Better understanding leads the way to cybersecurity
An analysis of threat data, by Nicolas Drogou.
It doesn’t matter which sector your company operates in or how much data it churns: risks are a constant of our daily digital lives. Instead of viewing this as an endless struggle, I would like to share some insights on the current cybersecurity trends, but also shed some light on opportunities for businesses to create a durable approach to cybersecurity.
At Orange Cyberdefense, we have a vast array of data. In the past year, we have analyzed over 50 billion security events per day, solved more than 35,000 security incidents, and led more than 170 incident response missions. With all of this information and expertise, we can see interesting overarching trends and how they can affect you, your business, your clients, and partners. Let’s dive into it!
Security incidents on the rise
First, it is worth noting that the number of qualified security events increased more than predicted. Among the 263,109 events in total, we identified 11.17% (29,391) as verified security incidents. In the previous year, this rate was 8.31%, which means we saw an increase of 34.4%, a clear sign of a significant rise in security incidents.
Another major trend is the increase in account anomalies. In the previous analysis, account anomalies made up 15% of our incidents and ranked third. This year, they have jumped to second place at 22%. A possible explanation is the unusual frequency and sheer magnitude of this year’s data leaks: literally hundreds of millions of accounts and credentials have been leaked and sold on the darknet. Additionally, the weak point in security remains the human factor, and we know people tend to reuse passwords, particularly when they are prompted to renew them every 100 days or so.
Hackers working 9 to 5
Another noteworthy change we observed is that malware incidents declined significantly. Previously, we had classified 45% of incidents as malware related. During 2019 this dropped to 22%. Over the same period, network and application anomalies increased from 36% to 46%, making them the top incident category in 2019. Does that mean malware is no longer a threat? Not in general, but it shows that endpoint-centered prevention can significantly reduce the risk. What we see here is very likely the immediate result of next-generation endpoint protection. While AI-based solutions have been around for a while now, their widespread adoption has taken some time and seems to be bearing fruit.
When looking at overall malware trends, we notice some striking patterns. The first noticeable trend is the drop in attack activity at the beginning of April, in mid-July, and in early December. These drops are likely due to a trend we already observed in previous years: as cybercriminals become more professional, we see them adopting a nine-to-five mentality. As odd as this seems, hackers now take regular holidays. This may explain the drop in April, when attacks slowed due to an early Easter holiday, as well as the drops during summer vacation and Christmas at the end of the year.
The crypto-mining effect
Ransomware had its highs and lows but remains a popular attack. For mining attacks it’s different. While both attack types showed a rise at the beginning of the year, mining attacks dropped and stayed low from April onwards. Ransomware dropped in April as well but rose to new peaks in May, October, and December. It’s also remarkable that Monero, Ethereum, Litecoin, and Bitcoin prices reached a new peak in early summer, but there was next to no effect on the frequency of mining attacks, while we had previously seen mining directly following the trade value of cryptocurrencies. This indicates that crypto-mining as a threat is declining and may not return in widespread campaigns.
The human factor remains the weak point
Social engineering remains hard to detect, and gathering statistics on it is tricky. Social engineering encompasses all sorts of activities that usually precede the actual attack. It starts with researching target account owners or people in key management roles on social media such as LinkedIn or Facebook. Targets could then be manipulated into revealing details of operating systems, network setups, or even credentials via fake phone calls from fake service employees. All of this can happen outside of the company perimeter and as such is outside of our direct tracking capabilities.
Many businesses are needlessly exposing themselves and their employees to risk, due to a lack of cybersecurity culture amongst their end-user population. A lack of basic security awareness, poor insights into the current and rapidly shifting threats, and a general move towards choosing convenience over security are still fueling risks that could be easily mitigated by empowering people with proper knowledge.
But there are smart ways to tackle the situation. In our next article, we would like to explain what we see as a viable way forward.
For more insight into the cybersecurity threat landscape, read the Security Navigator report in full here.