Secureworks Incident Response Research Report: 2019 Findings
Secureworks, a Top 100 MSSP, has released a new Incident Response Insights Report 2019 . The report analyzed data from more than 1,000 incident response and breach investigations in 2018. The report aims to provide organizations with insights into evolving cyber threat tactics and ways to improve their ability to prevent, detect and respond to cybersecurity incidents.
Here’s what you need to know:
The song remains the same. The same issues and security gaps that impede organizations’ ability to identify and respond to threats show up year after year. Here’s the hit list:
- Gaps in basic security controls and organizations’ visibility of their own environments continue to allow threat actors to gain access.
- Security implications of adopting new technologies or major changes to networks are not consistently addressed.
- Suppliers and third parties are likely to be compromised if they provide an easier path to the ultimate target than a direct attack.
Evolution not revolution. Last year is to be considered as one of evolution rather than revolution in attack methods, Secureworks said. In previous years, government-sponsored, criminal, and hacktivist groups each had a distinct way of operating. Their activities rarely overlapped. Not so anymore. Now tactics such as leveraging unauthorized access to systems within a network to carry out attacks, implementing living-off-the-land techniques, and using commodity malware, services, and exploits are in every hacker’s tool bag.
Secureworks analysts identified the following highlights from incident response engagements in 2018:
- Business email fraud, ransomware, digital currency mining, and banking trojan activities constituted over 60% of the total attack methods.
- Ransomware attacks tended to be more serious in impact than in previous years, with threat actors increasingly trying to gain access to entire networks to deploy payloads across a large number of systems.
- Many government-sponsored actors conduct entire intrusions using publicly available tools and techniques, whereas others adopt increasingly sophisticated approaches to gain access to systems.
- The threat actors are collectively maturing toward behaviors that offer them the highest chances of success and that take advantage of the systemic defensive gaps organizations leave open year after year.
Four recommendations. For the most part, threat actors use the tactics that they know will work mainly because organizations still struggle with cybersecurity’s basics, Secureworks concluded. This is what organizations should focus on to improve their security posture:
- Build a security program around an existing industry standard framework. It ensures that the organization addresses many of the security gaps, and not just the systems that have already been compromised.
- Implement MFA on all externally facing services. Every service available on the Internet, including cloud applications such as Office 365/Outlook, external VPNs, and SSO pages, should require users to provide a one-time password in addition to their regular password.
- Increase visibility. Incident response efforts are often hampered by a lack of visibility in the environment.
- Conduct preparedness exercises. Involving the whole business in incident response processes and preparedness can ensure a coordinated effort to mitigate attacks. It can also identify gaps in processes and procedures.
“Constantly changing IT environments, corporate priorities, and relationships with third parties continue to create cybersecurity challenges year after year,” Secureworks wrote. “To reduce risk exposure, organizations should close the gaps they can control and make the company less of a target. The next best step on an organization’s cybersecurity journey may be to take a step back and reassess its ability to execute the fundamentals.”