In the first half of 2020 we’ve seen several incidents where vulnerabilities became easier to exploit because of remote working, and where attacker groups became more aggressive in their behaviour.
Four key trends we’ve seen:
…we’ve been able to take a look under the hood of real observations by their OverWatch team. A key stat was that for every state-sponsored campaign observed, there were four eCrime intrusions. Why is this significant? In 2019, 69% of intrusions were attributed to eCrime. So far in 2020, 82% have been attributed to eCrime. The lucrative nature of big game ransomware has led to multiple high-profile attacks, spurring other groups to exploit similar vulnerabilities.
A flurry of critical vulnerabilities in several leading VPN and firewall products saw exploitation explode almost overnight. In one instance, only 24 hours after an initial public exploit was published, the NCSC stated that “if firms had not been able to take mitigation steps within 24 hours they should assume compromise”. This is a stark and concerning reminder that ever-decreasing breakout times are creating challenging circumstances for blue teams. CrowdStrike found that between January and June 2020, the following 5 pen-testing tools were the most commonly used:
Ensuring that security controls are tuned and able to recognise activity linked to these tools is a key recommendation from industry generally as well as from the report. Leveraging a vendor-agnostic matrix like the MITRE ATT&CK framework can provide customised insight into blind spots or areas of weakness in your organisation’s detection and response capabilities. I’d really recommend digging into the OverWatch report in more detail. There are plenty of industry-specific observations and research to aid in assessing your information security program and defensive capabilities. Today’s eCrime groups operate like businesses, always looking for opportunities to adapt and circumvent new security measures. Unfortunately, no one can consider themselves immune from sophisticated or persistent cyber threats — regardless of whether they consider eCrime or state-sponsored adversaries to be their bigger threat.