As governments and organizations standardize and harmonize their responses to better mitigate the increasing number of cyber-attacks, so do cybercriminals. In Europe, security decision-makers and businesses face similar attack techniques as their global counterparts. While the methodologies employed are identical because they all rely on the same digital technologies exploiting similar vulnerabilities, the motivations vary.
Global threat actors: motivations and playbooks
The threat actors can be distinguished into two major groups according to their motivation:
- Organized criminals act independently of geopolitics, typically have no specific ideology, and target everyone. Their primary aim is financial gain.
- State-sponsored groups pursue objectives dictated by the governments with which they are affiliated, including espionage, Intellectual Property (IP) theft, and fostering instability.
Both groups follow well-known pathways to initial compromise, such as exploiting unpatched vulnerabilities, credential theft, social engineering and phishing attacks, and deploying malware with a preference for ransomware attacks.
European businesses face four distinct regional threats
A Forrester report found that throughout 2022, CISOs in European organizations faced four threats that differed from the global trends.
- The top targets of cyber-attacks are the manufacturing and engineering industries. This finding relates to the fact that Europe has a strong manufacturing sector. IP is valuable to state actors and criminal gangs; hence they become lucrative targets. The relative immaturity of Operational Technology (OT) security makes this situation even more problematic.
- Geography plays a significant role in cybersecurity. Companies with operations located in areas with geopolitical tensions are more likely to be targeted by state actors for various political reasons. Organizations should be mindful of the actors’ motivations and capabilities.
- Adversaries leverage misinformation and use several techniques for exfiltration. Over a quarter (28%) of intrusion attempts on European organizations were successful.
- Ransomware gangs threaten to sell stolen data to interested parties using double-extortion practices. These groups also have “collectives” to foster collaboration. It is no longer a lone actor but rather a business.
State-sponsored vs Organized crime in Europe
State-sponsored attacks are a valid concern for European businesses, but organized crime is booming.
While Europe is not the key target of state-sponsored activities, security leaders must be aware of this problem. Africa, the Middle East and Turkey are most targeted by politically motivated actors, followed by Northern Europe. In Europe, organizations are predominantly plagued by financially driven threat actors located in Russia, Iran, and North Korea.
Organized cybercriminals have skilled up as cybercrime goes mainstream. With the cybercrime economy growing and becoming the third-largest global economy, criminal gangs are forming collectives to exchange knowledge and trade. Organized Crime as a Service is booming, taking several forms:
- Ransomware as a Service: It’s no longer just about encrypting data and locking employees out. Threat actors also leverage double-extortion tactics and threaten to sell the stolen data to interested parties if their victims do not pay the ransom.
- Phishing as a Service: Phishing attacks can be executed by (almost) anyone with an internet connection these days. AI-powered toolkits and methodologies are available for sale on cybercrime marketplaces.
Overall, we witness increased collaboration between cybercriminal gangs, more like Crime as a Business. Like any business, cybercriminals have specialized teams and work together to achieve objectives ranging from petty scams to espionage.
The increasing risks of Operational Technology
Forrester’s data highlights that 16% of European security decision-makers treat securing OT environments as a top tactical priority. At the same time, IBM reports a 2,204% increase in reconnaissance against OT systems.
State-affiliated actors, including Electrum, Magnallium, and Xenotime, increasingly target manufacturing organizations. These actors gain initial access through credential theft, exploitation of cloud vulnerabilities, and malware. However, the positive sign is that security decision-makers at organizations that had experienced disruption or data ransom were more likely to prioritize ICS or OT security.
How can European businesses address cyber risks?
Businesses need help to integrate threat intelligence into their security programs. Threat intelligence feeds that merely list indicators of initial compromise are not comprehensive enough on their own. European organizations must evaluate their threat intelligence program through three lenses: tactical, operational, and strategic. This is essential because, besides recognizing the attackers' tactics, geography and politics are vital factors to consider when building cyber threat intelligence.
Therefore, businesses should base their threat intel program on four critical considerations:
- Focus on how threat actors targeting your organization drive different strategic choices for your security program.
- Partner with a strategic threat intelligence provider and use the intelligence to adjust your security program actions regularly.
- Identify and involve relevant threat intelligence stakeholders to collect and define intelligence requirements.
- Be critical of data sources since state actors use misinformation. Use trusted sources for intel, such as NCSC, ENISA, BSI, and ANSSI.
Focusing on the OT domain, security begins with knowing your environment. Therefore, the first step is to identify all your intellectual property and where it resides and consider how you can protect it with consistent data security policies.
Once you have achieved the desired level of visibility, the next step is to encrypt your critical data and implement a data loss prevention (DLP) strategy. Leveraging specialized DLP software offers multiple benefits for organizations. Finally, you should use data classification capabilities and centralized policy management to simplify detection and policy enforcement.
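The classification and centralized policy enforcement step described above can be illustrated with a small egress check. The following Python is an added example, not Fortra's software or any product's logic: it labels a document by the most sensitive pattern found in it (markers such as CONFIDENTIAL, a hypothetical engineering drawing identifier, card-number-like strings validated with a Luhn checksum, and IBAN-like strings) and then looks up one central policy table to decide whether the document may be sent, must be encrypted first, or is blocked. All sample documents and the DRAWING-nnnn marker are constructed for the example.

```python
import re

# Sensitivity levels ordered from least to most sensitive; the highest match wins.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to discard card-number-like strings that are just numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Detection rules: (label, compiled pattern, optional validator on the matched text).
RULES = [
    ("INTERNAL", re.compile(r"\bINTERNAL\s+ONLY\b", re.I), None),
    ("CONFIDENTIAL", re.compile(r"\bCONFIDENTIAL\b", re.I), None),
    # Hypothetical engineering-IP marker (assumed naming scheme, not from the page).
    ("CONFIDENTIAL", re.compile(r"\bDRAWING-\d{4,}\b"), None),
    # 16-digit card-like number with optional separators, confirmed with Luhn.
    ("RESTRICTED", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    # IBAN-like string: country code, two check digits, 11-30 alphanumerics.
    ("RESTRICTED", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), None),
]


def classify(text: str) -> str:
    """Return the most sensitive label whose rule matches the text."""
    level = 0
    for label, pattern, validator in RULES:
        for m in pattern.finditer(text):
            if validator is None or validator(m.group(0)):
                level = max(level, LEVELS.index(label))
    return LEVELS[level]


# Central policy: (label, destination) -> action. One table, enforced everywhere.
POLICY = {
    ("PUBLIC", "internal"): "allow",
    ("PUBLIC", "external"): "allow",
    ("INTERNAL", "internal"): "allow",
    ("INTERNAL", "external"): "block",
    ("CONFIDENTIAL", "internal"): "allow",
    ("CONFIDENTIAL", "external"): "encrypt",
    ("RESTRICTED", "internal"): "encrypt",
    ("RESTRICTED", "external"): "block",
}


def enforce(text: str, destination: str) -> dict:
    """Classify the document and return the policy decision for the destination."""
    label = classify(text)
    action = POLICY.get((label, destination), "block")  # unknown destination: fail closed
    return {"label": label, "destination": destination, "action": action}


# Constructed sample documents for demonstration (not real data).
SAMPLE_DOCS = [
    "Press release: Q3 results published.",
    "INTERNAL ONLY: cafeteria menu for next week",
    "CONFIDENTIAL design review for DRAWING-10234",
    "Payment card 4111 1111 1111 1111 on file",
    "Ref 1234 5678 9012 3456",               # card-shaped but fails Luhn: not flagged
    "Supplier account DE89370400440532013000",
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        for dest in ("internal", "external"):
            print(enforce(doc, dest), "<-", doc)
```

The Luhn validator is the kind of check that keeps a classifier from flagging every order number as a card number; the single POLICY table is what "centralized policy management" buys you, since mail, web and file-share controls can all call the same `enforce` rather than each carrying its own rules.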
However, cybersecurity is not only about processes. It is also about the people and technology in your organization. European organizations should prepare their people for the possibility of a successful attack. There are several steps you can take in this direction:
- Use Forrester’s Ransomware Survival Guide to address your defences.
- Prepare a disaster recovery plan for your teams so that you have a structured communication strategy.
- Carry out simulation exercises and be sure to involve key stakeholders.
- Have a robust backup strategy and focus on testing. Data integrity is essential for disaster recovery and business continuity.
How Fortra can help you
Fortra has long been known for helping organizations become more secure and autonomous. To increase security maturity and decrease operational burden, we must address technology-based and people-based vulnerabilities together. That means securing infrastructure and data, consistently improving people's awareness of security risks, and supplementing their teams with additional security operations resources.
By doing this successfully, we will significantly increase an organization's security maturity in the areas that account for 75% of all attacks with just one cybersecurity partner while decreasing their operational burden. Fortra offers a wide range of cybersecurity solutions to help European organizations effectively protect against the evolving threat landscape.
To dig deeper into the topic, understand the Forrester survey findings in greater detail, and learn how Fortra can help you, you may watch the on-demand webinar, “Cybersecurity Threats In Europe: What You Need to Know and What to Do About Them.”