Threat actors are leaning on trusted services more than ever
Cyber threats are increasingly incorporating legitimate services in their attack chain, researchers warn.
In its latest threat intelligence report, email security platform Mimecast said it flagged more than 5 billion threats in the second half of 2024.
Mimecast identified the growing trend of living off trusted services (LOTS) attacks as its most significant finding over the period, as attackers increasingly incorporate legitimate IT tools in their TTPs to avoid detection.
It noted this approach is particularly useful in helping get around a recent push in the security industry to raise the levels of authentication required to access corporate accounts.
“While the technologies make their attacks more complicated, the attackers continue to find services to pass authentication and alignment checks,” the report explained.
Mimecast said a significant number of these threats take advantage of major cloud providers for a wide array of their attacks, but also leverage individual aspects of other cloud services for specific parts of the kill chain.
“Microsoft’s, Google’s, and Evernote’s cloud services commonly play hosts for threat actor’s payloads and landing pages,” the report warned.
“However, other cloud services are frequently being used for specific components of attack structure: Cloudflare’s Turnstyle CAPTCHAs are regularly used to prevent threat analysis.”
But it added that as these larger providers work to root out abuse of their platforms, attackers have been observed using smaller services from providers like Airtable, Publuu, and Wave Compliance.
Geopolitical lures used to deceive staff
Mimecast also called attention to the extent to which human error still plagues businesses as the most consistent element in cyber incidents.
The report warned that humans continue to have a primary role in successful breaches, citing data from Verizon that showed 68% of successful breaches that occurred in 2023 had “a non malicious human element”.
Mimecast referenced findings from a survey by EY, which found 34% of employees reported they were worried they might be the weakness exploited in a breach, even though 86% said they were knowledgeable about the types of threats they face.
The report showed threat actors frequently use references to current geopolitical events in their phishing lures, with China-Taiwan, the South China Sea, and China’s activities related to cutting undersea cables the top three geopolitical lures seen by Mimecast researchers.
Mimecast detailed a number of threat-specific countermeasures to address concerns businesses have with the human aspect of their defense posture.
Firstly, organizations should implement a robust framework for human risk management that aligns both security objectives and business targets. By doing so, firms can develop a “multi-tiered response system that differentiates between unintentional mistakes and malicious actions”, Mimecast advised.
Awareness training is also an essential part of any countermeasure, but the report emphasized that staff must be educated on not just the general cyber risks they face but how global events can influence threat campaigns.
“By implementing robust awareness training programs and human risk platforms to guardrail users, organizations can strengthen their human firewall against both conventional cyberattacks and those driven by geopolitical motives,” Mimecast advised.
MORE FROM ITPRO
Source link
