2020 VMware Threat Landscape Report: See What Evaded Perimeter Defenses

VMware 2020 Threat Landscape Report Blog

The pandemic of 2020 has forever changed the way we work, live, learn, and play. Many of us are now accessing applications from the network edge in remote work sites, home offices, and dining room tables. Threat actors immediately took advantage of this new reality, using pandemic anxiety as a trigger for social engineering attacks. These attacks increasingly focused on the delivery of ransomware, especially targeting high-profile victims. In addition, there has been a resurgence of dated exploits, likely targeting poorly maintained computers. We know this because we’ve seen it.

Today, VMware released its inaugural threat landscape report that CISOs and security professionals can use to get a better sense of current threats that are evading perimeter defenses. The report was compiled by the VMware Threat Analysis Unit — a team of highly skilled malware analysts and security professionals at VMware. This summary covers key data and findings from observations of millions of networks and network segments from July 2020 to December 2020. It highlights threats that evaded perimeter defenses and were identified by VMware sensors placed inside the perimeter.

This report specifically details the top detected threats that VMware technology identified after these threats evaded today’s perimeter security controls.

The Threat from Email is Alive and Well

Surprisingly — or not surprisingly — email continues to be used as the most common attack vector to gain initial access. Analysis shows that more than four percent of all business emails analyzed contained a malicious component. Malicious email authors are clever and relentless, and they are constantly developing new, or at least different, ways to deceive and attack. Although the malicious payloads found in email-based attacks frequently change, the vast majority of cybercriminals were observed using three basic strategies: malicious attachments, links to malicious web pages, and enticements to perform transactions. Perimeter security solutions such as anti-virus, anti-malware, and anti-phishing tools are ineffective against advanced, email-based threats, and thus malicious actors will continue to use email as an attack vector.

Attackers Prioritize Evasion Above All

We observed that defense evasion is the most encountered MITRE ATT&CK® tactic used by malware, followed by execution and discovery. A threat actor’s first order of business is to evade detection. Malicious actors are getting better at evasion and are increasingly turning to rare or esoteric file types to increase the likelihood of evading unsophisticated security technologies. Once evasion is achieved, the malware must establish persistence within your environment by executing malicious artifacts that let it begin discovery of system processes and network assets.

Pervasive Use of Remote Desktop Protocol for Lateral Movement

More than 75 percent of lateral spread events observed were conducted using Remote Desktop Protocol — often using stolen credentials to log in to other hosts on the network. While there are several different ways to laterally propagate, logging into hosts via RDP with clear-text passwords exposed on the network, valid accounts, or brute-forced credentials is still the most common technique.
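As an added defensive example (not code from the VMware report or this blog), the following Python flags the pattern just described: one account and source address opening RDP sessions (Windows Security event 4624, logon type 10, RemoteInteractive) to several distinct hosts within a short window. The event records, account names and host names are constructed sample data, and the field names are a simplified assumption rather than the native event schema.

```python
"""Flag RDP fan-out: one source reaching many hosts via RDP in a short window.

Added example, not part of the VMware report. Records below are a simplified,
constructed rendering of Windows Security event 4624 (not real logs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive: the logon type an RDP session produces

# Constructed sample events: one service account hopping across four hosts in
# five minutes, plus an ordinary user whose activity should not be flagged.
SAMPLE_EVENTS = [
    {"time": "2020-09-14T02:01:10", "event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.5.21", "target": "FS01"},
    {"time": "2020-09-14T02:03:42", "event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.5.21", "target": "FS02"},
    {"time": "2020-09-14T02:05:05", "event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.5.21", "target": "SQL01"},
    {"time": "2020-09-14T02:06:30", "event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.5.21", "target": "DC01"},
    {"time": "2020-09-14T09:15:00", "event_id": 4624, "logon_type": 10, "user": "CORP\\jdoe", "src_ip": "10.0.8.4", "target": "WS-JDOE"},
    {"time": "2020-09-14T09:20:00", "event_id": 4624, "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.8.4", "target": "FS01"},
]


def rdp_fanout(events, window_minutes=30, min_targets=3):
    """Return {(user, src_ip): sorted target hosts} for every source that opened
    RDP logons to at least `min_targets` distinct hosts within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in events:
        # Only successful logons of the RDP type count; network logons (type 3) are ignored
        if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            by_source[(e["user"], e["src_ip"])].append(
                (datetime.fromisoformat(e["time"]), e["target"]))
    hits = {}
    for key, logons in by_source.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Advance the window start until the span from start to end fits in `window`
            while logons[end][0] - logons[start][0] > window:
                start += 1
            targets = {host for _, host in logons[start:end + 1]}
            if len(targets) >= min_targets:
                hits[key] = sorted(targets)
    return hits


if __name__ == "__main__":
    for (user, src), hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"{user} from {src} reached {len(hosts)} hosts via RDP: {hosts}")
```

Tuning the window and threshold to a site's baseline (help-desk jump hosts legitimately fan out) is what separates a usable alert from noise.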

By providing visibility and authoritative context, this report should encourage enterprise security teams to think more boldly about how they secure users, applications, and data in today’s modern, multi-cloud world. There are just too many surfaces to defend, too many silos, and too little context. No longer can security professionals simply harden network defenses and hope the perimeter holds. The reality is that once malicious actors are able to penetrate the perimeter, they basically have free rein to spread laterally and infect more devices, more applications, and more business systems.

Enterprise security for modern networks requires solutions that interconnect, leveraging the infrastructure to provide authoritative context from distributed security services that have connected control points to disrupt threats already in your network. This is an area where VMware security can help.

Download the report today to gain insights into threats evading perimeter defenses and consider how you can apply VMware advanced threat detection and prevention capabilities to better secure East-West traffic inside the data center.