Cybersecurity company Webroot has released its third annual Nastiest Malware list which shows ransomware making a comeback in addition to other threats.

Phishing and botnets are still popular attack methods, and threats across the board are becoming more sophisticated and harder to detect.

Topping the list of worst ransomware threats are Emotet, Trickbot and Ryuk (dubbed the ‘Triple Threat’), delivered via the Emotet botnet. This combination was one of the most financially damaging of 2019. These strains have shifted their focus to more reconnaissance-based operations: after infection, the operators assign a value to the targeted network, move laterally, deploy the ransomware and then send a ransom demand for that amount.

Ryuk is a second-stage payload in Emotet infections, typically delivered by Trickbot, and results in the mass encryption of entire networks. Dridex is now being used as an implant in the BitPaymer ransomware infection chain and is also being delivered as a second-stage payload of Emotet.

Phishing attacks continue to impersonate big brands including Microsoft, Facebook, Apple, Google and PayPal. But campaigns have also become more personal, with extortion emails quoting compromised passwords and claiming to have captured inappropriate behavior.

The growth of cryptominers has slowed, thanks to a drop in currency values, but they haven’t gone away. Major campaigns in 2019 include Hidden Bee, which has evolved to hide its payloads inside JPEG and PNG images via steganography, as well as in WAV media files and Flash exploits. There is also Retadup, a cryptomining worm with over 850,000 infections, which was taken down in August by the Cybercrime Fighting Center (C3N) of the French National Gendarmerie after it took control of the malware’s command and control server.

“It comes as no surprise that we continue to see cybercriminals evolve their tactics. They may be using the same strains of malware, but they are making better use of the immense volume of stolen personal information available to craft more convincing targeted attacks,” says Tyler Moffitt, security analyst at Webroot. “Consumers and organizations need to adopt a layered security approach and not underestimate the power of consistent security training as they work to improve their cyber resiliency and protection.”

The Next Big Step Towards Cybersecurity Incident Prevention

In the 90s, when you thought about computer security, you might have thought first of antivirus programs installed on individual computers. This mindset has persisted to the present day, where even enterprise-level security efforts are heavily focused on individual devices or hosts.

Your average security operations center (SOC) expends a great deal of energy installing endpoint detection and response (EDR) software on devices, and instrumenting computers within enterprise environments to log their activities and forward those logs to a central manager or security information and event management (SIEM) system for analysis.

The idea of individual computers as the optimal unit for observation and protection is sticky, and still valuable, but the next big step in enterprise cybersecurity requires that CISOs think about a bigger, more holistic target for observation and protection: the enterprise network itself.

Network Visibility Is The Missing Piece

In Gartner’s SOC Visibility Triad, the three cornerstones are endpoint visibility, log analysis (SIEM), and network detection and response. While two of these are widely deployed and used in the SOC, the network is too often underutilized as a data source for security analytics.

Recent survey results from the SANS Institute on the state of incident response (IR) and the state of security operations (SecOps) as a whole strongly suggest that network visibility is the biggest gap for modern cybersecurity. For organizations that want to move up the security maturity curve and reduce their chances of hitting the headlines for a data breach, the next step is clear.

This article will highlight a few of the data points from the SANS IR survey indicating why and how enterprises should take the critical step of integrating network visibility into their IR and SecOps initiatives.

Over 50% Of Incident Response Professionals Want, But Have Difficulty Accessing, Network Data

Incident response pros see the value of network visibility, but too often they just can’t get at it. Over half of respondents said they want network data for IR, but that it is difficult or impossible for them to access. This makes it harder to stitch together the sequence of events involved in an incident or data breach, and hinders the IR team’s ability to progress from detection to containment to remediation of an incident.

Organizational Silos And Lack Of Budget For Tools Are Among The Top Impediments To Successful IR

After the always looming skills shortage, two of the top impediments cited by IR professionals were lack of budget for new tools (48%) and organizational silos (28%). These impediments feed and amplify each other in totally unnecessary ways as budget is expended on duplicate efforts for different teams. If teams broke down silos and shared tools, they could see even greater operational efficiencies at no additional cost.

For example, many organizations already have network monitoring tools in use by their IT departments. Sharing that data with the incident response team could fill this visibility gap without biting into the budget. Reducing the organizational siloing between security operations, IR, and network operations teams can offer relief against the budgetary complaint and the lack of network visibility.

Integrating the tools and datasets in use by these teams is rapidly shifting from a nicety to a requirement for forward-thinking enterprises, but moving past decades of divided workflows and distinct team cultures isn’t always easy. You can learn more about how today’s enterprises are bridging the gap between NetOps and SecOps in this strategic report from EMA Research.

Network-Based Detection Tools Get The Highest Satisfaction Rating

In the SANS survey on the state of security operations in 2019, network-based detection tools outranked “host-based tools that depend on agents being present on every endpoint” for satisfaction. This strongly implies that many SecOps teams do have access to network data that could be shared with other teams! For organizations where SecOps and IR are siloed from each other, a huge opportunity exists to share the network visibility wealth.
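The survey point above, that host-based tools only see hosts on which an agent is present, is easy to make concrete. The following is an added example, not code from the article or from any vendor it cites: it takes a constructed list of hosts known to the SIEM through an EDR agent and a constructed set of flow records of the kind an IT network-monitoring tool already collects, and shows what the network data reveals that the agent data cannot (an internal host with no agent, per-host egress volume, and internal-to-internal connections). All addresses, host lists and flows are made up for illustration; the functions and field names are this example's own.

```python
"""Cross-check EDR agent coverage against network flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: these ranges are the organization's internal address space.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed: hosts with an EDR agent installed and checking in, as a SIEM
# host inventory might list them. 10.0.1.99 is deliberately absent.
EDR_MANAGED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}


@dataclass(frozen=True)
class Flow:
    """One connection summary, in the style of a network monitor's conn log."""
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


# Constructed flow records; not real traffic.
FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 445, 12_000),
    Flow("10.0.1.11", "203.0.113.8", 443, 3_500),
    Flow("10.0.1.99", "203.0.113.8", 443, 48_000_000),  # source has no agent
    Flow("10.0.1.99", "10.0.2.5", 445, 250_000),
    Flow("10.0.1.12", "198.51.100.20", 8443, 2_000),
    Flow("10.0.1.10", "10.0.1.11", 3389, 9_000),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def unmanaged_sources(flows, managed):
    """Internal hosts that generate traffic but report to no EDR agent.

    This is the gap the survey respondents describe: endpoint tooling is
    silent about these hosts, while the network sees them.
    """
    return sorted({f.src for f in flows
                   if is_internal(f.src) and f.src not in managed})


def egress_bytes_by_host(flows):
    """Total bytes each internal host sent to external addresses."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def lateral_connections(flows):
    """Internal-to-internal connections (src, dst, dport).

    Network data is the natural place to reconstruct this kind of sequence
    when stitching together the events of an incident.
    """
    return [(f.src, f.dst, f.dport)
            for f in flows if is_internal(f.src) and is_internal(f.dst)]


def coverage_report(flows, managed):
    """Summarize what the network data adds on top of the agent inventory."""
    return {
        "unmanaged_sources": unmanaged_sources(flows, managed),
        "egress_bytes": egress_bytes_by_host(flows),
        "lateral_connections": lateral_connections(flows),
    }


if __name__ == "__main__":
    for key, value in coverage_report(FLOWS, EDR_MANAGED_HOSTS).items():
        print(f"{key}: {value}")
```

In a real deployment the two inputs would come from the SIEM's asset inventory and from the network monitoring tool the IT department already runs; the point of the example is that joining them costs no new tooling, only the willingness of the two teams to share data.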

After reviewing the data gathered from hundreds of incident response professionals and cybersecurity executives, the theme that SANS identified for their report was: “It’s time for a change,” and the change to which they refer is the accelerated adoption of network visibility by IR teams.

We couldn’t agree more. In fact, network visibility forms the foundational level of the SOC Visibility Triad, a framework from Gartner to help enterprises secure their modern environments. Learn about your options for network detection and response (NDR) and how they complement and extend other sources of security visibility in this overview blog.
