
Changing cyber threat attack surface demands solid security posture

By Christopher Tredger, Portals editor
Johannesburg, 31 Mar 2023
Andre den Hond, Senior Systems Engineer, Arctic Wolf South Africa.

Cyber security market research shows that while businesses made progress with efforts to protect themselves in 2022, the current cyber threat landscape is evolving at a rate that demands a change in approach and stronger security posture.

This is according to a webinar organised to discuss cyber security hindsight and 2023 highlights by cyber security company Arctic Wolf, in partnership with ITWeb.

This research is based on data sourced from the company’s security services, customers using its security operations cloud solution, its incident response organisation as well as threat intelligence from data scientists within Arctic Wolf Labs.

Arctic Wolf South Africa’s senior systems engineer Andre den Hond, together with Jason Oehley, regional sales manager, explained key findings of the report, including lessons learnt from 2022 and trends that will shape 2023 and market response.

Webinar moderator James Francis said in 2022, thanks to improved security, there was a reduction in the number of classic ransomware attacks, those based on the threat to encrypt and steal data for money. He noted, however, that the research also shows a 20% increase in data theft extortion campaigns based on multi-step encryption attacks – a new form of ransomware.

Threat actors are changing their tactics and businesses must adapt.

Francis said conventional ransomware, which remains the most serious threat to businesses, takes advantage of errors in the security estate. These errors are “piling up” and criminals are looking to exploit vulnerabilities within more intricate areas of the business, or in blind spots that are often overlooked.

Having affirmed that external exposure accounted for 72% of Root Point of Compromise (RPOC) in 2022, Den Hond said more than 25 200 known vulnerabilities were published during the year, according to the National Vulnerability Database maintained by the US National Institute of Standards and Technology (NIST).

“Four out of the five of these specific vulnerabilities were actually published in 2021 already… this shows you that threat actors have a preference in terms of the vulnerabilities they choose to exploit. The reason they go after these known vulnerabilities is because they are very well researched and public exploits are validated, so it takes the guesswork out of exploitation.”

Last year, the average ransomware demand across industries in North America was US$500 000… in South Africa, the demand made of a local institution is similar.

Ransomware demands vary across industries and are based on victims’ size, revenue generated and the importance of their data. “And, in some cases, it is also based on the insurance policy maximum. These ransomware groups are getting very clever and they sift out cyber insurance policies to better inform their ransom demand. In most cases, they are claiming the maximum cyber insurance payout that the organisation, their victim, has been insured for.”

Ransomware as a service

Den Hond said in 2022 there was a significant increase in ransomware as a service, whereby ransomware operators on-sell their tools, infrastructure, encryption technology and back-end services to less proficient cyber criminals who then target organisations.

“It essentially hides the threat actor from the actual victim and the profits from these ransomware attacks are actually shared between the actual ransomware operator, which is providing the ransomware as a service, as well as their affiliates – the less technically proficient cyber criminals.”

Research also showed clear links between ransomware groups, which has given rise to re-extortion.

In its research, Arctic Wolf performed blockchain analysis to understand how payments take place.

Den Hond added: “This is how ransomware payments typically take place, through crypto-currency. So by analysing the connections in the blockchain, we are able to establish connections between the ransomware groups. What typically happens is something that is referred to as re-extortion.”

In the event of an attack where the organisation decides to pay the ransom, the ransomware organisation provides a decryption key, for example, but typically leaves a back-door in place. This is handed over to another ransomware group it is affiliated with and then re-extortion of the same customer takes place after the initial attack.

“We are also seeing a significant increase in on-premises software targeted by ransomware groups, because, typically, on-premises software is not updated as often as it should be.”

Den Hond noted a significant increase in successful business e-mail compromise (BEC) attacks in 2022 compared with 2021.

“These BEC attacks are difficult to detect because they seldom use malware or malicious URLs, which can be detected by standardised defences, so it’s one of the reasons for the increase in attacks.”

Finance, insurance and business service industries are among the most targeted with BEC attacks.

According to Den Hond, this is because these industries use e-mail as a tool when it comes to payment and finance.

2023 challenges

Oehley said the research highlighted four key areas of concern: cloud security, ransomware, acknowledging vulnerabilities and staffing concerns.

There is a general increase in the adoption of cloud technology globally. This is also true in South Africa and more companies are beginning to review their cloud security capability and strategy.

Based on what companies have at present in their technology infrastructure, 58% of respondents are looking to either add security or upgrade what they currently have.

Added to a list of challenges with cyber security technology and adoption are end-point security, a skills shortage and end-user awareness.

These factors, together with ransomware and increased external exposure, mean companies have to strengthen their security posture.

Arctic Wolf research also predicted geopolitical instability and economic stress will drive an increase in cyber crime; initial access techniques will evolve, allowing for more exploitation; ransomware and extortionware as a service will advance; high-impact software vulnerabilities will continue to be exploited; and cloud-based security controls will increase.

Research also highlighted the biggest obstacles companies face in achieving cyber security objectives as lack of expertise (50%), lack of budget (40%) and lack of visibility into emerging threats (40%).

To achieve a strengthened security posture, Arctic Wolf recommended that companies understand their overall attack surface (create a full inventory of assets), monitor critical log sources (impose visibility and gain insights), implement multi-factor authentication (implement counter-measures against MFA fatigue), employ a zero trust security strategy (focus on the user, not the perimeter, limit all access until verified) and understand the shared responsibility model in cloud (the cloud provider is responsible for the security of the cloud, the customer is responsible for security in the cloud).
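
Two of the recommendations above, monitoring critical log sources and countering MFA fatigue, can be combined into a single detection. The script below is an added example written for this article; it is not Arctic Wolf code and does not reflect any particular product. It assumes a constructed log format (one JSON object per line with `ts`, `user`, `event` and `src_ip` fields, where `event` is one of `push_sent`, `push_denied`, `push_timeout` or `push_approved`) and assumed thresholds (five pushes within ten minutes), and it runs over a constructed sample log embedded inline.

```python
"""Flag MFA push "fatigue" storms in authentication logs.

Added example, not Arctic Wolf code. The input format is an assumption:
one JSON object per line with "ts" (ISO-8601 UTC), "user", "event"
(push_sent, push_denied, push_timeout or push_approved) and "src_ip".
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Alice is bombarded with pushes
# she keeps denying until she finally approves one; Bob is a normal login;
# Carol's pushes are spread too far apart to count as a storm.
SAMPLE_LOG = """\
{"ts": "2023-03-31T08:00:01Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:00:05Z", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:00:20Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:00:24Z", "user": "alice", "event": "push_timeout", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:00:40Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:00:44Z", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:01:00Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:01:05Z", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:01:20Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:01:25Z", "user": "alice", "event": "push_timeout", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:01:40Z", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:01:48Z", "user": "alice", "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2023-03-31T08:10:00Z", "user": "bob", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-03-31T08:10:06Z", "user": "bob", "event": "push_approved", "src_ip": "203.0.113.5"}
{"ts": "2023-03-31T09:00:00Z", "user": "carol", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-03-31T09:15:00Z", "user": "carol", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-03-31T09:30:00Z", "user": "carol", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-03-31T09:45:00Z", "user": "carol", "event": "push_sent", "src_ip": "203.0.113.9"}
{"ts": "2023-03-31T10:00:00Z", "user": "carol", "event": "push_sent", "src_ip": "203.0.113.9"}
"""


def parse_line(line):
    """Parse one JSON log line; the timestamp becomes an aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_mfa_fatigue(lines, window_minutes=10, threshold=5):
    """Return one alert per user whose push count within a sliding window
    reaches `threshold` (assumed values). An approval arriving while the
    storm is still open marks the alert critical, because a worn-down user
    finally tapping "approve" is exactly the outcome MFA fatigue aims for."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent
    open_storms = {}             # user -> alert dict still being updated
    alerts = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        # A storm that has been quiet for longer than the window is closed.
        storm = open_storms.get(user)
        if storm and ts - storm["last_ts"] > window:
            del open_storms[user]
            storm = None
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop pushes older than the window
                q.popleft()
            if storm:
                storm["pushes"] += 1
                storm["last_ts"] = ts
                storm["src_ips"].add(rec["src_ip"])
            elif len(q) >= threshold:
                storm = {"user": user, "first_ts": q[0], "last_ts": ts,
                         "pushes": len(q), "src_ips": {rec["src_ip"]},
                         "approved_after_storm": False, "severity": "high"}
                open_storms[user] = storm
                alerts.append(storm)
        elif event == "push_approved" and storm:
            storm["approved_after_storm"] = True
            storm["severity"] = "critical"
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{a['severity'].upper()}: {a['user']} received {a['pushes']} pushes "
              f"between {a['first_ts']:%H:%M:%S} and {a['last_ts']:%H:%M:%S}; "
              f"approved after storm: {a['approved_after_storm']}")
```

On the sample log this raises a single critical alert for Alice (six pushes in under two minutes, followed by an approval) and nothing for Bob or Carol. The window and threshold are the tunable part: a ten-minute window with five pushes separates a storm from a user who simply re-tries a login, while a user whose pushes are a quarter of an hour apart never accumulates enough in-window events to trip it. Number-matching or FIDO2 authenticators remove the push-approve decision altogether and are the stronger counter-measure; this detection is the visibility layer the article's "monitor critical log sources" point asks for.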

Arctic Wolf is focused on the role of Open-XDR and the offer of Concierge Delivered Security Operations, which incorporates managed detection and response, managed risk and managed security awareness.