In Fortinet’s Q1 2019 Threat Landscape Report, threat analysts at FortiGuard Labs chose to dig into data from the company’s web filtering service. Here is what they found.
Weekdays vs. Weekends
When researchers compared web-filtering volume for two Cyber Kill Chain phases between weekdays and weekends, they found that pre-compromise activity is roughly 3 times more likely to occur during the workweek.
This is largely because almost all phishing attacks require someone to click on an email link or perform some other action, whereas post-compromise activity that uses command-and-control (C2) services can occur at any time.
Every insight into how attackers work can be converted into improvements in security practices. In this case, it may make sense to differentiate weekday and weekend filtering practices.
Shared Infrastructure
Another interesting insight is the degree to which different threats share infrastructure (namely, URLs). Nearly half of all analyzed threats shared public infrastructure. For example, IcedID, the ninth-ranked threat by volume, shared nearly two-thirds of the domains it contacted with other threats.
Even more intriguing: when threats share infrastructure, they tend to do so within the same stage of the Kill Chain. For example, while several different threats might share the same domain during, say, the exploitation phase of an attack, it would be unusual for a threat to also use that domain for its C2 traffic.
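The two observations above (weekday-heavy pre-compromise traffic, and domain sharing that stays within one kill-chain stage) can be measured directly from web-filter logs. The following Python is an added illustration, not code from the report or this post; it runs over constructed records in which IcedID is the family named in the report, while "FamilyB", the domains and the timestamps are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed web-filter records (timestamp, threat family, kill-chain phase, domain).
# "FamilyB" and all domains are placeholders; IcedID is the family named in the report.
RECORDS = [
    ("2019-02-04 09:15", "IcedID",  "exploitation", "landing-a.example"),
    ("2019-02-05 10:02", "IcedID",  "exploitation", "landing-b.example"),
    ("2019-02-04 09:50", "FamilyB", "exploitation", "landing-a.example"),
    ("2019-02-09 14:45", "FamilyB", "exploitation", "landing-c.example"),  # Saturday
    ("2019-02-06 11:30", "IcedID",  "c2",           "beacon-a.example"),
    ("2019-02-10 03:20", "IcedID",  "c2",           "beacon-a.example"),   # Sunday
    ("2019-02-07 16:10", "FamilyB", "c2",           "beacon-b.example"),
    ("2019-02-10 22:05", "FamilyB", "c2",           "beacon-b.example"),   # Sunday
    ("2019-02-08 12:00", "FamilyB", "c2",           "landing-b.example"),  # cross-phase reuse
]

def weekday_weekend_ratio(records, phase):
    """Weekday hits divided by weekend hits for one kill-chain phase (None if no weekend hits)."""
    weekday = weekend = 0
    for ts, _, ph, _ in records:
        if ph != phase:
            continue
        if datetime.strptime(ts, "%Y-%m-%d %H:%M").weekday() < 5:   # Mon-Fri
            weekday += 1
        else:
            weekend += 1
    return weekday / weekend if weekend else None

def shared_domain_fraction(records, family):
    """Fraction of a family's contacted domains that some other family also contacted."""
    by_family = defaultdict(set)
    for _, fam, _, dom in records:
        by_family[fam].add(dom)
    mine = by_family[family]
    others = set().union(*(d for f, d in by_family.items() if f != family))
    return len(mine & others) / len(mine) if mine else 0.0

def cross_phase_sharing(records):
    """Domains contacted by more than one family in more than one phase.
    The report says this is unusual, so such domains deserve an analyst's attention."""
    uses = defaultdict(set)   # domain -> {(family, phase)}
    for _, fam, ph, dom in records:
        uses[dom].add((fam, ph))
    return sorted(dom for dom, u in uses.items()
                  if len({f for f, _ in u}) > 1 and len({p for _, p in u}) > 1)
```

On the sample data the exploitation phase shows a 3:1 weekday-to-weekend ratio while C2 is close to even, and IcedID shares two of its three domains with the other family, mirroring the report's figures.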
Security tactics
It’s clear that cybercriminals share more than source code and sell technology on Dark Web marketplaces. They also share methods and techniques. Once that knowledge is known and incorporated into a security strategy, pattern and behavior matching will improve the ability to detect live threats. Attack vectors like those just mentioned underscore the need for organizations to rethink their strategy to better future-proof and manage cyber risks.
This should start with organizations taking a layered approach to security across people, processes, and technology:
People – The overwhelming majority of attacks still happen because someone clicks on a malicious link. Employees should be regularly educated on creating strong passwords, how to identify malicious URLs and email sources, and not to open or click on unknown or unexpected email messages, links, or attachments. This should then be augmented with access management policies, including a zero-trust policy and intent-based segmentation, so that in the event of an incident an attack is confined to a particular segment of the network.
Processes – Incident response plans need to include regular backups that are stored off-network, regular testing of those backups, and system restoration drills to make sure everyone knows their role so that systems can be restored as quickly as possible.
IT teams must always know what assets are online and where those assets are, and then be able to prioritize their access to and consumption of resources based on which are most business-critical.
Technology – Security tools need to be chosen based on their ability to be integrated together and cross-automated so that they can gather, share, correlate, and consume threat intelligence across the entire distributed network in real time.
“Deception technology is another tactic IT groups should make use of. Effective deception strategies make it harder for an adversary to determine which assets are fake and which are real, while tripwires embedded in these false signals increase the power to detect an intruder. Finally, segmenting company networks limits the exposure of critical information if there’s a breach.”
Derek Manky, ThreatPost, June 14, 2019
Adapt Your Security Practices
Last quarter’s threat research from FortiGuard Labs offered important insights into how attackers are evolving and how you can use behavior patterns to identify and circumvent threats. For example, initial attack stages tend to occur during work hours, and those attacks also tend to share infrastructure. In response, IT security teams should be on the lookout for these and similar activity identifiers and adjust their detection and filtering practices accordingly.