Organizations face three emerging threats that compromise identities, exploit the use of accomplices or insiders and evade current detection and defenses, according to security researcher Oliver Rochford.
During his insight stage talk at Infosecurity Europe, Rochford, security evangelist at Securonix, said that a growing number of criminal groups are acting as initial access brokers (IABs). These specialist groups form part of the “cybercrime as a service” economy on the dark web, focused on gaining access to systems and stealing credentials. Other cybercrime groups then buy the access.
“This frees up ransomware operators to develop their ransomware without having to worry about how to gain access to companies,” Rochford said.
Initial access brokers target specific types of organizations using “firmographics.” According to Rochford, ransomware groups are becoming more focused, turning their attention to companies that are likely to pay. They are avoiding critical national infrastructure and health care, as attacks on these are more likely to draw the attention of law enforcement agencies.
Yet, security researchers are also seeing an increase in accomplice-based ransomware and insider collusion. Here, employees offer their legitimate credentials to IABs or ransomware groups in return for a percentage of the payout. This can be as high as 40%, and Rochford cited one example where this would net the insider $500,000.
Accomplice-based attacks are harder to detect because they use legitimate rather than compromised credentials. But this is not the only step attackers take to mask their activities.
Securonix is seeing a growth in techniques that try to evade cyber defenses, including by avoiding the use of malware altogether. These attacks, known as “living off the land” or file-less attacks, use legitimate IT management tools such as PowerShell and BITS (Background Intelligent Transfer Service) and signed binaries instead of custom malware. One report, according to Rochford, suggests that 91% of DarkSide ransomware attacks use legitimate, publicly available tools. These techniques are now also being used to attack cloud infrastructure.
According to Rochford, organizations can improve their defenses against these attacks through multi-factor authentication and better monitoring, including behavior monitoring and threat detection. “We want to catch it early,” he said. “That gives a good chance to cripple the attack.”
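The behavior monitoring Rochford describes has to catch legitimate tools being used in unusual ways, since there is no malware to match. The script below is an added example (not from the talk or from Securonix) of two such detection rules run over constructed events: PowerShell launched with an encoded command line, and a BITS transfer to a host outside an assumed allowlist. The event schema and the allowlist hosts are assumptions for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts BITS is expected to contact in this hypothetical environment (assumption).
ALLOWED_BITS_HOSTS = {"update.example-corp.internal", "download.windowsupdate.com"}

# Matches the -EncodedCommand switch and its common short forms, capturing the base64.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_powershell(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_event(ev):
    """Apply both rules to one event; return a list of (rule, detail) findings."""
    findings = []
    if ev["type"] == "process_create" and "powershell" in ev["image"].lower():
        decoded = decode_powershell(ev["command_line"])
        if decoded is not None:  # encoded script hides intent from casual review
            findings.append(("powershell_encoded_command", decoded))
    if ev["type"] == "bits_transfer":
        host = urlparse(ev["remote_url"]).hostname or ""
        if host not in ALLOWED_BITS_HOSTS:  # BITS used as a download channel
            findings.append(("bits_unexpected_host", host))
    return findings


def scan(events):
    """Run inspect_event over a batch; return (user, rule, detail) triples."""
    return [(ev["user"], rule, detail) for ev in events for rule, detail in inspect_event(ev)]


# Constructed sample events in a simplified schema (not real Windows log output).
_PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_encoded = base64.b64encode("Get-Process | Out-File C:\\Temp\\p.txt".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process_create", "user": "CORP\\jdoe", "image": _PS_IMAGE,
     "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"type": "process_create", "user": "CORP\\jdoe", "image": _PS_IMAGE,
     "command_line": "powershell.exe -w hidden -enc " + _encoded},
    {"type": "bits_transfer", "user": "NT AUTHORITY\\SYSTEM",
     "remote_url": "https://download.windowsupdate.com/x.cab"},
    {"type": "bits_transfer", "user": "CORP\\jdoe",
     "remote_url": "https://files.example-unknown.net/update.bin"},
]

if __name__ == "__main__":
    for user, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:28} user={user} detail={detail!r}")
```

Only the encoded PowerShell launch and the BITS job to the unknown host are reported; the inventory script and the Windows Update transfer pass silently.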