Executive summary
Our annual report is a compilation of unique insights derived from hundreds of projects spanning incident response (IR), resilience assessments, and simulated attacks conducted throughout fiscal year 2023. The report includes the most notable trends and strategic insights gained through customer-experienced scenarios, and the most notable tactics, techniques, and procedures employed by various threat actors. The report also includes key preventative strategies that have proven highly effective in combating emerging threats, offering a comprehensive roadmap for strengthening your cybersecurity defenses.
Key findings
The field report is a compilation of findings from Sygnia’s Incident Response, Adversary Tactics, Enterprise Security, MXDR, Compromise Managers and Legal teams, each of which will be published individually in the near future. Key findings include:
1. Threat Landscape Outlook
Sygnia’s Incident Response (IR) team has identified significant shifts in ransomware strategies over the past year. Ransomware groups have shifted from encryption-focused attacks to data exfiltration and extortion strategies, employing tactics that enable faster monetization and perfecting new ways to cripple and pressure organizations. Additionally, bypassing multi-factor authentication (MFA) has become a common tactic, with a high percentage of organizations already implementing this best practice policy. Identity and cloud-based breaches are on the rise, with new techniques used to exploit and cause severe damage to networks worldwide.
2. The attacker's perspective
Sygnia’s Adversary Tactics team shares key improvements and developments from the past year that impact threat actors’ operations and identifies the most common TTPs they have used in customer environments. A marked increase in the number of systemic misconfigurations exploited has been observed, highlighting the need for innovative and effective mitigation strategies.
3. The defender's perspective · Preparation
There has also been a return to basics in the cybercriminal community, evidenced by the simplicity of some of the top cyberattacks of 2023. The dual challenge of SEC compliance and CISO accountability is complicating things for organizations, as new regulations are already having an impact on major incidents. The rise of AI in cybersecurity will mark a turning point in attack strategies, reducing the time needed to execute attacks and increasing their specific capabilities.
4. The defender's perspective · Detection
Sygnia’s MXDR department looks at the impact of key technological advancements, market dynamics, and user adoption on MXDR, which will have a profound impact on the landscape through 2024. These trends will combine with emerging technologies to drive the XDR market.
5. The executive perspective
After conducting countless simulation exercises in 2023, our team of experts brings their collective intelligence to bear on the most common challenges, pitfalls, and elements that customers globally underestimate. They also advise executives on how to build a security team, prioritize security budget, and measure the effectiveness of a cybersecurity program.
Sygnia’s legal team identifies the top three emerging themes of 2023: the expanding role of the CISO and increasing responsibility, new SEC disclosure requirements and their implications on the regulatory landscape and global collaboration, and emerging trends in third-party attacks and their impact on risk management.
Sygnia’s annual field report goes beyond theoretical recommendations and includes practical approaches to achieving a robust defense without additional investments in technology. Learn how to effectively leverage your existing security assets and estate, ensuring a powerful defense against cyber threats.
Annual field report: Threat landscape perspective
Sygnia Incident Response (IR) teams dealt with hundreds of incidents in 2023, from small-scale intrusions to large-scale APT campaigns and complex ransomware incidents. We can conclude that the driving force of cybercriminal groups remains maximizing monetization in the face of growing capabilities of the average security stack, pushing threat actors towards new capabilities and techniques to overcome new obstacles.
Key points of view from the ground include:
Shifts in ransomware strategies and campaigns, as ransomware groups prioritize data exfiltration in pursuit of faster monetization and use aggressive negotiation methods to pressure victim organizations into paying ransom demands.
Bypassing multi-factor authentication (MFA) has become a common tactic. With a high percentage of organizations already implementing MFA as a best practice, it is crucial to establish a layered security approach for the moment MFA fails as an obstacle.
Identity- and cloud-based breaches are on the rise, with threat actors taking advantage of opportunities in unmonitored IT areas to move laterally between organizational applications and gain access to sensitive data. This is facilitated primarily because these systems are accessible from anywhere in the world, unlike local network devices.
What were the main challenges for 2023?
Increase in extortion attacks through data exfiltration
In 2023, there was a significant shift in the ransomware landscape, as some ransomware groups moved away from encryption in favor of data exfiltration and extortion. Less sophisticated threat actors can carry out these attacks on data cores even without access to high-quality ransomware encryptors. Furthermore, traditional threat actors often opt for these low-cost intrusions over full-blown double extortion attacks, as they require less effort and are often just as lucrative.
This shift underscores the need for substantial adjustments to ransomware preparedness strategies. Organizing sensitive company data in advance makes it easier to detect in the event of an exfiltration, and knowing exactly what data has been stolen enables a more informed response to ransom demands.
Aggressive ransom negotiations targeting customer trust
Threat actors’ ransom negotiation tactics have changed dramatically over the past few years. In 2023, we have observed a shift in extortion tactics, as threat actors repeatedly attempted to exploit the trust between the company and its customers. In these cases, threat actors deliberately contact customers or publicize the breach through public channels to pressure the victim into complying with the ransom demand.
This tactic is highly effective, as the customer is often left wondering whether the company cares enough about them to pay the threat actor and protect their information. In turn, the victim company risks damaging trust with its customers, potentially losing them if it does not respond quickly and effectively.
Managing these ransom negotiations requires a robust and mature approach, avoiding the common pitfalls that often severely damage customer relationships. Engaging in incident war-game exercises provides a more informed and knowledgeable starting point, and establishes a plan for handling the business dilemmas that can arise during these events.
Increase in ESXi encryptions in ransomware incidents
ESXi and virtualization appliances, the holy grail of on-premises ransomware incidents, remain highly lucrative targets that allow attackers to control significant parts of the infrastructure from just a few locations. This trend has been consistent for several years, as threat actors continue to improve their techniques to maximize impact and destruction with minimal effort. In early 2023, the prominent “ESXiArgs” ransomware campaign highlighted ransomware groups’ growing interest in virtual infrastructure, with many groups using modified and tailored malware to target these appliances.
Even though the average security stack is becoming more robust, ESXi and other virtual appliances remain unprotected, as they are often not considered part of the network perimeter. Furthermore, visibility into ESXi activity and authentication is a blind spot in most security defense plans. ESXi and other virtual appliances have therefore become a huge opportunity for threat actors, and organizations must start including them as an integral part of their overall security strategy.
Overcoming the MFA obstacle
As organizations raise the bar on security by mandating multi-factor authentication (MFA) as a common practice, threat actors are finding new and creative ways to get around it. Whether through SIM swapping, social engineering, or MitM phishing kits, threat actors are refining their methods for bypassing the MFA barrier and gaining access to systems and accounts.
MFA is a useful tool that helps prevent and/or reduce cyberattacks and protect organizations' identities; however, it should never be the sole basis of an organization's security strategy.
With the rise in the use of SIM swapping and phishing kits in 2023, organizations must adopt layered security approaches, assuming that there will come a time when the MFA barrier will be breached.
Greater focus on companies in the cryptocurrency sector
The cryptocurrency sector is experiencing an increase in activity from both nation-states and financially motivated actors. Over the past year, we have seen a notable increase in the frequency and sophistication of these incidents, resulting in both the leakage of sensitive data and the theft of large amounts of digital funds. The lack of meaningful regulation in the cryptocurrency sector, coupled with its considerable monetary potential, is a cause for concern as threat actors see it as a great opportunity. Furthermore, companies in the sector are relatively young and their overall cybersecurity infrastructures are often less mature than those of more established companies.
When applied to the cryptocurrency context, common best practices such as implementing multi-factor authentication (MFA) for fund transactions and strengthening security around storing wallet secrets in vaults often succeed in deflecting basic intrusions and providing a greater window of time to respond to more sophisticated breaches.
Identity-based cyber intrusions
With cloud-based software and SaaS applications available from anywhere in the world, we’ve seen a rise in identity-based attacks in 2023. Threat actors’ strategies and tactics are evolving alongside the landscape, with cybercriminals increasingly looking to take over accounts not only to steal sensitive information, but also to move laterally between applications, leveraging single sign-on (SSO) access.
As organizations adapt to and adopt the cloud, they must configure their cloud environments to limit applications and identities as much as possible, avoiding unnecessary overlaps in access between them. Gaining visibility into identities across the organization and implementing least privilege and zero trust principles are crucial to combating identity-based attacks.
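One practical way to get the identity visibility described above is to review SSO application assignments for two things: identities whose single login reaches several sensitive applications (the access overlap that enables lateral movement between applications), and assignments that are no longer used and can be removed under least privilege. The script below is an added example written for this report summary, not Sygnia tooling; the assignment records, application names, role names and the 90-day idle threshold are constructed assumptions, and in practice the records would be exported from the organization's identity provider.

```python
"""Review SSO app assignments for access overlap and stale privileges.

Added example with constructed sample data; not part of the original report.
"""
from collections import defaultdict

# Constructed sample export of SSO assignments (field names are assumptions).
# last_used_days: days since the identity last signed in to that application.
ASSIGNMENTS = [
    {"identity": "alice", "app": "hr-portal", "role": "admin", "last_used_days": 3},
    {"identity": "alice", "app": "finance", "role": "reader", "last_used_days": 120},
    {"identity": "alice", "app": "crm", "role": "editor", "last_used_days": 7},
    {"identity": "bob", "app": "crm", "role": "reader", "last_used_days": 1},
    {"identity": "bob", "app": "wiki", "role": "editor", "last_used_days": 2},
    {"identity": "svc-backup", "app": "finance", "role": "admin", "last_used_days": 400},
    {"identity": "svc-backup", "app": "hr-portal", "role": "admin", "last_used_days": 400},
    {"identity": "carol", "app": "finance", "role": "admin", "last_used_days": 10},
]

# Applications the organization classifies as holding sensitive data (assumption).
SENSITIVE_APPS = {"hr-portal", "finance"}


def build_access_map(assignments):
    """Map each identity to the set of applications its SSO login can reach."""
    access = defaultdict(set)
    for a in assignments:
        access[a["identity"]].add(a["app"])
    return dict(access)


def bridging_identities(access_map, sensitive_apps, min_overlap=2):
    """Identities whose one SSO session spans two or more sensitive apps.

    A takeover of such an identity lets an attacker move laterally between
    those applications without a second compromise, so each overlap should be
    justified or split into separate identities.
    """
    return sorted(
        ident for ident, apps in access_map.items()
        if len(apps & sensitive_apps) >= min_overlap
    )


def stale_assignments(assignments, max_idle_days=90):
    """Assignments unused for longer than max_idle_days: removal candidates."""
    return [
        (a["identity"], a["app"])
        for a in assignments
        if a["last_used_days"] > max_idle_days
    ]


def dormant_sensitive_admins(assignments, sensitive_apps, max_idle_days=90):
    """Highest-priority findings: unused admin roles on sensitive applications."""
    return [
        (a["identity"], a["app"])
        for a in assignments
        if a["app"] in sensitive_apps
        and a["role"] == "admin"
        and a["last_used_days"] > max_idle_days
    ]


def review(assignments, sensitive_apps, max_idle_days=90):
    """Run all three checks and return the findings as one report dict."""
    access_map = build_access_map(assignments)
    return {
        "bridging": bridging_identities(access_map, sensitive_apps),
        "stale": stale_assignments(assignments, max_idle_days),
        "dormant_sensitive_admins": dormant_sensitive_admins(
            assignments, sensitive_apps, max_idle_days
        ),
    }


if __name__ == "__main__":
    for finding, items in review(ASSIGNMENTS, SENSITIVE_APPS).items():
        print(f"{finding}: {items}")
```

On the sample data the review flags `alice` and `svc-backup` as bridging identities (both reach `hr-portal` and `finance` from one login), three assignments as stale, and the two unused admin roles of `svc-backup` as the items to remove first. The same three checks apply unchanged to a real identity-provider export once the records are mapped to the same four fields.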
What will 2024 bring to the global economy?
As we move into 2024, we can expect threats to continue to shift toward new opportunities arising from the advancement of IT and software solutions:
Evolution of cloud and identity-based cyberattacks
The past few years may have represented the first phase in the evolution of cloud and identity-based cyberattacks. Taking advantage of the fact that the cloud is accessible from anywhere, the nature of these attacks is often relatively straightforward. The next step in this evolution, as we have already begun to see, will include a more sophisticated approach, such as leveraging features that allow lateral movement between IaaS accounts or using the encryption procedures built into cloud storage resources to hold data hostage.
The role of AI in cyber intrusions
With AI becoming more accessible, 2024 will see its application on both the offensive and defensive sides of the cyber playing field.
On the offensive side, cybercriminals will use AI to amplify social engineering attacks, creating phishing emails, SMS, deepfakes, and other types of manipulative communication in even more sophisticated ways. This will result in an increase in successful exploitation of the human factor, account takeovers (ATOs), and business email compromises (BECs), as well as greater negotiation capabilities for threat actors. Additionally, AI and large language models (LLMs) present an entirely new attack surface that threat actors can exploit, from prompt injection to taking over AI agents and their capabilities.
On the defensive side, we should expect to see the first real applications of AI beyond current threat intelligence tools. AI will improve the daily productivity and capabilities of Security Operations Center (SOC) teams, allowing them to manage a higher volume of alerts and perform triage more quickly and, in some cases, automatically.
Cybersecurity regulations
New cybersecurity and data breach laws and regulations passed in the United States last year are beginning to impact businesses and organizations, and a global spread of these regulations is expected. 2024 will put to the test whether and how these regulations affect cyber intrusions and ransom operations, forcing organizations to comply with the established set of standards. In particular, this could affect incident containment methodologies, prompting organizations to accelerate their incident response (IR) measures.