
Case Studies

Incident response year

“Why build new tools when existing ones work?” seems to be the motto of cyber attackers, making 2018 a year of evolution rather than revolution in attack methods, according to Secureworks, a US-based cyber-security company that studied more than 1000 incident response engagements.

In previous years, government-sponsored, criminal, and hacktivist groups each had a distinct way of operating, according to Secureworks analysts. For example, the government-sponsored actors often invested time and resources into developing their own malware to use in highly targeted attacks, whereas financially motivated criminals used indiscriminate and broader-scale tactics. These groups’ methods rarely overlapped.

In 2018, those same groups often used overlapping tactics: using unauthorised access to one system inside a network as a foothold for further attacks, relying on “living off the land” techniques (abusing legitimate administration tools already present on the victim’s systems rather than deploying custom malware), and making extensive use of publicly available malware.

Year after year, the same issues and security gaps are blighting organisations’ ability to identify and respond to threats, Secureworks suggests. For example, the security implications of adopting new technologies or of major changes to networks are not consistently addressed, creating longer-term problems; and suppliers and third parties can be compromised if they offer an easier path to the ultimate target than a direct attack would. In sum, according to the report, ‘threat actors are collectively maturing toward behaviours that take advantage of the systemic defensive gaps organisations leave open year after year’.

Secureworks says that its analysts often encounter baffled victims of hacks seeking to understand what has happened to them and sometimes asking “why would someone want to target OUR network?” The report adds: “The answer to that question depends on what assets they have. Every organisation has something of value to threat actors, such as money, intellectual property, computing resources, and personally identifiable information (PII).”

Business email fraud, which covers business email compromise (BEC) and business email spoofing (BES), is a growing part of financially motivated attacks and tends to have two victims. “One victim is the owner of an email account that is compromised, perhaps by stealing their password and using the credentials to access Outlook on Office 365. Their mailbox is monitored for opportunities to persuade a colleague to transfer money to the threat actor’s bank account. This colleague, who may be in the same organisation or may be in a role such as customer or supplier, becomes the second victim.”
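As an added illustration (not from the Secureworks report or the original article), the following Python script sketches one way a defender can spot the first step of the BEC scenario quoted above: a stolen password being used to sign in to a mailbox from somewhere the account owner has never signed in from before, or from two countries too close together in time to be the same person. The log format, field names (`time`, `user`, `ip`, `country`, `app`, `result`) and the sample sign-in events are constructed for this example; a real deployment would read the actual Office 365 sign-in logs and map their fields accordingly.

```python
"""Flag mailbox sign-ins that look like use of stolen credentials.

Two simple checks run over successful sign-ins, per user, in time order:
  * new-country: the country has never been seen for this user before
    (only once the user has some history, so a first-ever sign-in is silent);
  * impossible-travel: the previous successful sign-in for this user came
    from a different country within `travel_window`.
Failed sign-ins are ignored: the attacker in the BEC scenario has the
correct password, so the interesting events all succeed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line. Field names are an
# assumption for this example, not the real Office 365 audit schema.
SAMPLE_LOG = """
{"time": "2018-03-01T08:02:00", "user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "app": "Exchange Online", "result": "Success"}
{"time": "2018-03-02T08:10:00", "user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "app": "Exchange Online", "result": "Success"}
{"time": "2018-03-03T08:05:00", "user": "bob@example.com",   "ip": "203.0.113.11", "country": "GB", "app": "Exchange Online", "result": "Success"}
{"time": "2018-03-05T07:58:00", "user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "app": "Exchange Online", "result": "Success"}
{"time": "2018-03-05T08:40:00", "user": "alice@example.com", "ip": "198.51.100.77", "country": "US", "app": "Exchange Online", "result": "Success"}
{"time": "2018-03-05T09:00:00", "user": "alice@example.com", "ip": "198.51.100.77", "country": "US", "app": "Exchange Online", "result": "Failure"}
{"time": "2018-03-06T08:01:00", "user": "bob@example.com",   "ip": "203.0.113.11", "country": "GB", "app": "Exchange Online", "result": "Success"}
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    app: str
    success: bool


def parse_events(text):
    """Parse JSON-lines sign-in records into SignIn objects sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(SignIn(
            ts=datetime.fromisoformat(rec["time"]),
            user=rec["user"].lower(),
            ip=rec["ip"],
            country=rec["country"],
            app=rec["app"],
            success=rec["result"] == "Success",
        ))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_signins(events, travel_window=timedelta(hours=2)):
    """Return a list of alert dicts for successful sign-ins that break a user's pattern."""
    seen_countries = {}   # user -> set of countries from earlier successful sign-ins
    last_success = {}     # user -> most recent successful SignIn
    alerts = []
    for e in events:
        if not e.success:
            continue
        known = seen_countries.setdefault(e.user, set())
        prev = last_success.get(e.user)
        if known and e.country not in known:
            alerts.append({"user": e.user, "time": e.ts.isoformat(), "kind": "new-country",
                           "detail": f"first sign-in from {e.country} via {e.ip} to {e.app}"})
        if prev is not None and prev.country != e.country and e.ts - prev.ts <= travel_window:
            alerts.append({"user": e.user, "time": e.ts.isoformat(), "kind": "impossible-travel",
                           "detail": f"{prev.country} at {prev.ts.isoformat()} then {e.country} "
                                     f"{int((e.ts - prev.ts).total_seconds() // 60)} min later"})
        known.add(e.country)
        last_success[e.user] = e
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_signins(parse_events(SAMPLE_LOG)):
        print(f"{a['time']} {a['user']} {a['kind']}: {a['detail']}")
```

On the constructed log, only alice's 08:40 sign-in from the US fires, and it fires both checks; bob's routine sign-ins and the later failed attempt stay quiet. In practice the "new country" baseline should be learned over a defined window rather than from the first event ever seen, and an alert should prompt a look at what the session then did in the mailbox (the monitoring for payment opportunities that the report describes), not just at where it came from.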

Visit secureworks.com. See also the company’s blog.
