2023 Data Security Incident Response Report

Threat Actors Adapt


Organizations responded to the ransomware epidemic seriously, deploying a host of security measures that were far less common a few years ago than they are today. Multi-factor authentication (“MFA”) for email and remote access; endpoint detection and response (EDR) tools; patch management solutions; security incident and event management tools; immutable backups; and internal and third-party security operations centers to monitor host and network activity in real time — these solutions have been implemented with increasing frequency to combat the methods threat actors most commonly use to gain access to networks, and to enhance the ability to recover. Punch, counterpunch. The threat actors responded in kind, finding new ways to evade the measures that organizations put into place. A few of the tactics we observed in 2022 are:

MFA Bombing

After gaining an account’s username and password, threat actors repeatedly attempt to authenticate, which presents the employee with a stream of MFA prompts. Employees sometimes acquiesce, hitting “Approve,” and the threat actor is in. Identifying more effective authentication methods and training employees remain important.
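As an added illustration (not part of the report), one way a security operations team can surface this pattern in authentication logs: count push prompts per account within a sliding window, and escalate when an approval follows a burst. The JSON-per-line log format, field names, window and threshold are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window for counting push prompts per account
THRESHOLD = 5                   # prompts inside the window before we call it bombing
# Constructed sample log (assumed JSON-per-line format; not a real IdP export):
# someone holding alice's password triggers five prompts in three minutes, alice
# denies two and then approves; bob's single prompt-and-approve is normal behaviour.
SAMPLE_LOG = """\
{"ts": "2022-10-03T08:01:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:01:10Z", "user": "alice", "event": "mfa_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:01:30Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:02:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:02:10Z", "user": "alice", "event": "mfa_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:02:30Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:03:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:03:20Z", "user": "alice", "event": "mfa_approved", "src_ip": "203.0.113.7"}
{"ts": "2022-10-03T09:00:00Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "198.51.100.4"}
{"ts": "2022-10-03T09:00:08Z", "user": "bob", "event": "mfa_approved", "src_ip": "198.51.100.4"}
"""

def parse_line(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def detect_push_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """'push_bombing' when an account gets >= threshold prompts in the window; 'approved_after_bombing' when it then approves."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    flagged = set()              # accounts already alerted on, to avoid repeat alerts
    alerts = []
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts that fell out of the window
            q.popleft()
        if rec["event"] == "mfa_push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append({"kind": "push_bombing", "user": user, "ts": ts,
                               "pushes": len(q), "src_ip": rec.get("src_ip")})
        elif rec["event"] == "mfa_approved" and len(q) >= threshold:
            # The likely compromise: the user gave in after a burst of prompts.
            alerts.append({"kind": "approved_after_bombing", "user": user, "ts": ts,
                           "pushes": len(q), "src_ip": rec.get("src_ip")})
    return alerts
```

On the sample log this yields one `push_bombing` alert for alice at the fifth prompt and one `approved_after_bombing` alert twenty seconds later; bob produces nothing.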

Social Engineering

Threat actors continue to use social engineering, where they impersonate a customer, a member of the IT team, or some other trusted source in conversations with an organization’s employee. One group is notoriously effective. In some cases, these communications occur over months, with the threat actor gathering more information about the target over time; they then use that information to convince an employee to take some action, such as providing their credentials, approving a request to connect to the employee’s device, or providing confidential information about an organization’s customers. Technical safeguards are important, and so are administrative safeguards (e.g., employee training).

Evading EDR

While not common, some groups have developed methods to evade EDR tools. One example is the use of polymorphic malware like Qakbot. Exploiting “coverage deficits,” where the agent was not installed on all assets, is the more common method of “evading” an EDR tool. Asset management, comprehensive EDR deployment, proper EDR configuration, and 24/7 monitoring to detect follow-on activity are important.

SEO Poisoning

We also saw threat actors create fraudulent websites that mimicked a client’s legitimate website and then use search engine optimization tactics to make the fraudulent website show up prominently in search results. The fraudulent website included a sign-in feature where deceived individuals entered their credentials. The threat actor then used the credentials to log into the customer’s account and perform unauthorized activity, such as making unauthorized purchases, creating new users, or exporting data. These incidents can be difficult to detect and combat, but there are service providers that can assist with responding to them.