With cybercriminals increasingly forming alliances, infosec leaders have to toughen their security strategies, but be ready for a worst-case scenario, says a Canadian managed security service provider.
That’s the conclusion of Cambridge, Ont.-based eSentire in its Annual Threat Intelligence Report, which was released this morning.
“At the highest level, organizations need to develop a security strategy and have a plan which accounts for the harsh reality that—at some point—things will go wrong and threats will break through,” says the report. “Regardless of what third-party security solutions and services are put in place, internal perspectives provide valuable enrichment and context; moreover, internal skills and knowledge often permit faster incident responses and more effective coordination with third-party experts.
“Do security diligence and hope for the best—but prepare for the worst.”
Among its predictions for 2020:
- Threat groups will specialize in their skill sets to complement the whole cybercrime community. “Essentially, the cybercrime market will become increasingly efficient in an economic sense” by increasing co-operation.
- Threat actors will make even more use of cloud services as an attack vector this year, for example using Azure- and Google-based websites to host phishing lures and exploit kits. Because these malicious websites use reputable hosts, there is a tendency for people and automated detection systems to implicitly trust them and to overlook the associated traffic. Plus, domain- and IP-based filtering solutions must leave these hosts accessible so businesses can access their data and services. “Defending against such attacks will require careful coordination between cloud providers and disciplined curation of cloud services by enterprise users.”
- More CISOs will use deception techniques such as fake admin credentials and isolated systems to simplify detection and to complicate matters for attackers. Companies could deploy intermediary systems that respond to reconnaissance in a way that increases the workload for attackers, thereby changing the economics of the attack business model.
- With law enforcement and cybersecurity agencies getting more funding, expect more arrests.
- And because this is an election year in the U.S., expect more politically motivated cyberattacks.
In an interview, lead report author Keegan Keplinger said one thing that struck him the most in preparing the paper was how many enterprises “have simple security in place — they’ve got almost nothing. And in some cases, they had threat actors [in their environment] that they weren’t even aware of.”
Mark Sangster, an eSentire security strategist, said what stuck out for him was the finding that those behind ransomware attacks are increasingly taking what the report calls a “hands-on-keyboard” targeted approach and not merely relying on an automated attack.
Asked why defenders are still struggling, Sangster said Canadian firms “see a lot of these issues as technical to solve” and not as a cultural problem that also needs awareness training. And, he added, far too many organizations here still don’t believe they will be targeted. “They think in linear terms — ‘We’re not a bank, we don’t have money.’ I hear it all the time: ‘We’re a Canadian manufacturing firm, who’d want to come after us?’ Well, I know of one that lost millions of dollars in fraudulent email invoice attacks.”
Sangster also said industry associations in the U.S. are three to five years ahead of their Canadian counterparts in educating businesses about cyber risks and how to face them.
Using data from customers, the report found that Emotet accounted for almost 20 per cent of confirmed malware incidents, reinforcing its role in the black market as the preferred delivery tool. Emotet was the most observed threat both on networks and on endpoints, achieving this dominance despite a midyear hiatus when its command-and-control servers were dormant.
In the past, Emotet was a banking Trojan with its own delivery system, but in 2019 it primarily functioned as a downloader. While it still contains some minimal Trojan and worming functionality, its main function today is to download and install other malware (e.g., AZORult, IcedID, ZeuS Panda, TrickBot, Qbot and others).