Even as a steady drumbeat of headlines keeps the world’s attention focused on cybercrimes such as ransomware and cryptojacking, attackers in the dark corners of the internet are busy refining their craft. According to the world’s top incident response (IR) professionals, cyberattackers are honing their ability to remain undetected inside the enterprises they’ve breached, and evolving their attacks to counter defenders’ response efforts.
If this report reveals anything, it’s that business leaders can no longer get by thinking an attack won’t happen to them. Attacks that were once reserved for sophisticated campaigns have become an everyday reality. This evolution coincides with mounting geopolitical tensions. Nation-states such as Russia, China, Iran and North Korea are actively operationalizing and supporting technologically advanced cyber militias.
Most organizations remain woefully unprepared to combat such attacks. The majority have yet to create and implement proactive incident response plans, continuing instead to lean heavily on outdated legacy antivirus and firewall tools for protection.
In an effort to gauge the current attack landscape and to quantify the latest attack trends seen by leading IR firms, Carbon Black is introducing its Quarterly Incident Response Threat Report (QIRTR). This report aggregates both qualitative and quantitative input from leading Carbon Black IR partners, who on average participated in one incident response engagement per day over the course of 2017. Data from this report represents insight from active breach investigations where, in most instances, some combination of people, process and legacy security technology has failed.
Among the key findings from the report:
The vast majority of cyberattacks originate from two nation-states: 81% of IR professionals say the majority of attacks come from Russia; 76% say the majority come from China. And these foreign actors are seeking more than just financial gain or theft — 35% of IR professionals say attackers’ end goal is espionage.
Geopolitical tension is driving an evolution in cyberattacks against all verticals, but 78% of IR professionals say the financial industry is attacked most often; 73% say healthcare organizations and 43% say government.
Nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organization. They’re getting in, moving around and seeking more targets as they go. Of note, 100% of respondents say they’ve seen PowerShell used for attempted lateral movement.
Nearly half (46%) of incident response professionals say they’ve experienced instances of counter incident response, another concerning sign that attackers have become increasingly sophisticated and are initiating longer-term campaigns — as well as a clear signal that incident response must get stealthier.
More than a third (36%) of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organization’s affiliates, often smaller companies with immature security postures. This means that not only is your data at risk, but so is the data at every point in your supply chain, including that of your customers and partners.
The full report includes specific case studies from leading IR firms Rapid7, Kroll and Black Cipher, as well as six tips from IR pros on how organizations can take a proactive approach to incident response.