Executive summary
The annual situation report is a compilation of information from hundreds of projects spanning incident response (IR), architecture and resilience assessments of customer infrastructures, and simulated attacks throughout 2023. The report incorporates the identified trends, strategic insights from our client engagements, and the most notable tactics, techniques and procedures employed by key threat actors.
The report also includes key preventative strategies that have proven highly effective in combating emerging threats, offering guidance for strengthening cybersecurity defenses.
This field report is a compilation of findings from Incident Response, Adversary Tactics, Enterprise Security, MXDR, Engagement Managers, and Legal teams, each of which will be published individually at a later date.
Key findings
Key findings include:
1. The threat landscape perspective
Our incident response teams have identified significant changes in ransomware attack strategies over the past year. Ransomware groups have shifted from encryption-oriented attacks to data exfiltration and extortion strategies.
The tactics being employed seek faster monetization, refining new ways to paralyze organizations and pressure them into giving in to extortion.
Furthermore, bypassing MFA (Multi-Factor Authentication) has become a common tactic and goal, as a high percentage of organizations already enforce MFA as part of their set of best practices.
Identity and cloud-based breaches are on the rise, with new techniques being used to exploit cloud environments and inflict severe damage on networks around the world.
2. The attacker's perspective
Our Adversary/Attacker Tactics team shares improvements and developments that impact threat actor operations and identifies the most common TTPs (Tactics, Techniques, and Procedures) that have been used.
There is a marked increase in the number of system misconfigurations being exploited, and a need to define new, innovative and more effective mitigation strategies.
3. The defense perspective · Preparation
Our enterprise security team sees a return to basics in the cybercrime community, as evidenced by the simplicity of some of the top cyberattacks of 2023. The SEC’s dual challenges of regulatory compliance and CISO accountability are complicating things for organizations, as new regulations are already having an impact on major incidents. The rise of AI in cybersecurity may mark a turning point in attack strategies: a reduction in the time required to execute them, coupled with an increase in their sophistication and targeting.
4. The defender's perspective · Detection
Our MXDR (Managed Extended Detection and Response) department monitors market behavior, the impact of major technological advancements, and user adoption of MXDR services. These trends, combined with emerging technologies, will drive the XDR market and have a profound impact on the 2024 landscape.
5. The executive perspective
After conducting countless simulation exercises in 2023, our Area Managers outline the most common challenges and the elements that are underestimated by clients around the world. They also advise CISOs on how to build a security team, set priorities, analyze the resilience of their infrastructure, budget, and measure the effectiveness of a cybersecurity program.
Our legal team identifies the three most notable emerging themes of 2023: the expanding role of CISOs and their increased responsibility; the new SEC disclosure requirements and their implications for the regulatory landscape and global collaboration; and emerging trends in attacks and their impact on risk management.
Annual field report
The threat landscape perspective
Our Incident Response (IR) teams handled hundreds of incidents in 2023, from small-scale intrusions to ransomware incidents and large-scale Advanced Persistent Threat (APT) campaigns.
Compared to the previous year, we conclude that the driving force of cybercriminal groups continues to be maximizing monetization, pushing threat actors towards new capabilities and techniques to overcome new barriers.
Key Ideas
- A high percentage of organizations already implement MFA (Multi-Factor Authentication) as a best practice. Building a layered security approach around it is crucial for the moment the hurdle that MFA provides fails.
- Identity and cloud breaches are a priority target for attacks and are on the rise. Threat actors take advantage of unmonitored IT areas and move laterally between applications to gain access to sensitive data. Unlike on-premises applications and services, these systems are accessible from anywhere in the world.
Top trends 2023
Increase in extortion attacks due to data theft
2023 saw a significant increase in data theft extortion attacks. This is a significant shift in the ransomware landscape: some ransomware groups moved from encryption to exfiltration and extortion, threatening to leak the stolen data or sell it to third parties.
Unsophisticated threat actors can carry out these data-stealing attacks even without access to high-quality ransomware. Established ransomware operators also often opt for these low-cost intrusions rather than full-blown double extortion attacks, as they require less effort and are often just as lucrative.
This shift underscores the need for substantial adjustments to ransomware preparedness strategies. Inventorying and classifying sensitive company data in advance improves detection and prevention and, if a data breach does occur, makes it possible to determine more quickly what data was actually stolen, allowing for a more informed response when managing ransom demands.
Aggressive ransom negotiation aimed at undermining customer confidence
Threat actors’ ransom negotiation tactics have changed dramatically over the past few years. 2023 saw a shift in extortion tactics, as threat actors repeatedly attempted to exploit the trust relationship between the company and its customers. In these cases, threat actors deliberately contact customers or publicize the breach through public channels to pressure the victim into meeting the ransom demand.
