The Secureworks Counter Threat Unit (CTU) has found that most real-world security incidents start with much smaller organisational issues.
Given the current landscape involving risks of advanced AI threats dominating the cybersecurity industry, this finding emphasises the importance of businesses focusing on cyber hygiene to improve their network defences.
Secureworks helped contain and remediate more than 500 real-world security incidents in 2022, with the company’s CTU researchers analysing the data from these events to understand trends and emerging threats.
One of the key findings of this research is that incidents involving business email compromise (BEC) have doubled, knocking ransomware off the top spot as the most common type of financially-motivated cyber threat to companies.
The Secureworks CTU was able to link the growth in BEC to a significant increase in successful phishing campaigns, making up 33% of incidents where the initial access vector (IAV) could be established. This was almost three times higher than in 2021 (13%).
Exploiting vulnerabilities in internet-facing systems was an equally popular entry point for both nation-state and cybercriminal attackers, accounting for one-third of incidents where IAV could be established.
Threat actors generally didn’t need to use zero-day vulnerabilities, instead opting for publicly disclosed vulnerabilities to target unpatched machines, including ProxyLogon, ProxyShell and Log4Shell.
Ransomware incidents saw a 57% decrease but remain a core threat.
Secureworks notes this could be because of changing tactics or equally due to fewer threats as law enforcement ramps up its activity around high-profile attacks such as Colonial Pipeline and Kaseya.
However, it could also be because gangs may be targeting smaller organisations that are less likely to engage with incident responders (meaning they would fall outside the scope of Secureworks’ report).
“Business email compromise requires little to no technical skill but can be extremely lucrative. Attackers can simultaneously phish multiple organisations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models,” says Mike McLellan, Director of Intelligence at Secureworks.
“Let’s be clear, cybercriminals are opportunistic -- not targeted. Attackers are still going around the parking lot and seeing which doors are unlocked.
“Bulk scanners will quickly show an attacker which machines are not patched. If your internet-facing applications aren’t secured, you’re giving them the keys to the kingdom.
“Once they are in, the clock starts ticking to stop an attacker turning that intrusion to their advantage.
“Already in 2023, we’ve seen several high-profile cases of post-intrusion ransomware, which can be extremely disruptive and damaging.”
Hostile state-sponsored activity rose to 9% of the incidents analysed, an increase from 6% in 2021.
Secureworks says 90% of these were attributed to threat actors affiliated with China.
Further, financially motivated attacks comprised most of the incidents investigated outside of state-sponsored activity, making up 79% of the total sample, which is lower than previous years.
The CTU says this could be connected to the Russia/Ukraine conflict disturbing supply chains, such as the files connected to the Conti ransomware group being leaked, an incident that took months for the group to reconfigure and recover from and could have affected ransomware’s overall decline.
“Government-sponsored threat actors have a different purpose to those who are financially motivated, but the tools and techniques they use are often the same,” McLellan adds.
“For instance, Chinese threat actors were detected deploying ransomware as a smokescreen for espionage. The intent is different, but the ransomware itself isn’t.
“The same is true for the initial access vector (IAVs); it’s all about getting a foot in the door in the quickest and easiest way possible, no matter which group you belong to.
“Once a state-sponsored actor is through that door, they are very hard to detect and even harder to evict.
“As states such as China, Russia, Iran, and North Korea continue to use cyber to advance the economic and political goals of their countries, it is even more important that businesses get the right controls and resources in place to protect, detect, and remediate attacks.”
Secureworks’ report also shows that crucial security controls in the cloud are either misconfigured or missing entirely, possibly due to organisations rushing to migrate to the cloud during COVID-19.
Multi-factor authentication (MFA) fatigue attacks involve an attacker bombarding a user with access requests in an attempt to frustrate them to the point that they grant access just to stop the notifications. The CTU notes these attacks were also on the rise.
Secureworks advises businesses to ensure they have in-depth visibility and intelligence-driven detection throughout their host, network and cloud environments.
These recommendations are designed to stop future recurrences and include centralised log retention and analysis across host, network and cloud resources, as well as reputation-based web filtering and network detection for suspicious domains and IPs.