Guido Grillenmeier, Chief Technologist at Semperis, explains:
“2022 delivered more proof than anyone anticipated that cyberwarfare is real. And that it does not care about physical country borders. Attacks in countries far, far away can impact you tomorrow.
“While it's good to see that government agencies are increasing the pressure on ransomware gangs up to the point of making them disappear, there is no sanction for their criminal work in their host countries. So, unfortunately, a few weeks or months later they reappear, as we've seen this year, for example, with REvil and Conti.
“Furthermore, the level of teamwork amongst different gangs has increased, up to the point that ransomware-as-a-service is now a common theme. In essence, 2022 has proven again that cyber security professionals need to prepare for the worst. Invest in proper security tools, with ITDR (Identity Threat Detection & Response) at the top of your list. And have a DR plan ready - don't start designing it when your lights are out.”
What’s in store for 2023?
Looking ahead, Sean Deuby, Semperis Principal Technologist, North America, advises, “I expect to see continued growth in cybercrime, across all fronts, not just in 2023 but for years to come. According to the Statista Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027, averaging anywhere from 21% to 36% yearly growth. This trend carries a clear message: keep working on security basics and on closing the most common attack paths.
“There are many ways to strengthen your defenses, but the most productive step that organisations can take this year is to prioritise identity-focused security. Gartner drew a lot of attention late last year to identity threat detection and response (ITDR) solutions. Most attacks involve identity and, regardless of their initial access point, threat actors typically go through Active Directory (AD) to gain ground in your environment. So, a great place to start is evaluating and reducing your AD attack surface. One of the easiest ways to do that is by using free tools like Semperis Purple Knight, which helps you spot gaps and vulnerabilities that often have existed for years, and Forest Druid, which helps you identify your most important identity assets and the access paths to them.”
The Semperis Security Research Team explains why an attack path often starts with identity and credential theft.
Identity and credential theft continue to be at the core of most attacks. The initial stages of a breach might include a phishing attack on a company employee, followed by privilege escalation into a different high-privileged user or service account, which is then followed by lateral movement throughout the corporate network using the compromised user's identity to exfiltrate sensitive data, perform sensitive actions or even harm mission-critical data. A different approach might include exploiting vulnerabilities in an external-facing data asset (e.g., a web server) and then breaking out of that and moving laterally throughout the corporate network, using the compromised data asset's service account and privileges. In both cases, identity plays a key role and is therefore targeted by most threat actors.
Ransomware as a Service (RaaS) continues to be a top security threat. We expect to see such incidents increase due to several factors, including the ongoing war in Ukraine (a large percentage of RaaS crime rings are either directly operated or allowed to operate by Russian authorities) and the macro-economic reality of global inflation. This extremely lucrative and horribly effective type of cybercrime creates exponential growth in the number of ransomware incidents, as attackers can simply purchase off-the-shelf, ready-made code online and invest most of their efforts in identifying and compromising companies that are willing to pay a lot of money to restore access to critical data and infrastructure.
In addition, as more and more organisations continue to migrate to cloud-based services, we expect both Azure AD and hybrid identity environments to be targeted in growing numbers. This isn't because cloud-based services are less secure than on-premises services but rather because most organisations aren't aware of the different approach that cloud-based services require to properly maintain and secure the identity environment.