Palo Alto Networks Blog, 23 August 2024
Incident Response by the Numbers
Cyberattacks in 2024 show a trend toward faster-moving attackers and more sophisticated attack methods. Unit 42's 2024 Incident Response Report analyzes hundreds of incidents and reveals how attackers exploit software vulnerabilities, stolen credentials and social engineering, as well as the measures defenders need to take to protect their organizations.

💥 **Software and API vulnerabilities:** In 2024, software and API vulnerabilities became the number one entry point for attackers breaching a target organization's defenses, accounting for 38.6% of all incidents. Attackers used automated intrusion tools to target key parts of the software supply chain, such as Apache's Log4j logging framework and Oracle's WebLogic server, affecting governments, banks, shipping companies, airlines and other organizations. To counter this type of attack, organizations need proactive patch management: remediate known vulnerabilities promptly and anticipate future ones based on trends and threat intelligence. However, vulnerabilities are discovered far faster than teams can fix them; thousands are found every year, and every patch must be tested before it is deployed to the environment. Moreover, detecting vulnerabilities is not enough: teams must be able to prioritize the most critical ones and implement defenses to mitigate the impact of lower-priority vulnerabilities.

🔑 **Stolen credentials:** Stolen credentials were the second-largest entry point for attackers breaching a target organization's defenses, accounting for 20.5% of all incidents, a fivefold increase over the past two years. Attackers use stolen credentials to get inside the target organization and then carry out data theft, extortion and other malicious activity. To counter this type of attack, organizations need to take multiple measures to protect credentials, such as storing credentials with encryption and key management solutions, rotating credentials regularly, enforcing the principle of least privilege, and auditing credential use. Organizations also need to watch for the anomalous and suspicious behavior associated with stolen credentials, using AI and machine learning to detect attack patterns early and help defenders respond precisely.

🎣 **Social engineering and phishing:** Social engineering and phishing remain common attacker tactics, accounting for 17% of all incidents. Attackers increasingly target the IT help desk rather than employees themselves. They call the target's help desk impersonating a real employee and ask for help resetting a password or changing the phone number associated with an account. To counter this type of attack, organizations need to strengthen training for IT and administrative staff so they can recognize and respond to phishing. Organizations also need to implement continuous authentication and monitoring of communication channels, and encourage employees to question anomalies and report suspicious behavior.

⚔️ **Malware:** Malware was involved in 56% of all recorded security incidents in 2023, with ransomware accounting for 33%. Attackers use data-destruction tools and techniques, such as wipers, to destroy the target organization's data. To counter this type of attack, organizations need more comprehensive monitoring systems capable of detecting and resisting stealthy intrusions through backdoors and encrypted channels. These monitoring systems need advanced threat-detection technology that analyzes behaviors and patterns, integrates endpoint protection, and uses decryption capabilities to identify hidden exploits.

⏱️ **Attack speed:** Attacks are getting faster; data exfiltration can happen within days or even hours of the initial intrusion. To cope with this speed, organizations need to improve their defensive capabilities, enhance visibility, adopt Zero Trust principles, and shorten detection and response times.

🛡️ **Enhance visibility:** Organizations need full visibility of their external and internal attack surfaces. This includes inventorying external, internet-facing assets, protecting all of them with multi-factor authentication, and prohibiting remote access with only a username and password; inventorying internal network assets and endpoints and deploying an EDR or XDR solution to monitor and analyze endpoint activity; and performing regular vulnerability assessments that scan for unpatched software, insecure network configurations, and unnecessary open ports and services.

🔐 **Adopt Zero Trust principles:** Organizations need to adopt a Zero Trust architecture to minimize the attack surface and reduce the impact of a breach. Zero Trust assumes that both internal and external traffic may be a threat, implements strict authentication protocols such as multi-factor authentication and single sign-on, and applies network segmentation to prevent unauthorized lateral movement within the network.

