Cyber security is a constant arms race.
In 2021, businesses globally spent more than $150 billion on security and risk management. Much of this investment has gone towards more advanced security solutions such as machine-learning and AI-powered threat analytics designed to deal with the latest threats. As such, businesses might feel that they are adequately protected.
But organizations must remember that the criminal community has also been busy innovating and investing in its own capabilities. It has never been easier for threat actors to access the latest tools and techniques through an increasingly well-organised underworld economy.
Our Cyber Threat Landscape Report 2022 analyzed threat data from security events last year to determine the greatest threats facing organizations today – and how they can be prevented.
Most common malware threats
There has always been a steady stream of new malware to watch out for, but the criminal community appears to have upped its game in recent years, and we have seen a continual spike in the number of attacks and the diversity of variants in the wild.
More advanced malware strains have become a common sight as they are widely accessible on the dark web, and threat actors such as the Hafnium Group have made zero-day exploits more readily available as well.
The Dridex malware family was by far the most prominent strain of last year, accounting for more than half of all incidents we saw. This banking trojan is usually spread via mass email campaigns. Dridex has been around for more than a decade but has been continually refined by criminal groups to carry out a range of different attacks. As a result, current security systems often fail to detect and prevent this malware.
Cyber attackers have also continued to heavily favor ransomware as an effective way of bypassing reactive security defences and quickly inflicting damage on their victims.
One common misconception is that ransomware drops directly onto a system as part of the initial attack. This is typically not the case; most ransomware is a secondary or third step in the attack chain. Usually, the initial malware attack is a worm or dropper.
The STOP malware is a great example of a ransomware family we observed over the last year that follows these steps. This variant first spreads using worm components and then targets file types such as Microsoft Office documents, databases, and archives, and is notable for only encrypting the first 5 MB of each file before swiftly jumping to the next asset.
REvil was another significant ransomware family in 2021, despite the group behind it being largely dismantled by efforts from international law enforcement. This ransomware is noted for its delivery through advanced tactics such as zero-days, PowerShell scripts, and fileless attacks, allowing it to slip through common defenses and encrypt files before it can be caught.
Attack techniques being used
Despite its prevalence, malware is just a tool and only forms one part of the cyber threat landscape. Threat actors have been continually innovating their attack techniques to defeat the latest defensive solutions.
Supply chain attacks were one of the most prominent trends of 2021. For example, the REvil group used an unpatched zero-day in the Kaseya VSA product to hit more than 1,500 companies. Such attacks will continue to gain traction as an effective way of sidestepping traditional defenses.
Similarly, there has been a greater focus on the cloud as a means of evading strategies implemented around on-premises security. The interconnectivity of the cloud environment means a single outdated cloud component can establish an attack path for breaching the entire organization.
Deep learning is winning the cyber arms race
The use of prominent malware and advanced attack techniques last year points to a common trend: cybercriminals are favoring fast-moving and high-impact attacks. This stands in contrast to the previous preference for low-and-slow stealth tactics that prioritise long dwell times.
Tactics such as zero-day exploits and supply chain attacks enable threat actors to quickly bypass defenses and gain access to the heart of the target’s infrastructure. Meanwhile, tools such as fast-acting ransomware can inflict devastating damage immediately after the network is compromised.
This means organizations need to be able to detect threats before they are able to enter the network and begin execution. Deep learning (DL) offers one of the most effective ways of achieving this. It is an advanced form of AI that uses a unique neural net approach to accurately identify threats as quickly as 20 milliseconds after they arrive at the network. This means even the fastest of attacks are blocked before they ever have a chance to execute within the environment.
DL solutions are independently trained on billions of raw data files, allowing them to accurately predict and identify dangers such as zero-day threats.
Pivot from mitigation to prevention
The increased emphasis on speed is giving cyber criminals a major advantage over organizations that have invested in reactive attack mitigation strategies. Many enterprises have built their security stacks around tools such as Endpoint Detection and Response (EDR) solutions that function by detecting malicious behaviour within the network. Detection tools attempt to block the activity and alert the security team to investigate and fully remediate the threat.
While tools such as EDR have an important place in the security strategy, they cannot be used as a frontline defense against attacks. Mitigating threats within the network is no longer effective when attackers are using tactics designed to evade early detection and ransomware that can begin encrypting seconds after execution.
Defending against these attacks means switching from mitigation to prevention. DL-powered analytics is the security weapon with the best chance of achieving this and winning the cyber arms race.
This opinion piece is from Chuck Everette, the director of cybersecurity advocacy at Deep Instinct, a deep learning cybersecurity firm whose investors include Nvidia, Samsung, LG and BlackRock.