CDSA

Fortinet Explores Latest Cyber Threats

The threat landscape is constantly changing, keeping even the most skilled security teams on their toes, making it critical for organizations and their teams to stay ahead of attackers’ latest activities, according to Fortinet.

During the recent webinar “Unleash Cyber Resilience Everywhere You Need It,” Tony Giandomenico, VP, cybersecurity consulting, proactive and reactive at Fortinet, outlined the latest threats and attack vectors directly from the company’s Incident Response team.

Giandomenico and Max Zeumer, product marketing director at Fortinet, also outlined effective strategies to defend an organization, and shared advice on achieving long-term resilience and guidance on how to maximize resources to mitigate risk.

“When we look at all of these different types of events that we focused on for the first half of [2023], most of the adversaries that we dealt with were financially motivated” and used ransomware, Giandomenico said.

“With that said, though, we still did see a bunch of other things, such as nation state actor attacks and what have you,” he noted. But he said: “As we go through all this and a lot of the data insights and some of the trends, I think it’s important just to add that additional context that most of these things were really around ransomware attacks.”
Many of the adversaries are “actually logging into the network [and] not necessarily hacking in these days,” he pointed out. In the first half of last year, in 61.5 percent of “all of our investigations, the adversary already had access into the network; they already had the right username and password to log in,” he said.

Fortinet also saw many exploits on public-facing applications in the first half of 2023 – anything that is “externally kind of publicly available for the adversary to try to be able to exploit if there is a vulnerability there,” he said. “We did see that [in] almost 50 percent of the engagements.”

He also explored how attackers are getting the usernames and passwords to get into the environment. “Think about how many breaches have successfully occurred over the last few years. The majority of them are probably exfiltrated data that contains usernames and passwords. Some of them actually might be the same usernames and passwords that your employees may be using for your internal network.”

There are also “a lot of targeted phishing attacks … that are just kind of focused in on stealing credential information,” he noted. Meanwhile, some of the folks using two-factor authentication are using their phones as the actual second factor and “there are a lot of ways to be able to circumvent that type of technology,” he pointed out.

For one thing, he said: “We did see adversaries do what we refer to as SIM-jacking” of consumers’ mobile phone numbers, “so then, when that two-factor authentication or that kind of second factor would come in, it would be on the actual new SIM card.”

Much of the stolen data “eventually ends up … being sold by third parties such as access brokers on the darknet,” he added.

Moving on to the “defensive evasions” being done by hackers, he said, “one of the number one ways, outside of already having the valid account, is they’re impairing the defenses, or disabling, modifying specifically endpoint security controls.”

Key takeaways

Giandomenico went on to point to what he called the “key takeaways” from Fortinet’s findings.

First, organizations are failing to capitalize on early detection because they lack adequate, documented, rehearsed IR processes. Second, there is significant overlap between threat actors. That overlap could be used to prioritize countermeasures, and common countermeasures can most likely be applied through an organization’s existing solutions.

Third, human-driven intrusions are increasing and remain effective despite (and because of) their simplicity, enabled by lower barriers to entry. Fourth, there are detection opportunities earlier in the “kill chain,” particularly in detecting lateral movement. In many cases, however, lateral movement could have been detected via simple logic-based detections and closer scrutiny of client-to-client communications.
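The client-to-client scrutiny mentioned above can be turned into a simple logic-based detection. The following is an added illustration, not code from Fortinet or the webinar: it assumes constructed workstation and server subnets, a constructed flow-log format, and a list of remote-administration ports, and flags workstation-to-workstation connections on those ports, escalating any source that fans out to several peers.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout (constructed for this example): workstations live in
# 10.10.0.0/16, servers in 10.20.0.0/16. Workstations rarely need to reach
# each other on remote-administration ports, so such flows are worth a look.
CLIENT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
# Ports commonly used for remote administration: SMB, RDP, WinRM (HTTP/HTTPS).
ADMIN_PORTS = {445, 3389, 5985, 5986}

# Constructed sample flow log (hypothetical format: timestamp then key=value pairs).
SAMPLE_FLOWS = """\
2024-01-15T09:01:02Z src=10.10.1.15 dst=10.20.0.5 dport=445 user=jsmith
2024-01-15T09:02:10Z src=10.10.1.15 dst=10.10.2.33 dport=445 user=jsmith
2024-01-15T09:02:40Z src=10.10.1.15 dst=10.10.2.34 dport=3389 user=jsmith
2024-01-15T09:03:05Z src=10.10.1.15 dst=10.10.2.35 dport=5985 user=jsmith
2024-01-15T09:05:00Z src=10.10.3.7 dst=10.20.0.9 dport=443 user=akim
2024-01-15T09:06:00Z src=10.10.3.7 dst=10.10.3.8 dport=80 user=akim
"""


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in nets)


def parse_flow(line):
    """Parse one 'ts key=value ...' line into a dict with typed fields."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return {"ts": parts[0], "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]), "user": fields["user"]}


def find_client_to_client(log_text):
    """Return flows where one workstation reaches another on an admin port."""
    hits = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if (in_any(f["src"], CLIENT_SUBNETS) and in_any(f["dst"], CLIENT_SUBNETS)
                and f["dport"] in ADMIN_PORTS):
            hits.append(f)
    return hits


def fan_out_by_source(hits, threshold=3):
    """Map each source to its distinct peer count when it meets the threshold."""
    peers = defaultdict(set)
    for f in hits:
        peers[str(f["src"])].add(str(f["dst"]))
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}
```

Single workstation-to-workstation flows are reviewed; a source touching three or more peers in a short window is what the escalation step surfaces.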

Elaborating, he said: “I think it’s clear that organizations are kind of failing [at] being able to capitalize on some early detections because of lack of adequate documentation. They’re not rehearsing the IR processes.”

What works in fighting cyber-attacks is a combination of people, processes, and technology, he told viewers. “When you get out there and you invest in all that stuff, you’re going to be able to, you know, reach the innovation and everything else, and the integration that Max was talking about,” he said. “As you start to invest in these different types of technologies and integrators, you’re still going to need that capability to be able to document that actual process.”

He predicted that “human-driven intrusion will basically continue through 2024.” Therefore, he explained: “I think it’s important to make sure that you can build different types of mechanisms that are going to be able to identify when someone is going to get into the network that is a rogue user account…. Enhancing a lot of your multi-factor authentication, I think, is also good.”

Also a great idea: “Don’t let them get access to these credentials in the first place,” he said.