-new thing in 2020, and eCriminals weren’t late to the party in trying to use it for attacks, so awareness is as important as ever in today’s threat landscape. Lots of people have been sent home to work, and many companies keep as few staff on site as possible, which opens up a whole new attack vector. This also changes who is getting hit, and especially who isn’t. One example is the aviation industry, which was hit about 80% less than before corona, which aligns very well with the general level of activity there. Not all organizations have reached the level required to handle large-scale remote working, and personally I am quite convinced that remote working is the “new normal”. Many devices will now access company data from outside the company network, and that means that the bar for endpoint protection and response will have to be set a great deal higher than we often see today. Unfortunately, some of the successful attacks we have seen in the recent year could have been avoided if the correct measures had been taken. In essence, companies need to realize that a fundamental change in how data is accessed and secured has already taken place.

Fileless attacks are also mentioned. But what is a fileless attack? It can be one of the most devastating types of attack, and I am going to give an example here: a fileless attack is an attack on a user account, where the attacker gets some level of access to the system. They can now use this account to move around in the system and start looking for ways to get even more access. In real life they have gained access to where the backup is stored, and can easily delete the backup, start encrypting your data, and your company is now a sitting duck. A fileless attack can be many things, so this was just one example, and far from all of them can be stopped by a traditional antivirus solution that looks for certain pieces of code. But the important thing to remember here is that monitoring user accounts and access to systems should be a part of the cybersecurity toolbox for all companies. This will enable you to detect attacks much faster and act accordingly.
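To make the monitoring point above concrete, here is a small account-activity monitor as an added example (not code from the original post or from CrowdStrike). It runs over a handful of constructed authentication and file-access records and flags the two things the example attack relies on: one account logging on to an unusually large number of hosts in a short window (an account "moving around in the system"), and any account other than the backup service account touching backup storage. The log format, host and account names, the allow-list and the thresholds are all assumptions for the example.

```python
"""
Added example, not part of the original post: a minimal account-activity
monitor over constructed logon/access events. Detects (1) one account fanning
out across many hosts within a short window and (2) activity on backup storage
by an account that is not expected there. Format, names and thresholds are
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source_host, target_host, action)
SAMPLE_EVENTS = [
    ("2020-10-20T09:00:00", "j.doe",   "ws-101", "ws-101",      "logon"),
    ("2020-10-20T09:05:00", "j.doe",   "ws-101", "fileserver1", "logon"),
    ("2020-10-20T09:06:00", "j.doe",   "ws-101", "fileserver2", "logon"),
    ("2020-10-20T09:07:00", "j.doe",   "ws-101", "dc1",         "logon"),
    ("2020-10-20T09:08:00", "j.doe",   "ws-101", "erp-app",     "logon"),
    ("2020-10-20T09:09:00", "j.doe",   "ws-101", "backup-nas",  "logon"),
    ("2020-10-20T09:10:00", "j.doe",   "ws-101", "backup-nas",  "delete"),
    ("2020-10-20T10:00:00", "svc_bkp", "bkpsrv", "backup-nas",  "logon"),
    ("2020-10-20T10:01:00", "svc_bkp", "bkpsrv", "backup-nas",  "write"),
    ("2020-10-20T11:00:00", "a.smith", "ws-102", "ws-102",      "logon"),
    ("2020-10-20T11:30:00", "a.smith", "ws-102", "fileserver1", "logon"),
]

# Assumed policy: which hosts hold backups, which accounts belong there,
# and how much host fan-out in how short a window counts as suspicious.
BACKUP_HOSTS = {"backup-nas"}
BACKUP_ACCOUNTS = {"svc_bkp"}
FANOUT_THRESHOLD = 4                 # distinct remote hosts reached ...
FANOUT_WINDOW = timedelta(minutes=10)  # ... within this window


def parse_event(rec):
    """Turn one raw record into a tuple with a real datetime."""
    ts, account, src, dst, action = rec
    return (datetime.fromisoformat(ts), account, src, dst, action)


def detect_lateral_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Flag accounts that log on to >= threshold distinct remote hosts within window.

    Only remote logons (source != target) count; a user logging on to their
    own workstation is normal. One alert per account, at the first window
    that crosses the threshold.
    """
    by_account = defaultdict(list)
    for ts, account, src, dst, action in events:
        if action == "logon" and src != dst:
            by_account[account].append((ts, dst))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts.append((account, start.isoformat(), sorted(hosts)))
                break
    return alerts


def detect_backup_access(events, backup_hosts=BACKUP_HOSTS, allowed=BACKUP_ACCOUNTS):
    """Flag any action on backup storage by an account outside the allow-list."""
    return [(account, ts.isoformat(), dst, action)
            for ts, account, src, dst, action in events
            if dst in backup_hosts and account not in allowed]


def run_monitor(records=SAMPLE_EVENTS):
    """Parse the records and return both alert lists keyed by detector name."""
    events = [parse_event(r) for r in records]
    return {
        "lateral_fanout": detect_lateral_fanout(events),
        "backup_access": detect_backup_access(events),
    }


if __name__ == "__main__":
    for name, alerts in run_monitor().items():
        print(name)
        for alert in alerts:
            print("  ", alert)
```

On the sample data the monitor raises one fan-out alert for j.doe (five remote hosts inside ten minutes, starting at 09:05) and two backup-storage alerts for the same account, the second of which is the delete. The real signal is the combination: an ordinary user account reaching many servers quickly and then touching backups is exactly the pattern a file-scanning antivirus will not see, while a simple allow-list on backup hosts and a per-account fan-out counter catch it with no signatures at all.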

If you are interested in hearing more about the Threat Report, you are welcome to contact me directly: mikkel.plank@nixu.com
