Palo Alto Networks Unit 42 Incident Response Report Reveals that Phishing and Software Vulnerabilities Cause Nearly 70% of Cyber Incidents
The 2022 Unit 42 Incident Response Report reveals trends, future implications and offers recommendations based on data gathered from a year's worth of investigations
In the report, Unit 42 identified that finance and real estate were among the industries that received the highest average ransom demands, with an average demand of nearly
"Right now, cybercrime is an easy business to get into because of its low cost and often high returns. As such, unskilled, novice threat actors can get started with access to tools like hacking-as-a-service becoming more popular and available on the dark web," said
Key trends covered in the report include:
Ransomware
A new ransomware victim is posted on leak sites every four hours. Identifying ransomware activity early is critical for organizations. Typically, ransomware actors are only discovered after files are encrypted, and the victim organization receives a ransom note. Unit 42 has identified that the median dwell time — meaning the time threat actors spend in a targeted environment before being detected — observed for ransomware attacks was 28 days. Ransom demands have been as high as
BEC
Cybercriminals used a variety of techniques in business email compromise wire-fraud schemes. Forms of social engineering, such as phishing, offer an easy and cost-effective way to gain covert access while maintaining a low risk of discovery. According to the report, in many cases cybercriminals are simply asking their unwitting targets to hand over their credentials — and getting them. Once they have access, the median dwell time for BEC attacks was 38 days, and the average amount stolen was
Attackers follow the money when it comes to targeting industries; however, many attackers are opportunistic, simply scanning the internet in search of systems where they can leverage known vulnerabilities. Unit 42 identified the top affected industries in incident response cases as finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail. Organizations within these industries store, transmit and process high volumes of monetizable sensitive information that attracts threat actors.
The report also reveals some statistics from IR cases that cyberattackers don't want you to know:
- The top three initial access vectors used by threat actors were phishing, exploitation of known software vulnerabilities and brute-force credential attacks focused primarily on remote desktop protocol (RDP). Combined, these attack vectors make up 77% of the suspected root causes for intrusions.
- ProxyShell accounted for more than half of all vulnerabilities exploited for initial access at 55%, followed by Log4J (14%), SonicWall (7%), ProxyLogon (5%) and Zoho ManageEngine ADSelfService Plus (4%).
- In half of all IR cases, our investigators discovered that organizations lacked multifactor authentication on critical internet-facing systems, such as corporate webmail, virtual private network (VPN) solutions or other remote access solutions.
- In 13% of cases, organizations had no mitigations in place to ensure account lockout for brute-force credential attacks.
- In 28% of cases, having poor patch management procedures contributed to threat actor success.
- In 44% of cases, organizations did not have an endpoint detection and response (EDR) or extended detection and response (XDR) security solution, or it was not fully deployed on the initially impacted systems to detect and respond to malicious activities.
- 75% of insider threat cases involved a former employee
Unit 42 Incident Response Services
Palo Alto Networks Unit 42 has an experienced team of security consultants with backgrounds in public and private sectors who have handled some of the largest cyberattacks in history. They manage complex cyber risks and respond to advanced threats, including nation-state attacks, advanced persistent threats, or APTs, and complex ransomware investigations. Unit 42 incident response experts are available 24/7 to help clients understand the nature of the attack and then quickly contain, remediate and eradicate it. They utilize a proven methodology and battle-tested tools developed from real-world experiences investigating thousands of incidents.
Further detail on future predictions, tips to stay safe, additional data points and more can be found in the "2022 Unit 42 Incident Response Report," which can be downloaded on the
About Unit 42
Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders and expert security consultants to create an intelligence-driven, response-ready organization that's passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach and respond to incidents in record time so that you get back to business faster. Visit paloaltonetworks.com/unit42.
About
At
View original content to download multimedia:https://www.prnewswire.com/news-releases/palo-alto-networks-unit-42-incident-response-report-reveals-that-phishing-and-software-vulnerabilities-cause-nearly-70-of-cyber-incidents-301593041.html
SOURCE
Kelly Kane, Senior Manager, Threat Communications, Palo Alto Networks, kkane@paloaltonetworks.com