Advice from the Security Incident Responders

Written by Tim Haight

I'm VP of Technology Services for CGNET. I love to travel and do IT strategic planning.

July 25, 2019

Another of those neat annual reports describing IT security threats has just come out. It’s the Secureworks 2019 Incident Response Insights Report. Secureworks is an interesting organization. A lot of its work is in incident response, where the client already has experienced an IT security incident and needs assistance.

In 2018, Secureworks recorded findings from more than 1,000 incident response engagements. Although the news from last year’s incidents is not of major new types of attacks, one message from the report is clear. An essential part of a security effort is to start with the basics. These include visibility into your network, keeping effective logs, using multi-factor authentication (MFA) and examining your business processes as well as technology.

As I said, this is not news. For security experts, this is old stuff. But the point is that even though these protective procedures are known, not enough organizations are actually carrying them out.

The Threat Landscape

The overall threat landscape illustrates how malicious cyberattacks have become big business. 85 percent of the incidents recorded by Secureworks in 2018 were financially motivated. Only seven percent were government sponsored.

This doesn’t mean that organizations particularly attractive to government-supported hackers shouldn’t worry. The risks an organization faces depend largely on what threat actors seek from it. Government hackers have gone after foundations that have supported civil-society organizations abroad, presumably because the malicious actors wanted to identify dissidents.

Overall, however, financially oriented exploits are the most frequent today. The leaders include business email fraud (22%), ransomware (21%), digital currency mining (18%) and banking trojans (12%).

Ransomware accounted for fewer incidents this year, but those incidents were larger. This was, to some extent, helped by a new approach of distributing the ransomware across an organization rather than attacking individual computers. This post-intrusion approach, where spreading across the network occurs after an initial entry, accounted for a majority of Secureworks’ ransomware incidents last year. When post-intrusion distribution was used, the number of impacted hosts per incident rose from 1.8 to 114.3.

Banking trojans, too, have been spreading across the network. Where once a single computer might have been infected with malware such as TrickBot, now many are. TrickBot has a new spreading feature based on an included list of common passwords. Thousands of computers in a large organization can be affected. In one case, such an attack cost an employee $50,000 when her bank account credentials were stolen. Perhaps you don’t want to access your bank from work.

The Advice

The report contains several other stories of exploits and how they operate. For brevity, however, we will cut to the chase. Too many of the victims Secureworks helped last year were not adopting basic security practices, such as lists of their hardware and software, using multi-factor authentication or employing an overall security framework such as the CIS Controls. The authors emphasize that addressing the basics is the best way to stay safe.
