{"id":167983,"date":"2022-07-26T03:00:07","date_gmt":"2022-07-26T10:00:07","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=167983"},"modified":"2022-07-25T16:01:48","modified_gmt":"2022-07-25T23:01:48","slug":"cyberthreats-incident-response-report","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2022\/07\/cyberthreats-incident-response-report\/","title":{"rendered":"Today\u2019s Cyberthreats: Ransomware, BEC Continue to Disrupt"},"content":{"rendered":"<p>When we created the <a href=\"http:\/\/start.paloaltonetworks.com\/2022-unit42-incident-response-report\">2022 Unit 42 Incident Response Report<\/a>, our goal was simple: to gather insights from our incident response cases and our security consultants\u2019 experience so organizations can benefit from them.<\/p>\n<p>By examining what we\u2019ve learned about attackers from helping organizations in hundreds of cases, you can prioritize your resources and focus your efforts to mitigate the risks that you deem most significant. The goal is to understand:<\/p>\n<ul>\n<li>What attackers are doing (or trying to do).<\/li>\n<li>How attackers are doing it.<\/li>\n<li>What contributes to attackers\u2019 success.<\/li>\n<li>What you can do to protect your organization.<\/li>\n<\/ul>\n<p>To answer these questions, Unit 42 analyzed hundreds of incident response (IR) cases over the past year to extract critical details and insights. 
We also conducted in-depth interviews with experienced consultants to learn what they believe organizations most need to know to be more <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2021\/09\/cyber-resilience\/\">resilient<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2022\/01\/threat-intel-informed-cybersecurity\/\">prepared<\/a>.<\/p>\n<p>The <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/2022-incident-response-report\">2022 Unit 42 Incident Response Report<\/a> provides our findings, shedding light on key attack tactics and trends that reveal how the threat landscape is evolving, so you can adapt your defenses to protect your organization\u2019s assets and operations.<\/p>\n<h2><a id=\"post-167983-_heading=h.x0tunhqgk0i7\"><\/a>What Attackers Are Doing (or Trying to Do)<\/h2>\n<p>Most attacks seem to be motivated by money. Commonly affected organizations are in industries that store, transmit and process high volumes of monetizable information. The finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail industries accounted for 63% of our IR cases.<\/p>\n<figure id=\"attachment_168079\" aria-describedby=\"caption-attachment-168079\" style=\"width: 570px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"570\"><span class=\"ar-custom\" style=\"padding-bottom:76.14%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-168079 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/07\/Unit42-IR-Report-industries-Cropped.jpg\" alt=\"Top affected industries in 2022, according to Unit 42 incident response cases (in order): finance, professional and legal services, manufacturing, healthcare, high technology, wholesale and retail, education, hospitality\" width=\"570\" height=\"434\" \/><\/span><\/div><figcaption id=\"caption-attachment-168079\" class=\"wp-caption-text\">Figure 1. 
Top affected industries in 2022, according to Unit 42 incident response case data.<\/figcaption><\/figure>\n<p>Hackers can sell the data or hold it hostage to extract a payout because they know the organizations in these industries rely on the integrity and privacy of their information to operate and compete.<\/p>\n<h2><a id=\"post-167983-_heading=h.m6vygco3tk0j\"><\/a>How Attackers Are Operating<\/h2>\n<p>Ransomware and business email compromises (BEC) were the top incident types observed in our cases over the past year, accounting for approximately 70%.<\/p>\n<p>The top three access vectors that threat actors used to get into an organization\u2019s environment were phishing, the exploitation of known software vulnerabilities and brute-force credential attacks, primarily focused on remote desktop protocol (RDP) where victims\u2019 systems were directly exposed to the internet. These three were the suspected initial entry vectors of more than 77% of intrusions.<\/p>\n<figure id=\"attachment_168092\" aria-describedby=\"caption-attachment-168092\" style=\"width: 565px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"565\"><span class=\"ar-custom\" style=\"padding-bottom:100%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-168092 size-full lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/07\/Unit42-IR-Report-initial-access-Cropped.jpg\" alt=\"Suspected Means of Initial Access: Phishing 37%, Software vulnerabilities 31%, Brute-force credential attacks 9%, Previously compromised credentials 6%, Insider threat 5%, social engineering 5%, abuse of trusted relationships 4%, others 3% \" width=\"565\" height=\"565\" \/><\/span><\/div><figcaption id=\"caption-attachment-168092\" class=\"wp-caption-text\">Figure 2. 
