Cyber threats are constantly evolving. As recently as 2016, Trojan malware accounted for nearly 50% of all breaches. Today, it is responsible for less than seven percent.
That’s not to say that Trojans are any less harmful. According to the 2020 Verizon Data Breach Investigations Report (DBIR), their backdoor and remote-control capabilities are still used by advanced threat actors to conduct sophisticated attacks.
Staying ahead of evolving threats is a challenge that keeps many IT professionals awake at night. Understanding today’s most important cyber threats is the first step toward protecting any organization from attack.
5 top cyber threats
From the Verizon DBIR and other sources, the Center for Internet Security (CIS) identified the five key attacks that organizations should defend against:
1. Malware – There are many different types of malware, and most organizations will find themselves fighting different variants at different times. According to the DBIR, the most active malware variants today are known as password dumpers, used to steal credentials.
Phishing emails and direct install are the most common delivery vectors for this type of malware. Downloaders (backdoors and key loggers) are also notable malware threats.
2. Hacking – More than 80% of confirmed breaches involve hacking, through brute force or the use of lost or stolen credentials. The major attack vector is web applications, and attacks through them are on the rise in part due to the increasing popularity of cloud applications. Vulnerability exploitation, backdoors, and command and control functionality are also major hacking techniques.
3. Insider privilege & misuse – While external attackers generally pose a much greater threat than insiders, privileged users still represent a considerable risk. The 2020 DBIR did note a decrease in the number of insider attacks since last year.
However, these incidents can be very hard to detect and can extend for a long time when cleverly concealed. Also, insiders misusing resources or abusing their privileges can lead to the unintentional disclosure of information.
4. Targeted intrusions – Cyber espionage remains a major concern, although the majority of incidents seem to be moving away from government-sponsored actors to those seeking purely financial gain. Targeted intrusions differ from general hacking in that the perpetrators work hard to avoid detection and may change their approach as they continue to focus on their victim.
5. Ransomware – A form of malware, ransomware nevertheless deserves its own special mention. It is the third most common malware breach variety. Credentials can also be compromised in a ransomware attack. Automation of attacks through online services means that ransomware will likely remain a growing problem.
Attack tactics and techniques
Protecting an organization from attack requires more than just knowledge of the most common cyber threats. Each type of attack follows a series of tactics (the steps in an attack). There are many techniques an attacker can use at each step.
These attack vectors are identified in the industry-endorsed ecosystem that is developing around the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Model.
There are more than 260 techniques identified in the ATT&CK framework, which are mapped to 11 corresponding tactics.
Protecting against new threats
Of course, knowing the attack types, tactics, and techniques is just the beginning. The question is what to do about them. To help organizations along their cybersecurity journey, the Center for Internet Security (CIS) leveraged the information in the DBIR and the ATT&CK framework to create the CIS Community Defense Model (CDM).
The CDM identifies important attack types in the DBIR and matches them to the techniques required to execute the tactics used. It then goes a step further, mapping the safeguards found in the CIS Controls against the techniques found in each attack and showing the security value of implementing those safeguards.
The CIS Controls are a prioritized and prescriptive set of safeguards that mitigate the most common cyber-attacks against systems and networks. The CIS Controls are further organized into three Implementation Groups (IGs) to help organizations decide which of the safeguards would provide the greatest value. This is determined by the size and nature of the organization, as well as how far along they are with their cybersecurity program.
Implementation Group 1 (IG1), for example, includes the safeguards that most organizations should be implementing to achieve basic cyber hygiene. The CIS Controls and the CIS Benchmarks (secure configuration guides for various technologies) are available at no cost to organizations worldwide.
Implementation, automation, and assessment
The complex nature of enterprise IT environments today requires advanced solutions for implementation and assessment. Implementation can be greatly assisted through the use of automated tools to remotely assess and upgrade important endpoints.
The CIS-CAT Pro Assessor is one such tool. It can save hours of configuration review by scanning a target system’s configuration settings and reporting the system’s compliance with the corresponding CIS Benchmark.
Additionally, the CIS Controls Self-Assessment Tool (CIS CSAT) provides many benefits for tracking implementation of the CIS Controls that go beyond a simple spreadsheet. CIS CSAT is now available in an “on premise” version with advanced options for teams, called CIS CSAT Pro. These tools and more are available through CIS SecureSuite Membership.