CRD #8
On encryption levels, exploitation times, cloud attacks, AI usage policies & more.
The Cybersecurity Research Digest cuts through the bias and marketing fluff to bring you relevant and objective insights backed by data.
Featuring highlights for security leaders from validated research sources released between 15-21 October 2024, followed by a list of all monitored reports.
More targeted by ransomware, but fewer reach encryption
Microsoft’s endpoint data reveals a 2.75x increase in the number of organizations targeted by ransomware over the past two years. However, the company’s Digital Defense Report notes a significant improvement: ransomware attacks reaching the encryption stage have decreased threefold.
Notably, in 90% of cases where attacks did reach the ransom stage, remote encryption originated from unmanaged devices, underscoring the importance of enrolling devices into management systems or excluding unmanaged devices from critical networks.
The report, however, does not clarify whether the decline in encryption events is linked to the growing trend of ransomware actors shifting their focus toward data exfiltration as an extortion tactic.
Nation-state and criminal collaboration increasing, with financial motives on the rise
Microsoft’s comprehensive Digital Defense Report surveys global cybersecurity challenges as a whole, including the influence of AI and geopolitical developments. On the latter, the report highlights increased coordination among state actors, with countries like North Korea and Iran increasingly using ransomware for financial gain as part of their offensive operations. Regarding Russia, the report confirms overlaps between cybercriminal gangs and state-sponsored operations aimed at geopolitical objectives.
Vulnerability trends: faster time-to-exploit and more zero-days
Mandiant (Google) analyzed 137 vulnerabilities disclosed in 2023 that were actively exploited in the wild, finding that 70% were zero-days (i.e., vulnerabilities known and used before patches are released). This reflects a steady rise in the ratio of zero-days versus n-days (i.e., vulnerabilities exploited after patches are available).
The analysis also shows a sharp decrease in the time-to-exploit (TTE) following vulnerability disclosures. Five years ago, the average TTE was 63 days, but last year’s data shows it dropped to just 5 days (compared to 32 days in 2021-22), demonstrating the increasing maturity and capabilities of threat actors. As an alternative indicator, exploitation was most likely to occur within the first month of a patch being made available for an already disclosed vulnerability.
Interestingly, despite the shorter TTE, the authors note that although public exploit release and media attention may correlate with exploitation, neither reliably predicts when or whether a vulnerability will be exploited. Other factors, such as the complexity of the exploit and the value of the affected targets, likely play at least as significant a role.
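To make the metrics in this section concrete, the following is an added example (not code from Mandiant or from this digest) that classifies vulnerability records as zero-day or n-day and computes time-to-exploit statistics over them. It assumes the digest's definitions: a zero-day is exploited before a patch is available (or before any patch exists), and TTE for n-days is measured in days from patch availability to first observed exploitation. Mandiant's own aggregation method may differ from this. The records and their identifiers are constructed for illustration and are not real vulnerabilities.

```python
"""Zero-day vs n-day classification and time-to-exploit (TTE) statistics.

Added example; not from the Mandiant report or the digest. The records below
are constructed and their identifiers are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                      # hypothetical identifier, not a real CVE
    patch_available: Optional[date]   # None: no fix has been published yet
    first_exploited: date             # first observed in-the-wild exploitation


def is_zero_day(rec: VulnRecord) -> bool:
    """Zero-day: exploited strictly before a patch existed.

    Exploitation observed on the patch release date itself is treated as an
    n-day with TTE 0 (assumption: 'before' means strictly earlier than the day
    the patch shipped).
    """
    return rec.patch_available is None or rec.first_exploited < rec.patch_available


def time_to_exploit_days(rec: VulnRecord) -> Optional[int]:
    """Days from patch availability to first exploitation, for n-days only.

    Returns None for zero-days: there is no patch date to measure from.
    """
    if is_zero_day(rec):
        return None
    return (rec.first_exploited - rec.patch_available).days


def summarize(records: list[VulnRecord]) -> dict:
    """Aggregate the digest's indicators over a set of records."""
    zero_days = [r for r in records if is_zero_day(r)]
    n_days = [r for r in records if not is_zero_day(r)]
    ttes = [time_to_exploit_days(r) for r in n_days]
    return {
        "total": len(records),
        "zero_day_count": len(zero_days),
        "zero_day_share": len(zero_days) / len(records) if records else None,
        "mean_tte_days": mean(ttes) if ttes else None,
        "median_tte_days": median(ttes) if ttes else None,
        # Share of n-days exploited within the first month after the patch,
        # the 'alternative indicator' mentioned in the digest.
        "nday_within_30_days_share": (
            sum(t <= 30 for t in ttes) / len(ttes) if ttes else None
        ),
    }


# Constructed sample data (hypothetical identifiers, hypothetical dates).
SAMPLE_RECORDS = [
    VulnRecord("VULN-A", date(2023, 3, 1), date(2023, 2, 20)),   # zero-day
    VulnRecord("VULN-B", None, date(2023, 5, 10)),               # zero-day, unpatched
    VulnRecord("VULN-C", date(2023, 1, 10), date(2023, 1, 15)),  # n-day, TTE 5
    VulnRecord("VULN-D", date(2023, 6, 1), date(2023, 7, 31)),   # n-day, TTE 60
    VulnRecord("VULN-E", date(2023, 8, 1), date(2023, 8, 1)),    # n-day, TTE 0 (same day)
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        kind = "zero-day" if is_zero_day(rec) else "n-day"
        print(f"{rec.vuln_id}: {kind}, TTE={time_to_exploit_days(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

The same-day case (VULN-E) is the edge worth deciding explicitly: a strict "exploited before patch" rule makes it an n-day with TTE 0, while a non-strict rule would count it as a zero-day and move the headline ratio. Whichever rule is chosen, it should be stated alongside the statistic, since a shift of a single day changes the category.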
Cloud attacks: BEC and cryptominers prevail, ransomware less frequent
Based on IBM's product telemetry and incident response data, analysis shows that the majority of "actions on objective" by threat actors who gain access to cloud environments involve business email compromise (39%) or the installation of cryptominers (22%).
Interestingly, ransomware and data destruction rank much lower, accounting for only 5% and 6% of incidents, respectively. The focus on BEC—likely offering the greatest balance between effort and reward—is unsurprising, as insurers consistently report it as the most costly attack for their clients.
AI usage protocols developed, but not followed
The use of GenAI tools like ChatGPT in the workplace is undeniably growing, and security leaders are working to address the associated data confidentiality risks. Recent studies involving medium and large enterprises show that about 60-70% of organizations have implemented some protocols to regulate how data is shared with public large language models (LLMs).
However, the effectiveness of these measures is in question, as the studies reveal that employees frequently disregard policies by continuing to share sensitive data with the models. The reasons for this likely vary: survey data shows that employees report being simply unaware of the policies, while others may prioritize the benefits of usage over security concerns. The difficulty in monitoring such policy violations likely contributes to this issue as well. Additionally, the absence of high-profile sensitive data leaks from public LLM providers has likely not yet sufficiently raised broader awareness of such risks.
The case for dividing the CISO role into technical and business functions
A global survey of over 500 cybersecurity leaders highlights the evolving role of CISOs beyond the technical, with 79% stating that the time and effort required to keep up with regulatory changes is "not sustainable." Citing pressures from rapid developments related to regulations like NIS2, DPA, and SEC rules, a notable 84% believe the CISO role should be split into separate technical and business-focused positions. Nearly half also noted that the expanding scope of responsibilities is likely to result in higher turnover.
Reports monitored: 15-21 October 2024
To take a deeper dive into the topics most relevant for you, we've listed all the research reports that were published during the observed period.
About
evisec's Cybersecurity Research Digest provides security leaders verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.
✉️ Suggestions or want to collaborate? Get in touch via LinkedIn or email (henry@evisec.xyz)