Now available: eSentire’s 2019 Annual Threat Intelligence Report

Recently released, eSentire’s 2019 Threat Intelligence Report: Perspectives from 2019 and Predictions for 2020 provides visuals, data and written analysis, as well as practical recommendations for readers seeking to understand and better respond to the cybersecurity threat landscape. By shining a light on cybercrime—including the players, their motivations, their tactics and their targets—we hope to bring data and insights to conversations often dominated by opinion and guesswork.

Key findings

Nation states: Most nationally sponsored cybersecurity incidents take the form of espionage through data exfiltration. Such activities regularly target military systems, businesses, infrastructure and organizations that store or process valuable information and often exhibit “low and slow” collection over a period of months or years.

Organized cybercrime: While nation state activity is significant, financially motivated organized cybercrime is responsible for the vast majority of cyberattacks. Taking a coarse view of cybercrime activity, we can broadly distinguish between two approaches:

• Relying on highly automated commodity malware, typically within opportunistic, untargeted campaigns
• Investing manual effort to infiltrate and compromise high-value targets

In particular, 2019 saw a surge in “hands-on-keyboard” ransomware, with many high-profile cases of downtime, disruption and—owing to a bug in the Ryuk decryptor – destruction.

Phishing: Phishing continues to be an effective, low-effort means of acquiring credentials that can be sold or put to use to gain initial system access. In 2019, phishing victims showed particular vulnerability to lures relating to email services, Microsoft Office 365 and financial services. Like other malicious activities, phishing continues to evolve as users become more resilient and defenses improve. In 2019, phishers employed several new tactics to obfuscate confirmation and identification, including CAPTCHA, RECAPTCHA, email validation and HTML page obfuscation. Additionally, phishers are increasingly leveraging trusted cloud hosting services and proxies – including LinkedIn, Mailchimp, SendGrid, Mailgun, Google, Microsoft and link shortening services—to bypass filtering solutions.

Initial access: In 2019, as in other years, threat actors employed several tactics to gain a beachhead in victim systems:

• Valid Accounts: Using legitimate credentials to access systems for malicious purposes
• Business Email Compromise (BEC): Including account takeover and account impersonation
• External Remote Services: Leveraging brute-force attacks and exploits to enter a system through an externally facing service (Remote Desktop Protocol is a frequent means of entry)
• Drive-By Compromise: Using web browser exploits and other tactics to gain system access through a user’s innocent and otherwise innocuous activity
• Malicious Documents: Usually with weaponized email attachments (frequently Microsoft Office files, but also malicious JavaScript) and often disguised as an invoice or other matter for urgent attention

Methodology

eSentire Threat Intelligence used data gathered from over 2,000 proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.