Q1 2022 Incident Response Insights
82% of incidents responded to by Tetra Defense were caused by the external exposure of a known vulnerability on the victim’s network
Incidents caused by unpatched systems cost organizations 54% more than those caused by employee error
Log4J/Log4Shell is still being actively exploited, but the significant global attention to the vulnerability has prevented ongoing widespread exploitation
Compromised credentials still account for a number of incidents, underscoring the need for more organizations to adopt multi-factor authentication (MFA) and implement dark web monitoring
Each quarter, Tetra Defense, an Arctic Wolf company, collects and analyzes data and insights from its incident response engagements in the United States. These statistics are a vital part of assessing the cyber threat landscape at large and are intended to guide underwriting strategies, loss prevention programs, broker advisement, and client security priorities.
Additionally, Arctic Wolf publicly shares this information to benefit cybersecurity practitioners, while also advancing detections within the Arctic Wolf Security Cloud by augmenting its massive AI-based detection engine that processes over two trillion security events a week.
Some of the most notable observations from Q1 2022 (January – March) include:
Root Point of Compromise: External Exposures Reign Supreme
The Root Point of Compromise (RPOC) is the initial entry point of a threat actor — how they first infiltrated a victim organization’s systems. RPOC is defined by three main categories:
1. External Exposure – A threat actor utilized a technological exploit to compromise a publicly accessible system (e.g., a known vulnerability). This is the easiest method for threat actors to deploy, and therefore the most widely used.
2. User Action – A threat actor gained entry through a specific user’s behavior on the victim network (e.g., downloading a malicious document from a phishing email). Threat actors need a user to perform a specific action for the attack to work, making this a less reliable avenue of attack.
3. Misconfiguration – A threat actor gained entry via systems that were misconfigured (e.g., a web portal with no password protection). These typically make up a very small percentage of Tetra Defense’s overall caseload.
In Q1 2022, the vast majority — 82% — of total incidents happened through external exposure of either a known vulnerability on the victim’s network or an exposed Remote Desktop Protocol (RDP) service. Taking a deeper look, these external exposures are classified in two ways:
1. “External Vulnerabilities” which could have been mitigated through publicly available security patches and software updates. In these instances, a threat actor utilized a known vulnerability to gain access to the network before the organization was able to patch the system. In Q1, 57% of total incidents were caused by the exploitation of external vulnerabilities.
2. “Risky External Exposures” which are IT practices such as leaving a Remote Desktop Protocol (RDP) port open to the public internet. These behaviors are considered “risky” because the mitigation relies on an organization’s continued security vigilance and willingness to enforce consistent standards over long periods of time. In Q1, 25% of total incidents Tetra Defense handled were caused by risky external exposures.
ProxyShell Outpaces Log4Shell
Despite widespread attention brought to Log4J/Log4Shell vulnerabilities in December 2021, as the calendar ticked forward into the new year, it was only the third most exploited External Exposure in the quarter, accounting for 22% of Tetra Defense’s total incident response cases. Leading the way, and accounting for 33% of cases, was a series of Microsoft Exchange vulnerabilities known as ProxyShell, which were originally disclosed in August 2021.
Patching Pays Off
The most common incidents – those with an RPOC linked to an externally facing vulnerability – are also the most expensive to recover from. The cost of an incident response engagement can vary wildly based on the size of the organization and scope of the incident response activities.
Looking at the median cost for an incident response engagement from Tetra Defense in Q1 2022 reveals that incidents where an “External Vulnerability” was the RPOC were 54% more costly than incidents where “User Action” was the RPOC, and 80% more expensive than incidents driven by a Risky External Exposure.
This cost discrepancy highlights the complexity of recovery from external vulnerability incidents and how failing to patch in a timely manner can be a contributor to a higher financial cost to an organization.
Advocating for better patching practices has almost become a cliché at this point, as it is common knowledge that patching plays a major role in reducing cyber risk. The reality, however, is that no organization can achieve a perfect patching record due to the many complexities that come with operating a business that has multiple systems, tools, and teams in place.
To best prevent exploitation of external vulnerabilities, organizations need to understand their attack surface and prioritize patching based on risk, all while ensuring they have the defenses in place to protect their systems, knowing that they will face obstacles that prevent them from immediately patching vulnerable systems.
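One way to turn the report’s exposure classes into a concrete patch-triage order, as an added example that is not Tetra Defense’s or Arctic Wolf’s code: internet-facing hosts missing patches for the vulnerability families named above rank first, publicly reachable RDP ranks second, and internal-only hosts last. The inventory, ports and vulnerability names are constructed sample data.

```python
# Added example: rank hosts for remediation by the exposure classes the report uses.
from __future__ import annotations
from dataclasses import dataclass

# Families the report names as the most-exploited external vulnerabilities in Q1 2022.
KNOWN_EXPLOITED = {"ProxyShell", "Log4Shell"}
# Services whose public exposure the report calls a "Risky External Exposure".
RISKY_PORTS = {3389: "RDP"}

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    open_ports: frozenset
    missing_patches: frozenset  # unpatched vulnerability families on this host

def classify(asset: Asset) -> tuple[int, str]:
    """Return (tier, reason); a lower tier should be remediated first."""
    exploited = asset.missing_patches & KNOWN_EXPLOITED
    risky = {RISKY_PORTS[p] for p in asset.open_ports if p in RISKY_PORTS}
    if asset.internet_facing and exploited:
        return 0, "External Vulnerability (actively exploited): " + ", ".join(sorted(exploited))
    if asset.internet_facing and risky:
        return 1, "Risky External Exposure: " + ", ".join(sorted(risky)) + " reachable from the internet"
    if asset.internet_facing and asset.missing_patches:
        return 2, "External Vulnerability: " + ", ".join(sorted(asset.missing_patches))
    if asset.missing_patches:
        return 3, "Internal-only host missing patches: " + ", ".join(sorted(asset.missing_patches))
    return 4, "No known exposure"

def triage(assets: list[Asset]) -> list[tuple[str, int, str]]:
    """Order the fleet so the hosts an attacker would reach first are fixed first."""
    ranked = [(a.name, *classify(a)) for a in assets]
    return sorted(ranked, key=lambda r: (r[1], r[0]))

SAMPLE = [  # constructed inventory; patch names other than the two above are placeholders
    Asset("mail01", True, frozenset({443}), frozenset({"ProxyShell"})),
    Asset("jump01", True, frozenset({3389}), frozenset()),
    Asset("app01", True, frozenset({8080}), frozenset({"Log4Shell"})),
    Asset("fileserver", False, frozenset({445}), frozenset({"SMB-placeholder"})),
    Asset("web02", True, frozenset({443}), frozenset({"CMS-placeholder"})),
]

if __name__ == "__main__":
    for name, tier, reason in triage(SAMPLE):
        print(f"tier {tier}  {name:10s} {reason}")
```

The tiers encode the report’s own finding that externally reachable, known-exploited vulnerabilities drive both the most incidents and the most expensive recoveries.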
While “External Exposures” were the root cause of most incidents Tetra Defense observed in Q1, nearly one-in-five (18%) incidents were still caused by the action of an individual employee within the organization.
Over half (54%) of the incidents where “User Action” was the RPOC were caused by an employee opening a malicious document. In many of these cases malware is spread through malicious email spam campaigns targeting individuals and organizations seemingly at random. Infection then occurs when an employee clicks to open rogue software attachments disguised within malicious spam emails, invoices, and Microsoft Office documents.
The other major driver (23%) of “User Action” incidents was compromised credentials. In some instances, these incidents stem from threat actors brute-forcing username and password combinations against systems, but in many cases password reuse is to blame: employees use the same username and password across multiple sites. If one of those sites experiences a breach and the credentials are leaked to the dark web, those credentials can be used to compromise other systems where the same username and password pair is used.
The ongoing exploitation of compromised credentials highlights the importance that multi-factor authentication (MFA) plays in securing organizations. With MFA in place, exploitation of compromised credentials becomes more challenging because even if a threat actor has a known username and password pair, the account remains inaccessible without a second factor of authentication such as an app push notification, text message, or security challenge question.
Threat Actors: The Usual Suspects
Across Tetra Defense’s cases and all publicly observed attacks by e-crime groups on the dark web, a diverse number of threat actor groups was, unsurprisingly, observed. Such a large number of actively observed groups highlights the constant challenge organizations face in protecting themselves: even if one group becomes inactive or is taken down by law enforcement, dozens of other groups remain actively trying to compromise them.
Industry Insights: Healthcare Leads in Incidents
In Q1 2022, Tetra Defense responded to incidents across twelve different verticals, with Healthcare, Finance, Education, Manufacturing, and Construction being the industries that Tetra Defense responded to the most frequently. As a trusted partner of many cyber insurers, Tetra Defense frequently works with organizations who are more mature in their cyber risk planning activities and have an active cyber insurance policy or work with industry clients who are willing to pay for rapid incident response service because downtime can be financially costly (Manufacturing, Construction, Finance) or even life threatening (Healthcare).
The first quarter of 2022 was filled with unprecedented international geopolitical strife and economic uncertainty, but even with these global events, threat actors did not stop committing their cybercrimes against organizations of all sizes.
This quarterly overview of the threat landscape serves as a way for Arctic Wolf and Tetra Defense to not only share our knowledge with the security community, but also to inform how we build and enhance our detections to anticipate future tactics, techniques, and procedures. Arctic Wolf works side by side with customers, 24×7, to hunt for activity and deploy new detections—always advancing security operations with threat intelligence and analysis fed into the Arctic Wolf Security Operations Cloud.