Cisco Talos Blog: Talos IR trends Q3 2024: Identity-based operations loom large

Source URL: https://blog.talosintelligence.com/incident-response-trends-q3-2024/
Source: Cisco Talos Blog
Title: Talos IR trends Q3 2024: Identity-based operations loom large

Feedly Summary: Credential theft was the main goal in 25% of incidents last quarter, and new ransomware variants made their appearance – read more about the top trends, TTPs, and security weaknesses that facilitated adversary actions.

AI Summary and Description: Yes

**Summary:** The text discusses the increasing prevalence and sophistication of identity-based attacks, with an emphasis on credential theft through various tactics such as password spraying and phishing. It highlights the challenges of detecting these threats, as adversaries often exploit valid accounts to launch internal attacks. The analysis underscores the importance of security fundamentals like multi-factor authentication (MFA) and proper endpoint detection configurations in mitigating risks associated with these cyber threats.

**Detailed Description:**

– **Increase in Identity-Based Attacks:**
  – Threat actors are increasingly conducting identity-based attacks, with credential theft being the primary goal in 25% of incident response engagements.
  – Techniques include living-off-the-land binaries (LoLBins), open-source applications, and common infostealers, showcasing the ease of executing these attacks.

– **Methods of Attack:**
  – Credential harvesting techniques are varied and include:
    – Password spraying: trying a few common passwords against many accounts, keeping each account below its lockout threshold.
    – Brute force attacks and adversary-in-the-middle (AitM) phishing.
    – Insider threats leveraging valid account credentials for malicious activities.
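As an added example (not part of the Talos report or of this summary), the following Python shows how a defender can separate the spraying pattern described above from ordinary brute force in authentication logs: many distinct accounts, few failures each, from a single source, and then which accounts subsequently logged in from that source. The log format, field names, thresholds and sample lines are constructed assumptions; adapt them to your identity provider's logs.

```python
"""Detect password-spraying patterns in authentication logs.

Added example, not code from the Talos report. The log format, field names
and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. One source tries one password
# against many accounts (spray), one hammers a single account (brute force),
# and one is a normal user who mistyped once.
SAMPLE_LOG = """\
2024-09-12T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-09-12T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2024-09-12T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2024-09-12T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2024-09-12T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2024-09-12T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2024-09-12T10:01:00Z src=198.51.100.9 user=admin result=FAIL
2024-09-12T10:01:01Z src=198.51.100.9 user=admin result=FAIL
2024-09-12T10:01:02Z src=198.51.100.9 user=admin result=FAIL
2024-09-12T10:01:03Z src=198.51.100.9 user=admin result=FAIL
2024-09-12T10:01:04Z src=198.51.100.9 user=admin result=FAIL
2024-09-12T10:05:00Z src=192.0.2.77 user=grace result=FAIL
2024-09-12T10:05:20Z src=192.0.2.77 user=grace result=SUCCESS
"""


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        event[key] = value
    if not all(k in event for k in ("src", "user", "result")):
        return None
    return event


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted usernames} for sources whose failures look like a spray.

    A spray fans out across many accounts with few attempts each, which keeps
    every account under its lockout threshold. Brute force (many failures on
    one account) is deliberately excluded here so it can be alerted separately.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    findings = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it lies within `window` of `end`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted(per_user)
                break
    return findings


def successes_after_spray(log_text, findings):
    """List (src, user) for successful logins from a spraying source.

    These are the first accounts to review, since post-compromise activity
    tends to start quickly once a password lands.
    """
    hits = []
    for e in map(parse_line, log_text.splitlines()):
        if e and e["src"] in findings and e["result"] == "SUCCESS":
            hits.append((e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    spray = detect_spray(SAMPLE_LOG)
    print("spraying sources:", spray)
    print("successful logins from those sources:", successes_after_spray(SAMPLE_LOG, spray))
```

The thresholds are the interesting knobs: `max_per_user` should sit below the account lockout threshold so that a spray tuned to avoid lockouts still trips the detection, and `window` should be wide enough to catch slow sprays that spread attempts across hours.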

– **Consequences of Account Compromise:**
  – Once an account is compromised, adversaries can create new accounts, escalate privileges, and run social engineering attacks such as business email compromise (BEC).
  – The speed of these operations is alarming; in one case, successful account access was achieved shortly after a phishing attempt.

– **Ransomware Trends:**
  – Ransomware incidents accounted for nearly 40% of engagements, with emerging variants such as RansomHub and its double-extortion model.
  – Noteworthy engagements involved exploitation of known vulnerabilities, especially in infrastructure such as the ESXi hypervisor.

– **Targeted Sectors:**
  – The education, manufacturing, and financial sectors were the most heavily targeted, consistent with past quarters.

– **Initial Access Challenges:**
  – Valid accounts were the initial access vector in 66% of engagements, and vulnerable public-facing applications in a further 20%.
  – Networking equipment remains an attractive target for sophisticated actors.

– **Security Hardening Recommendations:**
  – Misconfigured MFA, lack of MFA, and MFA bypass were observed in nearly 40% of incidents, emphasizing the need for strong authentication measures.
  – Security weaknesses such as improperly configured endpoint detection and response (EDR) solutions contributed to successful compromises.

– **Overview of MITRE ATT&CK Techniques:**
  – Highlighted techniques from identity-based attacks and other engagements include:
    – Use of valid accounts for initial access, combined with reconnaissance tactics for credential gathering.
    – Defense evasion tactics, illustrating common methods adversaries use to bypass security measures.

– **Conclusion:**
  – This report serves as a critical reminder for organizations to bolster their security measures against evolving identity-based threats. Implementing multi-factor authentication, strong password policies, and comprehensive endpoint security configurations can significantly reduce risk exposure. Continuous monitoring for known vulnerabilities and proactive measures to secure network devices are likewise essential to a robust security posture.