UK’s Department for Digital, Culture, Media and Sports has published the 6th edition of its annual cybersecurity breaches survey on GOV.UK.
We sifted through this year’s report to compile the top 6 takeaways. Let’s go.
1. COVID-19 has impacted security measures
Fewer businesses are now deploying security monitoring tools (35% vs. 40% last year) or undertaking any form of user monitoring (32% vs. 38%).
2. The move to work from home has made cybersecurity harder
- Only 35% of businesses are deploying monitoring tools compared to 40% in 2020.
- 32% of large businesses have unsupported versions of Windows.
- 83% of businesses say they have up-to-date malware protection compared to 88% in 2020.
3. Fewer businesses are detecting breaches
Compared to 46% of businesses in 2017, only 39% said that they detected any breach or attack. This can be attributed to fewer organizations deploying security controls and their limited ability to monitor remote employees.
4. Phishing remains the most common threat vector
83% of attacks on businesses and 79% on charities were in the form of phishing. These are consistent with the attack vectors reported in 2019 and 2020.
5. Despite the pandemic, threat actors have been relentless
4 in 10 businesses and 1 in 4 charities were hit by a security breach/attack in the last 12 months.
6. Prime targets are attacked more frequently
Of the businesses and charities that reported a security breach/attack, a quarter of them were hit at least once a week,
The data from this survey reinforces what we’re seeing globally:
- Growing mid-market companies are being increasingly targetted. These organizations have lean security teams and not enough bandwidth to sift through voluminous logs and identify early signs of targeted threats.
- Large organizations continue to be targeted with sophisticated ransomware and supply chain attacks.
You can read the full report here.
There’s no silver bullet. We can recommend four easy-to-implement active defense strategies that address security challenges around phishing and remote work access. These deception-based active defense recommendations are easy to implement, do not require complex tooling, and detect threats early.
Defend against phishing attacks with ‘Email Decoys’
Email decoys are fake email accounts that intercept attackers attempting to mount social-engineering/spear-phishing attacks on high-value personnel.
Seed these decoys on social media and other Internet-facing assets where attackers scour for spear-phishing targets. These email decoys are enumerated by hackers and added to their target lists for sending spear-phishing emails. There is no reason for anyone to send any emails to the decoy email addresses. Therefore, any email sent to these addresses is a high-fidelity indication of an attack.
You can integrate these with your SIEM to find other targets. Additionally, you can integrate with proxies to block access to spear-phishing domains.
Detect threats targeting remotely accessible services
Enabling employees to work from anywhere requires security teams to use VPNs, Citrix servers, and expose applications to the Internet.
Attackers target vulnerabilities in these remote access services to get into your network. Use that against them.
Deploy Internet-facing decoys that resemble vulnerable applications, databases, and servers. E.g., you can easily set up decoys that have the recent Citrix and ManageEngine vulnerabilities, making them attractive targets for the attackers.
Attackers looking for these assets during recon will discover and engage with the decoys as well. Any attempt to seek out these assets will alert you of incoming threats with low alert volume.
Stop attackers using stolen credentials
Attackers use credential stuffing and stolen credentials to break into organizations. These are hard to detect because the activity seems legitimate. You have two simple active defense plays here:
- Create a couple of Internet-facing VPN decoy portals. Attackers logging into them with stolen credentials will be detected instantly.
- Plant decoys of web apps that you use to detect credential stuffing.
Build visibility into remotely distributed endpoints
As you’ve seen in the survey finding, fewer organizations have visibility into endpoints because now they are outside the perimeter. Consider using endpoint deception to build this visibility, detect attacks early, and stop lateral movement.
Plant endpoint decoys like fake files, processes, passwords, and cookies on the work machines of all your remote employees.
An attacker on your employees’ machines will encounter these decoys and will be caught.
Endpoint deception follows the end-user, so even when they’re working from home, your ability to detect threats is not diminished. You gain visibility into home networks that are compromised without having to deploy appliances or network traffic monitoring choke-points.
Active defense is emerging as a viable approach to dealing with advanced attacks. MITRE has a new knowledge base dedicated to active defense. If you want to understand why this approach is gaining prominence in infosec circles, read this.
For more on using active defense and deception for remote work security, check out the white paper.
The bright side of the DARKSIDE ransomwareBy now, you’ve probably been bulldozed with solution briefings, white papers, vendor pitches, and webinar invitations to discuss how this ransomware could have been stopped. We’ll do things a little differently. We’ll of course include our resources at the end of this post, because obviously we don’t want to be left behind. But we’ll first […]By Sudarshan Pisupati
Ransomware, the limits of prevention, and active defenseWe’re almost halfway through 2021, and there seems to be a ransomware resurgence. Or that’s what the headlines will have you believe. On the contrary, the opposite might be true. According to a Sophos survey, ransomware attacks seem to have gone down in 2021. Only 37% of the organizations surveyed have said they experienced a […]By Amir Moin
Using deception to shield the insurance sectorInsurance companies are under siege from cyberattacks. We take a look at some of the key pieces of an insurer’s infrastructure the adversaries target and how you can use deception to build active defenses.By Sudarshan Pisupati
- Detect zero-days, APTs, and insider threats
- 10x the detection capabilities with 1/2 the team
- Get started in minutes, fully functional in hours