《NTT DATA ：2024年全球威脅情報報告（英文版）（16頁）.pdf》由會員分享，可在線閱讀，更多相關《NTT DATA ：2024年全球威脅情報報告（英文版）（16頁）.pdf（16頁珍藏版）》請在三個皮匠報告上搜索。

1、1|2024 Global Threat Intelligence Report 2024Global Threat Intelligence ReportGrowing attack surface and threat complexity mixed with reduced staffing and budgets is creating a perfect storm for security professionalsGlobal Scalable Security Solutionssecurity.ntt2|2024 Global Threat Intelligence Rep

2、ort Forward fromCTO,NTT SECURITY HOLDINGSGregory GartenWhile the threat landscape continues to evolve at an unprecedented rate,security budgets and staffing remain stagnant or have begun to shrink.This leaves organizations exposed and struggling to defend against even routine exploitation,malware,an

3、d ransom or extortion threats.The problem becomes significantly more severe when considering the increased reliance on cloud security,third-party integration and supply chains,and the added exposure they bring with them.Nearly 50%of organizations in 2023 had numerous severe incidents and 55%have sai

4、d the severity of incidents is increasing over the past 2 years.With this imbalance between threats and the funding to combat them,security teams are being asked to do more with less.Teams need to find ways to strike the right balance between spending on tools and people,and analysts need a holistic

5、 view of their organizations security posture to enable more informed and quicker decision-making.Embracing consolidation is not just an option,but a necessity to navigate the increasingly complex threat landscape with limited resources.We need to democratize cybersecurity,empowering small and mediu

6、m sized businesses to achieve the same level of detection and response that has historically been limited to large organizations with bigger budgets.In our 2024 Global Threat Intelligence Report,NTT Security Holdings provides insights into the security trends our customers are seeing as well as the

7、threat landscape overall.NTT Security Holdings provides unified visibility and control across network,endpoint,cloud,identity,email and more.We encourage organizations to empower your teams with the insights from this report to identify risks and ensure a robust response plan is in place.Investing i

8、n the right tools can enable organizations to weather the storm and emerge stronger.This years report contains analysis based on attack and incident reports,vulnerability trends and threat intelligence from January 1,2023,to December 31,2023.Greg has been with NTT for over 10 years where he has focu

9、sed on engineering and product development of their cybersecurity platforms,products,and services.Additionally,Greg has held various engineering and executive roles at companies such as Intuit,Cisco,Silver Lake Sumeru,Exodus Communication,Cybera,and several international technology startups and mult

10、inational technology companies.NTT Global Threat Intelligence PlatformInsights from our Samurai MDR&Samurai XDR customer base800B+logs processed per month20+years experience in 24/7 Managed Security Services Global Tier 1 Internet backbone telemetry and honeypot sensors Key findingsIn our 2023 Globa

11、l Threat Intelligence Report,we highlighted the increase in cyber bleed over with cyberthreats having greater and greater impact on day-to-day life,economic conditions,and privacy.This continues to be the reality in 2024 with actors resorting to even more aggressive and unscrupulous tactics to achie

12、ve their objectives.Cybersecurity professionals are lagging at the same time,often stressed to keep pace with more responsibilities and job complexity.Weve long discussed the skills gap in cybersecurity,and that gap grows every year as we see rising fatigue and burnout from professionals become incr

13、easingly more reliant on an expanding toolset that has become borderline unmanageable.This leads to analysts and administrators missing key details or failing to follow-up efficiently,opening the door to more severe incidents.Our key findings this year focus on:We all want to strive to be on the ble

14、eding edge of cybersecurity,yet many teams and organizations are still struggling to keep the basics fresh.Cybersecurity professionals need to find ways to consolidate tools,streamline and automate processes,and establish key performance indicators that help reflect the true value information securi

15、ty programs provide an organization.Well provide some recommendations at the end of the report which we believe will help,especially for smaller teams that are struggling to stay above water.3|2024 Global Threat Intelligence Report 1Top Attacked Sectors4Vulnerability Intelligence2Ransomware Telemetr

16、y5Exploitation Insights3Malware Telemetry4|2024 Global Threat Intelligence Report While a lot changed across the threat landscape in 2023,the Global Threat Intelligence Center(GTIC)saw less shuffle in the most attacked sectors across our Samurai platform.Manufacturing,technology,and transportation&d

17、istribution sectors maintained their positions in the top 5,as we see a continued focus from adversaries on targeting critical infrastructure and supply chains,posing substantial risks.Manufacturing moved into the top slot as we observed a surge in attacks against entities manufacturing components f

18、or the energy and mining industries,as well as construction.Technology dipped to#2 but still made up over 20%of the attacks observed,in particular targeting technology and service providers.Finance,a prime target for financially motivated threat actors,regained its spot in the top 5 after a small di

19、p last year.Financial service companies had been in our top 3 for the prior 5 years before a small decrease in attacks saw them drop to#6 last year.PUBLIC7.94%TRANSPORT&DISTRIBUTION10.20%FINANCE 10.84%MANUFACTURING 25.66%TECHNOLOGY 21.42%1Top Attacked Sectors5|2024 Global Threat Intelligence Report

20、As anticipated after a down year in 2022,ransomware and extortion incidents surged quickly.In 2023,there was a rise in both victims and payments,with more than 5,000 victims being posted across multiple channels,up from approximately 3,000 in 2022.It is worth noting these are only those discovered b

