Below is a highlight of the key takeaways from the first half of 2020 outlined in the latest Threat Landscape Report from Fortinet’s FortiGuard Labs.
By Derek Manky at Fortinet. No one could have predicted the degree and magnitude of change we would experience, both within and outside of the cybersecurity industry, in 2020. The first half of the year has demonstrated the dramatic scale at which cybercriminals and nation state actors are willing and able to leverage the global pandemic as an opportunity to launch targeted cyberattacks around the world. They have exploited the fear of individuals and the uncertainties of the pandemic as an attack strategy. And while these attacks cover a spectrum of strategies, they have heavily targeted the sudden expansion of new teleworkers – literally millions of remote workers expanded the digital attack surface almost overnight – along with their vulnerable home networks and devices and unprotected browsers.
At the same time, other attacks continued apace. For example, cybercriminals also continued their use ransomware, relying more than ever on Ransomware-as-a-Service, but this time with a twist. Not only is valuable data being encrypted and held for ransom, an encrypted version of that data is also being posted online, with the threat that if a ransom is not paid, all of the company’s data – ranging from customer information to intellectual property – will be released for public access.
1H in Review: Key Takeaways from the FortiGuard Labs Global Threat Landscape Report
During the first half of 2020, evolving working environments and increased reliance on personal device usage opened the door to increased cyber threat activity. Below, are some of the most prevalent cyber trends from Q1 and Q2 uncovered in the current Global Threat Landscape Report:
- From opportunistic phishers to scheming nation-state actors, cyber adversaries found multiple ways to exploit the global pandemic for their benefit at an enormous scale. This included phishing and business email compromise schemes, nation-state backed campaigns, and ransomware attacks.
- Well-known threats such as ransomware have not diminished or disappeared during the last six months, they continue a more targeted nature. Instead, COVID-19 themed messages and attachments were used as lures in a number of different campaigns. Other ransomware was discovered rewriting the computer’s master boot record (MBR) before encrypting the data. In addition, there was an increase in ransomware incidents where adversaries not only locked a victim organization’s data but stole it as well and used the threat of widescale release as additional leverage to try and extort a ransom payment.
- Web-based malware became the most common vehicle for delivering malware, commonly being used as part of phishing campaigns and scams. This attack vector outranked email as the primary delivery vector used by cybercriminals for the first time in a while.
- For cyber adversaries, the development of exploits at-scale and the distribution of those exploits via legitimate and malicious hacking tools continue to take time. Even though 2020 looks to be on pace to shatter the number of published vulnerabilities in a single year, vulnerabilities from this year also have the lowest rate of exploitation ever recorded in the 20-year history of the CVE List. Interestingly, vulnerabilities from 2018 claim the highest exploitation prevalence (65%), yet more than a quarter of firms registered attempts to exploit CVEs from 15 years earlier in 2004.
- Exploit attempts against several consumer-grade routers and IoT devices were at the top of the list for IPS detections. While some of these exploits target newer vulnerabilities, a surprising number targeted exploits first discovered in 2014 – an indication the criminals are looking for exploits that still exist in home networks to use as a springboard into the corporate network.
- In addition, Mirai (2016) and Gh0st (2009) dominated the most prevalent botnet detections, driven by an apparent growing interest by attackers targeting older vulnerabilities in consumer IoT products.
- The 10th anniversary of Stuxnet came and went in June, bringing our attention back to operational technology (OT) security threats, such as the latest Ramsay espionage framework, geared towards compromising industrial environments. Another development was the use of ransomware in an operational technology (OT) setting.
What Does This Mean for CISOs Now?
CISOs should leverage the intelligence provided in this report to evaluate and update current security measures to ensure that these attack vectors and strategies are properly protected against.
Secure the Endpoint Devices of Remote Workers – The first step is to revisit remote workers to ensure that appropriate security measures are in place to protect data, applications, and resources in use in remote locations, as well as to ensure that they do not become a conduit for malware finding its way into the corporate network. This starts with ensuring that proper security is in place on end-user devices, especially protecting browser activity since web-based malware, delivered through phishing campaigns and other scams, outranked the more traditional email delivery vector in the first half of 2020.
Endpoint devices should be protected with more than just traditional antivirus (AV) and endpoint protection security. New endpoint detection and recover (EDR) solutions like FortiEDR are not only able to identify sophisticated attacks, but also prevent any unknown application, such as malware, from executing until it has been analyzed.
Review ransomware security measures – Organizations should already have a robust ransomware strategy in place. This should include the ability to strip out malicious content in an email using content disarm and reconstruction tools. Networks need to be segmented as part of a ZTNA strategy to limit the resources that can be impacted. Full data backups need to be stored offline and off network to ensure rapid recovery. And data inside the network needs to be encrypted so that it cannot be used or exposed by cybercriminals. This needs to be coupled with a full response strategy that is practiced regularly to eliminate downtime.
Ensure all VPN traffic is being inspected – With the increase in attacks targeting home routers and its connected devices, such as DVRs, it is critical that VPN connections include full inspection looking for malware originating from the home networks of remote workers. This requires having firewalls in place capable of not only managing a dramatically increased volume of VPN traffic, but also the heavy processing load required to inspect encrypted traffic.
Bolster security in OT environments – Increased attacks on OT environments require having security in place that restricts the resources that users, devices, applications, and workflows can access. Fortinet’s full zero-trust network access (ZTNA) solution combines access control and network security solutions designed to secure OT environments and systems, such as SCADA and ICS systems, with networking functions such as access points and network segmentation. This ensures that even if malware manages to circumvent edge security strategies, it will still be limited to a tiny segment of the OT network.
Use the Report to Take Critical Countermeasures
This is just a brief overview of the full Threat Landscape Report for the first half of 2020 now available from FortiGuard Labs. CISOs and other security professionals are strongly advised to read the report, review its recommendations, and take appropriate measures to counter the trends it details.
It is common knowledge that attacks and data breaches attempts are inevitable. Therefore, in addition to specific recommendations above, organizations should focus their efforts at a strategic level on developing a security framework that highlights prevention and incident response while also leveraging AI capabilities to decrease the economic impact of a breach. Research conducted by the Ponemon Institute concluded that, the global six-year average, cost of a data breach amounts to $3.78 million. Although, the financial consequences of a data breach can vary based on several factors, including root causes, network size, and the type of data held by an organization, this cost is only likely to rise as more targeted attacks occur.
As always, the best defense against cyberthreats is good information. Leveraging critical threat intelligence, such as this latest edition of the Fortinet Threat Landscape Report, enables organizations to refocus and refine their resources and strategies so they can remain a step ahead of today’s threat landscape.