eSentire Quarterly Midmarket Threat Summary Report
June 2017 by eSentire
Cyber security company eSentire released its Q1 Midmarket Threat Summary Report, which provides a quarterly snapshot of threat events investigated by the eSentire Security Operations Center (SOC).
Addressing three key topics – threat types, threat volume and attack types – the quarterly assessment includes visual data analysis, written analytical evaluations, practical recommendations, and key analytical assumptions, providing threat perspective for business leaders in the midmarket, and actionable takeaways to help leaders strategically reduce their threat surface.
· Between January 1 and March 31, the eSentire SOC detected nearly 4 million attacks across multiple industries, with Finance, Technology, Legal, Mining, and Retail seeing the most activity.
· Q1 2017 saw an upward trend in attacks, with activity rising sharply from the third week of February and through March. Scanning and intrusion attempts dominated the data; together they represent 75% of signals for Q1, with Malicious Code trailing at 11%. Compared to 2016, scanning events increased substantially in 2017, particularly in March, when detection of scanning events nearly doubled. As exploitation becomes more costly for attackers, analysts are observing a gradual transition to tactics that rely on social engineering: phishing, spam, and web pages that manipulate users into installing malware on their computers or divulging confidential information.
· Together, Intrusion Attempts and Information Gathering accounted for about three quarters of observed attacks. March, in particular, saw the largest increase, as indicated by month-to-month analysis. March also saw an increase in the use of Malicious Code, while denial-of-service attacks (Availability) saw a slight decline.
· Analysis of threat activity by day of the week suggests that some of it follows business models that respect the traditional work week (activity concentrated Monday to Friday), indicating an organized or structured threat actor rather than opportunistic, always-on automation.
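To make the three analyses above concrete (separating scanning from other signals, computing each category's share, and checking whether a source respects the Mon-Fri work week), here is an added illustration in Python. It is not eSentire's code, data or classification logic: the log lines, the 5-minute/10-target scanning threshold and the 3-day work-week rule are all constructed assumptions for the example.

```python
"""Added example: a small SOC-style pass over constructed firewall/IDS log lines.

It shows three analyses of the kind summarised in the report:
  1. spotting scanning (Information Gathering) as one source probing many
     distinct host:port targets inside a short window,
  2. computing each signal category's share of the total, and
  3. checking whether a source's activity respects the Mon-Fri work week.

The log lines and thresholds are constructed for illustration; they are not
eSentire data or eSentire's classification rules.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <IDS category>".
# 2017-03-06 is a Monday; 2017-03-11/12 are a Saturday and Sunday.
SAMPLE_LOG = """\
2017-03-06T09:12:01Z 198.51.100.7 203.0.113.10 21 Intrusion Attempt
2017-03-06T09:12:06Z 198.51.100.7 203.0.113.10 22 Intrusion Attempt
2017-03-06T09:12:11Z 198.51.100.7 203.0.113.10 23 Intrusion Attempt
2017-03-06T09:12:16Z 198.51.100.7 203.0.113.10 25 Intrusion Attempt
2017-03-06T09:12:21Z 198.51.100.7 203.0.113.10 80 Intrusion Attempt
2017-03-06T09:12:26Z 198.51.100.7 203.0.113.10 110 Intrusion Attempt
2017-03-06T09:12:31Z 198.51.100.7 203.0.113.10 143 Intrusion Attempt
2017-03-06T09:12:36Z 198.51.100.7 203.0.113.10 443 Intrusion Attempt
2017-03-06T09:12:41Z 198.51.100.7 203.0.113.10 445 Intrusion Attempt
2017-03-06T09:12:46Z 198.51.100.7 203.0.113.10 3389 Intrusion Attempt
2017-03-06T09:12:51Z 198.51.100.7 203.0.113.10 5900 Intrusion Attempt
2017-03-06T09:12:56Z 198.51.100.7 203.0.113.10 8080 Intrusion Attempt
2017-03-06T14:03:10Z 192.0.2.44 203.0.113.20 80 Intrusion Attempt
2017-03-07T14:05:22Z 192.0.2.44 203.0.113.20 80 Intrusion Attempt
2017-03-08T13:58:47Z 192.0.2.44 203.0.113.20 80 Intrusion Attempt
2017-03-11T03:21:00Z 198.51.100.200 203.0.113.30 443 Malicious Code
2017-03-12T04:10:09Z 198.51.100.200 203.0.113.30 443 Malicious Code
"""

SCAN_WINDOW = timedelta(minutes=5)   # assumption: probes within 5 min form one sweep
SCAN_TARGETS = 10                    # assumption: >= 10 distinct host:port pairs = scanning
WORKWEEK_MIN_DAYS = 3                # assumption: need 3+ distinct days to judge a weekly pattern


def parse_log(text):
    """Parse the constructed lines into dicts; the category field may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, category = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "port": int(port), "category": category,
        })
    return events


def detect_scanners(events, window=SCAN_WINDOW, min_targets=SCAN_TARGETS):
    """Sources that touch >= min_targets distinct (dst, port) pairs within one window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    scanners = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):            # window anchored at each probe in turn
            targets = {(e["dst"], e["port"]) for e in evs[i:]
                       if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return scanners


def category_shares(events, scanners):
    """Share of all signals per category, relabelling scanner traffic as Information Gathering."""
    counts = Counter(
        "Information Gathering" if e["src"] in scanners else e["category"] for e in events
    )
    total = sum(counts.values())
    return {cat: round(n / total, 4) for cat, n in counts.items()}


def workweek_sources(events, min_days=WORKWEEK_MIN_DAYS):
    """Sources seen on >= min_days distinct days, every one of them Monday to Friday."""
    days = defaultdict(set)
    for e in events:
        days[e["src"]].add(e["ts"].date())
    return sorted(src for src, ds in days.items()
                  if len(ds) >= min_days and all(d.weekday() < 5 for d in ds))


def analyse(text=SAMPLE_LOG):
    events = parse_log(text)
    scanners = detect_scanners(events)
    return {
        "scanners": sorted(scanners),
        "shares": category_shares(events, scanners),
        "workweek_sources": workweek_sources(events),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

On the constructed input the port sweep from 198.51.100.7 is reclassified as Information Gathering and dominates the shares, the single-day sweep is not flagged as work-week activity (one day says nothing about a weekly pattern), while 192.0.2.44, which returns on three consecutive weekdays, is. The thresholds are deliberately exposed as constants because they, not the code, decide what counts as a scan in a real SOC.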
Tips for Reducing the Threat Surface
· Administrators can reduce their threat surface by reducing the number of externally facing endpoints within the organization, such as printers or web pages that are only used internally. Placing those services behind a VPN that requires users to authenticate before reaching the network further reduces positive results from scanning campaigns, effectively hiding the endpoints from sweeping, untargeted attacks. The VPN gateway itself remains exposed, so it must be patched and monitored with the same care as any other internet-facing service.
· Programs and devices used in an organization should be checked periodically for patches and updates that close the vulnerabilities attackers rely on.
· Disabling PowerShell on Windows machines where it is not needed, and using non-standard ports for protocols (e.g. FTP, SSH, RDP), can also reduce exposure to attack. Two caveats: non-standard ports only cut the noise from untargeted sweeps (a targeted scanner will still find the service, so this is no substitute for authentication and patching), and where PowerShell is required for administration, restricting and logging its use is more realistic than removing it outright.
· Training for employees that helps them to identify, avoid and report phishing (and other social engineering) attempts will help prepare organizations for the shifting threat landscape in the years to come.