The threat landscape is constantly evolving and becoming more sophisticated. As recent headlines indicate, criminals are increasingly using a variety of new exploits and attack strategies that are often enhanced with automation and artificial intelligence. Attacks are targeting critical infrastructure, healthcare, information technology, financial services, and energy as high-priority sectors.
Part of the catalyst for this is that rapid network growth from initiatives like work from anywhere has expanded the attack surface. Cybercriminals have more lucrative opportunities to exploit old and new vulnerabilities by targeting poorly secured home networks that connect to corporate resources.
Ransomware, in particular, offers a low-investment, high-profit business model. And the creation and growth of Ransomware-as-a-Service (RaaS) and more sophisticated toolkits make it possible for less-technical criminals to be effective. In the past, FortiGuard Labs tracked a few primary ransomware groups, but now we are tracking many ransomware groups that are similar in terms of prevalence. An entire cybercriminal ecosystem has developed with more stakeholders, and malware is now bought and sold like a commodity. At FortiGuard Labs, we're seeing an increase in more destructive wiperware and zero-day threats.
Derek: These threats are becoming more challenging because the growing attack surface, more applications, and more complexity provide more attack vectors for cybercriminals. Of course, threats still come through email and phishing/social engineering techniques, which are known issues, but the threats we don't know about are more challenging.
Renee: I agree, and many organizations don't necessarily know where all the risks are within their environments. For example, zero-day threats may be coming in from technologies they have in their environment. And this brings home the fact that you need to ensure that you have the right risk mitigation and planning in place. Even though many threats are more sophisticated, it doesn't mean you also still don't have that low-hanging fruit out there as well. It's essential to keep up with your patch management to deal with known vulnerabilities.
I equate it to leaving your doors and windows open instead of locking them to prevent robberies. It just compounds the problem. Many organizations don't have enough staff and resources, so they're barely keeping their head above water now. And then you have all these unknown threats that complicate those issues even more.
Protecting against advanced persistent threats and unknown threats is easier said than done. Because it's unknown, you may not have any signatures or heuristics to know exactly how it works. But when you have certain capabilities like sandboxing and deception technology, you can see how things happen in your environment before the cybercriminals act.
Derek: Stopping and protecting against threats are temporary measures. Even if you manage to stop the threat in its tracks, you can bet it will come back again soon because they're constantly changing. This situation is why we need to lean toward mitigating risk and detecting zero-day threats with a whole layered defense strategy. A big part of that is having deeper-dive capabilities with real-time protection with in-line sandboxing. If you don't have in-line sandboxing in place, malware is only detected after the fact, which could be minutes or hours later, meaning the damage could already be done.
Renee: You also can work on detecting and stopping threats using deception technologies. In this case, once the attacker enters or leaves, it sets off the trap. And as far as mitigating some of the threats, like I said before, you need to be doing cyber hygiene to protect against low-hanging fruit.
Derek: Dwell time is how long a threat can persist on a system, and often it's way too long. The other factor we talk about in the Threat Landscape Report is the rate of exploit. That is the time from when a new threat or exploit comes out to the point that it is weaponized. And we're not talking about weeks anymore; it's between 24 to 48 hours that you have to respond. The entire attack chain is happening much more quickly now. The time from getting into a system and getting out of the system is happening faster. This speed of exploit is why you need automated defenses that can detect these activities.
Renee: Exactly. If you don't know about it, you can't fix it. You need to ensure that you have the right detection and monitoring capabilities so you know when you have a problem.