Cybersecurity Incident Response: Lessons Learned from 2021
Written by ga_dahmani

SecureWorks announced the themes and trends of recorded cybersecurity incidents in 2021 so you can better protect your business in 2022.


Large incident response service providers have unique insights into threats and trends in cyberattacks. They can see how attackers’ modus operandi evolves over time, and so can offer a view few others have.


SecureWorks handled more than 450 security incidents in 2021 and has published its findings on them. Incident response engagements always provoke thought about how to improve security, and they are a good source of information on current threats.

Most incidents were financially motivated

A whopping 85% of the incidents handled by SecureWorks in 2021 were financially motivated, while state-sponsored threat activity accounted for only 5%. The remaining 9% or so consisted of deliberate or accidental employee actions that caused security incidents (Figure A).

Figure A

Image: SecureWorks. Types of threat actors observed in incident response engagements.

Initial access

In 43% of the incidents, threat actors gained initial access by exploiting vulnerabilities in Internet-facing devices. Credential theft and abuse came second, at 18% of the initial access observed. This category covers credential theft itself, but also credentials bought on the dark web or from initial access brokers, or obtained through brute-force or password-spraying attacks.

This is a real change from what SecureWorks saw in 2020, when credential-based access was the most common way to gain an initial foothold at a target company (Figure B).

Figure B

Image: SecureWorks. Observed initial access vectors, 2020 and 2021.

Several reasons could explain this shift, according to SecureWorks. To begin with, the increased use of multi-factor authentication could have pushed attackers away from credential theft and toward vulnerabilities that require no authentication at all. Another reason could be that proof-of-concept code released shortly after the public disclosure of a vulnerability is easy to reuse. The ability to quickly obtain working exploit code, coupled with bulk scanning for targets, lets an attacker exploit vulnerable devices at many companies at the same time.

Finally, publicly released proof-of-concept code for a vulnerability in Internet-facing devices can also drive a spike in incident response cases, as happened with the ProxyLogon vulnerability in March 2021.

Threat Trends

These are the latest trends detected by SecureWorks in cybersecurity threats.

Ransomware is here to stay

As the whole security industry observed in 2021, ransomware is a very active threat and will likely remain so. SecureWorks incident response data shows no reduction in ransomware activity, despite the US government giving ransomware a priority similar to terrorism and several ransomware operators being arrested in 2021.

Misconfigured MFA and user behavior are concerns

Credential theft and abuse is the second most used method of gaining access to a targeted company, but most of these accesses succeed because the victim organizations had not implemented MFA and relied on single-factor authentication only.

MFA can significantly reduce the abuse of valid credentials obtained by attackers, but it must be implemented correctly.

Attackers find ways to bypass MFA to reach their targets. One method is to exploit legacy authentication protocols such as IMAP and SMTP. These protocols may still be in use in enterprises, or may simply never have been disabled, which is a major concern because they cannot enforce MFA.

Even when MFA is implemented correctly, user behavior can be a problem and help attackers. Successful attacks have been seen in the wild in which attackers bypassed MFA by sending a user repeated push notifications until the user finally approved one of them.

Poor understanding of MFA could also help attackers. “Notification fatigue” leads users to approve any MFA request they receive. Using MFA prompts that require the user to enter a code, rather than a one-click accept or decline option, is one way to mitigate that risk.
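Both MFA weaknesses above (legacy protocols that never apply MFA, and a burst of push prompts ending in an approval) leave traces in identity-provider sign-in logs. The script below is an added example, not from the SecureWorks report or the article; it runs two simple hunts over a constructed JSON-lines log. The log format and the field names (`ts`, `user`, `protocol`, `result`, `mfa`) are assumptions for the example and must be mapped to whatever your provider exports.

```python
"""Hunt a sign-in log for (1) successful sign-ins over legacy protocols on which
MFA was not applied, and (2) the "push fatigue" pattern: several denied or
expired MFA pushes for one user shortly before an approved one.
Log format and field names are assumptions for this example."""
from datetime import datetime, timedelta
import json

# Constructed sample log (not real data): one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2021-09-14T08:01:10Z", "user": "alice", "protocol": "Browser", "ip": "203.0.113.10", "result": "success", "mfa": "approved"}
{"ts": "2021-09-14T08:05:42Z", "user": "bob", "protocol": "IMAP", "ip": "198.51.100.7", "result": "success", "mfa": "not_applied"}
{"ts": "2021-09-14T22:10:01Z", "user": "carol", "protocol": "Browser", "ip": "198.51.100.9", "result": "failure", "mfa": "denied"}
{"ts": "2021-09-14T22:11:15Z", "user": "carol", "protocol": "Browser", "ip": "198.51.100.9", "result": "failure", "mfa": "timeout"}
{"ts": "2021-09-14T22:12:30Z", "user": "carol", "protocol": "Browser", "ip": "198.51.100.9", "result": "failure", "mfa": "denied"}
{"ts": "2021-09-14T22:14:05Z", "user": "carol", "protocol": "Browser", "ip": "198.51.100.9", "result": "success", "mfa": "approved"}
{"ts": "2021-09-14T23:00:00Z", "user": "dave", "protocol": "SMTP", "ip": "198.51.100.8", "result": "failure", "mfa": "not_applied"}
{"ts": "2021-09-15T09:00:00Z", "user": "alice", "protocol": "Browser", "ip": "203.0.113.10", "result": "failure", "mfa": "denied"}
{"ts": "2021-09-15T09:30:00Z", "user": "alice", "protocol": "Browser", "ip": "203.0.113.10", "result": "success", "mfa": "approved"}
"""

# Protocols that authenticate with a bare password and cannot carry an MFA challenge.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}


def parse_log(text):
    """Parse JSON lines into event dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_legacy_auth(events):
    """(user, protocol) pairs that signed in successfully over a legacy protocol.
    Each one is an account whose MFA policy was never exercised."""
    return sorted({(e["user"], e["protocol"]) for e in events
                   if e["protocol"] in LEGACY_PROTOCOLS and e["result"] == "success"})


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Approved MFA pushes preceded by at least `threshold` denied or expired
    pushes for the same user inside `window`."""
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    hits = []
    for user, user_events in by_user.items():
        for i, event in enumerate(user_events):
            if event["mfa"] != "approved":
                continue
            earliest = event["ts"] - window
            rejected = [p for p in user_events[:i]
                        if p["mfa"] in ("denied", "timeout") and p["ts"] >= earliest]
            if len(rejected) >= threshold:
                hits.append({"user": user,
                             "approved_at": event["ts"].isoformat(),
                             "prior_prompts": len(rejected)})
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("legacy-protocol sign-ins:", find_legacy_auth(events))
    print("possible push fatigue:", find_push_fatigue(events))
```

On the sample data the legacy hunt reports `bob` over IMAP (dave's SMTP attempt failed, so it is not a bypass, though a real hunt would also want to see failed legacy attempts as a brute-force signal), and the fatigue hunt flags `carol`, who approved a push after three rejected prompts in four minutes; alice's denied prompt half an hour before her approval falls outside the window and is not reported. The `window` and `threshold` values are starting points to tune against your own baseline.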

Be very careful with cloud solutions

While it seems attractive to shift resources to managed cloud solutions, which come with security controls offered by the cloud provider, it has to be done right.

A careful inspection of all components and security controls offered by the vendor should be performed. The fundamentals of security must be there, starting with controlled access and logging of the activities carried out in the cloud service.

How to prevent cyber attacks in 2022

SecureWorks provides a top-20 list of recommendations in its report. Among them:

  • Perform regular vulnerability scans. Exploitation of vulnerabilities has been the most used initial access method by attackers. Audits of Internet-facing web content and systems should also be performed frequently.
  • Monitor newly registered spoof domains on the Internet. Careful monitoring of all new domains that impersonate or try to abuse a company and its brands could help uncover attempted attacks before they even really start.
  • Control access carefully and create IP allow lists. Network segmentation must also be done in the company’s IT infrastructure, so that an attacker who gains access to one part of the network cannot gain access to another.
  • Improve backup strategies and procedures. Ransomware attackers typically try to render backups useless in addition to encrypting company data, so having good off-network backup and storage strategies is a must. SecureWorks also raises the issue of restoring backups of data that are known to be clean: if done too quickly, it could destroy evidence needed for good incident response.
  • Implement MFA correctly, and completely disable and remove default or generic accounts.
  • Implement DKIM and SPF email authentication, to prevent attackers from sending forged emails that appear to come from the company.
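The SPF half of that last recommendation is only as good as the record's catch-all qualifier: a record ending in `+all` authorizes every sender on the Internet, and `~all` merely asks receivers to mark, not reject, unlisted senders. The following is an added example, not code from the report or the article: a small evaluator that parses an SPF record, decides what result a given sender IP gets, and audits the record for a weak catch-all. It handles only the `ip4`, `ip6` and `all` mechanisms (the ones that need no DNS lookups); `include`, `a`, `mx` and the modifiers are deliberately rejected. The sample records use documentation address ranges and are constructed for the example.

```python
"""Minimal SPF evaluator and record audit. Supports ip4/ip6/all only; anything
needing DNS resolution (include, a, mx, exists, redirect) raises.
Sample records below are constructed for this example."""
import ipaddress

# Constructed records: the same allow-list with three different catch-alls.
WEAK_RECORD = "v=spf1 ip4:192.0.2.0/24 +all"       # '+all': every host passes
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"       # '~all': unlisted hosts only marked
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"  # '-all': rejected

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (mechanisms, all_result).
    mechanisms: list of (result, ip_network) in record order.
    all_result: result for senders matching nothing; RFC 7208 says 'neutral'
    when the record has no 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms, all_result = [], "neutral"
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_result = QUALIFIERS[qualifier]
            break                             # terms after 'all' are never evaluated
        name, _, value = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            mechanisms.append((QUALIFIERS[qualifier], network))
        else:
            # Assumption for this example: DNS-backed terms are out of scope.
            raise NotImplementedError(f"mechanism {name!r} needs DNS resolution")
    return mechanisms, all_result


def check_sender(record, sender_ip):
    """SPF result ('pass', 'fail', 'softfail', 'neutral') for one sending IP."""
    ip = ipaddress.ip_address(sender_ip)
    mechanisms, all_result = parse_spf(record)
    for result, network in mechanisms:
        if ip.version == network.version and ip in network:
            return result                     # first matching mechanism wins
    return all_result


def audit_record(record):
    """Findings about the catch-all that a defender would want to fix."""
    _, all_result = parse_spf(record)
    if all_result == "pass":
        return ["'+all' lets any host pass SPF for this domain"]
    if all_result == "neutral":
        return ["no '-all' or '~all': unlisted senders are not rejected"]
    if all_result == "softfail":
        return ["'~all' only marks unlisted senders; move to '-all' once the record is complete"]
    return []


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("soft", SOFT_RECORD), ("strict", STRICT_RECORD)):
        print(label, record)
        print("  unlisted sender 198.51.100.5 ->", check_sender(record, "198.51.100.5"))
        print("  findings:", audit_record(record))
```

The point the three records make is that the listed networks are identical; only the final qualifier decides whether a spoofed message from an unlisted host is accepted, flagged or refused. A real deployment also needs the `include`/`mx` terms for third-party senders and a DMARC policy so that receivers act on the SPF and DKIM results consistently.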

General recommendations apply as usual: keep your systems and software up to date, implement an endpoint detection and response solution, and apply the principle of least privilege for account access.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