🚀 **Shorten detection and response times:** Organizations need to adopt an extended detection and response (XDR) solution that provides a unified platform for capturing and correlating security telemetry from endpoints, networks and cloud environments, and uses AI, machine learning and analytics to augment SOC analysts.

💪 **Backups:** Organizations need a sound backup and recovery plan to ensure that business can be restored quickly after an attack.

🤝 **Partnership:** Organizations need to work with security companies to obtain the latest security intelligence and threat information, and to update security policies and measures promptly.

🧠 **Continuous learning:** Organizations need to keep learning and updating their security knowledge, and run regular security training to raise employee awareness.

⚔️ **The future of defense:** As attackers keep evolving, defenders also need to keep innovating, adopting more advanced technologies and strategies to meet new challenges.

💪 **Defenders need to act fast to stay one step ahead of attackers and protect their organizations.**

Key Insights from Unit 42’s 2024 Incident Response Report

In the past year, we’ve seen threat actors making bigger moves faster to mount more sophisticated attacks against their targets.

As we helped hundreds of clients assess, respond and recover from attacks, we collected data about those attacks and compiled them into our 2024 Incident Response (IR) Report.

Here are the data points that tell the story of last year's attacks and the steps defenders can take to protect their organizations.

To Block Attacks, Lock Down the Vectors

Attack vectors are the avenues by which attackers penetrate your organization’s defenses. Understanding how attackers get in can show you where to place controls to stop them.

The three most popular initial attack vectors we identified:

    Software and API vulnerabilities: 38.6% of cases
    Previously compromised credentials: 20.5% of cases
    Social engineering and phishing: 17% of cases

Shoring up these weak points is no easy task, and it requires a combination of tools, expertise and routine processes.

Exploiting Software and API Vulnerabilities

Last year, software and API vulnerabilities provided the initial access vectors for 38.6% of attacks we investigated – more than any other vector.

These attacks result from large-scale, automated intrusion campaigns. Often, attacks targeted key parts of the software supply chain, like Apache’s Log4j logging framework and Oracle’s WebLogic server, affecting governments, banks, shipping companies, airlines and others.

The IR Report demonstrates that these types of exploits are not anomalies. Instead, they represent an attack trend. A proactive patch management program is key to addressing realized vulnerabilities promptly and anticipating future vulnerabilities based on trends and threat intelligence.

The challenge lies in an uncomfortable truth – vulnerabilities are discovered at a far greater rate than teams’ ability to patch them. Thousands of vulnerabilities are reported each year, and each patch should be tested before being deployed in your environment.

Two of the top five Common Vulnerabilities and Exposures (CVEs) exploited in 2023 were identified years before that (2020 and 2021), which illustrates a significant lag in patching known vulnerabilities.

Detecting vulnerabilities isn’t enough. Teams must be able to prioritize the most critical vulnerabilities and implement defenses to mitigate lower-priority vulnerabilities.

Continued Use of Previously Compromised Credentials

Previously compromised credentials provided the initial access vector in 20.5% of cases we investigated – a 5x rise over the past two years.

Compromised credentials overtook phishing and social engineering as an attack vector, and there is a persistent and active black market for them.

Good hygiene can limit the damage potential of stolen credentials, but controls must go beyond strong passwords and multifactor authentication (MFA).

As cybercriminal tactics evolve, teams must implement more dynamic and responsive security controls and policies. These include regular security audits, real-time threat detection and training programs aimed at credential-threat risk recognition and mitigation.

It’s equally important to recognize the anomalous and suspicious behavior that follows the use of compromised credentials.

As attackers act with greater sophistication and subtlety, AI and machine learning are becoming vital to detect attack patterns early and position defenders to respond with precision.

Targeted Social Engineering and Phishing

Social engineering and phishing, previously the top attack vectors, accounted for 17% of the attacks we investigated last year.

Our experience shows that social engineering and phishing attacks are increasingly aimed at the IT help desk rather than employees themselves. Attackers will call the target’s help desk and impersonate a real employee, asking for help with resetting their password or with changing the phone number associated with an account.

