Palo Alto Networks Blog, 3 October 2024
Unit 42 Incident Response Retainers Enhance Organizational Resilience
Cyberattacks have increased in speed, scale and sophistication in the past year, as is highlighted in our 2024 Unit 42 Incident Response Report. We have continued to see the threat landscape evolve faster than most organizations can keep pace:

- In roughly 45% of cases in 2023, attackers exfiltrated data within 24 hours of compromise, which means organizations must respond within hours to stop them.
- Exploitation of internet-facing vulnerabilities rose to 39%, making it the leading initial access vector in our incident response cases. This jump is tied to several large, automated intrusion campaigns that swept the internet in 2023.
- Attackers are more organized, with dedicated teams for different stages of an attack. They are more knowledgeable, able to weaponize IT, cloud and security tools. And they are more efficient, using processes and playbooks to reach their goals quickly.

To illustrate how these dynamics play out in real-world scenarios, let’s examine two Unit 42 incident response cases that provide valuable insights into how today’s adversaries operate and the strategies that are needed to defend against them effectively.

Speed & Scale

In just 13 hours, a telecom provider was devastated by a fast-moving ransomware attack that encrypted files across tens of thousands of systems, exfiltrated sensitive data, and brought half of their business operations to a standstill. The client urgently engaged Unit 42 to contain the attack, prevent further data exfiltration, and help restore their operations. Within 2 hours of being called, Unit 42 began assessing the situation, quickly uncovering that the Black Basta ransomware had been deployed via a phishing email, leading to widespread unauthorized access.

Given the speed of the attack, rapid deployment of Cortex XDR across the impacted environment within 96 hours was critical to containing the threat, allowing Unit 42’s Managed Detection and Response team to begin 24/7 monitoring and threat hunting. As part of their response, Unit 42 negotiated an 80% reduction from the initial ransom demand and successfully implemented the decryption keys to recover encrypted data. Further investigation revealed gaps in network segmentation, credential control, endpoint security and security visibility. To mitigate future risks, Unit 42 deployed additional firewalls and access control technologies, reinforcing the client's defenses against the speed and agility of evolving threat actors.

Sophistication

During a recent engagement, Unit 42 responded to a sophisticated cyberattack orchestrated by the threat actor Muddled Libra. Over one week, the client endured five targeted attacks that showcased the adversary’s ability to adapt and exploit new pathways, even leveraging the client’s own security tools for lateral movement and further compromise.

Unit 42 was swiftly brought in to investigate and respond, focusing on a holistic security approach that included containment and remediation. Drawing on deep knowledge of Muddled Libra’s tactics, Unit 42 conducted a comprehensive assessment to identify unauthorized access and determine the full scope and impact of the attacks. The team advised the client on immediate actions, including securing compromised accounts, isolating affected systems, reconstructing Active Directory, changing passwords and hardening firewalls.

With the priority of restoring systems to a secure state, Unit 42 applied patches and reinforced network defenses. This collaboration not only mitigated the immediate threat but also helped the client enhance their long-term security posture through improved practices, awareness training and regular security assessments.

What It Means to Have Unit 42 on Retainer

In today’s rapidly evolving threat landscape, organizations need more than just a reactive response strategy. They need a partner who can proactively identify vulnerabilities and provide a quick, strategic response when incidents occur. This is where Unit 42 comes in. By having Unit 42 on retainer, organizations gain access to a wealth of expertise and resources that go beyond simply returning to normal operations; they gain a partner dedicated to transforming their security posture for the long term.

Unmatched Visibility and Expertise

Unit 42 delivers unparalleled visibility into the latest attack trends and tactics, combined with deep expertise in countering them. Backed by extensive telemetry data from more than 80,000 Palo Alto Networks enterprise customers worldwide and one of the industry’s largest threat intelligence databases, our team has access to broader telemetry than any other cybersecurity company.

Industry-Leading Incident Response

Our incident response team is recognized as one of the best in the industry, handling more than 1,000 cybersecurity engagements annually. Named a leader in The Forrester Wave for Cybersecurity Incident Response, Unit 42 is known for its speed, precision and effectiveness in containing and mitigating incidents. But we don’t just stop there. Our approach also focuses on helping organizations build resilience by transforming their security strategies and operations post-incident.

The Power of Palo Alto Networks and Precision AI

Leveraging the advanced capabilities of Palo Alto Networks product platforms, powered by Precision AI, we bring a level of automation and insight that keeps us, and our clients, steps ahead of threat actors every time. This combination of human expertise and AI-driven technology ensures a comprehensive, proactive approach to cybersecurity.

Exclusive Offer for Palo Alto Networks Customers

Recognizing the growing need for rapid, expert intervention in today’s threat environment, Unit 42 is pleased to offer our no-cost Unit 42 Rapid Incident Response Retainer program, exclusively to qualified Palo Alto Networks customers. This retainer ensures that when every second counts, you have a trusted partner ready to jump into action, minimizing impact and helping you recover with confidence.

Having Unit 42 on retainer means more than just access to top-tier incident response; it means having a partner committed to your organization’s security success. Don’t just react to threats, stay ahead of them with Unit 42.

The No-Cost Unit 42 Rapid IR Retainer

For qualified Palo Alto Networks customers, the Unit 42 Rapid Incident Response Retainer offers a suite of benefits:

- An initial 250 hours of Unit 42 incident response services
- A 2-hour incident response SLA
- 24/7/365 access to the Unit 42 incident response team
- Unit 42 threat intelligence expertise

Contact your Palo Alto Networks account manager to put Unit 42 on speed dial. If you believe you are under attack, contact Unit 42 directly.

The post Unit 42 Incident Response Retainers Enhance Organizational Resilience appeared first on Palo Alto Networks Blog.
