Over the last few months, we’ve warned that the situation caused by the COVID-19 pandemic has led to a rise in cybersecurity incidents targeting the endpoint. To give just two examples, we’ve seen how dangerous banking Trojans are using content related to the pandemic as a lure, and how cyberattackers are exploiting vulnerabilities in remote work tools because of how widely used they are these days.

This increase in the number of incidents, as well as the risk they pose to organizations, cannot be put down to COVID-19 exclusively; since last year, the experts at our laboratory have been observing that threats are continuing to evolve and proliferate. This can be seen in the recently published Threat Insights Report 2020 .

Data, not intuition_


In total, the report represents 1.2 petabytes of data per million endpoints, 70,000 malware alerts, and 426 million executables analyzed. All this data was then compiled and analyzed by the security laboratory. Thanks to this labor, the laboratory was able to analyze and break down the following aspects:

  • Perceptions based on data, not intuition. Endpoint security requires huge amounts of data to be gathered and analyzed. This data then feeds everything, from the artificial intelligence that analyzes behaviors and discovers patterns, to threat hunting services, which are responsible for intercepting threats before they can attack.

In cyberdefense, endpoint data provides a visibility that is essential to be able to offer first-rate protection and see what is happening on every device, network, and connection, and thus detect changes, trends, and anomalies in the global threat landscape. Without this high level of visibility, today and in the future, cybercriminals will be able to move around networks with ease.

  • Global hotspots: The attackers or the attacked? According to the data compiled in the report, Thailand is top of the list of the 20 countries with most detections per endpoint (40.88), and Spain is at the bottom (0.07). The Middle East and South America have the highest concentration of targets.

The figures lead to a striking conclusion: These countries are attractive targets for cyberattackers because there are many exposed and poorly protected systems, meaning hackers can attack more frequently and more successfully. What’s more, it can be assumed that these are not the final targets, but rather compromised systems that will be used to target other systems around the world.

  • Persistence of file-based attacks. Cybercriminals use common file extensions to carry out their activity. Behind each is a vulnerability in the design of the file that can be exploited with all sorts of techniques (phishing, for example).

In the ranking of extensions accessed in 2019, those with the highest number of unique access events logged are .pdf, .odf, .job, .pem, and .mbd. Others, such as .xls, .doc, and .ppt, are also in the top twenty.

  • The limits of whitelisting. These days, with the rise of zero-trust based security, many cybersecurity professionals don’t protect whitelisted applications, believing them to be secure. Whitelists, like blacklists, have their limits: not only are new threats able to bypass whitelisted applications, but they are also able to specifically exploit this software.

Luckily, active monitoring of all software and processes goes beyond the limits of whitelisting. If all endpoint activity is monitored, malware can be identified and cannot run, and goodware cannot be used illegitimately.

  • Fileless attacks, a nascent threat. There are certain productivity tools, browsers, or ubiquitous operating system components that tend to be on whitelists, which means that they would never be classified as suspicious, let alone malware. This makes them the ideal vectors for deploying fileless attacks, live hacking, Living-off-the-Land (LotL) attacks, among others. Because of this, it is necessary to have anti-exploit technology to protect against such abuses.

As the data collected shows, the top three most commonly exploited applications are Firefox, Microsoft Outlook, and Internet Explorer.

  • One solution, multiple layers. Not all cyberthreats are created equal, and when the system stops one, it may let others slip past. This is why a combination of local signature-based tools, cloud-based technologies, and context-based behavioral analysis is required to properly detect and respond to cyberthreats.

Beyond full endpoint protection_

These aspects demonstrate that, with the constant evolution and increase in cyberattacks, cybersecurity professionals must look beyond the traditional and leave purely reactive strategies behind in order to adopt a more proactive approach. Protecting the endpoint as it has always been protected is not enough; today’s threats are multiplying and changing so fast that companies cannot manually handle their cyberdefense.

This is why it is a good idea to have advanced cybersecurity solutions that prevent, detect, and respond to any kind of known and unknown malware, and fileless and malwareless attacks. This is the response that Cytomic EPDR offers; as well as integrating these preventive endpoint technologies, it makes up a single solution that also contains EDR capabilities and the Zero-Trust Application Service.