This tactic is very effective: the customer begins to question whether the company cares enough about their data and pressures it to pay the threat actor and protect their information. This puts the victim company at further risk, eroding the trust between it and its customers and potentially losing customers if it does not respond quickly and effectively.
Handling these ransom negotiations requires a solid and mature negotiation approach, avoiding the common mistakes of inexperience that often result in significant damage to client relationships. Participating in a controlled disaster exercise, such as a war game, creates a more informed and knowledgeable starting point and establishes a plan for handling the dilemmas that may arise during such events.
ESXi encryptions on the rise in ransomware incidents
The Holy Grail of on-premises ransomware incidents, ESXi hosts and other virtualization appliances remain the most lucrative target for quick gain, because they allow threat actors to control significant parts of the infrastructure from a few individual locations. This has been a trend for several years now, and as time goes on, threat actors continue to improve techniques to maximize impact and destruction with minimal effort. In early 2023, the “ESXiArgs” ransomware campaign showcased the growing interest in virtual infrastructure among ransomware groups, many of whom are using modified and tailored malware to target appliances.
While the security stack is becoming more robust, ESXi and other virtual appliances are often the ones that suffer most from neglect, with little attention paid to patching and updating because they are not seen as part of the network perimeter. Additionally, visibility into ESXi activity and authentication is often a blind spot in security defense plans. ESXi and other virtual appliances have therefore become a huge opportunity for threat actors, and organizations should start including them in their overall security strategy.
Overcoming the hurdles of MFA (Multi-Factor Authentication)
As organizations raise the bar on security by enforcing MFA as a common practice, threat actors are finding new and creative ways to bypass it. Whether through SIM swapping, social engineering, or adversary-in-the-middle (AiTM) phishing kits that proxy the real login page and relay the one-time code in real time, threat actors are refining methods to get past the MFA barrier and gain access to systems and accounts.
MFA is a useful tool that helps prevent and/or reduce cyberattacks and protect identities in organizations; however, it should never be the sole basis of an organization's security strategy.
With the use of phishing kits and SIM swapping expected to keep rising, organizations must adopt layered approaches to security, assuming that there will come a time when the MFA barrier will be overcome.
Strengthening corporate resilience in cryptocurrency business areas
The cryptocurrency sector is witnessing an increase in cyberattack activity, both from nation-states and other threat actors in financial environments. Over the past year, we witnessed a notable increase in the frequency and sophistication of such incidents leading to both the exfiltration of sensitive data and the theft of large amounts of digital funds.
The fact that the cryptocurrency industry is largely unregulated gives it significant monetary potential and raises concerns, as threat actors see it as a huge opportunity. To make matters worse, companies in the cryptocurrency sector are relatively young, and so is their overall cybersecurity and infrastructure, which is less mature than that of the average company.
Applied to the cryptocurrency context, common best practices such as MFA on funds and transactions and stronger protection of wallet secrets are often enough to stop basic intrusions outright and to buy a longer window in which to respond to sophisticated attacks.
Identity-based cyber intrusions
With cloud-based software and SaaS applications available from anywhere in the world, we are seeing a significant rise in identity-based attacks in 2023. Threat actor strategies and tactics are changing the landscape, with cybercriminals increasingly targeting account takeovers to not only steal sensitive information but also as a means to move laterally between applications by leveraging SSO access.
As organizations adapt and adopt the cloud, they must configure these environments in a way that controls applications and identities as much as possible, avoiding unnecessary access overlaps between them. Gaining visibility into identities across the organization and implementing the principles of least privilege and zero trust are crucial to combatting identity-based attacks.
What will happen in 2024?
Cyber landscape
As we move closer to 2024, we can expect threats to shift even further towards new opportunities arising from the advancement of IT and software solutions.
The role of AI in cyber intrusions
With AI becoming increasingly commoditized, 2024 will see these capabilities applied on both the offensive and defensive sides of the cyber playing field.
On the offensive side, cybercriminals will further leverage AI to amplify social engineering attacks, crafting sophisticated phishing emails, SMS messages, deepfakes, and other forms of communication manipulation. This should translate into more successful exploitation of the human factor, more account takeovers (ATOs) and business email compromises (BECs), and enhanced negotiation capabilities for these threat actors.
Threat actors will also increasingly try to take control of AI agents and their capabilities.
On the defensive side, we should expect to see the first real applications of AI beyond threat intelligence, improving the productivity and day-to-day capabilities of SOC teams so they can cope with alert volumes and triage faster and, in some cases, automatically.
Cybersecurity regulations
New cybersecurity and data breach laws and legislation passed in the United States in the past year are beginning to impact businesses and organizations. 2024 will test whether these regulations affect cyber intrusions and ransom operations by forcing organizations to comply with the given set of rules. Specifically, this may impact incident containment methodologies, causing organizations to accelerate their incident response (IR) measures.