Top Cyber-Threat Techniques in Q4 2023: What We’re Seeing
January 2024 by ReliaQuest
The final quarter of 2023 brought many of us festivities, time off work, and warm memories. Simultaneously, cyber-threat actors were busy finding new and innovative ways to wage attacks. As it turns out, innocent employees were actually (unknowingly) helping those threat actors: In Q4 : 2023 user behavior proved a key factor in opening the door to attackers.
Below we explore that trend, and others that affected ReliaQuest customers in Q4, including the MITRE ATT&CK techniques used for initial access, command-and-control (C2), defense evasion, and impact. Spoiler alert: They’re all likely to be seen again in the coming months. And we’ve got tips to stay one step ahead.
Initial Access: PEBKAC Alert
Your network security is only as strong as your weakest link, and organizations are full of these weak links...we’re all familiar with the "problem existing between keyboard and chair" (aka PEBKAC). Our data showing threat activity against our customers in Q4 2023 revealed that the vast majority of initial-access activity was aided by user actions during social engineering. These attacks exploit features typical of human beings: curiosity, naivety, and occasional carelessness.
Most attacks began with an unsuspecting employee clicking on a phishing link. This trend is consistent with the findings from our Q3 2024. Luckily for attackers, phishing and similar techniques are the easiest and cheapest of all ways to gain initial access to a target system, thanks to resources like phishing-as-a-service (PhaaS) toolkits.
We saw spearphishing in abundant use, but also drive-by compromise. Often referred to as drive-by download, this is when a person visits a seemingly-benign-but-compromised website, and malware is immediately downloaded to their computer.
To counter these techniques, ReliaQuest protects customers by using numerous detection rules and a specialized Phishing Analyzer. You can also protect yourself from the above initial-access techniques by:
Educating employees on cybersecurity best practices, including reporting any potential phishing emails immediately
Ensuring secure email gateways (SEG) are effectively filtering out spam, malicious content, and potential phishing attacks
Detecting drive-by activity, by continuously monitoring network traffic for suspicious patterns and using intrusion detection systems plus antivirus software
Defense Evasion: Lurking in the Shadows
With one foot in the door of a targeted system, a threat actor typically does everything in their power to make the most of it. But they need to work undetected, bypassing or eluding security measures.
In Q4 2023, command obfuscation was the defense-evasion technique most used in our customers’ environments. The attackers increased the complexity of their command code to make it less intelligible to security tools (which are trained to identify certain patterns). Just like a student might add white text to a Word document to trick the word-count feature, hackers add whitespace and special characters to confuse your expensive anti-malware tools.
We’ve created a set of detection rules in our GreyMatter platform to keep our customers safe from even the most obfuscated commands. You can also take the following steps:
Deploy and regularly update antivirus and anti-malware software to detect and block known obfuscation techniques.
Use Endpoint Detection and Response (EDR) and detection solutions that can employ behavioral analysis.
Regularly monitor and analyze command-line activity, to help identify and investigate suspicious or obfuscated commands.
Command-and-Control: A Special C2 Connection
After evading detection tools, the attacker wants to set up a C2 system to communicate with compromised systems. In most of the activity observed within ReliaQuest customer environments, C2 was established through HTTPS (Hypertext Transfer Protocol Secure), the primary protocol used to send data between a web browser and a website. To an attacker’s advantage, it does so in an encrypted manner and typically slips past firewalls. Suspicious traffic blends with everyday traffic, and security teams are none the wiser.
GreyMatter can help with detection rules aimed at high-risk HTTPS and suspicious traffic, but here’s what you can do:
Implement Deep Packet Inspection (DPI) technologies that analyze the content of encrypted network traffic, including HTTPS.
Regularly monitor SSL/TLS (Secure Sockets Layer/transport layer security) certificates used by your organization, checking: certificate issuance, expiration dates, and any abnormal or unauthorized certificate activity.
Deploy behavior-based analysis tools that can detect suspicious activities and communication patterns within your network.
Impact: The Great Cost of Cyber Attacks
Q4 marked a final blow in an already costly year for the cyber-compromised; financial theft was, overwhelmingly, the most common way attackers created an impact on our customers. Whether they used ransomware, business email compromise, data theft, or cryptocurrency network exploitation, one goal was always in mind: get rich quick(ly).
Our data shows an overall increase in extortion activity, particularly in ransomware and data theft extortion—2023 was a record-breaking year in that regard.
What’s to Come
Unlike January gym rats, threat actors are unlikely to abandon their plans in 2024. Many of the techniques seen in Q4 2023 will probably continue to be widely used this year. (Get the full picture of 2023 threats in our year-end blog.)
By staying one step ahead of attackers, ReliaQuest will continue pursue the most up-to-date and forward-looking means of protection, keeping our customers informed and responsive along the way. If you’d like a slice of this cybersecurity pie, find out more about our GreyMatter platform and request a demo today.