The vast majority of successful attacks on companies are conducted by cyber-criminals using phishing, network scans for exploitable systems, and strategic web site compromises, security-services firm SecureWorks found in an analysis of six months of incident-response engagements.
The analysis of 163 incidents found that 82 percent could be attributed to cyber-criminals, 11 percent to insiders and 7 percent to nation-state adversaries. The company attributed attacks to financially motivated cyber-criminals if they included theft of funds, the copying of financial information or personal data, the use of computing power, or ransom of data.
While advanced attacks and zero-day vulnerabilities garner a lot of attention, phishing, exploitation of known vulnerabilities and using websites to launch attacks were the most common methods of compromise. The vast majority—88 percent—of attacks were opportunistic and not targeted, the report stated.
“There are a lot of companies focused on the advanced threats, but when we look at the companies, they don’t have the basics down,” Jeffrey Carpenter, director of threat intelligence and incident response consulting at SecureWorks, told eWEEK. “They are failing at some of the basic, basic components of defense.”
SecureWorks conducts nearly 800 incident-response engagements every year, about half of which are proactive—to check cyber-defenses—and the other half reactive—to help clients clean up after an attack, Carpenter said.
The study involves data from the 163 reactive incident response engagements SecureWorks did in the first half of 2016. The company emphasized that the focus on the victims means that the study reveals the actual attacks that threaten companies.
Malware typically entered a corporate network through the compromise of a vulnerable public-facing system, through compromised employee credentials, as an email attachment, as a download from a website, or through a third-party contractor.
Phishing accounted for 38 percent of attacks, while scans for vulnerable systems that were then exploited accounted for 22 percent of attacks. Using a website to host exploits accounted for 21 percent of the attacks.
In one incident, for example, a large-scale manufacturing firm had numerous malware infections. While the company had deployed antivirus software, it did not prevent the attacks, but only generated a continuous stream of alerts about the infections, SecureWorks stated in the report. Cyber-criminals quickly monetized the attacks by installing banking trojans, bitcoin mining software and remote access trojans.
SecureWorks found that the company had too many users with administrative privileges, still had systems running Windows XP, and had only a limited ability to respond to an attack.
While phishing is the top attack vector, many companies are not prepared to deal with it, Carpenter said.
“Training alone is not good enough,” he said. “No matter how much you train, you will always have someone who clicks.”
SecureWorks identified many areas where companies could improve their preventative measures, but Carpenter highlighted the need for a strategy balanced between prevention, detection and incident response.
Top preventative strategies included better and more consistent patching, managing user-account privileges and adding web application firewalls or content filters. Companies also have to implement a good endpoint security solution, improve logging and collection capabilities, and help incident responders, he said.
“No matter how many steps you take, you are always going to have an incident,” Carpenter said. “So you need to focus on response as well.”