If there is one word to aptly describe the security landscape, it would be evolution. Regardless of agenda, hackers, industrial spies, cyber terrorists, nation-state actors, and hacktivists alike are relentless in their efforts to identify and exploit weaknesses in organizations’ security postures. Attacks continue to become more evasive, and thus defenders must also evolve their approach to successfully thwart attempts to hijack security solutions.
This blog highlights some key findings from the VMware Carbon Black 2020 Cybersecurity Outlook Report, which uncovers the top attack tactics, techniques, and procedures (TTPs) seen over the past year and provides specific guidance on ransomware and other forms of destructive attacks.
The dataset used in the report comprises the VMware Carbon Black Cloud customer footprint, the VMware Carbon Black User Exchange, VMware Carbon Black Endpoint Standard results (cross-referenced with internally developed tools and SIEMs), publicly available samples and detonations, and original dark web research. In total, over 2,000 samples were analyzed using the MITRE ATT&CK framework. Below are three key takeaways from the report:
- Attacker behavior continues to morph and become more evasive. Over the past year, the most common behaviors seen across all attack data mapped to MITRE ATT&CK were software packing and hidden windows.
- Ransomware’s resurgence cost billions in damages across all verticals in 2019. The energy/utilities and government sectors were particularly susceptible, suggesting that as geopolitical tensions rise, so do attacks on these sectors, which often serve as critical infrastructure and provide vital services to large populations.
- Wipers continue to trend upward, as adversaries (especially nation-state actors) prioritize data destruction over extortion of money.
The three points above pertain to the “Attacker Behavior” section of the report. A subsequent blog (part 2) will cover three additional points, which pertain to the “Defender Behavior” section of the report.
Top Malware Behavior
At 26%, software packing was the most common malware behavior found in 2019. According to MITRE, software packing is a method of compressing or encrypting an executable. Doing so changes the file signature in an attempt to avoid signature-based detection. From the defenders’ perspective, it is important to become familiar with the legitimate applications that employ this technique, so that they can be recognized as false positives. It is also more beneficial to employ an endpoint protection platform (EPP) over point-in-time security to accurately record and analyze data.
At 22%, hidden windows was the second most common malware behavior. Adversaries will likely implement hidden windows to conceal malicious activity from the plain sight of users. By design, hidden windows allow system admins to execute administrative tasks without disrupting user work environments. However, adversaries may capitalize on this functionality to avoid alerting users to abnormal activity. To counter this, defenders can limit program execution using EPP or application whitelisting (specifying an index of approved software applications that are permitted to be active on a computer system). A more granular approach would include monitoring processes and command-line arguments for actions indicating hidden windows with endpoint detection and response (EDR).
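As an added illustration of the command-line monitoring described above (example code written for this post, not part of the report or of any VMware Carbon Black product), the script below triages constructed process-creation events for a PowerShell hidden-window request and applies a hypothetical allowlist of known admin automation so that legitimate uses surface as false positives rather than alerts. The sample events, the allowlist entries and the list of Office parent processes are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, not data from the report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ep Bypass -File C:\Users\bob\AppData\Local\Temp\inv.ps1"},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\ProgramData\IT\backup-check.ps1"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w h -c Get-Date"},
]

# Hypothetical allowlist of known admin automation (parent process, script directory),
# the kind of list a defender tunes per environment to keep false positives down.
KNOWN_ADMIN = [("services.exe", "c:\\programdata\\it\\")]
# Parents that should not normally spawn a hidden PowerShell window.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# powershell.exe accepts any unambiguous prefix of -WindowStyle and of Hidden
# (e.g. "-w h"), so match prefixes instead of the literal spelling.
FLAG_RE = re.compile(r"(?<!\S)-(w[a-z]*)\s+(h[a-z]*)(?!\S)", re.IGNORECASE)

def hidden_window_requested(cmdline):
    for flag, value in FLAG_RE.findall(cmdline):
        if "windowstyle".startswith(flag.lower()) and "hidden".startswith(value.lower()):
            return True
    return False

@dataclass
class Finding:
    cmdline: str
    severity: str  # "info" for allowlisted admin use, "medium", or "high"

def triage(events):
    findings = []
    for ev in events:
        if not hidden_window_requested(ev["cmdline"]):
            continue
        cmd = ev["cmdline"].lower()
        parent = ev["parent"].lower()
        if any(parent == p and d in cmd for p, d in KNOWN_ADMIN):
            sev = "info"            # known automation: log it, do not page anyone
        elif parent in OFFICE_PARENTS:
            sev = "high"            # document-spawned hidden shell
        else:
            sev = "medium"
        findings.append(Finding(ev["cmdline"], sev))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.severity, f.cmdline)
```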
With distribution percentages of 32% and 14% respectively, the energy/utilities and government sectors suffered more from ransomware than other verticals in 2019. The list of targeted entities includes 113 state/municipal governments, 764 healthcare providers, and 89 universities/school districts. Most notably, in September 2019, the US Treasury Department stated that state-sponsored hacking groups from North Korea attacked critical infrastructure, successfully drawing illicit funds that ultimately funded the country’s weapons and missile programs. As these types of attacks remain generally low cost to perform with a high rate of return, sectors that rely heavily on legacy security solutions will continue to be susceptible.
Surprisingly enough, wipers, which are deployed for purely destructive purposes, still rely heavily on common tactics like spear phishing, brute force attacks, and exploitation of unpatched, known vulnerabilities. In addition to data destruction, which renders stored data irrecoverable by forensic techniques, wipers may exhibit worm-like features, propagating across a network by leveraging additional techniques like valid accounts, credential dumping, and Windows admin shares. As advice to defenders: they must utilize strong IT practices such as snapshots and redundant systems. Although these may seem like basic procedures, as the saying goes, an ounce of prevention is worth a pound of cure. If an ounce doesn’t suffice, incorporating behavioral-based EPP and an endpoint detection and response (EDR) component focused on east-west traffic would strengthen the security posture even more.
Stay tuned for part 2 (Defender Behavior), which will deep-dive into misaligned priorities between IT and security teams and why it is absolutely critical for organizations to treat security as a team sport.
Short on time and you want to see more data right away? Download the complete report: VMware Carbon Black 2020 Cybersecurity Outlook Report