Click the image to download the 2022 DSIR Report.

Many of the trends we observed in 2020 continued in 2021. Network intrusions and ransomware continued in full force, representing more than half the incidents we handled last year. Threat actors continued their tried-and-true tactics of encrypting devices and exfiltrating data to extort payments, and also tried new approaches or variations on old ones, like resorting to distributed denial-of-service attacks, contacting company employees to threaten them if ransoms weren’t paid, or looking for new targets in company networks, such as Linux-based systems. And threat actors are also leveraging the data stolen during ransomware incidents for other purposes, like business email compromise and wire transfer fraud.

Organizations didn’t take these challenges lying down. Multifactor authentication (MFA), endpoint detection and response (EDR) tools, immutable backups – we saw more clients than in years past relying on these technologies to combat pervasive cybersecurity threats. But it is not enough to just have the tools – making sure that they are properly configured and monitored is key.

  • Enforce Modern Authentication for Email: If you aren’t enforcing modern authentication in your email tenant, threat actors may be able to bypass MFA and access your email accounts through legacy authentication protocols, such as IMAP and POP3. Making sure you periodically review your authentication protocols also is important. We have handled matters in which software updates for the email platform have inadvertently re-enabled legacy authentication without the organization’s knowledge.
  • EDR – Fully Deployed and Constantly Monitored: EDR tools are invaluable resources in the fight against ransomware. They provide you with the ability to monitor devices in real time and to remotely contain unauthorized activity, which can allow organizations to identify and stop network intrusions before data is stolen and encrypted. But if the tool is only set to alert (not block) suspicious activity and no one is watching it, or if it is only deployed to certain devices in a network, an organization may not catch the activity until it is too late. Making sure that the tool is fully deployed in your environment, that it is set in enforcement (not just alert) mode, and that the anti-uninstall feature is enabled will pay dividends. If you don’t have the internal resources to properly configure, deploy, and monitor these tools, consider engaging a third party to help.
  • Protect Access to Backups: More organizations are relying on immutable backups, which are backups that cannot be altered or deleted in any way. Ever resourceful, threat actors have found ways—accidentally or intentionally—to prevent organizations from relying on these backups. In some instances, threat actors have encrypted the devices hosting the software that organizations use to access the immutable backups, preventing them from getting to their backups even though the backups are intact. In others, we have seen attempts to delete on-premises immutable backups cause failures in the underlying hardware, which nearly led to the loss of the backups. Regardless of whether organizations are relying on mutable or immutable backups, they should ensure that the backups are air-gapped, are accessible only with unique credentials that are not domain-joined, are protected with MFA, and are not labeled in ways that would allow a threat actor to easily identify them (i.e., having them saved on a “backup” server).
  • Trust No One: The ransomware epidemic has highlighted the risks of relying exclusively or predominantly on strong exterior network defenses. No defense is perfect, and once a threat actor is able to gain access to a network (through an open RDP port, unpatched vulnerability, successful phishing attempt, or other method), they usually are able to harvest credentials, deploy persistence mechanisms, and move freely through an environment. In response, more organizations have started moving toward a zero-trust framework, which requires additional authentication and authorization for accessing devices or applications even for users on a company’s network. Zero trust also relies on logging, monitoring, and other measures to identify anomalous activity that might be indicative of a compromise. A move to zero trust requires planning, investment, and proper implementation, but it can be an effective measure for limiting the ability of threat actors to accomplish their objectives.
  • Inventory and Secure Cloud Assets: With the proliferation of ransomware and the challenges of managing an on-premises environment, we have seen more and more organizations moving some or all of their assets and data to the cloud. But a cloud environment presents its own risks. Without proper controls for the creation, tracking, and maintenance of cloud-based data and assets, organizations may soon find that they no longer have a comprehensive picture of where their data resides and who has access to it. Improperly configured and publicly accessible cloud instances remain a challenge, and we have seen scenarios where highly sensitive company data was placed into a publicly accessible cloud repository that the company did not even know existed because it did not have sufficient controls to prevent employees from creating their own instances and transferring company data off network to them. Organizations should ensure that they establish controls for the creation of cloud instances, that they properly configure legitimate instances to permit only authorized access, and that they track their cloud assets and data so they can properly manage access.
  • Defense-in-Depth: There is no silver bullet for preventing security incidents. If you deploy MFA, an employee might inadvertently authorize an attempted connection from a threat actor. If you deploy an EDR tool, a threat actor may gain access to the management console to disable it, or they may gain access to your software deployment platform and use it to push the ransomware before the EDR tool can catch it (we have seen both occur). If you rely on immutable backups, threat actors may encrypt the device you use to access them, as we mentioned above. Layering these and other defenses one on top of the other will give you a much better level of protection against the diverse array of threats present in today’s cybersecurity landscape.