Know thy enemy: The evolving behaviors of today’s cybercriminals
Organizations in the energy/utilities, government, manufacturing, and healthcare sectors have witnessed an increase in cyberattacks over the past year. In fact, recent research found that nearly 1,000 government agencies and healthcare institutions experienced attacks in 2019. As these industries evolve and become more digitized, attackers have the opportunity to access more data than ever before.
In order to understand cybercriminals’ motives and gameplay, we need to understand their evolving behaviors:
Malware behaviors
A recent example of malware evolution can be seen in software packing and defensive evasion (e.g., hidden window). Software packing is a method of compressing or encrypting a file or program, while defense evasion consists of techniques that attackers use to avoid detection throughout their compromise.
Attackers may implement hidden windows to conceal malicious activity from users’ sight as not to alert them to adversary activity on the system. For example, at first glance, defenders may see what initially appears to be ransomware, but upon further inspection they might discover that the decryption component is removed or ineffective, and that destruction is the malware’s ultimate goal.
Ransomware behaviors
Ransomware continues to be a dangerous cyber threat and has gotten more pervasive. Defenders have observed an increase in the number of ransomware variants as well as new ransomware behaviors witnessed on a recurring basis. Out of the ransomware samples analyzed in 2019, 95% exhibited defense evasion behaviors. Moving forward, we should expect to see continued use of defense evasion methods, especially from nation-state threat actors engaging in extortion.
Wiper attacks
Wipers continue to trend upward as adversaries begin to realize the futility of purely destructive attacks. Burglaries are escalating into home invasions. Wiper attacks include attacks like data destruction and access mining. Access mining is a tactic where an attacker leverages the footprint and distribution of commodity malware and uses it to mask a hidden agenda of selling system access to targeted machines on the dark web.
Data destruction was the top wiper behavior within the last year, and we’ll continue to see this behavior in 2020 and beyond, as evidenced by the recent tensions in the Middle East region. Many of these groups rely heavily on common tactics like spear phishing, brute force attacks and internet-facing systems with unpatched known vulnerabilities.
Protecting against the evolving enemy
Start by asking yourself whether your teams are appropriately staffed? If the answer is yes, then are your teams working collaboratively? Both security and IT teams often feel that being understaffed can greatly impact their ability to perform and adds to the tension between teams.
Executing a consolidated IT management and security strategy will help break down silos and empower both teams to tackle security as a team sport. This strategy will also help IT and security professionals feel optimistic that shared responsibility will become the norm and, eventually, help them become better aligned across many critical areas of the business.
To tackle modern cybercrime we must modernize how we conduct incident response to prevent an escalation to destructive attacks. Assume that the adversary has multiple means of gaining access into the environment. Shutting off one entry point may not actually remove them from your network. In fact, it will very likely have the opposite effect: it will notify the attacker(s) that you’re onto them.
1. Watch and wait. Do not start blocking malware activity and shutting off access. Do not immediately terminate the connection to the command and control server. To understand all avenues of re-entry you must monitor the situation to fully grasp the scope of the intrusion, to effectively develop a means of removing the adversary from the environment.
2. If you must deploy agents, do so in monitor-only mode. If you began blocking or otherwise impeding the cybercriminals’ activities, they will catch on and change tactics, potentially leaving you blind to their additional means of re-entry.
Attackers will continue to evolve their attack behaviors and defenders must shift their thinking but also their people, processes, and technologies to deal with them. If nothing else, we should use these attacks as a reminder that it’s time security becomes intrinsic to how we build, deploy and maintain technology.