Published by Hamish Krebs, Executive Director of Digital Forensics and Incident Response 24 May 2024
In an increasingly connected world, cyber incidents continue to be a fact of life for individuals and organisations alike. To best protect yourself, your organisation and your people it’s important to understand how criminals are evolving and changing their tradecraft.
CyberCX’s annual report, Digital Forensic Incident Response 2023 Year In Review, reveals the latest cyber trends affecting organisations – both businesses and government – and the techniques attackers are using to gain access to systems and sensitive data.
Based on data taken from the cyber incidents CyberCX responded to last year, here are the key trends the largest team of digital forensics investigators and incident responders in the region are seeing:
- Business Email Compromises (BEC), where attackers compromise email accounts typically through phishing, are continuing to grow, with a 37% increase during 2023. While BECs do not receive the same level of attention as ransomware and data extortion attacks, they can still cause significant financial and psychological damage to victims, with one incident we saw recording a loss of $500,000 AUD.
- Multi-factor authentication (MFA) isn’t stopping BEC. As security becomes an increasing priority for businesses, security controls such as MFA are becoming widely adopted. In response to this, CyberCX has found attackers are adapting and developing new techniques to bypass these mechanisms.
- “Data extortion only” as a cyber extortion tactic was more common in 2023, with the number of cases in which a threat actor stole data without deploying ransomware more than tripling.
- Remote access solutions with valid credentials became the number one initial access method for cyber extortion incidents, surpassing vulnerability exploitation. In other words, attackers are simply entering a valid username and password on an external remote service such as a VPN to gain access to systems.
- Fewer businesses are paying ransoms. We observed a roughly 50% drop in payments by victims of cyber extortion last year. Of those who didn’t pay, 53% have not seen their data leaked publicly or on dedicated leak sites (up from 46% in 2022).
Unsurprisingly, financial gain was the main motivator for attackers in 2023, far ahead of espionage, hacktivism and retaliation.
Five ways to protect your organisation online
With these trends reflecting an evolution in the attacker tradecraft, how do organisations – large and small, government and businesses – ensure they have the right security controls and practices in place?
At a minimum, organisations should adopt the following five strategies to strengthen their defences:
1. Implement strong security controls and defence in depth
While the mitigation strategies set out in the ACSC’s Essential Eight may seem simple, in practice care and attention are required to ensure that your organisation is adequately secured against the latest threats. Timely application of operating system and application patches, application control, improved network visibility and monitoring, and secure backups are key responsibilities of any cyber security and IT operations team.
2. Use phishing-resistant MFA
As our report makes clear, using MFA isn’t always enough to stop Business Email Compromise (BEC). We recommend using phishing-resistant MFA, such as FIDO2 keys or Windows Hello for Business, to ensure session hijacking cannot bypass your controls. Unlike traditional MFA, this approach incorporates multiple layers of protection and advanced techniques such as biometric authentication to provide enhanced security.
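The reason FIDO2 and Windows Hello for Business resist phishing is that the browser writes the origin it actually connected to into the signed client data, and the relying party refuses any assertion whose origin or RP ID hash is not its own. The following Go program is an added illustration of that relying-party check; it is not code from CyberCX or from any FIDO library, and the RP identity (`login.example.com`), the challenge value and the look-alike domain are all constructed for the example. It signs the same challenge twice with one credential, once from the genuine origin and once from a look-alike origin, and shows that only the genuine assertion verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying-party identity, assumed for this example only.
const (
	rpID     = "login.example.com"
	rpOrigin = "https://login.example.com"
)

// clientData mirrors the fields of WebAuthn's clientDataJSON that the RP checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticatorData builds the minimal authenticator data the RP inspects:
// SHA-256 of the RP ID (32 bytes), one flags byte, then a 4-byte counter.
func authenticatorData(id string, counter uint32) []byte {
	h := sha256.Sum256([]byte(id))
	out := append([]byte{}, h[:]...)
	out = append(out, 0x01) // UP flag: user present
	out = append(out, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return out
}

// signAssertion is the authenticator's job: sign authData || SHA-256(clientDataJSON).
// The browser, not the user, fills in clientData.Origin with the site it is on.
func signAssertion(priv *ecdsa.PrivateKey, authData, clientJSON []byte) ([]byte, error) {
	cdHash := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return ecdsa.SignASN1(rand.Reader, priv, msg[:])
}

// VerifyAssertion is the relying-party side: the assertion is accepted only if
// the ceremony type, challenge, origin and RP ID hash are all the RP's own and
// the signature is valid over them.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedChallenge string, authData, clientJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replayed or stale assertion)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo returns the verification outcome for a genuine login and for the same
// credential and challenge presented from a look-alike origin.
func Demo() (genuineErr, phishedErr error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := "constructed-challenge-001" // constructed value
	authData := authenticatorData(rpID, 7)

	// Genuine: the browser is on the real origin.
	good, _ := json.Marshal(clientData{"webauthn.get", challenge, rpOrigin})
	sig, _ := signAssertion(priv, authData, good)
	genuineErr = VerifyAssertion(&priv.PublicKey, challenge, authData, good, sig)

	// Look-alike: a real browser would not even offer this credential on a
	// different domain; we let the signature happen so the RP-side origin
	// check is what rejects it.
	bad, _ := json.Marshal(clientData{"webauthn.get", challenge, "https://login-example.com.invalid"})
	sig2, _ := signAssertion(priv, authData, bad)
	phishedErr = VerifyAssertion(&priv.PublicKey, challenge, authData, bad, sig2)
	return
}

func main() {
	g, p := Demo()
	fmt.Println("genuine origin:", g)
	fmt.Println("look-alike origin:", p)
}
```

The contrast with a one-time code is the point: a code typed into a look-alike page carries no information about where it was typed, so a relay can forward it, whereas a FIDO2 assertion carries the origin inside the signed data and fails the check above.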
3. Fortify all remote access points
With so many people shifting to remote work, or splitting their time between the office and home, it is increasingly important that remote access is adequately secured and monitored. Ensure all users are enrolled in MFA, and that any legacy remote access methods are decommissioned before they can be abused. Wherever possible, don’t allow users to log in to your systems from unmanaged devices. Additionally, remote access devices themselves are under attack from threat actors, so ensure that these are always patched, and that any vendor guidance to investigate a potentially compromised appliance is taken seriously.
4. Conduct regular scanning for leaked credentials
Infostealers, a type of malware designed to covertly collect sensitive and personal information, are one of the most common ways attackers gain valid credentials to VPN accounts. Credential-stealing malware is even more successful on home computing systems where security is not a priority. Ensure attackers can’t use these credentials on your systems by enforcing MFA and other conditional access policies on all internet-facing systems.
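Points 3 and 4 above both come down to the same policy on remote access: every login needs MFA, legacy methods are retired, and unmanaged devices are kept out. A cheap way to find out whether that policy actually holds is to run it retrospectively over the authentication log and list the successful logins it would have refused. The Go program below is an added example of that gap audit; it is not CyberCX's tooling, and the `key=value` log format, the list of legacy methods and the sample lines are all constructed for the example rather than taken from any real VPN appliance.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthEvent is one successful remote-access login, parsed from a constructed
// key=value log line (the format is invented for this example).
type AuthEvent struct {
	User    string
	Method  string
	MFA     bool
	Managed bool
}

// Finding records a login that the recommended policy would have refused.
type Finding struct {
	User   string
	Reason string
}

// legacyMethods are remote-access methods treated as decommission candidates
// regardless of MFA (constructed list for this example).
var legacyMethods = map[string]bool{"pptp": true, "l2tp-psk": true, "webmail-basic": true}

// parseLine turns "k=v k=v ..." into an AuthEvent; ok is false for lines that
// are not successful logins.
func parseLine(line string) (ev AuthEvent, ok bool) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	if kv["result"] != "success" {
		return AuthEvent{}, false
	}
	return AuthEvent{
		User:    kv["user"],
		Method:  kv["method"],
		MFA:     kv["mfa"] == "yes",
		Managed: kv["device"] == "managed",
	}, true
}

// Evaluate applies the policy (no legacy remote access, MFA on every login,
// no unmanaged devices) to each successful login and returns the ones that
// slipped through. Checks are ordered so the most serious gap is reported.
func Evaluate(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok {
			continue
		}
		switch {
		case legacyMethods[ev.Method]:
			out = append(out, Finding{ev.User, "legacy remote access method " + ev.Method + " still in use"})
		case !ev.MFA:
			out = append(out, Finding{ev.User, "login with valid credentials but no MFA"})
		case !ev.Managed:
			out = append(out, Finding{ev.User, "login from unmanaged device"})
		}
	}
	return out
}

// SampleLog is constructed input; it is not taken from any real system.
var SampleLog = []string{
	"ts=2023-09-01T08:02:11Z user=alice method=ssl-vpn mfa=yes device=managed result=success",
	"ts=2023-09-01T08:05:40Z user=bob method=ssl-vpn mfa=no device=managed result=success",
	"ts=2023-09-01T08:07:03Z user=carol method=ssl-vpn mfa=yes device=unmanaged result=success",
	"ts=2023-09-01T08:09:55Z user=dave method=pptp mfa=no device=unknown result=success",
	"ts=2023-09-01T08:11:20Z user=erin method=ssl-vpn mfa=no device=managed result=failure",
}

func main() {
	for _, f := range Evaluate(SampleLog) {
		fmt.Printf("%-6s %s\n", f.User, f.Reason)
	}
}
```

Run against the sample, the audit reports bob (no MFA), carol (unmanaged device) and dave (legacy PPTP), while alice passes and erin's failed attempt is ignored. On a real appliance the parser is the only part that changes; the three checks are the policy the article recommends.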
5. Clean up your organisation’s data
Simply put, whenever you store any kind of information, that information can be vulnerable to cyber criminals. Don’t make it easy for attackers to steal your data. Audit what you’ve got before it comes back to bite you, and don’t hold onto data you don’t need anymore. Corporate share drives remain one of the main targets for data theft because of the sensitive content they accumulate and the weak controls around them.
There’s an old cyber security adage that cyber criminals only have to be right once, but we have to be right every time. Cyber criminals and adversaries are opportunistic, creative, persistent and highly adaptive. As we improve our defences, so too do criminals change and evolve their tradecraft. That’s why to best prepare your organisation against cyber criminals, it’s important to watch their tactics and trends closely and adjust your defences accordingly.
Download the report to gain access to the full insights and recommendations for businesses from CyberCX’s Digital Forensic Incident Response team.
Looking to step up your cyber security game?
- Be prepared with a Digital Forensics Incident Response retainer
- Proactively hunt in your network with a Compromise Assessment