More attackers trying to sabotage incident response tactics

The security industry needs to become more clandestine in its approach to incident response, making it harder for attackers to know that they are being tracked.

At least that’s what researchers concluded in the fifth installment of VMware Carbon Black’s semi-annual Global Incident Response Threat Report, which also focused heavily on the impact of COVID-19 on security operations.

The study found that 33 percent of respondents encountered instances of attempted counter incident response (counter IR) – a 10 percent increase from its previous report, said Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black. Some 50 percent of the attacks were deletion of logs, while another 44 percent were diversions, including timestamp manipulations, subnet changes and authentication manipulations.

“Once the attackers delete logs and run the diversions, they drop ransomware, often NotPetya-style ransomware,” Kellermann said. “We’ve found that these counter IR attacks are very aggressive and often quite destructive.”

Kellermann said the attackers are doing a lot of “island hopping,” in which attackers look to leverage a company’s ongoing digital transformation activities to launch attacks on the company’s constituents and supply chain.

“We found that in 40 percent of the cases when island hopping occurs there will be a destructive attack,” Kellermann added.

Oliver Tavakoli, CTO at Vectra, pointed out that the bad actors often wipe out traces of the attack in advance of any IR. He said the techniques that Kellermann identified, such as suppression of logs and the destruction of systems, have been a part of advanced attacks for quite a while.

“Sometimes attackers also use these techniques on broader and less sophisticated attacks to slow the pace of development of automated countermeasures and increase the active shelf-life of an attack,” Tavakoli said. “Other techniques involve actively evading already active IR, such as reacting to the fact that the security team is reaching into systems to collect information by moving the attack focus somewhere else.”

Tavakoli views Kellermann’s concern about attackers aggressively responding to active IR as less pervasive. However, he said that while safeguarding the information necessary to analyze threats should be a top priority for security teams, attackers should not get tipped off that they are being tracked by IR if copies of that information are protected in a relatively secure vault.

COVID-19 Findings

The VMware Carbon Black study also had many other findings related to the COVID-19 pandemic that are of interest to security pros.

Overall, 53 percent of respondents encountered or observed an increase in cyberattacks exploiting COVID-19. Tops on the list of concerns were remote access inefficiencies (52 percent); VPN vulnerabilities (45 percent); and staff shortages (36 percent).

The study also found that more than half the attacks (51 percent) were on the financial sector. This correlates with the finding in the report that 59 percent of those surveyed said financial gain was by far the leading motivation for the attacks.

Another point of interest, though not especially new to security teams fighting off nation-state attacks, was the finding that 51 percent of respondents saw attacks from China increase. The other two aggressive nation-state actors were North Korea at 40 percent and Russia at 38 percent.

“The Chinese have exhibited a dramatic evolution in operational security and attack sophistication,” Kellermann said. “It can now be argued that their cyber capabilities rival those of Russia.”
