Techboost Unit42 Ir Report

Uploaded by Erick Barrios

TechBoost Webinar Series

August 25, 2022


Today’s Topic:

Unit 42: Incident Response Report Insights


Your Speakers For Today's Session

Jen Miller Osborn
Deputy Director, Unit 42 Threat Intelligence

2022 Unit 42 IR Report Insights
May 2022
UNIT 42: EXPERTS IN THREAT RESEARCH & INCIDENT RESPONSE

200+ Threat Researchers
● Reverse engineering
● 10+ years of historical malware analysis
● Threat modeling
● Multiple awards for vulnerability research

Depth and Breadth of Telemetry
● 85k+ customers
● 500BN events per day from endpoint, network, cloud, growing by 30M samples a day
● 1k+ incident response engagements per year
● Across multiple verticals

Partnerships and Open Source Data
● Open source gathering
● 75+ third party feeds
● Cyber Threat Alliance, 6M observables/month
● Law enforcement, government, military partnerships

© 2022 Palo Alto Networks, Inc. All rights reserved.


2022 Unit 42 Incident Response Report

● In-depth interviews with a dozen incident responders
● Analyzed over 600 IR cases from the past year, including ransomware, BEC, insider threat, nation state, network intrusions, etc.
● 7 Issues that contribute to attackers' success
● 5 Future Predictions
● 6 Recommendations to proactively prepare for future threats
HOW THIS WEBINAR WILL HELP YOU

● Insight into key findings from the 2022 report
● An understanding of tactics and trends
● Recommendations for resilience


Key Takeaways: Incident types

Ransomware & BEC make up 70% of the cases handled by Unit 42.
Key Takeaways: Attack Vectors
Attackers are looking for an easy way in.

3 attack vectors represent 77% of the suspected initial access vectors for incidents.
Key Takeaways: Exploited Vulnerabilities
A few key vulnerabilities have become attackers’ favorites.

6 CVE categories made up 87% of exploited vulnerabilities.
Key Takeaways: Exploited Vulnerabilities - ProxyShell
ProxyShell represented 55% of exploited vulnerabilities.
Key Takeaways: Exploited Vulnerabilities - Log4j
Log4j came in 2nd, with 14% of exploited vulnerabilities.

Key Takeaways: Affected Industries
Attackers follow the money when targeting industries.

Finance, Professional and Legal services, Manufacturing, Healthcare, High Tech, and Wholesale and Retail accounted for over 60% of our cases.

Attackers may at times purposely target certain industries based on the sensitive data they transfer (finance), or potential for high impact (healthcare).
Spotlight: Ransomware
A Favorite Cash Cow for Cybercriminals
Ransomware Demand & Payment Trends

Ransomware is the top incident investigated by Unit 42: 36% of cases.

Attackers are asking for, and getting, higher ransom payouts.

Demands as high as $30M USD. Payouts as high as $8.5M USD.

Attackers use multi-extortion techniques to maximize profit. RaaS is helping drive an increase in unskilled threat actors.
Average Ransom Demanded
Ransomware Initial Access Vectors
Automated techniques dominate ransomware vectors.

68% of ransomware incidents started with either software vulnerability exploits or brute-force credential attacks. Ransomware-as-a-Service (RaaS) & exploit toolkits make it easy for threat actors to scan for known vulnerabilities.

Remote Desktop Protocol (RDP) is often targeted in credential-related attacks.

28 Days: median dwell time after initial access
Most Active Ransomware Groups

● Conti closed shop after the Conti Leaks scandal, in which its internal chats were leaked
● Watching BlackCat closely - they offer an 80-90% affiliate fee
● New groups continue to pop up all the time as old groups split
Industries vs. Ransomware Groups
Industries Affected by Ransomware vs. Ransomware Groups

Different ransomware operators target different industries.
Spotlight: Business Email Compromise
Under the Radar, But Costly
Business Email Compromise Key Trends

Business Email Compromise (BEC) is a category of sophisticated scams that target legitimate business email accounts through social engineering (e.g., phishing) or other computer intrusion activities. Once businesses are compromised, cybercriminals leverage their access to initiate or redirect the transfer of business funds for personal gain.

7-48 DAYS: typical dwell time prior to containment
38 DAYS: median dwell time in environment
$286K: average amount of successful wire fraud
Business Email Compromise Case Study
MFA-Fatigue Attack to Bypass Multi-Factor.

1. Attacker compromises the user's email credentials and logs in numerous times.
2. User is flooded with numerous MFA authentication requests; many are denied until ultimately one is approved.
3. Attacker gained access to the email system and subsequently processed a $1M fraudulent wire transfer.
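The case study above describes the shape of an MFA-fatigue (push bombing) attack: a burst of push prompts for one account, mostly denied or timed out, ending in a single approval. A SOC can hunt for exactly that shape in identity-provider sign-in logs. The Python below is an added example, not code from the webinar or from Unit 42. The sign-in records are constructed, and the record layout (user, ISO 8601 UTC timestamp, MFA result, source IP) and the 10-minute / 5-prompt thresholds are assumptions to be tuned to your identity provider's log format and normal user behaviour.

```python
"""Hunt for MFA-fatigue (push bombing) in sign-in logs.

Added example, not from the Unit 42 report. Assumed record layout:
(user, ISO 8601 UTC timestamp, mfa_result, source_ip) where mfa_result is
one of "approved", "denied", "timeout". Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry).
SAMPLE_LOG = [
    # alice: attacker with a valid password hammers push MFA; user finally taps approve
    ("alice", "2022-07-01T02:10:00Z", "denied",   "203.0.113.7"),
    ("alice", "2022-07-01T02:11:00Z", "denied",   "203.0.113.7"),
    ("alice", "2022-07-01T02:12:00Z", "timeout",  "203.0.113.7"),
    ("alice", "2022-07-01T02:13:00Z", "denied",   "203.0.113.7"),
    ("alice", "2022-07-01T02:15:00Z", "denied",   "203.0.113.9"),
    ("alice", "2022-07-01T02:16:00Z", "timeout",  "203.0.113.9"),
    ("alice", "2022-07-01T02:17:00Z", "denied",   "203.0.113.9"),
    ("alice", "2022-07-01T02:18:00Z", "approved", "203.0.113.9"),
    # bob: normal behaviour, one mis-tap followed by an approval
    ("bob",   "2022-07-01T09:00:00Z", "approved", "198.51.100.4"),
    ("bob",   "2022-07-01T09:30:00Z", "denied",   "198.51.100.4"),
    ("bob",   "2022-07-01T09:31:00Z", "approved", "198.51.100.4"),
]

WINDOW = timedelta(minutes=10)   # look-back before an approval (assumption)
MIN_UNAPPROVED = 5               # unapproved prompts that must precede it (assumption)


def parse(record):
    """Turn one raw record into (user, datetime, result, ip)."""
    user, ts, result, ip = record
    return user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, ip


def find_mfa_fatigue(records, window=WINDOW, min_unapproved=MIN_UNAPPROVED):
    """Return one alert per approval that was preceded, within `window`,
    by at least `min_unapproved` denied or timed-out prompts for the same user.
    The source IPs of the whole burst are reported because the attacker may
    rotate addresses during the flood."""
    by_user = defaultdict(list)
    for rec in records:
        user, ts, result, ip = parse(rec)
        by_user[user].append((ts, result, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological; tuples sort on the datetime first
        for i, (ts, result, ip) in enumerate(events):
            if result != "approved":
                continue
            prior = [e for e in events[:i] if ts - e[0] <= window]
            unapproved = [e for e in prior if e[1] != "approved"]
            if len(unapproved) >= min_unapproved:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "unapproved_prompts": len(unapproved),
                    "source_ips": sorted({e[2] for e in unapproved} | {ip}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The alert for alice fires on the 02:18 approval because seven prompts in the preceding eight minutes were denied or timed out; bob's single mis-tap stays below the threshold. Treat a hit as an account compromise in progress (the password is already known to the attacker): revoke sessions and reset the credential before anything else. Detection is a backstop; the stronger fix, which the deck does not go into, is an MFA method that does not let a tired user approve a prompt they did not initiate, such as number matching or phishing-resistant FIDO2 authenticators.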
Spotlight: Cloud Incidents
Low-Hanging Fruit for Threat Actors
Cloud Incidents
Why Cloud Threat Actors Have it Easy

Misconfigurations are a primary root cause of breaches in the cloud (65%) - mostly tied to Identity and Access Management (IAM).

99%: granted excessive permissions
2.5x: more permissions granted by CSP-managed policies
44%: allow IAM password reuse
53%: allowed weak passwords

cloudthreat.report/volume-6-iam
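The 99% excessive-permissions figure above is a policy hygiene problem, and the first check is mechanical: find Allow statements that grant wildcard actions or wildcard resources. The Python below is an added example, not code from the report or from the linked Cloud Threat Report. The two policy documents are constructed, and the AWS IAM JSON policy format is an assumption (other providers use different policy languages). The function flags `*` and `service:*` actions, a bare `*` resource, and Allow statements written with `NotAction`, which grant every action that is not listed.

```python
"""Flag over-permissive statements in an IAM policy document.

Added example, not from the Unit 42 report. Assumes the AWS IAM JSON policy
format; the two policies below are constructed for illustration.
"""
import json

# Constructed: the kind of policy behind "99% granted excessive permissions".
OVERLY_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "AllS3", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AllButIam", "Effect": "Allow",
         "NotAction": ["iam:*"], "Resource": "*"},
    ],
})

# Constructed: the least-privilege version of the same access need
# (read one bucket, nothing else).
SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_excessive_statements(policy_json):
    """Return findings for Allow statements that grant wildcard actions,
    a wildcard resource, or use NotAction (everything except the listed actions).
    Deny statements are skipped because they only narrow access."""
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            reasons.append("wildcard action: " + ", ".join(wild_actions))
        if "NotAction" in stmt:
            reasons.append("NotAction grants every action not listed")
        if "*" in resources:
            reasons.append("wildcard resource")
        if reasons:
            findings.append({"index": index, "sid": stmt.get("Sid"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_excessive_statements(OVERLY_PERMISSIVE):
        print(finding)
    print("scoped policy findings:", find_excessive_statements(SCOPED))
```

Two deliberate limits: a prefix wildcard such as `s3:Get*` and a resource ARN ending in `/*` are not flagged, because both can be legitimate scoping; a real audit should also resolve the effective permissions of every attached policy, and since the 2.5x figure above concerns CSP-managed policies, those need the same review as customer-written ones.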
Seven Issues Threat Actors Don't Want You to Address
7 Key Insights

70%: Phishing and software vulnerabilities cause the majority of cyber incidents.
START WITH THESE 6 RECOMMENDATIONS TO BUILD YOUR RESILIENCE

01 Harden your attack surface against common intrusion vectors.
02 Disable any direct external RDP access: ensure all external remote administration is conducted through an enterprise-grade MFA VPN.
03 Patch internet-exposed systems as quickly as possible (given best practices for testing and responsible deployment) to prevent vulnerability exploitation.
04 Implement MFA as a technical control.
05 Require that all payment verification takes place outside of email to ensure a multi-step verification process.
06 Consider a credential breach detection service and/or attack surface management solution to help track vulnerable systems and potential breaches.


WHAT WE’RE DOING
IN OUR OWN SOC

● Strong MFA
● Defense in depth
● Lock down cloud services
● Least privilege/least access



Wrap-up
FOCUS PEOPLE EFFORT ON RIGHT SIDE OF CYBER ATTACK LIFECYCLE

Cyber attack lifecycle: Reconnaissance → Weaponization and Delivery → Exploitation → Installation → Command and Control → Lateral Movement → Actions on the Objective

Left side of the lifecycle: Tech and Automation. Right side of the lifecycle: Experts.


KEY INCIDENT RESPONSE REPORT FINDINGS

● Ransomware and BEC have been a major problem in 2022
● The most affected industries are finance, professional and legal services, and manufacturing
● In 77% of our cases we suspect that phishing, software vulns or brute force were used


But if you have already been attacked...

● Execute an Organization-Wide Plan: notify all stakeholders and engage all teams
● Isolate Infected Resources: build in capabilities to isolate resources
● Carefully Consider Before Rebooting: sometimes the encryption key and other attack info can be found in memory
● Execute an IR Plan or Call an IR Team


Predictions
Follow the Money!
Predictions: Follow the Money
Where threat actors are going in the near future.

Prediction #1: Time to Patch Vulnerabilities Will Continue to Shrink
Attackers are making increasing use of high-profile zero days, the kind you read about in the news. The 2021 Attack Surface Management Threat Report found that attackers start scanning for vulnerabilities within 15 minutes of a CVE being announced.

Prediction #2: Unskilled Threat Actors Are on the Rise
Even threat actors who seem to have attack basics down are beginning to resort to simpler versions of attacks and using toolkits to carry out those attacks. Even unskilled attackers, however, could do damage to your organization if they're able to breach your systems.

Prediction #3: Changes to Cryptocurrency Could Cause a Rise in BEC & Web Compromises
One thing that currently contributes to the lucrative nature of ransomware is the prevalence and relative anonymity of cryptocurrency. Changes in the availability or stability of crypto undermine its utility & may incentivize threat actors to pivot back to classic currency-based schemes.

Prediction #4: Difficult Economic Times Could Lead More People to Leverage Cybercrime
If global economic conditions worsen, more people may be incentivized to try their hand at cybercrime. Some threat actor groups have been known to offer to pay insiders who are willing to hand over credentials or assist. Those offers could be more tempting to some in difficult economic times.

Prediction #5: Politically Motivated Incidents May Rise
As hot-button political issues intensify around the globe, we believe there may be an increase in hacktivism and politically motivated cybercrime. Threat actors may work with nation-states (privateering) or be on the payroll of politically motivated groups, & in other cases, the threat actors may themselves have political motivations.
Sales Call to Action & Resources
How can this report help you have quality conversations with your customers?

Download and become familiar with the 2022 Incident Response Report
● Read the corporate blog and Unit 42 blog
● Check out the interactive webpage
● Find resources on the Loop
● Use the data to initiate discussions and establish credibility
● Incorporate key stats and data into your talk tracks at events and in presentations

Share the report and invite customers & partners to webinars (August 17th: practitioner webinar; September 21st: CXO webinar)
● Send an email using this sales template
● Share from personal social accounts via bambu
● Include in any email sends as a barker
● Replace as your email signature
IR Report Stat to Unit 42 Solution
Report Stat | Unit 42 CRM Solution
70% of incident response cases over the past twelve months were ransomware and business email compromise (BEC). | Unit 42 Ransomware Readiness Assessment; Unit 42 Business Email Compromise Assessment
77% of intrusions are suspected to be caused by three initial access vectors: phishing, exploitation of known software vulnerabilities and brute-force credential attacks, focused primarily on remote desktop protocol (RDP). | Unit 42 Attack Surface Assessment; Unit 42 Offensive Security Solutions (Pen Test, Purple Teaming)
87%+ of positively identified vulnerabilities fell into one of six major categories. | Unit 42 Attack Surface Assessment; Unit 42 Offensive Security Solutions (Pen Test, Purple Teaming)
36% of incidents investigated by Unit 42 were ransomware. Of those, nearly 68% started with either software vulnerabilities or brute force attacks. | Unit 42 Ransomware Readiness Assessment; Unit 42 Attack Surface Assessment
Unit 42 observed ransom demands as high as $30M, with ransom payments as high as $8.5M. | Unit 42 Ransomware Readiness Assessment; Unit 42 Table-top Exercise
28 days was the median dwell time for ransomware incidents. | Unit 42 Ransomware Readiness Assessment; Unit 42 Compromise Assessment
34% of incidents investigated by Unit 42 were BEC. The median dwell time for these incidents was 38 days. Average wire fraud was $286K. | Unit 42 Business Email Compromise Assessment; Unit 42 Table-top Exercise
65% of cloud incidents are attributed to weak Identity and Access Management controls or misconfigurations. | Unit 42 Cloud Compromise Assessment (custom-scope); Unit 42 Cyber Risk Assessment
Thank you

paloaltonetworks.com