Defending against human nature is still the hardest task. Often, admins prove just as susceptible to phishing attacks as other team members. That’s because high-performing organizations are built on people helping one another. We go against our own goals and self-interest when we ask people not to trust or help each other.

A multilayered defense slows attackers down, creates more opportunities for them to make mistakes, and gives your team the upper hand.

Evolving Malware Capabilities

In 2023, malware was implicated in 56% of all documented security incidents, with ransomware accounting for 33% of these cases.

We found a few noteworthy shifts in the details:

Organizations need more comprehensive monitoring systems that detect and counteract stealthy infiltrations through backdoors and encrypted channels.

Comprehensive monitoring includes advanced threat detection technologies that analyze behaviors and patterns, integrate endpoint protection, and employ decryption capabilities to identify hidden exploits.

Speed Matters

One of the biggest takeaways from our report is the speed at which attacks take place. Data breaches can now occur within days or even hours of an initial compromise.

In 2022, the median time between compromise and exfiltration was nine days. By 2024, it was two days. In almost 45% of cases, attackers exfiltrated data less than a day after compromise. Nearly half the time, organizations must now respond within hours because reacting more slowly means reacting too late.

But, the capabilities of defenders can get a boost from advanced analytics and real-time monitoring. AI and machine learning can help filter out the noise and empower teams to detect and respond with lightning speed.

How Defenders Can Get up to Speed

Enhance Visibility

Gaining visibility across your external and internal attack surfaces is step 1:

    Inventory your external, internet-facing assets, protect all of them with MFA, and disallow remote access that relies on a username and password alone.
    Inventory your internal network assets and endpoints, and deploy an EDR or XDR solution to monitor and analyze endpoint activity.
    Run regular vulnerability assessments that scan for unpatched software, insecure network configurations, and unnecessary open ports and services.

Palo Alto Networks Cortex XDR platform enables you to identify and quantify security vulnerabilities on any endpoint and application. It also evaluates the endpoints and applications impacted by a particular CVE, giving you the information you need to prioritize the most important vulnerabilities.

Adopt Zero Trust Principles

Mixing weak authentication controls, overprivileged accounts and improperly secured applications and information assets leads to critical breaches. This dangerous combination creates a straightforward pathway for attackers: an easy route in, unfettered access to sensitive data, and an unobstructed route for data exfiltration or other disruptive impacts.

Zero Trust architecture minimizes the attack surface and reduces breach impact by assuming that both internal and external traffic could be a threat.

Zero Trust principles involve implementing stringent authentication protocols, such as MFA and single sign-on (SSO), and applying network segmentation to prevent unauthorized lateral movements within the network.

Reduce Detection and Response Times

Over 90% of SOCs still rely on manual processes to manage threats.

Manual processes become less effective by the day. Many teams are still stuck in the mode of managing alerts because they do not have intelligent tools at their disposal.

Extended detection and response (XDR) with extended security intelligence and automation management provides a unified platform that captures and contextualizes security telemetry from endpoints, networks and cloud environments. These tools harness the power of AI, machine learning and analytics to act as a force multiplier for the SOC analyst.

With our new security co-pilots, you can reduce SOC complexity by receiving instant solutions to complex problems and actionable insights that guide you through recommendations step by step.

Get the Backup Your Team Needs

There is no one solution. Almost any security control can be overcome by a sufficiently motivated, skilled and resourced attacker. However, a perfectly executed intrusion is just as rare as a perfect defense.

A Unit 42 Retainer can give you the expertise and backup you need. Through Attack Surface and SOC Assessments, the Unit 42 team can assess and test your current playbooks and processes to create a roadmap for SOC excellence that empowers your business to thrive. Our Zero Trust Advisory Services will help you create and execute a roadmap for your Zero Trust journey.

Practice makes perfect. We’ll help your team prepare through exercises and simulations that keep them sharp. Why defend your organization alone? See how Unit 42 and the AI-powered Cortex security suite can help your team cultivate security excellence.
