June 26, 2020 | By Guy Liberman Cyber Security Division Manager
TSOC Top Attack Vectors – 2020 (First Half)
In the first half of 2020, while organizations are trying to cope with the repercussions of COVID-19, cyber-attacks are not subsiding. According to our TSOC analysis, the top attack vectors for 2020 have not changed from 2019, but they have become much more alarming. Below we list the top attack vectors along with adequate remediation measures against the identified risks.
The Good – Phishing
“Dear Sir,
You have won 1 million dollars
Dr. Evil.”
In preceding years, there used to be a clear differentiation between spear phishing and widespread phishing campaigns. Based on our observations, the boundary between targeted and general campaigns is diminishing.
The time it takes for a generic phishing campaign to turn into a personal call to action has shrunk to 2-3 messages. In line with our investigations, Business Email Compromise (BEC) is still a leading attack vector with a massive impact, escalating from a single email to a strategic man-in-the-email placement or domain takeover.
What can you do, to mitigate against such risks?
- Block unused or unwanted device types & browsers across the organization
- Block auto forwarding rules outside of your domain
- Implement multifactor authentication (MFA)
- Educate end users and support them with means to identify and alert on suspicious activities
- Minimize response time and refine your investigation skills
- Enable geolocation monitoring for VIPs
The Bad – Drive by
Misled users have always been an easy target for cyber criminals, but lately we are witnessing a rise in the use of legitimate-looking applications and clickbait, which can deceive potential victims easily. This is troubling organizations across all industries.
As users are click-happy, a simple click that downloads a file to the user’s workstation becomes an arduous task for the security operations team. We observe that at least 10% of those malicious drive-bys are loaders or first stagers (components of multi-stage attacks), in particular those used by known cyber criminal groups.
What can you do, to mitigate against such risks?
- Block downloads by default
- Implement any “3-letter” technology that will identify the macro, identify malicious LOLBin usage, or collect the data you need to understand what has happened
- Manage your applications end-to-end and do not let end users install, update, or manage applications themselves
- Follow the principle of least privilege – do not operate with high permissions daily, especially for end users – NO MORE LOCAL ADMIN
- Educate end users and support them with means to identify and alert on suspicious activities
- Minimize detection time and artifact retrieval time, and refine your investigation skills to perform root cause analysis (RCA)
The “How did it happen to me?” – Misconfiguration
COVID-19 is constantly changing the way organizations operate; as they enable their employees to work remotely (work from home), the attack surface has also increased dramatically. As organizations adapt rapidly for business continuity, they also open avenues to new and unknown risks. Malicious actors will seek to abuse such unhandled risks, especially at a time when detection mechanisms may not be closely watched.
To support distributed work, organizations are using cloud-based services, which may not be aligned with the organization’s on-premise security standards. This creates a risk of credential theft through exposed interfaces or inadequate MFA deployments. If services or infrastructure are accidentally exposed during cloud provisioning, the impact can be fatal. The cause may be an unplanned network change that slipped under the radar of the change management process.
Adversaries are taking advantage of RDP ports left open, and now, with the current situation, new login portals are widely available for abuse by malicious actors. These are just examples of the chaos that misconfigurations can cause if not carefully tackled.
What can you do, to mitigate against such risks?
- Plan wisely! Check all aspects from a hardening standpoint before deployment
- Revive your neglected procedures, with proper change management, which can further reduce exposures
- Measure your attack surface at all times and take countermeasures
- Make sure critical changes are being reviewed
- Treat your cloud and remote devices as if they are within your internal perimeter
- Mistakes happen, but detection and response time is crucial
- Protect your passwords – keep them complex and use MFA
- Protect externally exposed websites and their login pages; this eliminates threats even if it is just a kitty that wants to play
- RDP should never be accessible from the internet
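The "measure your attack surface" and "RDP should never be accessible from the internet" points above can be turned into a routine check over your firewall or cloud security-group rules. The script below is an added example for this post, not TSOC's own tooling: the rule records are constructed to mimic the fields most security groups expose (rule id, protocol, port range, source CIDR), and the table of sensitive ports and the "broad public prefix" threshold are assumptions you would tune to your environment. It generalizes the RDP point to other remote-admin services and to rules that open every port.

```python
"""Flag firewall / security-group rules that expose remote-access ports to the Internet.

Added example (not TSOC tooling). SAMPLE_RULES is constructed; SENSITIVE_PORTS
and the max_prefix threshold are assumptions for illustration.
"""
import ipaddress

# Ports whose Internet exposure the post calls out (RDP), plus other common
# remote-admin / login services a reviewer would want flagged. Assumed list.
SENSITIVE_PORTS = {
    3389: "RDP",
    22: "SSH",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    445: "SMB",
    1433: "MSSQL",
}

# Address ranges treated as "inside the perimeter" for this check.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample rules: (rule id, protocol, from_port, to_port, source CIDR)
SAMPLE_RULES = [
    ("sg-001", "tcp", 443, 443, "0.0.0.0/0"),        # public HTTPS, expected
    ("sg-002", "tcp", 3389, 3389, "0.0.0.0/0"),      # RDP open to the world
    ("sg-003", "tcp", 3389, 3389, "10.20.0.0/16"),   # RDP from an internal range
    ("sg-004", "tcp", 22, 22, "203.0.113.0/24"),     # SSH from one external /24
    ("sg-005", "tcp", 0, 65535, "0.0.0.0/0"),        # every port open
    ("sg-006", "tcp", 5985, 5986, "::/0"),           # WinRM open over IPv6
]


def is_world_reachable(cidr: str, max_prefix: int = 8) -> bool:
    """True when the source range is effectively 'anyone on the Internet'.

    0.0.0.0/0 and ::/0 are the obvious cases. Internal (RFC 1918 / ULA) ranges
    never count. Very short public prefixes are treated like 'anyone'; the
    threshold is an assumption.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    for priv in PRIVATE_RANGES:
        if priv.version == net.version and net.subnet_of(priv):
            return False
    return net.prefixlen <= max_prefix


def exposed_ports(from_port: int, to_port: int):
    """Sensitive (port, service) pairs that fall inside a rule's port range."""
    return [(p, svc) for p, svc in SENSITIVE_PORTS.items() if from_port <= p <= to_port]


def find_exposures(rules):
    """Return one finding per sensitive service reachable from the Internet."""
    findings = []
    for rule_id, proto, from_port, to_port, cidr in rules:
        if proto.lower() not in ("tcp", "all", "-1"):   # "-1"/"all" = any protocol
            continue
        if not is_world_reachable(cidr):
            continue
        for port, svc in exposed_ports(from_port, to_port):
            findings.append({"rule": rule_id, "port": port, "service": svc, "source": cidr})
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_RULES):
        print(f"{f['rule']}: {f['service']} (tcp/{f['port']}) reachable from {f['source']}")
```

Run against the constructed rules, sg-001 and sg-003 are silent (HTTPS is not in the sensitive list, and the RDP rule is limited to an internal range), while sg-002, sg-005 and sg-006 produce findings. Feed it the rule export from your own firewall or cloud provider and schedule it, so a rule added outside change management surfaces the next day rather than after an incident.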
Some controls that also might be handy (they did save us):
- Alert on mailboxes set to forward to an external inbox
- Reviewing the global admin permission set
- Monitoring LOLBin network communication
- Identifying unusual geo-locations for VIPs
- Reviewing applications approved within O365
- Recognizing unusual email distribution lists
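Two of these controls, the external-forwarding alert (also the "block auto forwarding rules outside of your domain" item in the phishing section) and LOLBin network monitoring (also the LOLBin item in the drive-by section), are easy to express as detection logic over log records. The script below is an added example, not TSOC's own tooling: every record is constructed, the mailbox events loosely follow the shape of Exchange Online audit records (an Operation name plus a list of Name/Value parameters) and the network events the shape of endpoint network-connection events, but the field names, the internal domain, and the LOLBin list are assumptions to adapt to your environment.

```python
"""Two 'handy controls' from the post as detection logic over log records.

Added example (not TSOC tooling). All events below are constructed; field names
are assumptions modelled on audit-log shapes, not a schema guarantee.
"""
import ipaddress

INTERNAL_DOMAINS = {"example.com"}   # the organisation's own mail domains (assumed)

# Mailbox operations and the parameters that make mail leave the mailbox.
FORWARDING_PARAMS = {
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress", "ForwardingAddress"),
}

# Windows binaries commonly repurposed as loaders; on a normal workstation they
# rarely talk to the Internet, so an outbound connection is worth a ticket.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "bitsadmin.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MAILBOX_EVENTS = [  # constructed
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "smtp:finance@example.com"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:bob.backup@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@example.org"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@example.com",
     "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]},
]

NETWORK_EVENTS = [  # constructed
    {"Image": r"C:\Windows\System32\certutil.exe", "User": "CORP\\bob",
     "DestinationIp": "198.51.100.23", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\rundll32.exe", "User": "CORP\\alice",
     "DestinationIp": "10.1.2.3", "DestinationPort": 445},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": "CORP\\alice",
     "DestinationIp": "198.51.100.40", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\mshta.exe", "User": "CORP\\eve",
     "DestinationIp": "203.0.113.9", "DestinationPort": 80},
]


def _domain(address: str) -> str:
    """'smtp:user@host' or 'user@host' -> 'host' (lower-case)."""
    return address.split(":")[-1].rsplit("@", 1)[-1].lower()


def external_forwarding_alerts(events, internal_domains=INTERNAL_DOMAINS):
    """(user, operation, parameter, target) for every forward to an outside domain."""
    alerts = []
    for ev in events:
        watched = FORWARDING_PARAMS.get(ev.get("Operation"), ())
        for param in ev.get("Parameters", []):
            if param["Name"] in watched and _domain(param["Value"]) not in internal_domains:
                alerts.append((ev["UserId"], ev["Operation"], param["Name"], param["Value"]))
    return alerts


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)


def lolbin_network_alerts(events):
    """(user, binary, destination) for LOLBins connecting outside RFC 1918 space."""
    alerts = []
    for ev in events:
        binary = ev["Image"].rsplit("\\", 1)[-1].lower()
        if binary not in LOLBINS or _is_internal(ev["DestinationIp"]):
            continue   # internal targets are noisier but usually legitimate; tune as needed
        alerts.append((ev["User"], binary, f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return alerts


if __name__ == "__main__":
    for a in external_forwarding_alerts(MAILBOX_EVENTS):
        print("FORWARDING:", *a)
    for a in lolbin_network_alerts(NETWORK_EVENTS):
        print("LOLBIN:", *a)
```

On the constructed input, bob's rule (forwarding to a look-alike domain and deleting the original, a classic BEC pattern) and carol's mailbox-level forward to example.org fire; alice's forward stays inside the domain and dave's change touches no forwarding parameter. On the network side certutil.exe and mshta.exe reaching external addresses are reported, while rundll32.exe talking to an internal host and the browser are left alone. The point of keeping the rules this small is that they run equally well on the raw audit export when the SIEM is down, which is when the "detection mechanisms may not be closely watched" remark above tends to apply.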