Cybercriminals always seem to be coming up with new ways to hack into networks, deploy malware, gain the necessary network access, and steal private information. But they often rely on tried and true methods and security vulnerabilities and weaknesses to achieve their goals. That’s why security professionals need to be aware of the latest threats and the common methods of attack and how best to defend against them. Released on Wednesday, WatchGuard’s “Internet Security Report – Q2 2019” looks at some of the security threats that marked the second quarter of 2019 and offers advice on how to protect your organization.
For the quarter, malware strains detected by WatchGuard’s Firebox Feed dipped around 5% compared to the first quarter of the year but shot up by 64% over the second quarter of 2018. Zero day malware accounted for 38% of all malware detections for the quarter. WatchGuard discovered multiple campaigns that used Content Delivery Networks (CDNs) to host browser-hijacking malware. By using CDNs such as CloudFront and CloudFlare, cybercriminals try to prevent detection by security services that look only at the root domain, in this case, CloudFront.net.
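The CDN point above is easy to see in code. The following Python is an added illustration, not something from the WatchGuard report: it models two filters, one that only looks at the root domain and one that looks at the full hostname, running over two constructed CloudFront URLs (the distribution hostnames and the "known bad" entry are invented for this example).

```python
from urllib.parse import urlsplit

# Constructed sample traffic (not from the report): two CloudFront
# distributions, one legitimate and one serving a browser hijacker, share
# the same root domain. The hostnames are invented for this illustration.
LEGIT_URL = "https://d222222abcdef8.cloudfront.net/app/bundle.js"
BAD_URL = "https://d111111abcdef8.cloudfront.net/update/setup.js"
KNOWN_BAD_HOSTS = {"d111111abcdef8.cloudfront.net"}   # constructed indicator


def hostname(url: str) -> str:
    """Return the lower-cased host part of a URL (no port, no trailing dot)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def root_domain(host: str) -> str:
    """Naive 'root domain': the last two labels of the hostname.

    A production filter would consult the Public Suffix List, but this is
    enough to model a control that only ever looks at the root domain.
    """
    return ".".join(host.split(".")[-2:])


def root_domain_filter(url: str, blocked_roots: set[str]) -> str:
    """Verdict from a filter that only inspects the root domain."""
    return "block" if root_domain(hostname(url)) in blocked_roots else "allow"


def full_host_filter(url: str, blocked_hosts: set[str]) -> str:
    """Verdict from a filter that inspects the full hostname."""
    return "block" if hostname(url) in blocked_hosts else "allow"


def compare_filters(urls, blocked_roots, blocked_hosts) -> dict[str, dict[str, str]]:
    """Run both filters over the same URLs so the difference is visible."""
    return {
        url: {
            "root_domain_filter": root_domain_filter(url, blocked_roots),
            "full_host_filter": full_host_filter(url, blocked_hosts),
        }
        for url in urls
    }


if __name__ == "__main__":
    # A root-domain filter has only two options: leave cloudfront.net alone
    # (the hijacker gets through) or block it outright (legitimate content
    # hosted on the same CDN breaks). A full-hostname filter can do both.
    print(compare_filters([LEGIT_URL, BAD_URL], set(), KNOWN_BAD_HOSTS))
    print(compare_filters([LEGIT_URL, BAD_URL], {"cloudfront.net"}, KNOWN_BAD_HOSTS))
```

The first `compare_filters` call shows the root-domain filter waving the malicious distribution through; the second shows that the only way it can block it is to block `cloudfront.net` wholesale, taking the legitimate distribution down with it. Filtering on the full hostname (or the full URL) avoids that trade-off, which is why a filter should keep at least the hostname, not just the registrable domain.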
Ransomware also was on the rise during the second quarter, exemplified by an attack against the city of Baltimore in May, an incident that severely impacted city services. Other city governments were also hit by ransomware attacks, prompting some to pay the ransom demand in order to restore services. Attackers also hit three managed service providers (MSPs), using the MSPs' own tools to deploy ransomware to their customers.
During 2017 and 2018, network attacks increased from the fourth quarter to the first quarter. In 2019, the opposite occurred as such attacks declined from the final quarter of 2018 to the first quarter of 2019. However, this trend was short-lived. Network attack volume more than doubled from the first quarter to the second this year, with more than 2.2 million incidents detected by WatchGuard. Some of the top network attacks employed such well-known methods as SQL injection, cross-site scripting, brute force logins, and exploiting security holes in Adobe Shockwave and Adobe Flash.
WatchGuard’s full report contains all the details and descriptions of the security threats that were detected for the quarter. How can organizations defend themselves in an environment where cybercriminals are working hard to infiltrate their networks and steal their data? In the report, WatchGuard offers several pieces of advice worth considering.
Deploy advanced malware detection tools
More than one-third of all malware detected across WatchGuard networks was classified as “zero day malware,” meaning it bypassed traditional signature-based anti-malware engines. Organizations must deploy advanced malware detection tools that use more than just signatures to detect modern-day threats. Services that use machine learning and AI can help quickly predict whether a payload is malicious or not, while behavioral detection tools can give a thumbs up or thumbs down after detonating malware in a controlled sandbox.
There is no such thing as too small a target
This quarter saw significant overlap in the most-widespread malware and the most prolific malware by volume. Automation has allowed cybercriminals to cast wider nets with their attacks, affecting organizations regardless of size. Even if you are a smaller organization, you still need to invest in protection and response tools to avoid becoming the next breach statistic.
Deploy and test backup solutions
Never put yourself in a situation where the only possible option to regain access to your files is paying the attacker. Automated backups are an important part of any layered security approach to allow you to recover from a devastating incident. That said, backups on their own aren’t enough. You must test your restoration process as well to ensure it will work when it becomes needed.
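The "test your restoration process" step is the one most often skipped. The Python below is an added example, not from the report or from WatchGuard: it backs up a small constructed directory to a tar.gz, records a SHA-256 manifest at backup time, restores the archive into a separate directory, and compares the restored tree against the manifest, so a restore that silently loses or corrupts a file is reported rather than discovered during an incident.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of `source` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest(source)


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into `dest`, refusing members that would escape it."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        members = []
        for m in tar.getmembers():
            if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe path in archive: {m.name}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"unsupported member type: {m.name}")
            members.append(m)
        tar.extractall(dest, members=members)


def verify_restore(expected: dict[str, str], restored: Path) -> dict:
    """Compare the restored tree against the backup-time manifest."""
    actual = manifest(restored)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not (missing or extra or mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def run_demo() -> tuple[dict, dict]:
    """Back up a constructed directory, restore it and verify, then show that a
    corrupted restore is caught. Returns (clean_report, corrupted_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "report.txt").write_text("quarterly figures\n")  # constructed content
        (source / "config.ini").write_text("[app]\nmode=prod\n")            # constructed content

        archive = tmp / "backup.tar.gz"
        expected = create_backup(source, archive)

        restored = tmp / "restore-test"
        restore_backup(archive, restored)
        clean = verify_restore(expected, restored)

        # Simulate a bad restore: one file comes back silently truncated.
        (restored / "docs" / "report.txt").write_text("")
        corrupted = verify_restore(expected, restored)
        return clean, corrupted


if __name__ == "__main__":
    print(run_demo())
```

Restoring into a scratch directory rather than over the live data is deliberate: the point of the test is to prove the archive is usable without touching production. Scheduling `verify_restore` against a fresh restore of each backup set is what turns "we have backups" into "we can recover."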
Train your users to spot phishing attacks
Most signs point towards a phishing email being the initial attack vector for the Baltimore attack. Cybercriminals love to prey on unsuspecting users, tricking them into willfully giving up their credentials or running malicious applications. While phishing awareness training will never reduce your click rate to zero, it will at least give your technical controls a fighting chance when the inevitable convincing email comes through.
Deploy tools that can detect a breach
The alleged perpetrator of the Baltimore ransomware attack posted images of documents indicating they had been on the network for at least a short while before executing the ransomware. Endpoint Detection and Response (EDR) agents can help identify suspicious behavior that slips past your other defenses and remediate it before it escalates into a devastating attack.
Use Multi-Factor Authentication (MFA) throughout your enterprise
These attacks abused stolen credentials to gain access to management tools. MFA is the only thing that really protects you against this sort of credential theft and abuse. Even if an attacker was able to learn one of your RMM (Remote Management Module) admin passwords, MFA solutions could prevent those attackers from being able to log in with that password. We highly recommend you implement MFA throughout your organization, including your enterprise login, RDP sessions, VPN, internal management systems, and SaaS applications.
Aggressively patch public-facing software
You should make sure to keep your Managed Service Provider software patched just to be safe. We also suggest you check your Windows and RDP patch levels at your and your customers’ sites. Microsoft recently fixed a critical flaw in RDP, which could be one of the attack vectors used in these incidents, and exploit code has been made public for this flaw. Make sure you’ve patched BlueKeep.
Place stronger ACLs on remote management and use VPN
There are likely a number of network services that you have to expose publicly, both from your customer network and your own, in order to provide remote management services. As you are allowing for these management capabilities, consider their security as well. Apply the principle of least privilege and try to limit access to these network services to as few IPs or users as possible. For instance, don’t just open RDP access to the world if you can instead limit access to a few IPs.
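The least-privilege advice above ("don't just open RDP to the world") can be checked mechanically. The Python below is an added example, not part of the report: it evaluates a small firewall ruleset the way most firewalls do (first match wins, default deny) and audits it for allow rules that expose a management port to a large source range. The rulesets and the 203.0.113.0/29 management range standing in for a VPN concentrator are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Ports that typically carry remote management and should never be
# reachable from arbitrary sources.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5985: "WinRM", 5986: "WinRM/HTTPS"}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # CIDR prefix the rule matches on
    port: int        # destination TCP port
    action: str      # "allow" or "deny"


def is_permitted(rules: list[Rule], src_ip: str, port: int) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.port == port and ip in ipaddress.ip_network(rule.source, strict=False):
            return rule.action == "allow"
    return False


def overexposed(rules: list[Rule], max_sources: int = 256) -> list[str]:
    """Flag allow rules that open a management port to more than `max_sources` addresses."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.port not in MANAGEMENT_PORTS:
            continue
        net = ipaddress.ip_network(rule.source, strict=False)
        if net.num_addresses > max_sources:
            findings.append(
                f"{rule.name}: {MANAGEMENT_PORTS[rule.port]} (tcp/{rule.port}) "
                f"allowed from {net} ({net.num_addresses} addresses)"
            )
    return findings


# Constructed rulesets (not from the report). 203.0.113.0/29 stands in for
# the management VPN / jump-host range that is the only legitimate RDP source.
WEAK_RULES = [
    Rule("rdp-any", "0.0.0.0/0", 3389, "allow"),
    Rule("https-any", "0.0.0.0/0", 443, "allow"),
]
HARDENED_RULES = [
    Rule("rdp-from-mgmt-vpn", "203.0.113.0/29", 3389, "allow"),
    Rule("rdp-deny-rest", "0.0.0.0/0", 3389, "deny"),
    Rule("https-any", "0.0.0.0/0", 443, "allow"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, overexposed(rules) or "no findings")
        print("  internet host -> RDP:", is_permitted(rules, "198.51.100.7", 3389))
        print("  mgmt VPN host -> RDP:", is_permitted(rules, "203.0.113.5", 3389))
```

The weak ruleset produces one finding (RDP reachable from all of IPv4) and lets an arbitrary internet host through; the hardened ruleset permits RDP only from the management range while leaving the public HTTPS service untouched. The same audit can be run against rules exported from whatever firewall sits in front of the MSP's management plane; the threshold is a judgement call, and 256 addresses is simply a conservative starting point.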
Use advanced anti-malware services on your network and endpoints
Nowadays, you need to implement different types of anti-malware on both your network and endpoints. We recommend you use more modern anti-malware solutions that leverage behavioral analysis and machine learning to detect new malware variants that signatures might miss. You should also implement some sort of endpoint detection and response solution that roots out malware that does make it onto one of your endpoints.
“This edition of the Internet Security Report exposes the gritty details of the methods hackers use to sneak malware or phishing emails onto networks by hiding them on legitimate content-hosting domains,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies. “Luckily there are several ways to defend against this, including DNS-level filtering to block connections to known malicious websites, advanced anti-malware services, multi-factor authentication to prevent attacks leveraging compromised credentials, and training to help employees recognize phishing emails. No one defense will prevent every attack, so the best way for organizations to protect themselves is with a unified security platform that offers multiple layered security services.”