Destructive attacks have held steady for the second quarter in a row, according to a new report, with nearly a third (31 percent) of victims now experiencing destructive attacks in the last 90 days.
Tom Kellermann, chief cybersecurity officer at Carbon Black, told SC Media UK that the continued trend is a big concern that points to wider geopolitical issues: "Destructive attacks are a feature of one in three incidents over the last three months, and were at a similar level for the previous three months. Whether this is down to bolder hackers in general or increased nation state involvement in attacks across the board, the pattern is of serious concern."
The financial and healthcare industries remain most vulnerable to this type of attack, but the threat to manufacturing companies has grown significantly, according to Carbon Black. In the past 90 days, nearly 70 percent of all respondents saw attacks on the financial industry, followed by healthcare (61 percent) and manufacturing (59 percent, up from 41 percent last quarter).
Another key finding in the Carbon Black Quarterly Incident Response Report is the continuation of ‘island hopping’ a theme also picked up late last year by the endpoint security security firm. According to the report, half (50 percent) of today’s attacks leverage the technique, which involves attacking neighbouring companies via their trusted partners, potentially compromising the entire supply chain. The name comes from a WW2 military tactic used by the US against Japan, where small strategic islands between the US and Japan were conquered and turned into military staging posts for an eventual attack on mainland Japan.
Kellermann continued: "Island hopping should be of particular concern to all enterprise boards - it is using your brand against your own community, to attack your own partners. It creates a real governance challenge. First we had security as an IT problem, then a risk problem, but now it is a brand problem, and boards need to be aware, and take action."
The report notes that visibility is a core challenge for companies of all kinds, with 44 percent of respondents stating that it was the top barrier to incident response - up 10 percent from last quarter.
In particular, behavioural visibility will be a key battleground, as attackers use increasingly ingenious methods of maintaining persistence, for example, 40 percent of report respondents encountered instances of secondary C2 used on a sleep cycle. Another noisier but effective counter IR tactic is destruction of logs, which increased 15 percent from last quarter to be encountered by 87 percent of report respondents.
"Attackers are leveraging trusted protocols, not just Powershell, but utilising process hollowing techniques as well as steganography - hiding data in other content types like images, videos, and network traffic - to avoid detection and stay stealthy for longer periods", said Kellermann.
"Attacks are now more like a home invasion than a simple burglary, and the old IR playbook just doesn’t work anymore. Rushing in and terminating command and control as soon as an intrusion is recognised is exactly what the attackers expect you to do. A top tip is to try an outbound penetration test, which will give some indication of where the attackers have gone next", he concluded.