Targeted cyberattacks surpass mass attacks for 2019

Cybercriminals are increasingly directing targeted attacks at specific organizations or individuals, says security provider Positive Technologies.


Many cyberattacks are conducted as part of mass campaigns, meaning a huge volume of phishing emails or other malicious content is deployed in a scattershot way. In this approach, cybercriminals typically use generic, boilerplate messages with no particular victim in mind, hoping to trap as many people as possible.

In other cases, targeted attacks are used instead as a way of striking specific organizations and individuals. In this approach, criminals create more personalized messages with a smaller number of victims in mind, but the hope is that this tactic will be more successful and more lucrative.


In 2019, the number of targeted attacks outpaced the number of mass attacks, showing that bad actors are adopting a more focused strategy, according to Positive Technologies. For its Cybersecurity Threatscape 2019 report released Thursday, the security provider found that among all the cyberattacks launched last year, 60% were targeted attacks, while 40% were mass attacks. The number of targeted attacks rose each quarter in 2019, ending up 19% higher than the total for 2018.

[Image: targeted-attacks-positive-technologies.jpg. Credit: Positive Technologies]

The increase in targeted attacks last year was triggered by a few different factors, according to the report.

First, cybercriminals would rather not waste time on mass campaigns that don't promise huge earnings. Looking for a bigger payoff, attackers are increasingly joining forces with each other so they can get past the defenses of large companies.

Second, each year gives rise to new groups of criminals that specialize in Advanced Persistent Threat (APT) attacks. For 2019, Positive Technologies said that its Expert Security Center (PT ESC) tracked APT attacks from 27 different groups, including major ones such as Cobalt, Silence, and APT28, and lesser-known newcomers. Last year, the PT ESC also had its first opportunity to analyze the Calypso APT group, which attacked government agencies in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey.

Targeted attacks are also now higher on the radar of organizations as well as security providers.

"Companies are paying closer attention to cybersecurity and implementing and using special security tools (such as anti-APT solutions) to detect and prevent complex attacks," Alexey Novikov, director of PT ESC, said in a press release. "This makes it easier to detect malicious activity more accurately and significantly reduces dwell time. Because of this, information on individual incidents and particular tactics and tools used by different APT groups becomes public knowledge and can be used as intelligence to bolster countermeasures."

By using targeted attacks against organizations, criminals are mostly looking for personal data. Account credentials made up a large share of the information stolen last year: 22% of what was taken from organizations and 40% of what was taken from individuals. Positive Technologies said it found a number of attacks in 2019 in which credentials stolen from one company's databases were replayed against the login systems of other companies, on the assumption that users reuse the same username and password across services. Known as credential stuffing, this type of attack hit such firms as State Farm, Dunkin' Donuts, and the Japanese online stores UNIQLO and GU.
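Credential stuffing has a recognizable shape in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the few that succeed are the accounts that need a forced reset. The following is an added example (not code from the article or from Positive Technologies) that flags that pattern over constructed sample log lines; the log format, field names, thresholds and IP addresses are all assumptions for illustration.

```python
"""Flag credential-stuffing patterns in web login logs.

Heuristic: a single source IP that tries many *distinct* usernames within a
short window, with a high failure rate, looks like an attacker replaying a
leaked credential list rather than one user mistyping a password.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> ip=<src> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2019-11-04T10:00:01Z ip=198.51.100.7 user=alice result=fail
2019-11-04T10:00:02Z ip=198.51.100.7 user=bob result=fail
2019-11-04T10:00:02Z ip=198.51.100.7 user=carol result=fail
2019-11-04T10:00:03Z ip=198.51.100.7 user=dave result=ok
2019-11-04T10:00:03Z ip=198.51.100.7 user=erin result=fail
2019-11-04T10:00:04Z ip=198.51.100.7 user=frank result=fail
2019-11-04T10:00:05Z ip=198.51.100.7 user=grace result=fail
2019-11-04T10:00:06Z ip=198.51.100.7 user=heidi result=fail
2019-11-04T10:00:10Z ip=203.0.113.9 user=alice result=fail
2019-11-04T10:00:15Z ip=203.0.113.9 user=alice result=fail
2019-11-04T10:00:20Z ip=203.0.113.9 user=alice result=ok
2019-11-04T10:05:00Z ip=192.0.2.20 user=ivan result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text):
    """Parse log text into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "ok"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for source IPs whose sliding window holds at least
    `min_users` distinct usernames with a failure ratio of `min_fail_ratio` or more.
    The summary reports the largest qualifying window and the accounts that
    succeeded inside it (those are the compromised logins to reset first)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "fail_ratio": round(ratio, 2),
                        "succeeded": sorted(u for _, u, ok in win if ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The second source in the sample (three attempts against one account, then success) is a plausible user retry and is deliberately not flagged: the distinguishing signal for stuffing is breadth of usernames from one origin, not raw failure count. In production the same logic would key on the tuple of IP, user agent and ASN, since stuffing tools rotate proxies.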

To protect your organization, users, and customers against cyberattacks, both targeted and mass attacks, Positive Technologies offers a variety of suggestions:

Use proven security solutions

  • Centrally manage software updates and patches. To prioritize update plans correctly, the most pressing security threats must be taken into account.
  • Install antivirus software with a sandbox to dynamically scan files and detect and block threats such as malicious email attachments before employees open them. Ideally, the antivirus platform should combine engines from multiple vendors and be able to detect signs of hidden or obfuscated malware, as well as block malicious activity across diverse data streams: Email, web traffic, network traffic, file storage, and web portals. It should check files both in real time and retrospectively, automatically rescanning previously seen files when signature databases are updated, as a way to catch threats that were unknown when the file first arrived.
  • Use SIEM solutions. Use Security Information and Event Management (SIEM) solutions for timely detection and effective response to information security incidents. This will help identify malicious activity, prevent infrastructure hacking, detect attackers' presence, and foster prompt ways to neutralize threats.
  • Use automated tools for analyzing security and identifying software vulnerabilities.
  • Deploy web application firewalls as a preventive measure.
  • Detect sophisticated targeted attacks in real time and in saved traffic with deep traffic analysis. Using such solutions will allow you to detect previously unnoticed attacks and monitor network attacks in real time, including the use of malware and hacking tools, exploitation of software vulnerabilities, and attacks on the domain controller. Such an approach quickly identifies attacker presence in the infrastructure, minimizes the risk of loss of critical data and disruption to business systems, and decreases the financial damage caused by attackers.
  • Employ specialized anti-DDoS services.

Protect your data

  • Encrypt all sensitive information. Do not store sensitive information where it can be publicly accessed.
  • Perform regular backups and keep them on dedicated servers isolated from the network segments used for day-to-day operations.
  • Minimize the privileges of users and services as much as possible.
  • Use a different username and password for each site or service.
  • Use two-factor authentication where possible, especially for privileged accounts.

Do not allow weak passwords

  • Enforce a password policy with strict length and complexity requirements.
  • Require password changes every 90 days. (Note that current NIST guidance in SP 800-63B advises against forced periodic rotation and recommends changing passwords on evidence of compromise instead; if you do mandate rotation, pair it with screening against known-breached password lists.)
  • Replace all default passwords with stronger ones that meet the strict password policy requirements.

Monitor the security situation

  • Keep software up to date. Do not delay installing patches.
  • Test and educate employees regarding information security.
  • Make sure that insecure resources do not appear on the network perimeter. Regularly take an inventory of internet-accessible resources, check their security, and remediate any vulnerabilities found. Also, monitor the news for any new vulnerabilities: this gives you a head start in identifying affected resources and taking necessary measures.
  • Filter traffic to minimize the number of network service interfaces accessible to an external attacker. Pay special attention to interfaces for remote management of servers and network equipment.
  • Regularly perform penetration testing to identify new vectors for attacking internal infrastructure and evaluate the effectiveness of current measures.
  • Regularly audit the security of web applications, including source-code analysis, to identify and eliminate vulnerabilities that put application systems and clients at risk of attack.
  • Keep an eye on the number of requests per second received by resources. Configure servers and network devices to withstand typical attack scenarios such as TCP/UDP flooding or high numbers of database requests.
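The last item, watching requests per second and holding up under a flood, is easiest to reason about with a per-client sliding-window counter in front of the expensive endpoint (a login form, a search backed by database queries). The following is an added example, not code from the article or from Positive Technologies; the budget of 20 requests per second, the client identifiers and the constructed traffic are assumptions for illustration.

```python
"""Per-client request-rate monitor using a sliding window of timestamps.

One deque per client answers "how many requests in the last `window`
seconds?" in amortised O(1), so the check is cheap enough to sit on the
hot path of a login endpoint or a database-backed search and notice a
flood before it saturates the backend.
"""
from collections import defaultdict, deque


class RateMonitor:
    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests      # budget per window
        self.window = window_seconds          # window length in seconds
        self._hits = defaultdict(deque)       # client -> timestamps within window

    def record(self, client, now):
        """Record one request from `client` at time `now` (seconds).
        Returns True when this request pushes the client over budget."""
        q = self._hits[client]
        q.append(now)
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_requests

    def offenders(self):
        """Clients currently over budget, sorted for stable reporting."""
        return sorted(c for c, q in self._hits.items() if len(q) > self.max_requests)


def replay(monitor, requests):
    """Feed (timestamp, client) pairs in time order; return the set of
    clients that tripped the limit at least once."""
    tripped = set()
    for ts, client in sorted(requests):
        if monitor.record(client, ts):
            tripped.add(client)
    return tripped


# Constructed traffic (not a real capture):
#   198.51.100.7 fires 50 requests inside one second (flood),
#   192.0.2.20 sends one request per second for 30 seconds (normal).
SAMPLE_REQUESTS = (
    [(0.02 * i, "198.51.100.7") for i in range(50)]
    + [(float(i), "192.0.2.20") for i in range(30)]
)


if __name__ == "__main__":
    mon = RateMonitor(max_requests=20, window_seconds=1.0)
    print("tripped:", replay(mon, SAMPLE_REQUESTS))
    print("over budget at end of replay:", mon.offenders())
```

The sliding window avoids the burst-at-the-boundary weakness of fixed-interval counters (where 2N requests can land in one second straddling the reset). What to do on a trip is policy, not mechanism: returning HTTP 429, adding a CAPTCHA, or temporarily routing the client to a cheaper path are all reasonable, and the monitor above only decides when.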

Help clients to stay safe

  • Improve security awareness among clients.
  • Regularly remind clients how to stay safe online from the most common attacks.
  • Urge clients to not enter their credentials on suspicious websites and to not give out such information by email or over the phone.
  • Explain what clients should do if they suspect fraud.
  • Inform clients of security-related events.
