Cybercriminals are directing increasingly sophisticated attacks against servers, networks, and mobile devices, in addition to notebooks and desktops, according to research from security vendor Sophos Ltd.
The new study, entitled “7 Uncomfortable Truths of Endpoint Security,” made its debut today in conjunction with the 2019 RSA Conference, a major security event currently underway in San Francisco.
Data from the report, which is based on input from 3,100 IT decision-makers at midsize businesses in 12 countries, indicates that the success rate of high-impact attacks like ransomware strikes rose significantly over the last year.
“It’s very, very scary that this many people in this survey had what they would consider a significant attack,” says Sophos Chief Product Officer Dan Schiappa.
Worse yet, he adds, many victims of significant attacks have little forensic insight afterwards into what happened and why. Indeed, 20 percent of IT managers at companies struck by a cyberattack last year can’t pinpoint how the attackers gained entry, according to the survey, and 17 percent don’t know how long the threat was present before it was detected.
“They could have been there for days, weeks, months. It was really unknown,” Schiappa notes.
Hackers who do penetrate a company’s defenses are increasingly focusing their attention on servers rather than PCs. Some 37 percent of detected intruders last year were found on servers, according to the Sophos report. “We’re starting to see that they’re going after the crown jewels,” Schiappa says. “They know that the important data is on servers.”
Another 37 percent of discovered cybercriminals were located on the network, the new study shows, while 10 percent were spotted on mobile devices. That’s a disturbing but not surprising statistic to Schiappa.
“If you really look at the IT security landscape, we’re still seeing very few people care about, pay attention to, or even look at the mobile device as a key entry point,” he says. “The reality of it is these mobile devices are very, very sophisticated in their capabilities and certain platforms are actually quite prone to being hacked because of the accessibility and the way the operating system’s architected.”
Another recent trend noted by Sophos researchers is the declining prevalence of broad-based “spray and pray” attacks, which have long been the norm among ransomware practitioners. “What the hackers quickly found is that companies like Sophos got pretty astute at blocking those types of attacks, and something more sophisticated was necessary,” Schiappa says.
As a result, he continues, the latest attacks methodically probe for gaps in vulnerable infrastructure components, such as Remote Desktop Protocol (RDP) services and virtual private networks (VPNs), and then use the resulting foothold to disable the victim’s backups and locate high-value data before finally launching the ransomware itself.
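The chain described above leaves a recognizable trail in Windows Security logs: an interactive RDP logon from an address outside the network, followed on the same host by commands that destroy recovery options (shadow copies, the backup catalog, boot recovery). The script below is an added example, not code from Sophos or from the article, that flags the backup-tampering step and raises the severity when an external RDP logon preceded it on the same host. It assumes Security Event ID 4624 (logon; logon type 10 is RemoteInteractive, i.e. RDP) and Event ID 4688 (process creation, with command-line auditing enabled) have already been normalized to the dict layout shown; the event records, host names and addresses are constructed for the example, and the internal address ranges are an assumption that a real deployment would replace with its own.

```python
"""Flag hands-on ransomware precursors in Windows Security events:
an external RDP logon (4624, logon type 10) followed on the same host
by a command that disables backups or recovery (4688 command line).
Added example; the event layout and sample data are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known commands attackers run to remove recovery options before
# deploying ransomware. The commands are real; the labels are this example's.
BACKUP_TAMPER_PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

RDP_LOGON_TYPE = 10            # RemoteInteractive in Event ID 4624
CHAIN_WINDOW = timedelta(hours=24)

# Assumed internal address space (RFC 1918 plus loopback and link-local);
# a real deployment would list its own ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the source address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify_backup_tamper(cmdline: str):
    """Return the label of the first matching tamper pattern, else None."""
    for label, pattern in BACKUP_TAMPER_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def detect_chains(events):
    """Return one alert per backup-tampering command. Severity is 'critical'
    when an external RDP logon hit the same host within CHAIN_WINDOW before it,
    otherwise 'high' (tampering without a known external foothold)."""
    rdp_logons = defaultdict(list)          # host -> [(ts, user, src_ip)]
    alerts = []
    # ISO-8601 timestamps of one fixed format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE \
                and is_external(ev["src_ip"]):
            rdp_logons[host].append((ts, ev["user"], ev["src_ip"]))
            continue
        if ev["event_id"] == 4688:
            label = classify_backup_tamper(ev.get("cmdline", ""))
            if label is None:
                continue
            prior = [l for l in rdp_logons[host] if ts - l[0] <= CHAIN_WINDOW]
            alerts.append({
                "host": host,
                "user": ev["user"],
                "technique": label,
                "cmdline": ev["cmdline"],
                "severity": "critical" if prior else "high",
                "rdp_source": prior[-1][2] if prior else None,
            })
    return alerts


# Constructed sample telemetry (not real events). 198.51.100.23 is an
# RFC 5737 documentation address standing in for an Internet source.
SAMPLE_EVENTS = [
    {"ts": "2019-02-20T02:11:05", "host": "FS01", "event_id": 4624, "user": "svc_backup",
     "logon_type": 10, "src_ip": "198.51.100.23"},
    {"ts": "2019-02-20T02:14:40", "host": "FS01", "event_id": 4688, "user": "svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2019-02-20T02:15:02", "host": "FS01", "event_id": 4688, "user": "svc_backup",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2019-02-20T09:30:00", "host": "WS17", "event_id": 4624, "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.4.15"},
    {"ts": "2019-02-20T09:31:10", "host": "WS17", "event_id": 4688, "user": "jdoe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2019-02-21T16:02:33", "host": "DC02", "event_id": 4688, "user": "admin",
     "cmdline": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields three alerts: two critical ones on FS01, where the shadow-copy deletion and the boot-recovery change follow an RDP logon from 198.51.100.23, and one high-severity alert on DC02, where the backup catalog is deleted with no external RDP logon in the preceding 24 hours. The benign "vssadmin list shadows" on WS17 is not flagged. The patterns here catch the documented commands and nothing more; attackers who script the same actions through WMI or PowerShell cmdlets will need matching patterns of their own.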
Newly published reports from the Sophos Labs research unit detail two specific examples of that phenomenon, the GandCrab and Emotet malware families. Both rely on more labor-intensive techniques than attackers have traditionally employed.
“Even though they had some sophistication to the way they infiltrated the environment through malware, it was still primarily kind of a hands-off type of an attack, where now what we’re seeing is a hands-on active adversary leveraging ransomware,” Schiappa says.
The perpetrators of such attacks, he continues, are demanding higher ransoms in return for their greater investment of effort, and increasingly targeting businesses in high-value verticals like financial services and healthcare. SMBs, despite their smaller size, are very much in the cross hairs of such attacks, according to Schiappa. “It could be a small hospital that has access to healthcare data,” he says. “That data’s very valuable.”
Though mounting dangers from data breaches and ransomware assaults are nothing new, the growing rate at which cybercriminals are successfully evading security solutions caught Schiappa by surprise. “They’re kind of finding the seams in the defenses and getting through there,” he says.
That suggests end users today need security solutions engineered to collaborate with one another rather than stand-alone systems, he continues, noting that Sophos has been pursuing that kind of integrated approach through its Synchronized Security technology for the last several years. Bound together by the Sophos Central administration console, Synchronized Security allows endpoint, server, firewall, and email security solutions, among others, to share threat information in real time and trigger automated responses.
That vision passed a significant milestone two weeks ago when XG Firewall became the last major Sophos product supported by Sophos Central.
Longer term, in connection with an initiative called Project Darwin that Schiappa discussed with ChannelPro at last year’s RSA Conference, Sophos plans to let technicians view and manage third-party solutions, as well as its own, through Sophos Central. The company will begin taking initial steps in that direction this year. “We do have a full-fledged API initiative coming out soon,” Schiappa says.
“This is an all-encompassing initiative for us and we do think that it’s the best way for organizations to secure their environments,” he continues. “That also means the ability to integrate the third-party technologies into that ecosystem, so that’ll be a big part of the strategy.”