Even as a steady drumbeat of headlines keeps the world's attention focused on cyber crimes such as ransomware and cryptojacking, in the dark corners of the internet, attackers are busy refining their craft.
According to the world's top incident response (IR) professionals, cyber attackers are honing their ability to remain undetected inside the enterprises they've breached, and evolving their attacks to counter defenders' response efforts.
This evolution coincides with mounting geopolitical tensions. Nation-states such as Russia, China, Iran and North Korea are actively operationalising and supporting technologically advanced cyber militias.
Most organisations remain woefully unprepared to combat such attacks. The majority have yet to create and implement proactive incident response plans, continuing instead to lean heavily on outdated legacy antivirus and firewall tools for protection.
In an effort to gauge the current attack landscape and to quantify the latest attack trends seen by leading IR firms, an enterprising vendor has begun releasing a quarterly Incident Response Threat Report.
This report aggregates both qualitative and quantitative input from leading IR partners, who on average participated in one incident response engagement per day over the course of 2017. The report offers actionable intelligence for business and technology leaders, fueled by analysis of the newest threats and expert insights on how to stop them.Key Findings
- The vast majority of cyber attacks originate from two nation-states: 81 percent of IR professionals say the majority of attacks come from Russia; 76 percent say the majority come from China. These foreign actors are seeking more than just financial gain or theft - 35 percent of IR professionals say attackers' end goal is espionage.
- Geopolitical tension is driving an evolution in cyber attacks against all verticals, but 78 percent of IR professionals say the financial industry is attacked most often; 73 percent say healthcare organisations and 43 percent say government.
- Nearly 60 percent of attacks now involve lateral movement, which means attackers aren't just going after one component of an organisation. They're getting in, moving around and seeking more targets as they go. Of note, 100 percent of respondents say they've seen PowerShell used for attempted lateral movement.
- Nearly half (46 percent) of incident response professionals say they've experienced instances of counter-incident response, another concerning sign that attackers have become increasingly sophisticated and are initiating longer-term campaigns - as well as a clear signal that incident response must get stealthier.
- More than a third (36%) of today's attackers now use the victim primarily for island hopping, meaning that not only is a target's data at risk, but so is the data at every point in their supply chain, including that of customers and partners.
If this report reveals anything, it's that business leaders can no longer get by thinking an attack won't happen to them. Attacks that were once reserved for sophisticated campaigns have become an everyday reality.
Attackers are using increasingly sophisticated techniques and can easily evade standard defences, IR partners noted. Perhaps most importantly, the consequences of geopolitical conflict can have a tangible impact on global organisations and our connected way of life.