It’s that time again! Our Quarterly Threat Report: Q4 and 2018 Wrap-Up was just released, unveiling the biggest trends that happened the last quarter of 2018 and throughout the year. As we spring ahead into a new season, it’s important to know where we came from so we can be better prepared for what’s ahead.
In this post, we’ll review three major findings based on data from Project Sonar, our Project Heisenberg honeypot network, and our Managed Detection and Response (MDR) customer base, which leverages our security experts and cloud SIEM, InsightIDR, to unify security data and identify compromises in real-time.
1. An uptick in PowerShell use across all industries
In order to evade traditional signature-based endpoint detection, attackers are turning to built-in administration services like Windows PowerShell. With many forms of malware invoking PowerShell commands as part of the attack, it’s more important than ever to have visibility into the scripts running across your endpoints. For most security teams, it’s quite challenging to centralize and investigate this type of activity. Perhaps that’s why PowerShell use was also among the top findings in our Q3 2018 Threat Report. When PowerShell activity is flagged, an investigator needs to:
- Understand what the PowerShell commands are doing
- Uncover the processes running around the same timeframe to see whether it’s a coordinated attack or just a standard operation
- Detect connections to/from the host
- Detect connections to/from the user
From there, you can understand what’s actually happening to determine whether it’s legitimate. InsightIDR adds detection and investigation value to organizations by applying user behavior analytics (UBA) and attacker behavior analytics (ABA) to your security data. In fact, InsightIDR has over 100 rules for PowerShell alone to help you find stealthy malware and compromised assets.
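As an added example (not from the report and not InsightIDR code), the following PowerShell turns on script block and module logging and then pulls recent script blocks together with the processes started in the same window, mirroring the first two investigation steps above. The registry paths and event IDs are documented Windows values; the 24-hour look-back, the two-minute correlation window and the indicator list are assumptions chosen here, and the Security 4688 lookup only returns data where process creation auditing is enabled.

```powershell
# Requires an elevated session. Enabling logging is a policy change: test on a lab host first.

# 1. Script Block Logging -> Event ID 4104 in the PowerShell Operational log.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Module Logging for all modules -> Event ID 4103 (pipeline/cmdlet detail).
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Collect the last 24 hours of script blocks (assumed window) and apply a few
#    defender-side indicators that are common in obfuscated or download-and-run one-liners.
$since    = (Get-Date).AddHours(-24)
$patterns = 'EncodedCommand', 'FromBase64String', 'DownloadString', 'Invoke-Expression', 'Net.WebClient'
$blocks   = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($evt in $blocks) {
    $text = $evt.Properties[2].Value   # ScriptBlockText is index 2 in the 4104 event data
    $hits = $patterns | Where-Object { $text -match [regex]::Escape($_) }
    if (-not $hits) { continue }

    # 4. Process-creation events (Security 4688) within +/- 2 minutes of the script block,
    #    so the analyst sees what else ran around the same time on this host.
    $procs = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688
        StartTime = $evt.TimeCreated.AddMinutes(-2); EndTime = $evt.TimeCreated.AddMinutes(2)
    } -ErrorAction SilentlyContinue | ForEach-Object { $_.Properties[5].Value }   # NewProcessName

    [pscustomobject]@{
        Time       = $evt.TimeCreated
        Host       = $evt.MachineName
        Indicators = ($hits -join ',')
        Script     = $text.Substring(0, [Math]::Min(120, $text.Length))
        NearbyProc = (($procs | Select-Object -Unique) -join '; ')
    }
}
```

Forwarding the 4103/4104 events to a central collector or SIEM is what makes this investigable at scale rather than host by host.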
2. Malicious behaviors at the asset level
Q4 2018 was the first time we’ve seen malicious behaviors at the asset level take the lead for threats among larger organizations. The most prevalent threat events this past quarter included triggers from InsightIDR’s ABA alerts, malicious hashes on assets, and authentications by a single account from multiple countries.
Asset-level behaviors often take place through a combination of threat techniques, the main one being phishing. As detailed in our Q3 Threat Report, phishing attacks are on the rise, making credentials easier than ever to obtain. To harvest them, attackers send an email that directs users to a spoofed login page for a web service, such as Dropbox, DocuSign, or Microsoft, so they can steal credentials and then impersonate a company employee. These suspicious authentications were the top attack vector in Q4.
If attackers have control over an asset via malware, their typical next steps are to lift any available credentials off the machine and laterally move elsewhere on the network.
Quarter after quarter, phishing has been the No. 1 attack vector because it’s cheap, easy, and effective. Once the user is phished and credentials are exposed, an attacker has multiple options to gain further network access. This is why it’s so important to have visibility into your endpoints and any authentication activity across your network.
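As an added example (not from the report and not an InsightIDR rule), the following PowerShell implements the multi-country authentication check described above: for each account, consecutive logins from different countries inside a short window are reported. The authentication records are constructed sample data (two accounts, one with a pair inside the window and one outside it); the one-hour window is an assumption, and in practice the records would come from the SIEM or from Security log 4624 events enriched with GeoIP.

```powershell
$window = New-TimeSpan -Hours 1   # assumption: flag country changes within one hour

# Constructed sample authentication records (documentation/test addresses only).
$auths = @(
    [pscustomobject]@{ User='alice'; Country='US'; Source='203.0.113.10'; Time=[datetime]'2018-12-03 09:00' }
    [pscustomobject]@{ User='alice'; Country='US'; Source='203.0.113.10'; Time=[datetime]'2018-12-03 09:40' }
    [pscustomobject]@{ User='alice'; Country='BR'; Source='198.51.100.7'; Time=[datetime]'2018-12-03 09:55' }
    [pscustomobject]@{ User='bob';   Country='US'; Source='203.0.113.22'; Time=[datetime]'2018-12-03 08:10' }
    [pscustomobject]@{ User='bob';   Country='DE'; Source='198.51.100.9'; Time=[datetime]'2018-12-03 16:30' }
)

function Find-MultiCountryAuth {
    param([object[]]$Records, [timespan]$Window)
    # Group by account, order each account's logins by time, and compare neighbours.
    foreach ($group in ($Records | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $prev = $sorted[$i - 1]
            $cur  = $sorted[$i]
            $gap  = $cur.Time - $prev.Time
            if ($cur.Country -ne $prev.Country -and $gap -le $Window) {
                [pscustomobject]@{
                    User       = $group.Name
                    From       = "$($prev.Country) ($($prev.Source)) at $($prev.Time.ToString('HH:mm'))"
                    To         = "$($cur.Country) ($($cur.Source)) at $($cur.Time.ToString('HH:mm'))"
                    GapMinutes = [int]$gap.TotalMinutes
                }
            }
        }
    }
}

Find-MultiCountryAuth -Records $auths -Window $window | Format-Table -AutoSize
```

A hit is a starting point for the investigation steps listed under the PowerShell section, not a verdict: VPN egress points and mobile roaming produce the same pattern and should be allow-listed per environment.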
3. DDoS attacks: A distraction and a clue
No cybersecurity trend report from 2018 would be complete without mentioning the persistence of distributed denial-of-service (DDoS) attacks. DDoS is both a useful distraction tool and remains profitable in the stresser/booter black market industry. While a DDoS attack will be hard to miss, it may disguise the presence of other techniques that fly under the radar, such as PowerShell usage or credential-based attacks.
This is where the connection between these three key themes comes full circle—you need to be looking for all three, as each can give a clue about another.
Carrying into 2019, there were six main takeaways from the Q4 Threat Report that organizations can leverage to strengthen their posture and stay ahead of the curve this year:
- Focus first on threats in your industry. It’s easy to look at threats from other industries, but often the ones that will affect you the most already exist in your industry, so start there.
- Don’t discount new threats. Just because a threat is new doesn’t mean you shouldn’t be watching for it yet. While it could take months or years for it to reach your company or industry, once you have a hold on the most important and prevalent threats to you, keep an eye out and put up defenses for new and emerging threats, too.
- Old threats are still relevant. Old threats and attack vectors are often the easiest for attackers to go back to. Even if they’re not in the news right now, be sure to be on the lookout for them.
- Two-factor authentication will only take you so far. 2FA is not the be-all and end-all. You still need ABA rules to catch things like phishing and PowerShell usage, since those can execute regardless of credential access. 2FA will always be a core element of any security strategy, but it can’t protect everything.
- Train your employees, but verify. Security awareness training programs are fantastic and crucial to have, but user error is often unavoidable. That’s why you need to have detections on the endpoint to pick up on spoofs and phishing to protect your users and your assets.
- Add out-of-the-box detections to your SIEM. As attacks evolve, so must your detections. It’s important to regularly tune your SIEM and implement detection methodologies on top of your static SIEM rules, such as adding InsightIDR’s UBA and ABA detections, to find malicious activity accurately and earlier in the attack chain.
The interconnectedness of advanced attacks poses both a challenge and an opportunity for security professionals. With the right detections, rules, and alerts in place alongside human investigation, you can better identify attacks and keep your company safe.