Top Initial Attack Vectors: Passwords, Bugs, Trickery
Use of LOLBins, GitHub Tools and Cobalt Strike Also Widespread, Researchers Say
Here are the top three tactics attackers have been using to break into corporate and government networks: brute-forcing passwords, exploiting unpatched vulnerabilities, and social engineering via malicious emails.
So says security firm Kaspersky, in a new incident response report analyzing investigations it undertook during 2020.
The top-level takeaway is bad news: Attackers are continuing to use previously seen tactics to gain entry to corporate networks, followed by using recognizable tools to reconnoiter and gain high-level access to systems, after which they often unleash ransomware, steal data or pursue another criminal scheme. For ransomware attacks in particular, the time between intrusion and culmination - when files get forcibly encrypted - can be hours, or just a few days.
In many cases, damage has already been done before a victim has had time to investigate. In the report, Kaspersky says that while 53% of the incident response investigations it led were launched after suspicious activity was detected, in 37% of cases, files had already been forcibly encrypted, while 7% of the time data leakage had been discovered, and in 3% of cases, an organization suspected that funds had gone missing.
Luckily for some firms, about 10% of investigations turned out to be false positives - as in, suspicious activity from network sensors, endpoint protection products or suspected data leakage turned out to not be malicious.
Attackers' Top Goals
For the rest, however, one-third of intrusions led to ransomware infections - in a sign of just how prevalent this type of attack has become - while 15% resulted in data leakage, which could potentially also be tied to ransomware attackers stealing data to try to force victims to pay a ransom. In addition, 11% of intrusions resulted in attackers retaining persistent access to a network, meaning they might continue the attack later.
"Ransomware adversaries employ almost all widespread initial access scenarios," Kaspersky says. "Attacks starting with brute force are easy to detect in theory, but in practice only a fraction of them were identified before impact."
Challenges: Old Logs, Accidental Evidence Destruction
In nearly half of cases, how exactly attackers broke in remained a mystery.
"We identified the initial vector in 55% of cases," Kaspersky says. "Very old incidents, unavailable logs, (un)intentional evidence destruction by the victim organization and supply-chain attacks were among the numerous reasons for failing to identify how adversaries initially gained a foothold in the network."
Kaspersky didn't immediately respond to a request for comment about exactly how many incident response and digital forensics investigations it undertook last year.
Talk Tools, Because Attackers Do
One challenge for security teams is that attackers continue to rely on a number of tools that can be used legitimately by IT teams. In many cases, attackers are also using easily accessible - and very effective - offensive tools that can be obtained for free.
Kaspersky says that "almost half of all incident cases included the use of existing operating system tools like LOLbins" - referring to legitimate OS binaries that attackers could turn to nefarious use - plus "well-known offensive tools from GitHub - e.g., Mimikatz, AdFind, Masscan - and specialized commercial frameworks such as Cobalt Strike."
Essential Defenses: Back to Basics
To block attackers' use of such tools, Kaspersky recommends defenders "implement rules for detection of widespread tools used by adversaries," and whenever possible, "eliminate usage of similar tools by internal IT teams," as well as test the speed and effectiveness with which the organization's security operations center can spot, trace and block the use of such tools.
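As an added illustration of that "detection of widespread tools" recommendation (example code written for this article, not from the report or Kaspersky), the following toy rule set runs over constructed process-creation events, matching the GitHub tools the report names on both file name and embedded original file name, and flagging OS binaries only when their command line carries a URL. The event fields, the LOLBin list, the sample hosts and users and the approved-admin allowlist are all assumptions.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Offensive tools named in the report (Mimikatz, AdFind, Masscan). Matched on the
# executable's embedded original file name and on the command line as well as the
# on-disk name, so a simple rename of the binary does not defeat the rule.
KNOWN_TOOLS = ("mimikatz", "adfind", "masscan")

# OS binaries commonly abused as LOLBins to fetch remote content. Assumed list for
# illustration; flagged only when the command line contains a URL.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def classify(event: Dict[str, str], approved_admins: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    haystack = " ".join((image, event.get("original_file_name", ""), event["cmdline"])).lower()
    if any(tool in haystack for tool in KNOWN_TOOLS):
        # The report advises eliminating internal IT use of such tools, so the
        # allowlist should stay small; an approved admin still gets a review item.
        return "medium" if event["user"] in approved_admins else "high"
    if image in LOLBINS and URL_RE.search(event["cmdline"]):
        return "medium"
    return None


def scan(events: Iterable[Dict[str, str]],
         approved_admins: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (severity, host, image name) for every event that trips a rule."""
    hits = []
    for ev in events:
        sev = classify(ev, approved_admins)
        if sev:
            hits.append((sev, ev["host"], ev["image"].rsplit("\\", 1)[-1]))
    return hits


# Constructed sample events (loosely Sysmon-shaped; hosts, users and paths invented).
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "original_file_name": "mimikatz.exe", "cmdline": "mk.exe"},
    {"host": "dc-01", "user": "CORP\\it-svc", "image": r"C:\Tools\AdFind.exe",
     "original_file_name": "AdFind.exe", "cmdline": "AdFind.exe"},
    {"host": "ws-042", "user": "CORP\\asmith", "image": r"C:\Windows\System32\certutil.exe",
     "original_file_name": "CertUtil.exe", "cmdline": "certutil.exe http://example.invalid/x.bin x.bin"},
    {"host": "ws-042", "user": "CORP\\asmith", "image": r"C:\Windows\System32\certutil.exe",
     "original_file_name": "CertUtil.exe", "cmdline": "certutil.exe -verify cert.cer"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, approved_admins=frozenset({"CORP\\it-svc"})):
        print(hit)
```

The fourth event, an ordinary certutil invocation with no URL, produces no hit, which is the false-positive case the report's numbers show security teams also spend time on.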
Another takeaway from the report is that eliminating known vulnerabilities and - wherever possible - locking down access by implementing two-factor authentication appears to drive many attackers to look elsewhere.
"When attackers prepare their malicious campaign, they want to find low-hanging fruit like public servers with well-known vulnerabilities and known exploits," Kaspersky says. "Implementing an appropriate patch management policy alone reduces the likelihood of becoming a victim by 30%, and implementing a robust password policy reduces the likelihood by 60%."
Recommendations that organizations maintain strong password policies, make widespread use of multifactor authentication - especially for accounts with administrative-level access, as well as for remote desktop protocol and VPN connections - and run robust vulnerability management programs aren't anything new.
But the widespread lack of these essential information security program attributes is a reminder that to be more effective, many organizations need to get back to basics.