Many organizations underestimate the value of their data to skilled and organized cybercriminals, said security provider eSentire.
Keeping up with cybercriminals can be a never-ending challenge for organizations and security professionals. As hackers and attackers come up with increasingly more clever and devious ways to infiltrate an organization, your critical and sensitive data becomes more vulnerable to compromise. In its Annual Threat Intelligence Report for 2019, eSentire offers several recommendations on how to better protect and secure your business data.
SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)
Though nation states continued to launch cyberattacks, organized cybercrime was actually responsible for the vast majority of attacks in 2019, according to eSentire. Financially motivated, organized cybercriminals rely on partnerships, code-sharing, and service marketplaces to become more efficient. These type of criminals also are using more secure and encrypted consumer applications to communicate with each other, making it harder to follow their activities.
Among the cybercrimes described in the report are:
- Stealing financial credentials (e.g., banking Trojans) to sell or to use to extract money
- Tricking people into transferring funds (e.g. Business Email Compromise schemes)
- Appropriating resources to create things of value (e.g., coinminers)
- Demanding ransoms (e.g., employing cryptographic ransomware or threats to release stolen information)
- Stealing something of value to be sold directly (e.g., intellectual property theft)
- Stealing something to be used to create something of value (e.g., industrial espionage)
The advanced trojan known as Emotet accounted for almost 20% of confirmed malware incidents last year, eSentire said, marking it as the preferred delivery method by the black market (Figure A). Emotet was the most observed threat on networks and endpoints despite a mid-year hiatus when its command and control servers were dormant. To launch their attacks, cybercriminals use Emotet based credential harvesting to compromise legitimate email accounts and impersonate trusted sources.
The report also uncovered other types of attacks in 2019.
- Dominating ransomware families. A number of successful ransomware attacks against enterprises, governments, service providers, and large businesses can be attributed to just six ransomware families.
- Healthcare and construction industries are most vulnerable to phishing attacks. While the healthcare and hospital industry as a whole has improved its resilience against malware attacks, it continues to be the most vulnerable, followed closely by construction.
- Cloud services gaining traction for phishing campaigns. Cloud services like Google and Microsoft Azure are being used to host malicious pages and trusted proxies to redirect users. The lures that scammers use most frequently to convince people that their messages are legitimate are email services, Microsoft Office 365, and financial services.
“A recurring conclusion of the report’s case studies is that simplistic approaches to security can leave dangerous gaps in an organization’s defenses,” Keegan Keplinger, research lead for eSentire, said in a press release. “Anecdotally, we have found several cases of surprisingly large organizations with valuable data and critical infrastructure with little more than an anti-virus program running on their endpoints prior to our engagement. Even complete network coverage can miss something as straightforward as an attacker returning to an organization with successfully phished credentials.
“These organizations appear to underestimate the sophistication of modern cybercriminals, as well as the value the data holds to them,” Keplinger added. “Having the strategic insight about what attackers are capable of, what kind of tools they are using, and how valuable your data and infrastructure can be is fundamental to understanding the lengths you have to go to protect them.”
How to protect valuable data
To help you better secure and protect your most valuable data, eSentire offers the following recommendations:
- Develop a security strategy to prepare for the worst. At some point things will go wrong, and threats will break through. Regardless of the security solutions you have in place, the right internal perspectives can provide valuable enrichment and context. The right internal skills and knowledge often foster quicker incident responses and more effective coordination with third-party experts. Do security diligence and hope for the best, but prepare for the worst.
- Train your people and enforce best practices. Cybersecurity is no longer the domain of a few skilled experts. Everyone in an organization needs to be aware of the general risks and be familiar with best practices. The more familiar your people are with phishing tactics, real-world phishing examples, and phishing avoidance habits, the more resilient your organization will be. Create an environment where they’re no exceptions—many impersonation scams rely on people dutifully responding to urgent and unusual requests from executives—and where good practices (like verifying identity by another channel) become second nature.
- Limit your threat surface. eSentire’s research indicates that organizations with more distributed locations and systems are more vulnerable than those with only a small number of locations. Once an organization has six or more locations, it is a near certainty that it will experience a security incident in any given year. The more systems are connected, the more systems are exposed, and it is more difficult to introduce and enforce secure habits within the employee base.With this in mind, organizations should adopt restrictive policies governing which systems are externally exposed. If a system does not need to be accessible externally, then do not give it exposure. To defend against known vulnerabilities, organizations should adhere to strict patching guidelines. By patching systems, organizations can remove specific vulnerabilities before exploits can take advantage. Any delay between the development of an exploit, and the release and subsequent application of a patch creates a window of opportunity for attack.
- Invest in a modern endpoint protection platform. Faced with polymorphic malware, managed attack campaigns, fileless attacks, unavoidable windows of vulnerability, and the ever-present human element, endpoint protection provides a vital and necessary layer of defense. Modern endpoint protection platforms utilize a cloud-native architecture, which shifts management and some of the analysis and detection workload to the cloud.
- Employ defense in depth. Beyond using a modern endpoint protection platform, organizations should pursue additional activities as part of a comprehensive strategy of defense:
1. Recognize the limitations of antivirus solutions, and do not rely on antivirus alone to protect against modern threats. Employ multiple endpoint solutions with next-generation antivirus being one of them.
2. Because organizations with more distributed locations, and systems are considerably more vulnerable than those with only a small number of locations, take special care—especially during times of aggressive growth—to harden endpoints and exposed systems.
3. Excluding fileless attacks, most malware hits an organization through malicious email attachments or links, both of which require human interaction to initiate the malicious activities. Organizations should try to mitigate this risk through regular user awareness training (continuous simulated phishing exercises and a process for reporting suspicious emails) and technical controls (spam filtering, URL rewriting and attachment sandboxing, allowing only email attachments that contain trusted file types, and restricting the execution of files from temp directories).
4. Permissive application policies and a failure to enforce more restrictive policies both can make an organization more vulnerable. Therefore, you should support the efforts of your IT teams to manage applications and strictly enforce policies.
To compile its report, eSentire Threat Intelligence gathered data from more than 2,000 proprietary network and host-based detection sensors across multiple industries around the world. Intelligence analysts for the company scrutinized the data to help create and offer their recommendations.