Fortinet, a global leader in broad, integrated and automated cybersecurity solutions, today announced key findings of its latest quarterly Global Threat Landscape Report. The research reveals that cybercriminals continue to evolve the sophistication of their attack methods, from tailored ransomware and custom coding for some attacks, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities.
In Malaysia, the most prevalent exploits in Q1 2019 were ntpsec, attacks targeting vulnerable Apache Struts 2 servers, and a DoS vulnerability in the Foxit Quick PDF library. Windows 32-bit executables, weaponized Microsoft Office files and malicious Android apps were also commonly used to carry out malicious activity, while the most prevalent botnet detected was Andromeda, which had a very large botnet infrastructure despite having been taken down by the FBI, Europol’s European Cybercrime Centre (EC3) and others in December 2017.
“Organizations need to rethink their strategy to better future-proof and manage cyber risks. It is important to leverage the cyberspace fundamentals of speed and connectivity for defence,” said Gavin Chow, Fortinet’s Network and Security Strategist. “Embracing a fabric approach to security, micro and macro segmentation, and leveraging machine learning and automation as the building blocks of AI, can provide tremendous opportunity to force our adversaries back to square one.”
Key highlights of Fortinet’s Threat Landscape Report:
Pre- and Post-Compromise Traffic – When comparing Web filtering volume for two cyber kill chain phases during weekdays and weekends, pre-compromise activity is roughly three times more likely to occur during the work week, while post-compromise traffic shows less differentiation in that regard. This is primarily because exploitation activity often requires someone to take an action such as clicking on a phishing email. Cybercriminals understand this and will work to maximize opportunity during the week when Internet activity is the most prevalent.
Majority of Threats Share Infrastructure – Nearly 60% of threats shared at least one domain, indicating that the majority of botnets leverage established infrastructure. When threats share infrastructure, they tend to do so within the same stage in the kill chain. Understanding which threats share infrastructure, and at what points of the attack chain, enables organizations to predict potential evolutionary points for malware or botnets in the future.
Content Management Needs Constant Management – Adversaries tend to move from one opportunity to the next in clusters, targeting successfully exploited vulnerabilities and technologies that are on the upswing, to quickly maximize opportunity. It is critical to apply patches immediately and to fully understand the constantly evolving world of exploits in order to stay ahead of the curve.
Ransomware Far From Gone – Overall, previous high rates of ransomware have been replaced with more targeted attacks, but ransomware is far from gone. Instead, multiple attacks demonstrate it is being customized for high-value targets and to give the attacker privileged access to the network. Security leaders need to remain focused on patching and backups against commodity ransomware, but targeted threats require more tailored defences to protect against their unique attack methods.
Tools and Tricks for Living Off the Land – Threat actors operate using the same business models as their victims, so to maximize their efforts, they often continue to develop their attack methods even after gaining an initial entry. To accomplish this, threat actors increasingly leverage dual-use tools or tools that are already pre-installed on targeted systems to carry out cyberattacks. This “living off the land” (LoTL) tactic allows hackers to hide their activities in legitimate processes and makes it harder for defenders to detect them. Smart defenders will need to limit access to sanctioned administrative tools and log their use in their environments.
Need for Dynamic and Proactive Threat Intelligence
Improving an organization’s ability to not only properly defend against current threat trends, but also prepare for the evolution and automation of attacks over time requires threat intelligence that is dynamic, proactive, and available throughout the distributed network.