FortiGuard Labs Threat Research
Looking back at the threat landscape of the first quarter of 2019 shows that cybercriminals are not just becoming increasingly sophisticated in terms of their attack methods and tools, they are also becoming very diverse. Attackers are increasingly using a broad range of attack strategies, from targeted ransomware to custom coding, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities, and using pre-installed tools to move laterally and stealthily across a network before instigating an attack.
The Fortinet report provides insight into each of these strategies, along with a deeper analysis of some of the more popular and malicious trends that cybersecurity professionals and systems administrators need to understand if they are to properly protect their networks.
Ransomware Far From Gone: In general, previous high rates of ransomware have been replaced with more targeted attacks, but ransomware is far from gone. Instead, multiple attacks demonstrate it is being customized for high-value targets and to give the attacker privileged access to the network.
Pre- and Post-Compromise Traffic: Research to see if threat actors carry out phases of their attacks on different days of the week demonstrates that cybercriminals are always looking to maximize opportunity to their benefit. When comparing Web filtering volume for two cyber kill chain phases during weekdays and weekends, pre-compromise activity is roughly three times more likely to occur during the work week, while post-compromise traffic shows less differentiation in that regard.
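The weekday-versus-weekend comparison above is easy to get wrong if raw hit counts are compared directly, because a week has five working days and only two weekend days. The following added example (not code from the report or from Fortinet) normalizes per calendar day before taking the ratio; the daily counts and the "pre"/"post" phase labels are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: daily web-filter hit counts per cyber kill chain phase
# over one full week. Counts and phase labels are made up for illustration.
SAMPLE_DAILY_HITS = {
    "2019-01-07": {"pre": 3, "post": 2},  # Mon
    "2019-01-08": {"pre": 3, "post": 2},  # Tue
    "2019-01-09": {"pre": 3, "post": 2},  # Wed
    "2019-01-10": {"pre": 3, "post": 2},  # Thu
    "2019-01-11": {"pre": 3, "post": 2},  # Fri
    "2019-01-12": {"pre": 1, "post": 2},  # Sat
    "2019-01-13": {"pre": 1, "post": 2},  # Sun
}

def per_day_rates(daily_hits):
    """Return {phase: {"weekday": rate, "weekend": rate}}, where rate is the
    mean hits per calendar day in that bucket. Every day in the window must be
    present (zero-hit days included), otherwise quiet days are silently dropped
    and the weekday/weekend comparison is skewed."""
    days = {"weekday": 0, "weekend": 0}
    totals = defaultdict(lambda: {"weekday": 0, "weekend": 0})
    for day, phases in daily_hits.items():
        bucket = "weekend" if date.fromisoformat(day).weekday() >= 5 else "weekday"
        days[bucket] += 1
        for phase, hits in phases.items():
            totals[phase][bucket] += hits
    return {
        phase: {b: totals[phase][b] / days[b] for b in days if days[b]}
        for phase in totals
    }

def weekday_bias(daily_hits):
    """Ratio of weekday to weekend per-day rate for each phase (>1 means the
    phase is more active during the work week). Returns None for a phase
    with no weekend activity instead of dividing by zero."""
    rates = per_day_rates(daily_hits)
    return {
        phase: (r["weekday"] / r["weekend"] if r.get("weekend") else None)
        for phase, r in rates.items()
    }

if __name__ == "__main__":
    for phase, bias in weekday_bias(SAMPLE_DAILY_HITS).items():
        print(f"{phase}: weekday/weekend per-day ratio = {bias}")
```

With the constructed counts, pre-compromise traffic comes out three times more likely per day on weekdays while post-compromise traffic is flat, mirroring the pattern the report describes.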
Majority of Threats Share Infrastructure: The degree to which different threats share infrastructure shows some valuable trends. Some threats leverage community-use infrastructure to a greater degree than unique or dedicated infrastructure. Nearly 60% of threats shared at least one domain, indicating that the majority of botnets leverage established infrastructure.
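A defender can measure the same overlap in their own telemetry by inverting a threat-to-domain map into a domain-to-threat index. This added example (not from the report; the threat names and `.example` domains are constructed placeholders, not real indicators) reports which domains are community-use and what fraction of threats rely on at least one of them.

```python
from collections import defaultdict

# Constructed sample: threat/botnet name -> domains observed for it.
# All names and domains are placeholders, not indicators from the report.
SAMPLE_INFRA = {
    "botnet-a": {"cdn-1.example", "a-only.example"},
    "botnet-b": {"cdn-1.example", "b-only.example"},
    "botnet-c": {"cdn-1.example", "hosting-2.example"},
    "botnet-d": {"d-only.example"},
    "botnet-e": {"e-only.example"},
}

def domain_index(infra):
    """Invert threat -> domains into domain -> set of threats using it."""
    idx = defaultdict(set)
    for threat, domains in infra.items():
        for d in domains:
            idx[d].add(threat)
    return idx

def community_domains(infra, min_threats=2):
    """Domains used by at least min_threats distinct threats, most shared first.
    A heavily shared domain may be a legitimate service (CDN, bulk hoster), so
    treat these as pivot points for investigation, not automatic blocks."""
    idx = domain_index(infra)
    shared = {d: sorted(t) for d, t in idx.items() if len(t) >= min_threats}
    return dict(sorted(shared.items(), key=lambda kv: (-len(kv[1]), kv[0])))

def threats_sharing_infra(infra):
    """Threats with at least one domain that another threat also uses."""
    shared = set(community_domains(infra))
    return sorted(t for t, ds in infra.items() if ds & shared)

def shared_fraction(infra):
    """Fraction of threats sharing at least one domain (0.0 for empty input)."""
    if not infra:
        return 0.0
    return len(threats_sharing_infra(infra)) / len(infra)

if __name__ == "__main__":
    print(f"{shared_fraction(SAMPLE_INFRA):.0%} of threats share infrastructure")
    for d, ts in community_domains(SAMPLE_INFRA).items():
        print(f"  {d}: {', '.join(ts)}")
```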
Content Management Needs Constant Management: New technologies getting a lot of attention from cybercriminals recently are Web platforms that make it easier for consumers and businesses to build Web presences. These platforms continue to be targeted, and so do their associated third-party plugins.
Tools and Tricks for Living Off the Land: Threat actors increasingly leverage dual-use tools or tools that are already pre-installed on targeted systems to carry out cyberattacks. This “living off the land” (LoTL) tactic allows hackers to hide their activities in legitimate processes and makes it harder for defenders to detect them. These tools also make attack attribution much harder.
Practice Good Cyber Hygiene: At the risk of sounding like a broken record, security leaders need to ensure they prioritize and respond to threat intelligence on new vulnerabilities, especially those in newer technologies that provide access to wide swaths of users (e.g., CMS platforms). Attackers will scan for those vulnerabilities long after the patches are released to identify unprotected devices and systems.
Intentional Ransomware Defense: Detecting and preventing ransomware is becoming more of a “game of choice” rather than a “game of chance.” Security leaders need to understand what ransomware attacks are targeting (geography and vulnerabilities), prioritize patching, and establish backup, storage, and recovery activities.
Be Wary of Pre-installed Tools: Organizations must pay particular attention to pre-installed tools that can be exploited to escalate privilege and hide malicious code and attacks. Intent-based segmentation, which uses business logic to segment the network, devices, users, and apps, can prevent lateral movement of LoTL attacks—preventing them from accessing critical data and infrastructure.
Emphasize Threat Intelligence: Threat intelligence not only needs to analyze threats, but use that analysis to predict potential evolutionary points for that malware. Security leaders should also look for threat intelligence that is not only broad and deep, but that uses AI/ML capabilities to model future states. This external intelligence then needs to be combined with local data, such as using sandbox technology to detect and prevent these “new” threats from impacting their environments.
View the Fortinet Threat Landscape Index and subindices for botnets, malware, and exploits for Q1, 2019.