Jan 1, 2022
What the Rise in Cyber-Recon Means for Your Security Strategy

Expect many more zero-day exploits in 2022, and attacks using them launched at a significantly higher rate, warns Aamir Lakhani, researcher at FortiGuard Labs.
As we move into 2022, bad actors are ramping up their reconnaissance efforts to ensure more successful and more impactful cyberattacks. And that means more zero-day exploits are on the horizon.
When a campaign is viewed through an attack chain such as the MITRE ATT&CK framework, its phases are often described as sitting on the left-hand or right-hand side of the chain. On the left are the pre-attack efforts: planning, development and weaponization. On the right is the more familiar execution phase, such as deploying malware to corrupt systems, steal data or hold networks hostage.
We need to start paying more attention to the left-hand side.
As just noted, left-side activities include performing reconnaissance, weaponizing vulnerabilities and gaining initial access. Recognizing and stopping attackers closer to the left side of the MITRE ATT&CK framework can, in many cases, blunt their efforts and give blue-team defenders multiple opportunities to mitigate a campaign before it reaches execution.
Advanced persistent threats (APTs) spend much of their time on the left, because most of their work happens before the attack proper: identifying a vulnerable network, gaining unauthorized access and remaining undetected for an extended period. APTs are typically backed by well-resourced sponsors, most often nation-states directly or state-sponsored groups.
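To make the "left side" concrete, here is an added example of the kind of detection a blue team can run over perimeter logs to catch reconnaissance before execution. It is not code from the article or from FortiGuard Labs. The log format, sample entries, thresholds and the internal address ranges are all constructed assumptions; the ATT&CK technique IDs it reports (T1595 Active Scanning for an external source, T1046 Network Service Discovery for an internal one) are real framework identifiers.

```python
"""Flag reconnaissance-style scanning in firewall logs (added example).

Assumed (constructed) log format, one event per line:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>
A source that touches >= `threshold` distinct (host, port) targets or
distinct hosts inside one `window` is reported once, mapped to an ATT&CK
technique by whether the source sits inside the assumed internal ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)

# Assumption for this example: RFC 1918 space is "inside" the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample: an external port sweep, a normal client, a junk line,
# and an internal host sweep on SMB (445). Addresses are documentation ranges.
SAMPLE_LOG = """\
2022-01-01T10:00:01 203.0.113.7 -> 192.0.2.10:22 DENY
2022-01-01T10:00:01 203.0.113.7 -> 192.0.2.10:23 DENY
2022-01-01T10:00:02 203.0.113.7 -> 192.0.2.10:80 ALLOW
2022-01-01T10:00:02 203.0.113.7 -> 192.0.2.10:443 ALLOW
2022-01-01T10:00:03 203.0.113.7 -> 192.0.2.10:445 DENY
2022-01-01T10:00:03 203.0.113.7 -> 192.0.2.10:3389 DENY
2022-01-01T10:00:04 203.0.113.7 -> 192.0.2.10:8080 DENY
2022-01-01T10:00:04 203.0.113.7 -> 192.0.2.10:8443 DENY
2022-01-01T10:00:05 203.0.113.7 -> 192.0.2.10:5900 DENY
2022-01-01T10:00:05 203.0.113.7 -> 192.0.2.10:1433 DENY
2022-01-01T10:00:06 203.0.113.7 -> 192.0.2.10:3306 DENY
2022-01-01T10:05:00 198.51.100.4 -> 192.0.2.10:443 ALLOW
2022-01-01T10:05:30 198.51.100.4 -> 192.0.2.10:443 ALLOW
2022-01-01T10:07:00 malformed entry that the parser must skip
2022-01-01T11:00:00 10.0.0.5 -> 10.0.0.21:445 ALLOW
2022-01-01T11:00:01 10.0.0.5 -> 10.0.0.22:445 ALLOW
2022-01-01T11:00:02 10.0.0.5 -> 10.0.0.23:445 ALLOW
2022-01-01T11:00:03 10.0.0.5 -> 10.0.0.24:445 ALLOW
2022-01-01T11:00:04 10.0.0.5 -> 10.0.0.25:445 ALLOW
2022-01-01T11:00:05 10.0.0.5 -> 10.0.0.26:445 ALLOW
2022-01-01T11:00:06 10.0.0.5 -> 10.0.0.27:445 ALLOW
2022-01-01T11:00:07 10.0.0.5 -> 10.0.0.28:445 ALLOW
2022-01-01T11:00:08 10.0.0.5 -> 10.0.0.29:445 ALLOW
2022-01-01T11:00:09 10.0.0.5 -> 10.0.0.30:445 ALLOW
"""


def parse_line(line):
    """Return an event dict for a well-formed line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "port": int(m["port"]), "action": m["action"]}


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_recon(log_text, window=timedelta(seconds=60), threshold=10):
    """Return one alert per source whose activity in any window looks like a sweep.

    The window and threshold are illustrative values, not figures from the article;
    tune them against your own baseline to keep false positives down.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["dst"] for e in in_window}
            targets = {(e["dst"], e["port"]) for e in in_window}
            if len(targets) >= threshold or len(hosts) >= threshold:
                alerts.append({
                    "src": src,
                    "first_seen": start["ts"].isoformat(),
                    "distinct_hosts": len(hosts),
                    "distinct_targets": len(targets),
                    "denied": sum(e["action"] == "DENY" for e in in_window),
                    "technique": ("T1046 Network Service Discovery" if is_internal(src)
                                  else "T1595 Active Scanning"),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG):
        print(alert)
```

The point of the `denied` counter is that a scanner's traffic is mostly blocked, so a rule that only inspects ALLOW events (as many SIEM correlation rules do) never sees the left-side signal; the first alert here carries 9 denied connections and 1 distinct host, which is the signature of a port sweep rather than a broken client.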
Expect to see a greater emphasis on "left-hand" activities from financially motivated cybercriminals too, as incident volumes rise and more gangs compete for a slice of the profits. Like state-backed APT groups, they will invest more time and effort in reconnaissance and in discovering zero-day capabilities.
Cybercriminals understand that more time spent in pre-attack reconnaissance means a greater chance of success when they launch their campaigns. In many situations they can reuse the same recon techniques against multiple organizations, so the extra upfront effort both raises their odds and makes their attacks more modular.
Not only will more vulnerabilities be discovered, but the attacks that exploit them will become more readily available to other attackers and incorporated into other attack kits. The growth of malware-as-a-service will naturally converge with the rise in new vulnerabilities.
So, not only will bad actors discover and weaponize more zero-day vulnerabilities, but those exploits will also be launched at a significantly higher rate due to the multiplicative effect of many cybercriminal affiliates simultaneously launching attacks.
Bad actors will be able to launch attacks with greater frequency, and the destructiveness of those attacks will increase as well. FortiGuard Labs researchers already observed an almost 11x increase in ransomware activity in the 12 months between July 2020 and June 2021. Ransomware will remain a centerpiece of the landscape, and the expansion of crimeware will continue.
Ransomware attackers already combine encryption with distributed denial-of-service (DDoS) attacks, hoping to overwhelm IT teams so they cannot take last-second actions to limit the damage. Adding a "ticking time bomb" of wiper malware, which can not only wreck data but also destroy systems and hardware, creates additional urgency for companies to pay quickly. Wiper malware has already made a visible comeback; one example targeted the Olympic Games in Tokyo.
Given the level of convergence seen between financial cyberattack methods and APT tactics, it’s just a matter of time before destructive capabilities like wiper malware are added to ransomware toolkits. This could be a concern for critical infrastructure, supply chains and emerging edge environments.
Enterprises need to recognize that more cybercriminals armed with advanced tooling means a higher likelihood and volume of attacks. Standard tools must be able to scale to handle those volumes, and they need to be enhanced with artificial intelligence (AI) to detect attack patterns and stop threats in real time.
Critical tools should include anti-malware engines with AI-assisted detection, endpoint detection and response (EDR), advanced intrusion prevention system (IPS) detection, sandbox solutions augmented with MITRE ATT&CK mappings and next-gen firewalls (NGFWs). In the best case, these tools are deployed consistently across the distributed network (data center, campus, branch, multi-cloud, home office, endpoint) on an integrated security platform that can detect, share, correlate and respond to threats as a unified whole.
Cybercriminals are opportunistic, and they’re also growing increasingly crafty. We’re now seeing them spend more time on the reconnaissance side of cyberattacks. They’re using left-side attacks to make the right-side attacks more effective. That means more destructive – and therefore more lucrative – ransomware attacks. It also means more frequent attacks, sometimes accompanied by DDoS hits to overwhelm IT security teams. And wiper malware is another nightmare these teams must prepare to contend with.
Organizations today need an intelligent, holistic and scalable security strategy to defeat these advanced attack types. Visibility and communication across the network are crucial because they enable an immediate and coordinated response. This is the level of defense enterprises need today – and we mean today, not at some vague point down the road. Gather and integrate your tools now to ensure your network can withstand the coming storm.
Aamir Lakhani is a cybersecurity researcher and practitioner at FortiGuard Labs.