Research from Trustwave Details New Trends in Cyberattacks

Social engineering, sextortion campaigns and retail attacks are on the rise as enterprises strengthen security efforts and increase incident response time

A new research report from Trustwave highlights an interesting evolution in the cybersecurity landscape. In the past year, cybercriminals have taken a decidedly more focused approach against targets by using better obfuscation techniques and improved social engineering skills, while organizations showed marked improvements in areas such as time to detection and response to threats. The 2019 Trustwave Global Security Report combines Trustwave’s internal research, logged security events, manual penetration tests, forensic and data-breach investigations, and network vulnerability scans over the course of 2018 to create a comprehensive report detailing the current state of cybersecurity.

Findings from this research serve as a valuable tool for IT teams, drawing awareness to both areas in which criminals are advancing and areas where organizations should improve their efforts. For instance, the top method of compromise in 2018 was social engineering. In both cloud and point-of-sale (POS) environments, an incredible 60 percent of Trustwave’s breach investigations attributed successful social engineering as the initial point of entry.

While research shows that attacks via email are lessening overall, sextortion spam is growing rapidly, and malware is becoming much more difficult to detect. Sextortion spam was almost nonexistent in 2017 and most of 2018, however, by the end of 2018 it spiked, eventually representing 10 percent of all spam identified that year. In this type of attack, criminals attempt to dupe victims into paying ransom to prevent the release of compromising materials or videos that don’t actually exist. This trend has continued into 2019, as sextortion scams have recently evolved to use legitimate online web platforms for collecting ransom during campaigns. Scammers continue to improve on crafting emails that are scarier and more believable, and the payments of ransom faster and easier to pass through before the victim has a chance to think twice about the sham.

With that said, spam containing malware has actually decreased from 26 percent to just six percent in 2018, as cybercriminal activity became more targeted. Malware also became harder to detect; 67 percent of malware analyzed used obfuscation to help avoid detection, leaping from 30 percent in the year before. Trustwave also noticed a spike in malware using encryption during data exfiltration, with encrypted HTTPS used by 10 percent of all malware we inspected, where zero samples were using encryption in 2017. This increased use of encryption and obfuscation during the delivery of the malware and exfiltration of stolen data makes the malware much harder to detect and prevent.

As criminals take a more focused approach with their targets, it would appear that cybersecurity awareness, training and general hygiene are continuing to pay off. While it will always be difficult to show a perfect scorecard, enterprises saw a great improvement in the median time duration from threat intrusion to containment, dropping from 67 days in 2017 to 27 days in the past year. In scenarios where the victims detected an intrusion themselves, the median time between intrusion and detection was less than two weeks. Compared to nearly two months between milestones when enterprises were notified of an intrusion from regulatory bodies, law enforcement or other third parties, the data highlights the importance of enterprise security teams and managed service providers closing the detection and response timeline before finding out from the outside world. More often than not, this limits the overall exposure and harm the attacker can do with unfettered access to an enterprise, its networks and data.

These vast improvements in enterprise response times can be attributed to wider adoption of technologies such as endpoint detection and response, stronger organization security maturity, and behavioral analytics.

While Trustwave’s research highlights key trends across the vast threat landscape, not all industries were breached equally. Like the previous year, retail continues to be the most targeted industry vertical, accounting for 18 percent of incidents. Payment card data has quickly become the most desirable acquisition for criminals, making up 36 percent of all breach incidents. As the retail industry as a whole has shifted to EMV chip-enabled payment cards at point-of-sale systems, magnetic stripe data attacks dropped from 22 percent of incidents in 2017 to only 11 percent in 2018. On the flip side, card-not-present data attacks took over as the number one data type targeted, accounting for one-quarter of all incidents. Following the retail industry, the finance sector experienced 11 percent of incidents while hospitality came in third with 10 percent. Each experienced a slight decrease from the year before, as retail threats rose.

Additional results outlined in the report will help enterprises and government organizations  develop a strategic approach to both preventing and combating data breaches and cyberattacks. As organizations invest in measures to prevent breaches, it remains critical to have processes and a skilled IT team in place to detect, contain, and manage threats should an attack occur. For a greater analysis into these findings and more, download the full Trustwave 2019 Global Security Report at www.trustwave.com/gsr.

by Karl Sigler, Threat Intelligence Manager, Trustwave SpiderLabs