Top takeaways from Global Incident Response Threat Report

VMware recently released their annual ‘Global Incident Response Threat Report’ revealing the key cybersecurity trends based on events over the past year. 

The report dives into several threat areas, including ransomware attacks, lateral movement, the risks posed by deepfakes, API security and Business Email Compromise (BEC).

It is critical for IT professionals to understand and learn from these trends, as learning from past cybersecurity incidents helps organisations withstand an incident and prevent future attacks.

In this blog, we detail the top takeaways outlined in the ‘Global Incident Response Threat Report’ and how you can remediate against them.

Attackers Using Lateral Movement to Gain Access to Sensitive Information

Lateral movement appeared in 25% of all attacks over the past year, with attackers leveraging: 

  • Script hosts
  • File storage
  • PowerShell
  • Business communications platforms 
  • .NET

Many of the most sophisticated attackers bide their time within a compromised network by hiding in the day-to-day noise. The attacker moves laterally through the network, concealing malicious payloads and other criminal activity while waiting for the opportunity to inflict the most damage, such as launching a ransomware attack or stealing sensitive data.

Moving laterally within a network generally takes advantage of the lack of visibility into an organisation's cloud platforms, while also leveraging the business's own legitimate software and management tools.


One of the best things an organisation can do to counter these types of attacks is to eliminate weaknesses such as outdated or unpatched software and systems on its network.

Exploits can remain hidden for long periods before being activated, and organisations will be exposed if patches are not applied and updates are not maintained across all endpoints.
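Because the tooling listed above (PowerShell, script hosts, .NET) is also what administrators use every day, detecting lateral movement is about spotting how those tools are invoked and whether one account trips rules on several hosts. The following Python sketch is an added illustration, not code from the VMware report or from this blog: it runs a handful of detection rules over constructed process-creation events. The event field names, the rule set and the list of "file storage" folders are assumptions for the example, not a real EDR schema.

```python
import re
from collections import defaultdict

# Constructed process-creation events. The field names are an assumption for
# this example and do not follow any particular EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\nightly_backup.ps1"},
    # Hidden window plus a Base64 payload ("QQBCAEMA" is a constructed placeholder).
    {"host": "WS07", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    # Script host running a file straight out of a user's download folder.
    {"host": "WS07", "user": "CORP\\jdoe",
     "cmdline": "wscript.exe C:\\Users\\jdoe\\Downloads\\invoice_2023.js"},
    # PowerShell remoting from a workstation towards servers.
    {"host": "WS12", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe Invoke-Command -ComputerName FS01,SQL02 -ScriptBlock { Get-Service }"},
    # Legitimate script-host use from System32: should not be flagged.
    {"host": "SQL02", "user": "CORP\\admin.ops",
     "cmdline": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dlv"},
]

# Rule name -> case-insensitive regex applied to the command line.
RULES = {
    # PowerShell handed a Base64 payload via any accepted prefix of -EncodedCommand.
    "encoded_powershell": re.compile(
        r"(?i)\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|en|enc|encodedcommand)\s+\S+"),
    # Console window deliberately hidden from the interactive user.
    "hidden_window": re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b"),
    # Script hosts executing from user file-storage locations (folder list assumed).
    "script_host_from_storage": re.compile(
        r"(?i)\b(?:wscript|cscript|mshta)(?:\.exe)?\b.*\\(?:Downloads|Temp|AppData|OneDrive)\\"),
    # PowerShell remoting towards other hosts.
    "remote_execution": re.compile(r"(?i)\b(?:Invoke-Command|Enter-PSSession)\b.*-ComputerName\b"),
}


def match_rules(cmdline):
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def flag_events(events):
    """Keep only events that trip at least one rule, annotated with the rule names."""
    flagged = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            flagged.append({**ev, "rules": hits})
    return flagged


def users_spanning_hosts(flagged, min_hosts=2):
    """Correlate flagged events by account. One account tripping rules on
    several hosts is the fan-out shape that distinguishes movement from a
    one-off odd command; a single hit on a single host is usually noise."""
    hosts_by_user = defaultdict(set)
    for ev in flagged:
        hosts_by_user[ev["user"]].add(ev["host"])
    return {user: sorted(hosts) for user, hosts in hosts_by_user.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    flagged = flag_events(SAMPLE_EVENTS)
    for ev in flagged:
        print(f'{ev["host"]:6} {ev["user"]:18} {", ".join(ev["rules"])}')
    for user, hosts in users_spanning_hosts(flagged).items():
        print(f"possible lateral movement: {user} flagged on {hosts}")
```

The rules are deliberately narrow (a backup job using `-ExecutionPolicy Bypass` and a licensing script under System32 pass untouched) because the value is in the correlation step: on its own each hit is ambiguous, but the same account tripping rules on two workstations within a short window is worth an analyst's time. Baseline your own administrators' habits before tuning thresholds.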

The Imitation Game - Deepfakes on the Rise

There was a 13% increase in deepfakes compared to the year prior, with 66% of respondents stating that they have witnessed them in one form or another.

Email was the top delivery method for deepfakes with 78% of respondents having received them.

The other delivery channels were:

  • Mobile messaging - 57%
  • Voice - 34%
  • Social - 34%

Deepfakes appear in many different forms from Business Email Compromise (BEC) to AI generated videos that make it appear as if the person in the video is doing something they have not actually done.

The VMware report shows increasing use of deepfakes in Business Email Compromise, with 60% of attacks starting out as an email designed to appear to come from a known person making a legitimate request.


One of the best ways to defend against deepfakes is through employee education. To be effective, training must be consistent, engaging and give the workforce real life examples of what to look out for. 

Employees should also be encouraged to report suspicious signs immediately, even if it turns out to be a false alarm.

Increase in Cyberattacks Due to the Ukraine Invasion

The VMware report states that 65% of respondents recorded an increase in cyberattacks since Russia invaded Ukraine. For example, in February of this year, a new type of malware was deployed in one of the largest targeted attacks in history. The attack was focussed solely on the destruction of critical information and resources.


The key thing to remember here is that world events can cause an increase in cybersecurity risk. IT professionals should therefore monitor events and try to anticipate how they may affect their organisation's cybersecurity efforts.

Zero-day Exploits

Zero-day exploits hit record levels last year, with an increase of 11% compared to the year prior. In total, 62% of respondents encountered this type of attack method.

Zero-day exploits can take almost any form, because the underlying flaw can be any type of software vulnerability: missing data encryption, SQL injection, buffer overflows, missing authorisation checks, broken algorithms, URL redirects, bugs, or problems with password security.

This variety makes zero-day vulnerabilities difficult to find proactively, which means attackers also have a hard time discovering them. But it equally means they are difficult to protect against, as they can be impossible to anticipate.


Although it can be difficult to defend against zero-day attacks, organisations can reduce their exposure by:

  • Keeping software and systems updated and patched at all times. 
  • Staying informed on all publicised zero-day vulnerabilities and putting in security measures or responding to a threat before it gets exploited.

API Security Compromises

APIs, which allow two software components to communicate with each other, are also increasingly under threat, with 23% of attacks compromising their security.

The top types of API attacks include:

  • Data exposure - 42%
  • SQL injection attacks - 37%
  • API based attacks - 34%

The results of the report show that malicious attackers are not only seeking to compromise the API security but are leveraging it to distribute additional, often destructive attack vectors known as progressive API attacks. 


One of the best ways to defend against an API attack is to conduct a penetration test on the APIs you operate.

An API penetration test consists of assessing the API's endpoints and how they function in relation to the web applications that call them. The tester then attempts to manipulate the endpoints to discover whether they can be abused or exploited, and how authorisation and authentication could potentially be bypassed.
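The most common API finding in the report, data exposure, usually comes down to an endpoint that authenticates the caller but never checks that the caller is entitled to the specific record requested, and then returns the raw database row. The Python below is an added example, not code from the report or from this blog: it places such a weak handler beside a hardened one and runs the kind of authorisation matrix an API test works through (every caller against every record). The records, roles and field list are constructed for the example.

```python
# Constructed records standing in for the API's backing store.
RECORDS = {
    101: {"id": 101, "owner": "alice", "email": "alice@example.com",
          "balance": 2500.0, "password_hash": "<placeholder-hash>"},
    102: {"id": 102, "owner": "bob", "email": "bob@example.com",
          "balance": 80.25, "password_hash": "<placeholder-hash>"},
}

# Fields a client may see; anything not listed (e.g. password_hash) stays internal.
PUBLIC_FIELDS = ("id", "owner", "email", "balance")


class ApiError(Exception):
    """Carries the HTTP status the endpoint should answer with."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def get_account_vulnerable(caller, account_id):
    """Weak handler: requires a logged-in caller but never checks ownership and
    returns the whole row. Any authenticated user can walk the id space and
    read everyone else's data, internal fields included."""
    if caller is None:
        raise ApiError(401, "authentication required")
    record = RECORDS.get(account_id)
    if record is None:
        raise ApiError(404, "not found")
    return dict(record)


def get_account_hardened(caller, account_id):
    """Hardened handler: object-level authorisation plus a field allow-list."""
    if caller is None:
        raise ApiError(401, "authentication required")
    record = RECORDS.get(account_id)
    permitted = record is not None and (
        record["owner"] == caller["sub"] or caller.get("role") == "support")
    # One answer for "does not exist" and "not yours", so ids cannot be enumerated.
    if not permitted:
        raise ApiError(404, "not found")
    return {field: record[field] for field in PUBLIC_FIELDS}


def call(handler, caller, account_id):
    """Invoke a handler the way a test harness would; return (status, body)."""
    try:
        return 200, handler(caller, account_id)
    except ApiError as err:
        return err.status, {"error": err.message}


def authz_matrix(handler):
    """Exercise every (caller, record) pair and report the status each receives.
    A 200 for a caller who does not own the record is the finding."""
    callers = {
        "anon": None,
        "alice": {"sub": "alice", "role": "user"},
        "bob": {"sub": "bob", "role": "user"},
        "support": {"sub": "carol", "role": "support"},
    }
    return {(name, rid): call(handler, caller, rid)[0]
            for name, caller in callers.items() for rid in RECORDS}


if __name__ == "__main__":
    for label, handler in (("vulnerable", get_account_vulnerable),
                           ("hardened", get_account_hardened)):
        print(label)
        for (who, rid), status in sorted(authz_matrix(handler).items()):
            print(f"  {who:8} -> {rid}: {status}")
```

Read the two matrices side by side: the weak handler answers 200 for alice on bob's record and for bob on alice's, while the hardened one answers 404 in both cases and only the support role sees across accounts, still without the internal fields. Returning 404 rather than 403 for records the caller does not own is a deliberate choice so that the response itself does not confirm which ids exist.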

Ransomware Attacks

Ransomware attacks are an ever-present threat to organisations and show no sign of stopping.

The report states that 60% of respondents experienced a ransomware attack over the past 12 months, with prominent cyber criminals continuing to extort organisations through double extortion techniques, data auctions (60%) and blackmail (63%).


When it comes to defending against ransomware, as with any cybersecurity attack, there are two sides of the coin: the threat of attack and the defence against it. One cannot exist without the other.

The greatest threat to any business is a cybersecurity breach and having a good defence plan will help keep your business safe from these breaches.

When building a plan to defend against attacks, your plan should include:

  • Having a backup system in place;
  • Keeping software and applications updated;
  • Removing default user accounts from servers, network devices and software applications;
  • Developing an incident response plan;
  • Training your employees on cybersecurity, including social engineering attacks, password weaknesses and protecting work devices.

Incident Response (IR) Professionals are Fighting Back 

Incident response professionals have been fighting back. According to the report, 87% of incident response professionals were able to disrupt a malicious actor's criminal activities, and 75% of professionals state that they are finding success in deploying virtual patching as an emergency mechanism.

Virtual patching, also known as vulnerability shielding, involves using a web application firewall or similar tool to block the attacker's path to a known vulnerability, shielding it until the software itself can be fixed.
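In practice a virtual patch is a narrowly scoped rule in front of the vulnerable endpoint: it either enforces what a parameter is allowed to look like or disables the endpoint outright, and it carries an expiry so that the temporary shield does not quietly become permanent. The Python below is an added example, not code from the report, this blog or any WAF product; the endpoints, rule ids and dates are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    """One shield rule. `allowed` is a positive allow-list for `param`: a value
    that does not fully match it is rejected. `param` of None shields the whole
    endpoint. `expires` is when the real fix is due; the shield is temporary."""
    id: str
    path: str
    param: Optional[str]
    allowed: Optional[re.Pattern]
    expires: date
    note: str


# Constructed rules with placeholder ids; the endpoints are hypothetical.
PATCHES = [
    # Allow-list the parameter rather than block-list injection strings: the
    # application only ever expects a numeric order id, so anything else is
    # rejected without having to enumerate attacker payloads.
    VirtualPatch("VP-001", "/api/orders", "id", re.compile(r"\d{1,9}"),
                 date(2030, 1, 31), "order id must be numeric until the SQLi fix ships"),
    # Legacy endpoint exposing data it should not: disabled entirely until removed.
    VirtualPatch("VP-002", "/api/v1/export", None, None,
                 date(2030, 2, 15), "legacy export disabled pending decommission"),
]


def evaluate(url, patches=PATCHES):
    """Return ('block', patch_id) if a shield rule rejects the request, else ('allow', None)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for vp in patches:
        if vp.path != parts.path:
            continue
        if vp.param is None:
            return "block", vp.id
        # Check every occurrence; a repeated parameter must not slip a bad value past the rule.
        for value in query.get(vp.param, []):
            if not vp.allowed.fullmatch(value):
                return "block", vp.id
    return "allow", None


def overdue(today, patches=PATCHES):
    """Ids of shields whose expiry has passed: either the permanent fix is late
    or the rule should be retired. Review these on every patch cycle."""
    return [vp.id for vp in patches if vp.expires < today]


if __name__ == "__main__":
    # Constructed sample requests (URL-encoded as they would arrive on the wire).
    for url in ("/api/orders?id=1234",
                "/api/orders?id=1%27%20OR%201%3D1",
                "/api/v1/export?format=csv",
                "/api/v2/export?format=csv"):
        print(f"{url:40} -> {evaluate(url)}")
    print("overdue shields:", overdue(date(2030, 2, 1)))
```

Two design points matter here. First, the shield is positive (what a value may look like) rather than negative (a list of bad strings), because the application knows what it expects and an allow-list does not need updating every time a new payload encoding appears. Second, every shield has an owner date: virtual patching buys time for the real fix, and `overdue()` is the reminder that the time has been spent.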

How the Experts can Help

One of the best ways to reduce the likelihood of a successful data breach is through experience.

Secora offers a wide range of services that are tailored to your organisation's specific requirements.

Partner with us today and our experienced penetration testing and cyber security consultants will go the extra mile to ensure your organisation stays secure during these testing times.


Our services

All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.

Secure your success.

If you are concerned about your organisation's cyber resilience, please get in touch.