Threat diversification and sophistication have pushed the limits of IT security professionals defending organizations of all sizes, across all verticals. The cybersecurity skills shortage has reached an all-time high, with 53 percent of organizations agreeing they have suffered from this gap.
In the wake of the skills drought, 91 percent of security professionals believe most organizations are vulnerable to a significant cyber-attack, and 94 percent believe cybercriminals have the upper hand on cybersecurity professionals. These concerns keep 49 percent of IT security professionals awake at night, especially since IT and security teams suffer from breach burnout, alert fatigue, inadequate security tools and a lack of visibility across the infrastructure.
While some of the biggest threats to organizations include brute force, password stealers, unpatched vulnerabilities and other network-based attacks on endpoints, email is also a major concern for IT and security teams. Finance, C-level executives, marketing and HR are the main targets of spear-phishing emails, and senior management is the group that breaks security rules most often (57 percent).
Threats Organizations Face
Some of the biggest threats and attacks aimed at organizations – regardless of size and industry vertical – involve internet-exposed services such as RDP, SSH, SMB and HTTP. Brute force attacks on RDP services account for over 65 percent of all network-based attacks, according to Bitdefender telemetry. Cybercriminals routinely scan internet-facing hosts for listening RDP services that let anyone outside the organization log in remotely. Once inside the targeted machine, they try to disable the security solution and manually deploy threats such as ransomware, or lateral movement tools designed to infiltrate and compromise additional machines within the infrastructure.
If not properly configured and secured, RDP acts as a gateway into the organization, giving threat actors access to sensitive internal resources. Brute forcing passwords is one way in: attackers guess credentials by trial and error against a single account, or spray distributed login requests across many accounts and servers looking for one valid username and password pair. Cybercriminals also exploit unpatched vulnerabilities in the RDP service itself to achieve remote code execution and seize control of those gateways. For instance, BlueKeep (CVE-2019-0708), a recent wormable, pre-authentication flaw in Microsoft's Remote Desktop Services that allows attackers to take remote control of vulnerable systems, is one of the most recent such attack vectors used by threat actors to compromise organizations. Enabling Network Level Authentication (NLA) forces a client to authenticate before the vulnerable code path is reachable, which blunts BlueKeep, but a password obtained by brute force gets an attacker past NLA as well, so patching and credential hygiene have to go together.
These types of attacks are industry-agnostic – the organization merely needs to have a publicly exposed server. If successful, attackers can move laterally across the infrastructure and compromise other servers or endpoints to establish persistence, access and exfiltrate highly confidential data, or even deploy destructive payloads meant to cripple the organization or cover their tracks.
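The RDP brute force pattern described above is easy to spot in authentication logs once failures are counted per source over a time window, and the signal that matters most is a successful logon that follows a burst of failures from the same source. The following is an added example, not code from the original page or from Bitdefender; it runs over a constructed sample of Windows Security events (event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and the threshold and window values are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
# Tuple layout: (timestamp, event_id, logon_type, source_ip, target_user)
SAMPLE_EVENTS = [
    ("2019-06-01T10:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-06-01T10:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2019-06-01T10:00:06", 4625, 10, "203.0.113.7", "backup"),
    ("2019-06-01T10:00:09", 4625, 10, "203.0.113.7", "scanner"),
    ("2019-06-01T10:00:12", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2019-06-01T10:00:15", 4625, 10, "203.0.113.7", "jsmith"),
    ("2019-06-01T10:00:40", 4624, 10, "203.0.113.7", "jsmith"),   # success after the burst
    ("2019-06-01T10:05:00", 4625, 10, "198.51.100.9", "mjones"),  # one typo, then success
    ("2019-06-01T10:05:20", 4624, 10, "198.51.100.9", "mjones"),
    ("2019-06-01T10:06:00", 4625, 3, "203.0.113.7", "guest"),     # network logon, not RDP
]

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Assumed tuning values: five failures within one minute is treated as a brute force burst.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=1)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as tuples.

    ("rdp_bruteforce", source_ip, failure_count)        once per source when the
        number of RDP logon failures inside the sliding window reaches the threshold
    ("rdp_bruteforce_success", source_ip, user)         when an RDP logon succeeds
        while that many failures from the same source are still inside the window
    """
    recent_failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    already_flagged = set()
    alerts = []

    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        now = datetime.fromisoformat(ts)
        window_failures = recent_failures[src_ip]

        # Drop failures that have aged out of the sliding window.
        while window_failures and now - window_failures[0] > window:
            window_failures.popleft()

        if event_id == FAILED_LOGON:
            window_failures.append(now)
            if len(window_failures) >= threshold and src_ip not in already_flagged:
                already_flagged.add(src_ip)
                alerts.append(("rdp_bruteforce", src_ip, len(window_failures)))
        elif event_id == SUCCESS_LOGON and len(window_failures) >= threshold:
            # The guessing paid off: this is the event worth paging someone for.
            alerts.append(("rdp_bruteforce_success", src_ip, user))

    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single failed logon from 198.51.100.9 never reaches the threshold, so a user mistyping a password does not trip the detector, while the burst from 203.0.113.7 raises one burst alert and then a success alert naming the account that was finally guessed. In production the same logic would be fed from the event log or a SIEM rather than an inline list, and the burst alert is also the point at which a perimeter control should start dropping the source.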
Threat actors also favor attacks on web servers via SQL or command injection, since either could yield remote code execution on the machine, which can then serve as a gateway or lateral movement pivot into the organization.
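The root cause of SQL injection is attacker-controlled text being spliced into the query grammar, and the fix is to keep data out of the grammar with parameterized queries. The following is an added example, not code from the original page; it builds a throwaway in-memory SQLite table of constructed users and runs the same classic tautology payload against a vulnerable lookup and a parameterized one. The table, the users and the function names are all assumptions for illustration.

```python
import sqlite3

# Classic tautology payload: closes the string literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Constructed sample data in an in-memory database (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_unsafe(conn, name):
    # VULNERABLE: string formatting lets the caller's text change the query structure.
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    # HARDENED: the driver binds `name` as a value, so quotes inside it stay inside the value.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", lookup_user_unsafe(conn, PAYLOAD))   # every row leaks
    print("safe:  ", lookup_user_safe(conn, PAYLOAD))     # no such user, nothing returned
    print("safe:  ", lookup_user_safe(conn, "bob"))       # normal lookup still works
```

With the payload, the unsafe query becomes `SELECT name, role FROM users WHERE name = '' OR '1'='1'` and returns the whole table; the safe version looks for a user literally named `' OR '1'='1` and finds none. Whether a given injection escalates to code execution depends on the database and its privileges, but the same grammar-versus-data distinction is what separates a vulnerable command invocation (`shell=True` with concatenated input) from a safe one (an argument list).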
SMB exploits have also become a common attack tactic for threat actors, as SMB servers typically sit inside Windows domain-based networks, where every employee copies documents from their network shares. Consequently, compromising these SMB servers, through exploits such as EternalBlue followed by a kernel implant such as DoublePulsar, lets attackers use them as entry points to breach the organization, move laterally, search for other high-value hosts and even schedule tasks remotely on any computer in the network that has an exposed share.
Active Directory compromise is also a priority for cybercriminals. Recent investigations have even revealed that threat actors can compromise an organization's Active Directory in less than two hours. Using a tainted email attachment opened by a financial institution's employee, a cybercriminal gang compromised select machines in the infrastructure, then moved stealthily within it while deploying persistence and lateral movement tools. When cybercriminal gangs focus on targeting particular verticals, they have an intimate understanding of how those infrastructures work, where critical assets may reside and what cybersecurity defenses the company might have in place.
Most attacks are carried out with free, open-source tools, meaning there is a low barrier to entry for cybercriminals. However, threat actors seeking to carry out highly targeted attacks need advanced networking knowledge and custom tools to mount an APT (Advanced Persistent Threat) campaign.
Organizations need to focus on deploying network attack defense technologies designed to identify and categorize network behaviors that may indicate lateral movement, malware infections, web-service attacks, malicious traffic caused by botnets or Tor/Onion connections, and even privacy breaches caused by leaks of passwords or sensitive data.
Avoid Breaches With Network Attack Defense
Behavioral technologies, multiple events correlation and network analytics are increasing the chances for organizations to avoid breaches and data theft. Solutions that provide incident response narratives with prescriptive recommendations for addressing threats are the future of IT security, and help address the acute security skills shortage that plagues the industry.
Automated, real-time network traffic inspection and prevention technologies that do not bog down network traffic can scan the data in streaming mode, blocking threats at the first sign of a malformed data packet. This means the malicious traffic never reaches the local application or machine, stopping the attack before any payload lands.
Using an event correlation engine fed by proprietary and third-party IoC (Indicators of Compromise) feeds, network attack defense technology can identify and categorize suspicious network behavior. Combining this with machine-learning algorithms tuned to specific attack vectors – such as protocol- or device-specific anomaly detection – while learning the normal behavior of network traffic helps organizations defend against threats at the network level.
Moreover, integrating this network-based threat intelligence with EDR (Endpoint Detection and Response) capabilities helps organizations protect the network as a whole, giving them visibility across the entire technology stack, from the network to the operating system. More importantly, a network defense technology that integrates with EDR can spot complex, multi-stage events and map its detections to lateral movement techniques in the MITRE ATT&CK framework. This lets organizations paint a complete picture of their overall cybersecurity posture across the entire infrastructure.
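The correlation idea in the preceding paragraphs (IoC feed matches, a learned baseline and lateral movement behavior combined per host rather than alerted on separately) can be shown in miniature. The following is an added example, not code from the original page or from any vendor product; it runs three simple detectors over constructed flow records and a constructed IoC feed, then raises an incident only for hosts that trip more than one detector. The internal address range, the thresholds and the use of median/MAD as the "learned baseline" are assumptions for illustration, and the ML anomaly detection the text describes would replace the MAD rule in a real engine.

```python
from collections import defaultdict
import statistics

# Constructed IoC feed (not a real feed): destination IP -> label.
IOC_FEED = {"198.51.100.23": "botnet-c2"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out). 10.0.0.0/8 is assumed internal.
FLOWS = [
    ("10.0.1.5", "10.0.1.20", 445, 1200),
    ("10.0.1.5", "10.0.1.21", 445, 1100),
    ("10.0.1.5", "10.0.1.22", 445, 1300),
    ("10.0.1.5", "10.0.1.23", 3389, 900),
    ("10.0.1.5", "10.0.1.24", 445, 1000),
    ("10.0.1.5", "198.51.100.23", 443, 52_000_000),   # large upload to a feed-listed IP
    ("10.0.1.7", "203.0.113.50", 443, 180_000),
    ("10.0.1.8", "203.0.113.50", 443, 210_000),
    ("10.0.1.9", "10.0.1.20", 445, 4_000),            # one file-share access: normal
    ("10.0.1.9", "203.0.113.50", 80, 150_000),
    ("10.0.1.10", "203.0.113.50", 443, 160_000),
]

LATERAL_PORTS = (445, 3389)


def is_internal(ip):
    return ip.startswith("10.")


def ioc_hits(flows, feed):
    """Signature-style detector: any flow to a destination present in the IoC feed."""
    hits = defaultdict(set)
    for src, dst, _, _ in flows:
        if dst in feed:
            hits[src].add("ioc:%s:%s" % (feed[dst], dst))
    return hits


def lateral_fanout(flows, ports=LATERAL_PORTS, min_hosts=4):
    """Behavior detector: one internal host reaching many internal hosts on SMB/RDP ports."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst) and port in ports:
            targets[src].add(dst)
    return {src: "lateral_fanout:%d_hosts" % len(t) for src, t in targets.items() if len(t) >= min_hosts}


def egress_outliers(flows, k=5.0):
    """Baseline detector: egress volume far above the population median (median/MAD, robust to outliers)."""
    egress = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            egress[src] += nbytes
    values = list(egress.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0
    return {src: "egress_outlier:%dB" % v for src, v in egress.items() if (v - median) / mad > k}


def correlate(flows, feed, min_signals=2):
    """Raise an incident for a host only when independent detectors agree on it."""
    signals = defaultdict(set)
    for src, found in ioc_hits(flows, feed).items():
        signals[src] |= found
    for src, found in lateral_fanout(flows).items():
        signals[src].add(found)
    for src, found in egress_outliers(flows).items():
        signals[src].add(found)
    return {src: sorted(s) for src, s in signals.items() if len(s) >= min_signals}


if __name__ == "__main__":
    for host, evidence in correlate(FLOWS, IOC_FEED).items():
        print(host, evidence)
```

Host 10.0.1.5 is flagged by all three detectors (a feed hit, fan-out to five internal hosts on 445/3389, and egress hundreds of MAD above the median), while 10.0.1.9's single share access and ordinary browsing trip nothing. Requiring agreement between a signature signal and a behavioral one is what keeps the alert volume down for the analysts the first section describes as suffering from alert fatigue.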
Network attack defense technologies can detect and block new types of threats earlier in the attack chain, while correlating multiple attack vectors using both signatures and behavior-based machine learning. Adding network attack defense capabilities to your arsenal can improve your overall security posture by keeping you one step ahead of the volume of threats and attack vectors.