RSAC, DBIR 2022 Trends: Rise in Ransomware, Partner Attacks & Cyber Insurance

The annual Verizon Data Breach Investigations Report (DBIR) 2022 is out. Here’s a summary of the top takeaways:

• Key paths to compromise include credentials, phishing, vulnerability exploitation and botnets
• Ransomware is up 13%, but blocking the four most common paths (listed above) can help stop ransomware infection
• In 2021, supply chain incidents have wide-ranging effects — “compromising the right partner is a force multiplier for threat actors”
• Misconfigured cloud storage errors and the human element (stolen credentials, phishing or errors) can lead to incidents and breaches, no surprise here

Partners: Targeted by Attackers; Viewed as Force Multipliers

About 80% of attacks come from external sources, with about 20% from internal. Business partners were involved in 39% of data breaches handled by Verizon’s investigators. The partner factor plays a big role in compromises, as nation-state threat actors may opt to keep persistent access to leverage it at a later time. 

As Verizon Director Chris Novak stated in his RSA Conference 2022 talk on Cybersecurity as a Business Conversation, “Threat actors are looking at how they hit interesting targets — but do it through an intermediary; a third-party; a supplier that may ultimately have access to that data.”

In the Kaseya ransomware attack of 2021, threat actors exploited a vulnerability in Kaseya’s on-premises software used for remote management in order to exploit MSPs and their downstream customers. They infected many victims through what appeared to be a legitimate automatic software update.

Of course, there was also the SolarWinds supply chain attack that affected thousands of customers, government agencies, and private companies by exploiting monitoring and administration software. Without naming names, Novak acknowledged that a few major attacks did skew this year’s DBIR data toward partner-related attacks.

For the first time, the DBIR included Partner and Software update among the top vectors for attacker actions this year. Partners account for 60% of top action vectors in system intrusion incidents.

Novak breaks down the most common methods used to target partners: “There’s a whole plethora of different ways in which those events take place.” 

The most common method is to use stolen credentials, according to Novak. Threat actors obtain credentials by purchasing them on the dark web or by performing social engineering. By getting access to a third-party or supply chain operator, threat actors can ultimately access their targeted victim, said Novak.  

“So much of the ways in which they get into those third parties is typically because those third parties have a much less mature cybersecurity program,” he said.

A persisting issue is that threat actors can still easily get access to passwords, according to Novak.

“Security is only as strong as your weakest link,” Novak said. “Attackers may also hit service accounts, whose passwords are easy to breach or never rotated.”

While some organizations may have multi-factor authentication (MFA), this issue still keeps them up at night, Novak said.

“They may have capabilities in place, but only in certain parts of the environment or only for administrative access,” he continued. 

Ransomware: Common Routes & Impact of Cyber Insurance

The report found a few common routes attackers use to deploy ransomware:

• 40% of ransomware incidents involved the use of desktop sharing software, exploiting stolen credentials
• 35% used email, with phishing as the top hacking action
• 18% targeted web applications, exploiting vulnerabilities

As a result, the DBIR recommends that organizations lock down external-facing infrastructure including Remote Desktop Protocol (RDP) and emails to help protect against ransomware.

Ransomware increased more than the last five years combined in 2021, according to the report. 

“Ransomware is more about extortion rather than locking up your files,” Novak said. “Organizations are paying quicker and more readily than ever before.”

Cyber insurance is another trend that is impacting the ransomware landscape, as it covers ransomware events.

“It’s given people a sort of safety net and backstop,” said Noak. “Ransomware operators realize if they hit someone with insurance, they will get paid quickly. Sometimes they will even give victims instructions on how to contact their insurer to pay the ransom.”

Security Controls to Meet Cyber Insurance Requirements

According to CISOs he’s talked to, it’s getting harder and harder for organizations to get coverage they want, Novak said. The premiums are also increasing, enabling victims to pay the ransom much more quickly. 

Part of the difficulty with getting cyber insurance coverage is that a number of insurers are stepping up their questionnaires, or requirements for organizations. Insurance companies require organizations to put certain mitigating controls in place in order to obtain insurance and get paid in the case of a ransomware or other breach event. Some of those controls may include:

• Business continuity and disaster recovery programs in place
• Offsite backups (cloud) less than a year old
• Centralized log collection and management allowing for the review of all network access and activity
• Restricted administrative privileges on all workstations
• Computer security awareness training provided for all employees
• Multi-factor authentication (MFA) used for remote access to email and systems
• Logging enabled and maintained for all systems and networking devices, including Microsoft Exchange servers
• Enforcement of a software update process, including installing software patches within thirty days of release
• A CPO (Chief Privacy Officer) or CISO (Chief Information Security Officer) or person responsible for privacy and security

Aside from being a requirement for cyber insurance and renewals, these are also security best practices that every business should consider implementing to protect against security incidents, ransomware and breaches.

For an easy, effective way to get coverage, Blumira’s detection and response platform keeps an audit trail of your logs that’s easily accessible for one year, while analyzing the logs in real-time for attacker activity across your entire environment. Designed to deploy in minutes to hours by your existing team, Blumira provides playbooks to guide them through faster response for better security outcomes.

That way, you can identify indicators of an attack in progress and contain it well before a ransomware attack results in a breach. Check it out for yourself by signing up free today (no credit card or sales convo required to get started).

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

# rsa conference, rsa