The recently released VMware Carbon Black Global Incident Threat Report found that incidents of counter incident response (IR) are occurring in 82 percent of IR engagements.
Counter IR involves several tactics, including disabling the Antimalware Scan Interface (AMSI), clearing or deleting logs, using alternative authentication, masquerading, and other nefarious strategies and tactics.
These counter IR techniques are largely facilitated by lateral movement—estimated to occur in more than 62 percent of attacks—which in turn facilitates island hopping, seen by respondents in 55 percent of IR engagements.
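As an added illustration (not code from the report or from VMware Carbon Black), here is a small detector for one of the counter-IR tactics listed above, clearing event logs. It scans constructed Windows event records in JSON form for the two event IDs that signal a cleared log and rates each hit against a baseline allowlist of accounts expected to perform log maintenance; the host names, account names and allowlist are all assumed sample values.

```python
import json
from collections import defaultdict

# Windows event IDs that signal log clearing: Security 1102 ("The audit log
# was cleared") and System 104 ("The System log file was cleared").
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Assumed baseline: accounts that are expected to clear logs during maintenance.
# Anything else clearing a log is treated as a likely counter-IR action.
EXPECTED_MAINTENANCE_ACCOUNTS = {"logadmin"}

def is_log_cleared(event):
    """Return True when the record is a log-clearing event."""
    return (event.get("Channel"), event.get("EventID")) in LOG_CLEARED_IDS

def severity(event, expected_accounts=EXPECTED_MAINTENANCE_ACCOUNTS):
    """'high' when the clearing account is outside the baseline, else 'medium'."""
    return "medium" if event.get("SubjectUserName") in expected_accounts else "high"

def find_log_clearing(records, expected_accounts=EXPECTED_MAINTENANCE_ACCOUNTS):
    """Group log-clearing events by host so responders can see where an
    adversary is covering tracks. `records` is an iterable of JSON strings."""
    hits = defaultdict(list)
    for line in records:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if is_log_cleared(event):
            hits[event.get("Computer", "unknown")].append({
                "time": event.get("TimeCreated"),
                "channel": event["Channel"],
                "event_id": event["EventID"],
                "user": event.get("SubjectUserName"),
                "severity": severity(event, expected_accounts),
            })
    return dict(hits)

# Constructed sample records (not real telemetry): two logons, three clears, one bad line.
SAMPLE_EVENTS = [
    '{"TimeCreated": "2021-03-01T02:14:07Z", "Computer": "ws01", "Channel": "Security", "EventID": 4624, "SubjectUserName": "jdoe"}',
    '{"TimeCreated": "2021-03-01T02:16:30Z", "Computer": "ws01", "Channel": "Security", "EventID": 1102, "SubjectUserName": "jdoe"}',
    '{"TimeCreated": "2021-03-01T02:16:31Z", "Computer": "ws01", "Channel": "System", "EventID": 104, "SubjectUserName": "jdoe"}',
    '{"TimeCreated": "2021-03-01T03:00:00Z", "Computer": "srv02", "Channel": "Security", "EventID": 4624, "SubjectUserName": "svc"}',
    '{"TimeCreated": "2021-03-01T04:30:00Z", "Computer": "srv02", "Channel": "Security", "EventID": 1102, "SubjectUserName": "logadmin"}',
    'not json',
]

if __name__ == "__main__":
    for host, events in find_log_clearing(SAMPLE_EVENTS).items():
        print(host, len(events), "log-clearing event(s)")
        for e in events:
            print("  ", e)
```

The same routine can run over exported event logs in JSON Lines form; the point is that a cleared log is itself a high-value signal, so forward these events to a collector the adversary cannot reach before they can be cleared locally.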
“The nature of today’s attacks is shifting how the cybersecurity industry conducts IR,” says Tom Kellermann, Head of Cybersecurity Strategy, VMware, and co-author of the report. “Nowadays, if you turn on the lights on an attacker, you’re going to be dealing with an escalation.”
According to Kellermann, the significant percentage (37 percent) of attacks that the report notes as originating from North America is a smokescreen: island hopping attacks may appear to come from the U.S. because they are launched through compromised U.S. infrastructure.
“In customer IR cases, we are also seeing ransomware double-extortion groups leverage open source technology solutions like ownCloud to exfiltrate sensitive data from target networks.”
Greg Foss, Senior Cybersecurity Strategist at VMware
Armed with threat intelligence, IR professionals must shift defenses and fight back.
Here are five new best practices for modernizing threat hunting, taken directly from the recent VMware Carbon Black Global Incident Threat Report.
1. When discussing an intrusion, set up secure communication channels.
Today’s attackers will often attempt to monitor communications—especially those of the security team. For Foss, that means “the first and arguably most important step is to set up out-of-band communication channels so that you can discuss and share information without giving away that you are actively looking into their activities.”
2. Assume the adversary has multiple avenues back into the organization.
Resisting the urge to shut them out will pay dividends in the long run. Be patient, wait, watch, learn, and only strike when you are reasonably sure about the scope and breadth of the intrusion.
3. To combat alert fatigue, baseline your organization.
Overworked security teams are using tools to detect more than ever, yet doing so can overwhelm these teams even further while drowning out what is important. To address this, Foss suggests that an organization map out where its most important assets lie and then build out controls and tune security systems around those priorities. From there, security teams can begin a broader inventory management process, bucketing assets into logical groupings for more effective IR.
4. Build the capacity to detect and respond across workloads.
“In the transition to a remote, cloud-run working environment,” Kellermann says, “workload security is imperative. Otherwise, these environments become a one-stop-shop for island hopping and other methods to commandeer the network.” This means protecting cloud environments, containers, and microservices where most of the work is happening nowadays—the applications that exist between a system’s networks and its endpoints.
5. Segment personal and professional networks.
Amid COVID-19, the corporate perimeter has expanded into employees’ homes, ushering in a deluge of new attacks on home routers and networks. This is made more challenging by the lack of visibility security professionals have into those networks, especially while they, too, work from home.
Download the latest VMware Carbon Black Global Incident Threat Report.
Our cybersecurity research and strategy team comprises some of the best minds in information security. With a strong pulse on how geopolitical activity intersects cybersecurity, our experts provide key insights on global attack trends and bring those stories to life with threat reports, webinars, blogs, and more content to help our customers, partners, and the entire industry.
Get additional insights by downloading global threat intelligence from our Threat Research Reports.