Palo Alto Networks Blog, October 3, 2024
Unit 42 Incident Response Retainers Enhance Organizational Resilience

 


Cyberattacks have increased in speed, scale and sophistication in the past year, as highlighted in our 2024 Unit 42 Incident Response Report. We have continued to see the threat landscape evolve faster than most organizations can keep pace:

- In roughly 45% of cases in 2023, attackers exfiltrated data less than 24 hours after the initial compromise, which means organizations must respond within hours to stop them.
- Exploitation of internet-facing vulnerabilities rose to 39%, making it the most common initial access vector in our incident response cases. This surge was tied to several large-scale automated intrusion campaigns that swept the internet in 2023.
- Attackers are more organized, with teams dedicated to specific parts of an attack. They understand IT, cloud and security tools better and are able to weaponize them. And they are more efficient, using processes and playbooks to achieve their goals quickly.

To illustrate how these dynamics play out in real-world scenarios, let’s examine two Unit 42 incident response cases that provide valuable insights into how today’s adversaries operate and the strategies that are needed to defend against them effectively.

Speed & Scale

In just 13 hours, a telecom provider was devastated by a fast-moving ransomware attack that encrypted files across tens of thousands of systems, exfiltrated sensitive data, and brought half of their business operations to a standstill. The client urgently engaged Unit 42 to contain the attack, prevent further data exfiltration, and help restore their operations. Within 2 hours of being called, Unit 42 began assessing the situation, quickly uncovering that the Black Basta ransomware had been deployed via a phishing email, leading to widespread unauthorized access.

Given the speed of the attack, rapid deployment of Cortex XDR across the impacted environment within 96 hours was critical to containing the threat, allowing Unit 42’s Managed Detection and Response team to begin 24/7 monitoring and threat hunting. As part of their response, Unit 42 negotiated an 80% reduction from the initial ransom demand and successfully implemented the decryption keys to recover encrypted data. Further investigation revealed gaps in network segmentation, credential control, endpoint security and security visibility. To mitigate future risks, Unit 42 deployed additional firewalls and access control technologies, reinforcing the client's defenses against the speed and agility of evolving threat actors.

Sophistication

During a recent engagement, Unit 42 responded to a sophisticated cyberattack orchestrated by the threat actor Muddled Libra. Over one week, the client endured five targeted attacks that showcased the adversary’s ability to adapt and exploit new pathways, even leveraging the client’s own security tools for lateral movement and further compromise.

Unit 42 was swiftly brought in to investigate and respond, focusing on a holistic security approach that included containment and remediation. Drawing on deep knowledge of Muddled Libra’s tactics, Unit 42 conducted a comprehensive assessment to identify unauthorized access and determine the full scope and impact of the attacks. The team advised the client on immediate actions, including securing compromised accounts, isolating affected systems, reconstructing Active Directory, changing passwords and hardening firewalls.

With the priority of restoring systems to a secure state, Unit 42 applied patches and reinforced network defenses. This collaboration not only mitigated the immediate threat but also helped the client enhance their long-term security posture through improved practices, awareness training and regular security assessments.

What It Means to Have Unit 42 on Retainer

In today’s rapidly evolving threat landscape, organizations need more than just a reactive response strategy. They need a partner who can proactively identify vulnerabilities and provide a quick, strategic response when incidents occur. This is where Unit 42 comes in. By having Unit 42 on retainer, organizations gain access to a wealth of expertise and resources that go beyond simply returning to normal operations; they gain a partner dedicated to transforming their security posture for the long term.

Unmatched Visibility and Expertise

Unit 42 delivers unparalleled visibility into the latest attack trends and tactics, combined with deep expertise in countering them. Backed by extensive telemetry data from more than 80,000 Palo Alto Networks enterprise customers worldwide and one of the industry’s largest threat intelligence databases, our team has access to broader telemetry than any other cybersecurity company.

Industry-Leading Incident Response

Our incident response team is recognized as one of the best in the industry, handling more than 1,000 cybersecurity engagements annually. Named a leader in The Forrester Wave for Cybersecurity Incident Response, Unit 42 is known for its speed, precision and effectiveness in containing and mitigating incidents. But we don’t just stop there. Our approach also focuses on helping organizations build resilience by transforming their security strategies and operations post-incident.

The Power of Palo Alto Networks and Precision AI

Leveraging the advanced capabilities of Palo Alto Networks product platforms, powered by Precision AI, we bring a level of automation and insight that keeps us, and our clients, steps ahead of threat actors every time. This combination of human expertise and AI-driven technology ensures a comprehensive, proactive approach to cybersecurity.

Exclusive Offer for Palo Alto Networks Customers

Recognizing the growing need for rapid, expert intervention in today’s threat environment, Unit 42 is pleased to offer our no-cost Unit 42 Rapid Incident Response Retainer program, exclusively to qualified Palo Alto Networks customers. This retainer ensures that when every second counts, you have a trusted partner ready to jump into action, minimizing impact and helping you recover with confidence.

Having Unit 42 on retainer means more than just access to top-tier incident response; it means having a partner committed to your organization’s security success. Don’t just react to threats; stay ahead of them with Unit 42.

The No-Cost Unit 42 Rapid IR Retainer

For qualified Palo Alto Networks customers, the Unit 42 Rapid Incident Response Retainer offers a suite of benefits:

Contact your Palo Alto Networks account manager to put Unit 42 on speed dial. If you believe you are under attack, contact Unit 42 directly.

The post Unit 42 Incident Response Retainers Enhance Organizational Resilience appeared first on Palo Alto Networks Blog.
