
Here are the three worst breaches, the 2022 attacker tactics and techniques behind them, and the security controls that can provide effective enterprise protection against them.
#1: Two RaaS Attacks in 13 Months
Ransomware as a service is a type of attack in which ransomware software and infrastructure are rented out to attackers. These ransomware services can be purchased on the dark web from other threat actors and ransomware gangs. Common purchasing plans include buying the entire tool, using existing infrastructure while paying per infection, or letting other attackers perform the service while sharing the revenue.
In this attack, the attackers were one of the most prevalent ransomware groups that specialize in third-party access, and the targeted company was a medium-sized retailer with dozens of sites in the United States.
The attackers used ransomware as a service to compromise the victim's network. They were able to abuse third-party credentials to gain initial access, move laterally, and hold the company to ransom. The whole attack took just a few minutes.
The speed of this attack was extraordinary. In most RaaS cases, attackers typically remain on the network for weeks or months before demanding a ransom. What is particularly interesting about this attack is that the company was held for ransom in minutes. No discovery or weeks of lateral movement were required.
A log investigation revealed that the attacker targeted a server that no longer existed on the network. It turned out that the victim had been compromised and held for ransom 13 months before this second ransomware attack. The first group of attackers then monetized the first attack not only through the ransom payment, but by selling the company's network information to a second ransomware group.
In the 13 months between the two attacks, the victim made network changes and removed servers, but the new attackers were unaware of these architectural changes. The scripts they developed were designed for the earlier network map. This explains how quickly they were able to attack: they already had a lot of information about the network. The main lesson here is that ransomware attacks can be repeated by different groups.
“A RaaS attack like this is a great example of how complete visibility can enable early warning. With a cloud-native SASE platform like Cato Networks, we support all edges and provide complete network visibility into network events that may be invisible to other providers or fly under the radar as innocuous events. It also enables full contextualization of events, enabling early detection and remediation.”
#2: Critical Infrastructure Attacks Against Radiation Warning Networks
Attacks on critical infrastructure are becoming more common and more dangerous. Compromises of water supplies, sewage systems and other infrastructure can put millions of people at risk of a humanitarian crisis. These infrastructures are also becoming more vulnerable, and OSINT attack surface management tools such as Shodan and Censys make it easier for security teams to find such vulnerabilities.
In 2021, two hackers were suspected of targeting the Radiation Warning Network. Their attack relied on two insiders who were working for a third party. These insiders disabled the radiation warning system, severely weakening the ability to monitor radiation attacks. The attackers were then able to remove critical software and disable radiation gauges (part of the infrastructure itself).

“Unfortunately, scanning for vulnerable systems in critical infrastructure has never been easier. Many such organizations have multiple layers of security, but they are trying to protect their infrastructure with point solutions rather than one system that gives a holistic view of the entire attack lifecycle, where a breach is not just a phishing issue, a credential issue, or a vulnerable system issue, but is always a combination of multiple compromises by threat actors.” Cato Networks.
#3: A 3-step ransomware attack that started with phishing
The third attack is also a ransomware attack. This time, the attack consisted of three steps.
1. Infiltration – The attacker gained access to the victim's network through a phishing attack. The victim clicked a link that opened a connection to an external site, which downloaded the payload.
2. Network activity – In the second stage, the attacker moved laterally through the network for two weeks. During this time, the attacker used malware to harvest administrator passwords and ran fileless in memory. Then, on New Year's Eve, the attacker ran the encryption. This date was chosen because (understandably) it was assumed that the security team would be on vacation.
3. Exfiltration – Finally, the attacker uploaded data out of the network.
In addition to these three main steps, additional sub-techniques were used during the attack that prevented the victim’s point security solutions from blocking this attack.

“A multiple choke point approach that looks at attacks horizontally (so to speak), rather than as a series of vertical, disjointed problems, is a way to enhance detection, mitigation, and prevention of such threats. On the contrary, the underlying technology for implementing a multiple chokepoint approach is full network visibility with a cloud-native backbone and a ZTNA-based single-pass security stack,” said Etay Maor, senior director of security strategy at Cato Networks.
How do security point solutions stack up?
It's common for security professionals to succumb to the “single point of failure fallacy.” However, cyberattacks are sophisticated events, and the cause of a breach rarely involves a single tactic or technique. Therefore, effective mitigation of cyberattacks requires a comprehensive outlook. A security point solution is a solution to a single point of failure. These tools can identify risks, but they can miss breaches and cannot connect the dots that actually led to the breach.
Be careful in the coming months
Ongoing security research conducted by the Cato Networks Security Team has identified two additional vulnerabilities and exploitation attempts that we recommend including in your future security plans.
1. Log4j
Log4j made headlines in December 2021, and the hype hasn't died down. Log4j is still used by attackers to exploit systems, as not all organizations have been able to patch their Log4j vulnerabilities or detect Log4j attacks. We recommend prioritizing Log4j mitigations.
2. Misconfigured firewalls and VPNs
Security solutions such as firewalls and VPNs have become access points for attackers. Patching them is becoming increasingly difficult, especially in the age of cloud architectures and remote work. We recommend that you exercise extreme caution as these components become increasingly vulnerable.
How to minimize your attack surface and gain network visibility
To reduce the attack surface, security professionals need network visibility. Visibility relies on three pillars:
- Actionable information – can be used to mitigate attacks
- Reliable information – minimizes the number of false positives
- Timely information – to ensure mitigation before attacks have impact
Once an organization has complete visibility into activity on its network, it can contextualize the data to determine whether observed activity should be allowed, denied, monitored, restricted, or otherwise acted on, and then enforce that decision. All of these elements should apply to all entities, including users, devices, and cloud apps. That's what SASE is all about.