Top Threat Tactics and How to Address Them


Each quarter, Cisco Talos Incident Response publishes a summarized record of the notable trends from the cases they work. The attacks, techniques, and methodology that Talos observes help to shape and inform many of the protections that Cisco’s customers use on a regular basis. Part of their work in this area helps promote Talos’ principle of see once, block everywhere.

Here are some of the key takeaways from this quarter’s report:

  • Valid Accounts: Since December 2024, there has been a surge in password-spraying attacks to gain initial access using valid accounts. This can also disrupt organizations by locking trusted users out of accounts. Additionally, in 100% of ransomware incidents, accounts did not have multi-factor authentication (MFA) or MFA was bypassed during the attack.
  • Initial Access: Initial access (when it could be determined) came primarily from exploiting public-facing applications, accounting for 40% of engagements (beating out valid accounts for the first time in over a year).
  • Dwell Times: Attackers were spending 17 to 44 days inside the system before deploying ransomware, increasing access to sensitive data and impact on the organization. Longer dwell times can indicate an adversary’s effort to expand the scope of their attack, identify data they may consider exfiltrating or simply evade defensive measures.
  • Escalate Access: Once attackers gained access, remote access tools were used in 100% of ransomware engagements (up from 13% last quarter), enabling lateral movement.
  • Inflict Damage: Data showed an increase in data theft extortion which targets individuals who would be most negatively impacted by data becoming public. New tools and techniques are also driving bad actors’ ability to gain remote access.
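The password-spraying surge in the first bullet has a recognisable shape in authentication logs: one source fails against many different accounts a few times each, rather than hammering one account. The following is an added example of that detection logic, not code from Cisco, Talos or the report; the log format, the sample lines and the thresholds (ten-minute window, five distinct accounts, at most two attempts per account) are assumptions chosen for illustration. It also reports the two things a defender wants next: accounts that succeeded from a spraying source, and how many lockout-counter failures each trusted account has already absorbed from the spray.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the Talos report).
# Fields: UTC timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2025-01-14T02:00:01Z 203.0.113.7 alice FAIL
2025-01-14T02:00:09Z 203.0.113.7 bob FAIL
2025-01-14T02:00:17Z 203.0.113.7 carol FAIL
2025-01-14T02:00:25Z 203.0.113.7 dave FAIL
2025-01-14T02:00:33Z 203.0.113.7 erin FAIL
2025-01-14T02:00:41Z 203.0.113.7 frank FAIL
2025-01-14T02:00:49Z 203.0.113.7 grace SUCCESS
2025-01-14T02:05:10Z 198.51.100.4 alice FAIL
2025-01-14T02:05:20Z 198.51.100.4 alice FAIL
2025-01-14T02:05:30Z 198.51.100.4 alice SUCCESS
2025-01-14T09:15:00Z 192.0.2.10 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src_ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {src_ip: sorted targeted accounts} for every source that, within
    `window`, failed against at least `min_accounts` distinct accounts while
    trying no account more than `max_per_account` times. One account hammered
    many times (brute force) does not match; many accounts tried a few times
    each (spray) does."""
    fails_by_src = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))

    findings = {}
    for src, fails in fails_by_src.items():
        # Slide a window starting at each failure from this source (sorted by time).
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[src] = sorted(per_user)
                break
    return findings


def successes_from_spray_sources(events, findings):
    """Accounts that authenticated successfully from a flagged source: the
    first candidates for credential reset and session revocation."""
    hits = defaultdict(list)
    for _, src, user, outcome in events:
        if src in findings and outcome == "SUCCESS":
            hits[src].append(user)
    return {src: sorted(set(users)) for src, users in hits.items()}


def spray_failures_per_account(events, findings):
    """Failed attempts each account absorbed from flagged sources. Compared with
    the directory's lockout threshold, this shows which trusted users are close
    to being locked out by someone else's guesses."""
    counts = defaultdict(int)
    for _, src, user, outcome in events:
        if src in findings and outcome == "FAIL":
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprays = detect_password_spray(evts)
    print("spraying sources:", sprays)
    print("successes from spraying sources:", successes_from_spray_sources(evts, sprays))
    print("failures absorbed per account:", spray_failures_per_account(evts, sprays))
```

On the constructed sample, 203.0.113.7 is flagged (six accounts, one attempt each, within a minute) while 198.51.100.4 is not (three attempts against a single account is a different pattern). Tune the window and thresholds to your own baseline before alerting on them.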

The latest quarterly Incident Response report from Talos highlights the need for layered user protection, as well as detection and response capabilities across multiple technologies and systems. At Cisco, we have developed both the User Protection Suite to provide proactive protection, as well as the Breach Protection Suite to provide cross-product visibility to protect against the very same attacks Talos has observed.

Valid Accounts

It is essential to not only have MFA deployed across your organization but also have strong MFA that is difficult to bypass. Within the User Protection Suite, Duo provides broad MFA coverage to ensure that all users, including contractors, and all applications, including legacy applications, can easily be protected with MFA. This includes protocols, like Remote Desktop Protocol (RDP), which attackers have targeted with password spray attempts.

Complete MFA coverage is a good first step, but the type of MFA deployed is also important. With Risk-Based Authentication, Duo can recognize when there is a new or suspicious login and, in real time, step the user up to stronger forms of authentication, including Verified Duo Push, which requires the user to input a code. As a best practice, organizations should modernize authentication to phishing-resistant, passwordless methods wherever possible, removing passwords from MFA altogether and instead relying on a user’s biometrics and device.

Finally, to evaluate your current identity security, Cisco Identity Intelligence can analyze an organization’s entire identity ecosystem to evaluate MFA deployment and determine if there are gaps in coverage or if users are protected by weak forms of MFA, such as one-time passcodes (OTP). With these strong protections on trusted users, organizations can block attacks and protect trusted users from getting locked out of their accounts.
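The MFA-gap evaluation described above can be reasoned about with a small audit over an identity inventory. The following is an added example, not Cisco Identity Intelligence or Duo code; the factor-strength ranking, the inventory format and the sample users and applications are assumptions constructed for illustration. Its key design point is that a user is only as strong as the weakest factor the policy still accepts for them: a user enrolled in both a phishing-resistant credential and SMS codes still counts as downgradable.

```python
# Strength ranking for enrolled second factors (assumed classification, not a
# Cisco or Duo product list). Higher is harder to bypass.
FACTOR_STRENGTH = {
    "none": 0,
    "sms": 1,             # one-time passcodes can be phished or relayed
    "otp": 1,
    "push": 2,            # susceptible to push fatigue without a verification code
    "verified_push": 3,   # user must type a code shown on the login screen
    "passwordless": 4,    # device-bound credential plus biometric
    "fido2": 4,           # phishing-resistant
}
PHISHING_RESISTANT = 4

# Constructed identity inventory (not real data). Each user lists every factor
# they are allowed to use; each application says whether MFA is enforced.
USERS = [
    {"user": "alice", "type": "employee",   "factors": ["fido2", "sms"]},
    {"user": "bob",   "type": "employee",   "factors": ["verified_push"]},
    {"user": "carol", "type": "contractor", "factors": []},
    {"user": "dave",  "type": "employee",   "factors": ["otp"]},
    {"user": "erin",  "type": "employee",   "factors": ["passwordless"]},
]
APPS = [
    {"app": "vpn",       "protocol": "https", "mfa_enforced": True},
    {"app": "jump-host", "protocol": "rdp",   "mfa_enforced": False},
    {"app": "legacy-hr", "protocol": "ldap",  "mfa_enforced": False},
]


def weakest_factor(factors):
    """The factor an attacker would steer the login toward: a user is only as
    strong as the weakest method the policy still accepts for them."""
    if not factors:
        return "none"
    return min(factors, key=lambda f: FACTOR_STRENGTH[f])


def audit_mfa_coverage(users, apps):
    """Return the coverage gaps a defender would act on first."""
    report = {
        "no_mfa": [],            # users with no second factor at all
        "weak_mfa": [],          # (user, factor) where the weakest factor is an OTP/SMS code
        "downgradable": [],      # users holding a phishing-resistant factor who can still fall back
        "apps_without_mfa": [],  # (app, protocol) where MFA is not enforced
    }
    for u in users:
        weakest = weakest_factor(u["factors"])
        low = FACTOR_STRENGTH[weakest]
        high = max((FACTOR_STRENGTH[f] for f in u["factors"]), default=0)
        if low == 0:
            report["no_mfa"].append(u["user"])
        elif low == 1:
            report["weak_mfa"].append((u["user"], weakest))
        if high >= PHISHING_RESISTANT and low < PHISHING_RESISTANT:
            report["downgradable"].append(u["user"])
    for a in apps:
        if not a["mfa_enforced"]:
            report["apps_without_mfa"].append((a["app"], a["protocol"]))
    return report


def coverage_metrics(users):
    """Share of users with any MFA, and share whose weakest factor is phishing-resistant."""
    total = len(users)
    any_mfa = sum(1 for u in users if u["factors"])
    resistant_only = sum(
        1 for u in users
        if u["factors"] and FACTOR_STRENGTH[weakest_factor(u["factors"])] >= PHISHING_RESISTANT
    )
    return {"any_mfa": any_mfa / total, "phishing_resistant_only": resistant_only / total}


if __name__ == "__main__":
    for key, value in audit_mfa_coverage(USERS, APPS).items():
        print(f"{key}: {value}")
    print(coverage_metrics(USERS))
```

On the constructed inventory, 80% of users have some MFA but only 20% are protected by a phishing-resistant factor with no weaker fallback, and the RDP jump host and the legacy LDAP application are the unenforced applications to address first.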

Initial Access, Dwell Times & Escalation

Graph showing how the exploitation of public-facing applications was the top infection vector in Q4

While there are steps organizations can take to strengthen defense against initial access using valid accounts, the rise in exploiting public-facing applications can seem intimidating. That is why organizations must follow zero trust principles to protect data and resources in the event of a breach. Cisco’s User Protection Suite also includes Secure Access, which includes both Secure Internet Access and Zero Trust Network Access (ZTNA) capabilities.

With Secure Internet Access, users are protected from malicious content with both Intrusion Prevention System (IPS) and Remote Browser Isolation (RBI). If a user accesses a compromised web server with known vulnerabilities, IPS can analyze network traffic and other variables based on signatures to identify malicious behavior and protect users from potential threats, in real time. In addition, RBI enables a user to safely browse the internet by moving their activity off their machine and into the cloud. That way if the user does click on a malicious application, RBI can isolate the web traffic.

Once an attacker gains access, in 50% of engagements attackers used remote access tools to move laterally. That’s why there is an increase in dwell times, as attackers are mapping out the network and accessing sensitive resources. Therefore, it is important that organizations begin to adopt a Zero Trust Network Access (ZTNA) architecture that limits application access.

With Secure Private Access, organizations can deploy ZTNA to ensure that users only gain access to the resources that they need to do their jobs and prevent lateral movement, including protection for protocols like RDP access to private resources. To further protect against lateral movement, ZTNA access to RDP can be paired with Duo’s Trusted Endpoints solution. This ensures that only trusted or known devices can access private resources and block risky or unknown devices.

Inflict Damage

Ransomware appears as the top threat in Talos IR’s Q4 report, increasing from what was seen in Q3. This type of attack is constantly evolving to more easily and more surreptitiously breach defenses, expand the attack, and cause significant damage to organizations. The clever use of social engineering has proven to be a powerful tactic with devastating results. Talos found that adversaries impersonate IT personnel to manipulate end users into unwittingly sharing sensitive information. During these double extortion attacks, the data is then encrypted, and victims are pressured into paying for its return. Posing as an entity’s IT department is a common tactic which not only leads to data loss and potential extortion but also facilitates lateral movement within the network.

In these scenarios and as a general rule, speed to detection is critical to minimizing damaging effects. Secure Email Threat Defense utilizes sophisticated AI-powered social graphing to understand relationships between senders inside and outside of an organization. This helps identify anomalies that might indicate a cause for concern. And, because Email Threat Defense analyzes the entire message content, a request to share information or credentials will quickly be flagged as malicious. By understanding the intent of a message, these types of ransomware-driven emails would be quickly quarantined before the emails even reach the end user’s inbox.

Telemetry from those incidents is automatically integrated into Cisco XDR to provide quick, comprehensive visibility of potential lateral movement and damage across the entire organization. The strength of these products working together is compounded by their inclusion in Cisco Breach Protection Suite. The suite empowers security teams to simplify operations and accelerate incident response across the most prominent attack vectors including email, endpoints, network, and cloud environments. It provides unified protection that combines multiple security technologies and leverages AI for enhanced threat detection, streamlined security operations, and improved efficiency.

Talk to an expert to discover how the Breach and User Protection Suites can provide comprehensive defense for your organization against the most common and virulent attacks.
