Cyber Criminals Changing Attack Strategies to Focus on Exploiting Employee Behaviour Finds SANS Endpoint Survey
May 2017 by SANS INSTITUTE
Highlighting a shift in cyber criminals’ focus from attacking technical vulnerabilities to exploiting user behaviour, SANS Institute’s recent survey, ‘SANS 2017 Endpoint Risks and Protections’, found that browser-based attacks and social engineering are now the two most common attack techniques reported against organizations. Both prey upon users as the initial point of entry.
“Cyber criminals are going after the weakest link: the employee. Unfortunately for organizations, this means that even after they have invested heavily in IT security technologies, poor security awareness among employees can still result in their systems being breached,” explained Ned Baltagi, Managing Director, Middle East & Africa at SANS. “Social exploits are becoming more sophisticated than ever before, and even employees with the best intentions can severely compromise the cyber security of their organisations.”
While users represent the top target leveraged by attackers, vulnerabilities such as misconfigurations and software flaws were also commonly exploited in attacks against endpoints, ranking as the third most common source of significant compromise according to survey respondents. Such vulnerabilities have been responsible for a number of large-scale attacks, including the recent WannaCry outbreak, which is widely considered the most successful ransomware campaign to date.
According to the survey, 53% of respondents know of impactful compromises that started at their endpoints in the past 24 months, and that figure does not include the further 37% who do not know whether they were compromised during that period.
Of the significant breaches that those 53% of respondents knew about, only 48% were detected through endpoint detection and response (EDR) solutions. The rest were detected by sources other than endpoint tools, including log analysis, security information and event management (SIEM) alerts, cloud-based monitoring and even third-party notification.
"The farther from the endpoint a breach is discovered, the more time it has to pivot from system to system and increase the impact of the breach," said SANS Analyst G.W. Ray Davidson, who authored the report. "As organizations develop sufficient maturity, they should automate remediation activities as much as possible, because the scope of a breach can quickly outpace remediation efforts."
"Organizations must devote more resources to user education and to monitoring activities that result from user behaviour," Davidson continued. "The insider threat is no longer just the malicious actor with unauthorized access; well-intentioned but naive employees can be just as dangerous."