In the digital era we live in, cybersecurity is a crucial priority for every organization. The threat of cyberattacks is always looming, and the techniques attackers use are constantly evolving. Criminal organizations develop new attack strategies faster every day, and the proliferation of regionally based criminal groups calls for countermeasures tailored to the attacks they actually carry out.
In this context, Netskope conducted a revealing investigation that highlights the importance of preparing to defend against the most pervasive techniques. Researchers found that the primary criminal groups are based in Russia and Ukraine, while the main geopolitical threat groups originate from China. Wizard Spider, the group that most often attempted to target users of the Netskope Security Cloud platform, is considered the author of the notorious, ever-evolving TrickBot malware. Other groups characterized by their use of ransomware include TA505, the malicious actor behind the Clop ransomware, and FIN7, a group that used the REvil ransomware and created the Darkside ransomware. The geopolitical threat groups are led by menuPass and Aquatic Panda.
The attack vectors are, as always, linked to specific social engineering techniques:
Combatting Spearphishing with Early Defenses:
Spearphishing represents a sophisticated threat as attackers attempt to deceive specific users or groups within an organization. To effectively counter it, you should:
- User Education: Provide cybersecurity awareness training to help users recognize phishing messages and suspicious links.
- Advanced Anti-Phishing Solutions: Implement phishing detection and prevention tools that analyze incoming messages and detect signs of phishing, regardless of their source.
Carefully Analyze Malicious Links and Files:
Attackers often exploit malicious files to spread malware. To address this threat, organizations should:
- Static and Dynamic Analysis: Use a mix of static analysis (examining the file without running it) and dynamic analysis (controlled execution in a sandbox environment) to identify potential threats.
- Risky File Extension List: Define a list of high-risk file extensions and closely inspect files with these extensions before downloading.
Detect and Prevent Data Exfiltration through C2 Channels:
Command and control (C2) channels allow attackers to maintain control over infected systems. To defend against this threat, it is crucial to:
- Secure Web Gateway (SWG): Implement an SWG to monitor and block traffic to known C2 infrastructures. This can prevent communication with malicious servers.
- Intrusion Prevention System (IPS): Use an IPS to identify common command and control patterns, blocking suspicious attempts to communicate with external resources.
A careful evaluation of the defenses an organization has in place, together with the coordination of technologies that act before, during, and after an attack attempt, forms the basis of an increasingly rigorous routine: a framework whose aim is to limit the organization's exposure.
The full report "Cloud and Threat Report: Top Adversary Tactics and Techniques" is available here.