An Overview of the Fortinet Threat Landscape Report for Q1 2019
Looking back at the threat landscape of the first quarter of 2019 shows that cybercriminals are not just becoming increasingly sophisticated in terms of their attack methods and tools, they are also becoming very diverse. Attackers are increasingly using a broad range of attack strategies, from targeted ransomware to custom coding, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities, and using pre-installed tools to move laterally and stealthily across a network before instigating an attack.
The report provides insight into each of these strategies, along with a deeper analysis of some of the more popular and malicious trends that cybersecurity professionals and systems administrators need to understand if they are to properly protect their networks.
Ransomware Far From Gone: In general, previous high rates of ransomware have been replaced with more targeted attacks, but ransomware is far from gone. Instead, multiple attacks demonstrate it is being customized for high-value targets and to give the attacker privileged access to the network. LockerGoga is an example of a targeted ransomware conducted in a multi-stage attack. There is little about LockerGoga that sets it apart from other ransomware in terms of functional sophistication, but while most ransomware tools use some level of obfuscation to avoid detection, there was little of it used when analyzed. This suggests the targeted nature of the attack and a predetermination that the malware would not be easily detected. In addition, like most other ransomware, the main goal of Anatova is to encrypt as many files as possible on the victim system, except that it systematically avoids encrypting anything that can impact the stability of the system it is infecting. It also avoids infecting computers that look like they are being used for malware analysis or as honeypots. Both of these ransomware variants demonstrate that security leaders need to remain focused on patching and backups against commodity ransomware, but targeted threats require more tailored defenses to protect against their unique attack methods.
Figure 1: Fortinet Threat Landscape Index (top) and subindices for Botnets, Exploits, and Malware (bottom).
Practice Good Cyber Hygiene: At the risk of sounding like a broken record, security leaders need to ensure they prioritize and respond to threat intelligence on new vulnerabilities, especially those in newer technologies that provide access to wide swatches of users (e.g., CMS platforms). Attackers will scan for those vulnerabilities long after the patches are released to identify unprotected devices and systems.
Intentional Ransomware Defense: Detecting and preventing ransomware is becoming more of a “game of choice” rather than a “game of chance.” Security leaders need to understand what ransomware attacks are targeting—geography and vulnerabilities, prioritize patching, and establish backup, storage, and recovery activities.
Be Wary of Pre-installed Tools: Organizations must pay particular attention to pre-installed tools such as PowerShell, VB, IronPython, and other tools that can be exploited to escalate privilege and hide malicious code and attacks. Intent-based segmentation, which uses business logic to segment the network, devices, users, and apps, can prevent lateral movement of LoTL attacks—preventing them from accessing critical data and infrastructure.
Emphasize Threat Intelligence: Threat intelligence not only needs to analyze threats, but use that analysis to predict potential evolutionary points for that malware. Security leaders should also look for threat intelligence that is not only broad and deep, but that uses AI/ML capabilities to model future states. This external intelligence then needs to be combined with local data, such as using sandbox technology to detect and prevent these “new” threats from impacting their environments.
Establishing and maintaining proper defenses in a rapidly evolving threat landscape requires understanding threats before they happen, and that requires reliable and timely threat intelligence. Improving an organization’s ability to not only properly defend against current threat trends, but also prepare for the evolution and automation of attacks over time requires threat intelligence that is dynamic, proactive, and available throughout the distributed network. This knowledge can help identify trends showing the evolution of attack methods targeting the digital attack surface and to pinpoint cyber hygiene priorities based on where bad actors are focusing their efforts. The value and ability to take action on threat intelligence is severely diminished if it cannot be actionable in real time across each security device. Only a security fabric that is broad, integrated, and automated can provide protection for the entire networked environment, from IoT to the edge, network core and to multi-clouds at speed and scale.
View the Fortinet Threat Landscape Index and subindices for botnets, malware, and exploits for Q1, 2019.
For a more detailed view into the changing threats and events driving the Fortinet Threat Landscape Index each week, check out our Weekly Threat Briefs. Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Learn more about the FortiGuard Security Rating Service, which provides security audits and best practices.
Read our Adversary Playbook about Silence Group - a cybercriminal organization that targets banks, specifically stealing information used in the payment card industry.