
The digital threat landscape is always changing. This year is an excellent (albeit extreme) example. With the help of Dimensional Research, Tripwire found that 58% of IT security professionals were more concerned about the security of their employees’ home networks than they were before the outbreak of coronavirus 2019 (COVID-19). Smaller shares of respondents expressed concern about an increase in ransomware, phishing and social engineering attacks (45%) and about secure configurations of remote systems (41%).

Security challenges associated with COVID-19 aren’t the only ones with which organizations must contend going forward. Via its managed security services, incident response services, penetration testing engagements and vulnerability management services, IBM Security observed that numerous digital threats gained prominence over the course of 2019. Three threats in particular stood out to IBM in its 2020 X-Force Threat Intelligence Report: those targeting operational technology (OT), ransomware and phishing.

The OT Threat Landscape

In the data it had collected since 2018, IBM X-Force found that digital attacks targeting industrial control systems (ICSes) and operational technology increased by over 2000%. Many of those attacks involved a combination of exploiting known vulnerabilities in supervisory control and data acquisition (SCADA) and ICS hardware components along with password spraying attacks leveraging brute force login techniques.

IBM’s 2020 X-Force Threat Intelligence Report, page 5

IBM noted that these tactics highlight the digital security challenges confronting organizations in their attempts to secure their OT environments:

X-Force IRIS security assessments delivered to our customers through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. Keeping production systems that can no longer be patched and are riddled with older vulnerabilities that have long become public means that even if OT systems are not internet facing, unpatched OT systems might be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.

Researchers on the X-Force team therefore forecast that attacks against OT/ICS targets will continue to grow in 2020 as malicious actors develop more exploit code for industrial assets.

Tripwire President Subhajit Bagchi explained that these findings should have bearing on organizations’ digital security efforts going forward, especially in light of the changes wrought by COVID-19:

Apart from reporting a twenty-fold increase in digital attacks on OT systems, the IBM X-Force Report also found an astounding ten-fold increase in breaches due to misconfiguration. It also found that the bad actors were increasingly using scan and exploit as an attack vector of choice. As COVID-19 accelerates the digital transformation of business processes and workforce, it is time for us to refocus our attention to assessing compliance to policies in the world of telework, refining secure configuration management programs, and implementing tools to continuously discover and address known vulnerabilities in IT and OT assets.


Ransomware

Over the span of 2019, X-Force IRIS responded to ransomware attacks at organizations spread across 13 different industries in 12 different countries and five continents. Researchers determined that 19% of attacks involved ransomware in the first half of 2019, up from 10% in H2 2018. These attacks continued to grow over the rest of the year. Indeed, the team witnessed a 67% increase in ransomware incidents in Q4 2019 compared to the previous quarter.

IBM X-Force attributed that growth in events to campaigns targeting various types of organizations. In particular, malicious actors had no issue targeting municipal entities such as the city of Baltimore, the state of Louisiana and the government of Nunavut. These and other attacks prompted mayors in the United States to make the joint decision that they’d no longer meet attackers’ ransom demands in connection to a ransomware event.

Ransomware operations leveraged various attack vectors to prey upon their targets. No technique was more popular than exploiting vulnerabilities involving the Windows Server Message Block (SMB) protocol. Malicious actors abused that method to propagate through targets’ networks in approximately 80% of ransomware attack attempts.


Phishing

Researchers with IBM X-Force found that phishing was the attack vector most frequently used by malicious actors for gaining initial access. This vector was behind 31% of the attacks detected by X-Force IRIS in 2019. That said, the figure marked a decline for phishing, as these campaigns comprised nearly half of all initial access attempts in the attacks analyzed by IBM a year earlier.

The X-Force team took a deeper look at this development and found that malicious actors had begun embracing other methods of initial access in 2019. For instance, researchers found that 30% of attackers had committed themselves to exploiting vulnerabilities as a means of gaining initial access. Some developed zero-day attacks, but the majority of attackers relied on exploit code for publicly disclosed vulnerabilities, some of which had been around for years.

Some vulnerabilities stood out above the rest. Indeed, X-Force found that two CVEs in particular, CVE-2017-0199 and CVE-2017-11882, accounted for 90% of the security flaws exploited by attackers in spam campaigns. (They also dwarfed the use of any other Microsoft Word RCE bug at a ratio of approximately 5:1.) No doubt digital attackers turned to these vulnerabilities in particular because they required minimal user interaction.

The use of stolen credentials wasn’t too far behind in third place at 29% of all initial access attempts. Sometimes, that stolen information came from a third-party website or unrelated data breach. In other instances, malicious actors made off with that data using a phishing attack.

Digital Security for the Rest of 2020

IBM’s trends discussed above highlight the need for organizations to harden their digital security posture against the evolving challenges they’re sure to face over the remainder of 2020.

Tripwire’s Irfahn Khimji explains that this process should begin with organizations updating any legacy software deployed in their environments:

Security professionals have been communicating the risk legacy software presents for many years, yet many organizations have been slow to modernize their applications. Since the majority of attacks rely on exploit code for publicly disclosed vulnerabilities, organizations should be seriously reevaluating their strategies to modernize their applications. Based on the costs of the various recent breaches, the cost of modernizing an organization’s critical applications is minimal. It is some short-term expense that can provide significant cost savings in the long run.

Organizations shouldn’t end there, either. They should also broaden their security investments to emphasize the security basics. Via security configuration management, log management, vulnerability management and file integrity monitoring, for instance, they can provide broad protection against a variety of digital threats that might target them later this year.