Suspected means of initial access according to Unit 42 incident response case data.<\/figcaption><\/figure>\n<h2><a id=\"post-167983-_heading=h.lvdsl2pxk4uk\"><\/a>What Contributes to Attackers\u2019 Success<\/h2>\n<p>When investigating why breaches succeeded, our team identified seven common contributing factors.<\/p>\n<ol>\n<li>Lack of multi-factor authentication \u2013 50% of cases<\/li>\n<li>No endpoint detection and response (EDR) security solution to detect and respond to malicious network activities \u2013 44% of cases<\/li>\n<li>No or poor patch management procedures \u2013 28% of cases<\/li>\n<li>No mitigations in place to ensure account lockout for brute-force credential attacks \u2013 13% of cases<\/li>\n<li>A failure to review or act on security alerts \u2013 11% of cases<\/li>\n<li>Weak password security practices \u2013 7% of cases<\/li>\n<li>System misconfigurations \u2013 7% of cases<\/li>\n<\/ol>\n<p>In many cases, organizations we worked with had been taking the right steps <em>most<\/em> of the time \u2013 but attackers only need to find <em>one<\/em> gap to be successful. We saw cases where a bit of \u201cshadow IT\u201d \u2013 unauthorized devices \u2013 or a half-forgotten legacy system wound up putting the entire organization at risk.<\/p>\n<p>We see this list as a guide you can use to double-check that your key protections are in place.<\/p>\n<h2><a id=\"post-167983-_heading=h.5hwxru4ijm7b\"><\/a>What You Can Do to Protect Your Organization<\/h2>\n<p>Based on the themes that come up again and again in our IR cases, our consultants highlighted the top six things you can do to improve your organization\u2019s security posture and make it harder for attackers to succeed:<\/p>\n<ol>\n<li>Conduct phishing prevention and recurring employee and contractor security training.<\/li>\n<li>Disable any direct external RDP access. 
Ensure all external remote administration is conducted through an enterprise-grade virtual private network (VPN) with multi-factor authentication (MFA) required.<\/li>\n<li>Patch internet-exposed systems as quickly as possible (given leading practices for testing and responsible deployment) to prevent vulnerability exploitation.<\/li>\n<li>Implement MFA as a technical control and security policy for all users.<\/li>\n<li>Require that payment verification takes place outside of email to ensure a multi-step verification process.<\/li>\n<li>Consider a credential breach detection service and\/or attack surface management solution to help track vulnerable systems and potential breaches.<\/li>\n<\/ol>\n<h2><a id=\"post-167983-_heading=h.9ln4s27nrtk6\"><\/a>Other Insights You\u2019ll Find in the 2022 Unit 42 Incident Response Report<\/h2>\n<p>In addition to the findings outlined here, the report includes in-depth spotlights on ransomware, BEC and cloud incidents \u2013 three types of incidents that we believe all organizations should prepare to defend against. We share actionable information on what attackers do once they\u2019ve breached a network. Our consultants predict how attackers may shift their tactics and goals in the coming year.<\/p>\n<p>Finally, our security experts take you far beyond the six fundamentals described above. 
We offer in-depth recommendations for how to improve your security posture, grouped so you can focus on the risks you most want to mitigate.<\/p>\n<p>Download the full <a href=\"http:\/\/start.paloaltonetworks.com\/2022-unit42-incident-response-report\">2022 Unit 42 Incident Response Report<\/a> to learn more, and register to attend the <a href=\"https:\/\/register.paloaltonetworks.com\/unit42incidentresponsereport22\">2022 Incident Response Report webinar<\/a> to hear our security experts discuss the key findings in the report and answer your questions live.<\/p>\n<h2><a id=\"post-167983-_heading=h.i2dxon1ibkiz\"><\/a>Get in Touch<\/h2>\n<p>Want help preparing for or responding to a cyber incident? Call in the experts.<\/p>\n<p>If you think you may have been impacted by a cyber incident or have specific concerns about any of the incident types discussed here, please <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\">contact Unit 42<\/a> to connect with a team member. The <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/respond\/incident-response\">Unit 42 Incident Response team<\/a> is available 24\/7\/365. If you have cyber insurance, you can request Unit 42 by name. You can also take preventative steps by requesting any of our <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\">cyber risk management services<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The 2022 Unit 42 Incident Response Report gathers learnings from hundreds of incident response cases to help security leaders and practitioners. 
<\/p>\n","protected":false},"author":663,"featured_media":168106,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[308,6717],"tags":[3967,7603,8155,6669,221,8345,586],"coauthors":[8779],"class_list":["post-167983","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-products-and-services","tag-best-practices","tag-business-email-compromise","tag-cloud-incident-response-services","tag-incident-response","tag-ransomware","tag-research-reports","tag-unit-42","sec_ops_category-must-read-articles"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/07\/Brainstorm.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/167983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=167983"}],"version-history":[{"count":9,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/167983\/revisions"}],"predecessor-version":[{"id":168134,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/167983\/revisions\/168134"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/168106"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=167983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/bl
og\/wp-json\/wp\/v2\/categories?post=167983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=167983"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=167983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}