Industry Trends

Attack Patterns Uncover Defensive Strategies

By Fortinet | July 12, 2019

This is a summary of an article written for ThreatPost by Fortinet’s Global Security Strategist, Derek Manky. The entire article can be accessed here.

In Fortinet's Q1 2019 Threat Landscape Report, threat analysts at FortiGuard Labs chose to dig into data from the company’s web filtering service. Here is what they found.

Weekdays vs. Weekends

When researchers looked at the web-filtering volume from two Cyber Kill Chain phases, comparing weekdays and weekends, they discovered that pre-compromise activity is roughly three times more likely to occur during the work week.

This is primarily due to the fact that most phishing attacks require someone to click on an email link or perform some other action, whereas post-compromise activities that use command-control services can occur anytime.

Every bit of insight that can be gained on how attackers work can be converted into improvements in security practices. In this case, it may make sense to consider differentiating weekday and weekend filtering practices.

Shared Infrastructure

Another interesting insight is the degree to which different threats share infrastructure (namely, URLs). In fact, nearly 60% of all analyzed threats shared public infrastructure. For example, IcedID, the 9th ranked threat by volume, shared nearly two-thirds of the domains it contacted with other threats.

Even more intriguing: when threats share infrastructure, they also tend to do so within the same stage in the Kill Chain. Similarly, while many different threats may share the same domain during, say, the exploitation phase of an attack, it would be unusual for that threat to also leverage that domain for its C2 traffic.

Security Tactics

It’s clear that cybercriminals share more than source code and sell technology on Dark Web commerce sites. They also share strategies and techniques. When that information is understood and incorporated into a security strategy, pattern and behavior marching can improve the ability to detect live threats. Attack vectors, like those just discussed, underscore the need for organizations to rethink their strategy to better future-proof and manage cyber risks.

This should start with organizations taking a layered approach to security across people, processes, and technology:

People – The vast majority of attacks still happen because someone clicks on a malicious link. Employees need to be continually educated on creating strong passwords, how to identify malicious URLs and email sources, and to not open or click on unfamiliar or unexpected email messages, links, or attachments. This should then be augmented with access management policies, including a zero trust policy, and intent-based segmentation so in the event of an incident, an attack is limited to a specific segment of the network.

Processes – Incident response plans need to include regular backups that are stored off-network, regular testing of those backups, and system restoration drills to ensure everyone knows their role so systems can be restored as quickly as possible.

IT teams must always know what assets are online, where those assets are, and then be able to prioritize their access to and consumption of resources based on which are most business-critical.

Technology – Security tools need to be chosen based on their ability to be integrated together and cross-automated so they can gather, share, correlate, and consume threat intelligence across the entire distributed network in real time.

“Deception technology is another tactic IT teams should make use of. Effective deception strategies make it harder for an adversary to determine which assets are fake and which are real, while tripwires embedded in these false signals increase the ability to detect an intruder. Finally, segmenting corporate networks limits exposure of critical data if there is a breach.”

–Derek Manky, ThreatPost, June 14, 2019

Adapt Your Security Strategies

Last quarter’s threat research from FortiGuard Labs offered important insights into how attackers are evolving and how you can leverage behavior patterns to see and circumvent threats. For example, initial attacks stages tend to occur during work hours, and those attacks also tend to share infrastructure. In response, IT security teams should be on the lookout for these and similar activity identifiers by adjusting their detection and filtering practices accordingly.

This is a summary of an article written for ThreatPost entitled, Hackers Favor Weekdays for Attacks, Share Resources Often, written by Fortinet’s Global Security Strategist, Derek Manky and published on on June 14, 2019. 

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.