F5 (NASDAQ: FFIV) announces the findings of the F5 Labs Application Protection Report for 2022, which sheds light on the relationship between target characteristics and attacker behavior so that every organization can focus on the threats most applicable to it.
• The incidence of malware in data breaches continued to rise, accounting for nearly a third of known causes of breaches in the US in 2021.
• Ransomware events continued to increase in frequency and malware without encryption grew even faster. Both malware strategies made heavy use of exfiltration methods to remove data from victims’ environments.
• Breaches caused by exploiting vulnerabilities decreased, from 19% in 2019 to 10% in 2021.
• Formjacking attacks (such as Magecart) made up the largest share of web exploits and were largely focused on the retail industry.
• Access attacks were the most frequent cause of breaches.
• High business email compromise rates (24% of all breaches), combined with low reporting rates for credential stuffing and phishing attacks, suggest that these types of attacks are difficult to detect and/or go unreported; it is not that credential stuffing or phishing are low-grade threats.
• Cloud breaches most often occur due to misconfigurations, although the risk of third-party breaches for cloud customers is significant; web exploits and credential stuffing still apply in the cloud.
2021 data breach analysis.
• The use of malware in attacks continued to grow in 2021.
• In addition to the growth of ransomware, the use of malware without encryption grew significantly.
• The incidence of exfiltration techniques increased significantly, both in conjunction with malware and on their own.
• Exploitation of vulnerabilities became less prevalent in cybercrime breaches.
• Formjacking attacks were the predominant web exploit leading to breach disclosures.
• Retail organizations, and associations with online membership payment surfaces, were by far the most prone to formjacking attacks.
• The manufacturing sector saw significant growth in ransomware attacks.
• Access attacks were prominent against the Finance and Insurance; Professional, Scientific, and Technical Services; and Health Care and Social Assistance sectors.
• Malware attacks stood out against the Wholesale Trade; Manufacturing; Professional, Scientific, and Technical Services; and Finance and Insurance sectors.
Most of the key features of breaches decreased proportionally compared to 2020. The incidence of web vulnerabilities in breaches decreased by almost 33%. Business email compromise and ransomware, the two most common breach characteristics in both years, saw a small drop.
While ransomware continued to be a common tactic in data breaches in 2021, it was down slightly compared to 2020.
The expectation was that ransomware would continue to grow at the expense of other monetization routes, and that the only victims who would not experience this type of attack would be those exposed to an even more direct and lucrative attack: formjacking against retail targets.
Ransomware attacks against almost all types of organizations have continued to rise, and formjacking, while limited in scope, remains the clearest and most focused pattern of target attributes and attack techniques in the data.
Some threat actors choose to exfiltrate data and sell it for fraudulent purposes; others prefer to ransom the data back to the victims. In both cases, monetization strategies are driving TTPs, as they often do with criminal threat actors.
The comparative decline in web vulnerabilities in general, and formjacking in particular, is a sign that attackers are adapting to controls, not a sign that web attacks are going away.
Backups – A robust ransomware strategy must start with backups, but it cannot end there. The attacker's earlier behaviors (initial access, lateral movement, execution, persistence and exfiltration methods) should also be controlled.
Application Isolation and Sandboxing – This type of control can help mitigate a number of approaches based on vulnerabilities seen in 2021, including Client Execution Exploitation, Public-Facing Application Exploitation, and Compromise Theft.
Protection against vulnerabilities – The most obvious form of vulnerability protection is the use of a web application firewall (WAF). Despite the declining prevalence of web vulnerabilities in the data, a WAF remains critical to running a modern web application. It is also a requirement of the Payment Card Industry Data Security Standard (PCI-DSS), which is relevant given that payment card forms have been the target of formjacking attacks.
Network segmentation – This control objective can shut down a large number of attack vectors, five of which were observed in the 2021 data: Public Application Exploitation, Automated Exfiltration, Exfiltration via Web Services, External Remote Services, and Remote Services Exploitation.
Management of privileged accounts – Privileged accounts should be audited regularly to ensure they are deactivated when no longer needed.
Software updating (and really all vulnerability management) should be the cornerstone of any contemporary security program.
Vulnerability Scan – Organizations should scan regularly, preferably daily, and include both a public scan from the Internet to assess the appearance of an environment to attackers and an internal scan to understand the true scale of the problem.
Code signing – Subresource Integrity (SRI) attributes on script tags can ensure that external scripts have not been modified when they are loaded at run time.
Restrict web-based content – Blocking specific file types, known malicious IP addresses, external scripts and the like. This approach has the potential to shut down a wide range of attack vectors, including malicious script injection, phishing, and malvertising ("malicious advertising").
Network Intrusion Prevention – This control is valuable as part of a defense-in-depth approach that also uses a WAF and other controls.
Anti-virus/Anti-malware – As with data backups in a ransomware strategy, this should not be the only control against malware, and it should exist within a more holistic strategy.
Disable or remove feature or program – This recommendation is included here for its coverage rather than its frequency. While observed in only 12% of attack chains, disabling or removing features or programs would mitigate five techniques observed in the 2021 data: Command and Scripting Interpreter, Exfiltration over Web Service, External Remote Services, Exploitation of Remote Services, and Cloud Instance Metadata API.
• Publicly disclosed breaches indicate that third-party data loss is the most likely source of a legally significant cloud incident.
• Open source intelligence and news reports indicate that access control misconfigurations are more likely to lead to data exposure than anything else.
• Scans of blocks of IP addresses known to be in the cloud indicate that outdated systems management practices are common across clouds.
• Many organizations approach cloud environments either as on-premises systems or as turnkey systems that can simply be consumed; both approaches are limited.
Multiple parties are responsible for handling data in a modern distributed cloud, and this is part of the problem. The cloud is not identical to on-premises infrastructure, nor is it an omnipotent technology service that one can consume as an end user.
Organizations that offer cloud-based as-a-service (aaS) offerings to other organizations are at particularly high risk of attack because they hold a lot of data from many different organizations.
To learn more about the report and its findings, download the F5 Labs Application Protection Report for 2022 (PDF, 47 pages, in English; no registration required).
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and TechCrunch.