21、y NTT Security Holdings and reported or disclosed on operator sites.These numbers do not capture incidents where a ransom was paid before it was made public,so the actual number of incidents should be assumed to be notably higher.These statistics are based on GTIC research and MDR/XDR detections,as

22、well as a collection of listings on extortion sites,social media(e.g.,Telegram)channels and public reporting and disclosures.2Ransomware TelemetryUNITED STATES45.45%ITALY3.88%CANADA4.69%UNITED KINGDOM6.10%GERMANY4.02%LOCKBIT21.09%MANUFACTURING27.75%ALPHV(BLACKCAT)9.01%TECHNOLOGY10.78%CL0P7.75%FINANC

23、E10.44%PLAY6.40%RETAIL10.36%8BASE5.79%HEALTHCARE6.50%United States and Manufacturing companies top the charts.Both had the most victims posted,with each leading the way in their respective area every year since we began tracking in 2020.Top targeted sectors can largely be categorized as organization

24、s that need near perfect uptime,increasing the probability of negotiating a ransom.Lockbit claimed the most victims for the second year in a row after ramping up into the top 3 in 2021.GTIC continues to see small and medium-sized businesses(SMBs)face significant risk,with over 50%of victims we track

25、ed having less than 200 employees and two thirds having less than 500 employees.6|2024 Global Threat Intelligence Report Malware continues to evolve to gain initial access,evade detection,and maintain persistence.To account for the modularization,we have updated our taxonomy to account for the distr

26、ibution of these capabilities and delivery stages.This provides a more detailed breakdown of malicious files our Samurai customers are seeing than we have previously reported.We see a steep drop from banking trojans this year with the new breakout due to better classifying certain malware behaviors

27、more accurately.Trojans continue to be a major factor,with Agent Tesla and Remcos being detected most frequently.The breakdown also resulted in an increase in infostealers identification,such as RedLine and Lumma,to account for when it isnt limited to banking sites and financial data.We introduced a

28、 new class for malicious detections of penetration testing tools,for example Cobalt Strike and Metasploit.Generic malware accounts for artificial intelligence and heuristic detections where a more specific classification isnt available.Rounding out the top 5 is botnet activity,primarily lead by Andr

29、oxgh0st and Mirai.In 2023,ransomware detections decreased,with numerous operators shifting away from the traditional encryption and ransom strategy,focusing instead on faster data exfiltration for extortion purposes.The modularization of malware,and the increase in adversaries living off the land,hi

30、ghlights the need for organizations to have more comprehensive protections in place.Teams must be prepared to defend against and hunt for the behaviors and tactics,techniques,and procedures(TTPs)of malware as opposed to just known malicious hashes and artifacts.3Malware TelemetryBACKDOOR10.63%TROJAN

31、12.73%BOTNET7.66%BANKING TROJAN6.11%PENETRATION TESTING TOOL9.85%RAT(REMOTE ACCESS TROJAN)6.57%RANSOMWARE6.35%GENERIC MALWARE8.87%WORM4.37%INFOSTEALER7.48%7|2024 Global Threat Intelligence Report Patch management is a simple concept at its core,however there can be quite a bit of nuance that is ofte

32、n overlooked.A small gap in the process can leave your attack surface and organization exposed.As the saying goes we must be right every time,whereas attackers must only be right once.Common pitfalls we see include:Improper asset discovery and management,both internally and externally Maintaining up

33、-to-date inventory Establishing and enforcing software and version restrictions Patch prioritization and testing Incomplete assessment of supply chainVulnerability intelligence is an important aspect of threat intelligence that can provide key data points to help protect your business.It can help gu

34、ide policy and enforcement decisions on authorized software or hardware,help establish data driven risk metrics,and assist with prioritization in patch management.While Common Vulnerabilities and Exposures(CVEs)arent a definitive listing of every known weakness,it provides valuable contribution to v

35、ulnerability management programs,particularly when contextualized further for your environment and based on known exploited vulnerabilities.With over 8,500 unique products being assigned a CVE last year,it is safe to say this is an area businesses must keep close tabs on to protect themselves.Organi

36、zations should leverage these insights to assess vendors and limit what is allowed within their environments especially with increasing adoption of hybrid and remote working situations.Many of the most popular vendors by market share and reputation are also among the highest in announced CVEs each y

37、ear,as well as vulnerabilities added to the CISAs Known Exploited Vulnerabilities Catalog.Popular vendors,software-as-a-Service(SaaS)and remote management tools are key targets for adversaries looking to maximize victim count with exploitation.4Vulnerability IntelligenceCVEs by Year2019010,00020,000

38、30,00020202021202220238|2024 Global Threat Intelligence Report 2023 CVEs by Vendor2023 Known Exploited Vulnerabilities by VendorGOOGLEMICROSOFTADOBEAPPLEIBMORACLECISCOJENKINS SIEMENSHUAWEIMICROSOFTAPPLEGOOGLEADOBEIVANTICITRIXJUNIPERCISCOZYXELQUALCOMM02004006008001,00005101520251,2001,4009|2024 Globa

39、l Threat Intelligence Report We highlighted last year that malware and botnets continue to integrate exploit code for high and critical severity vulnerabilities quickly,increasingly so when aided by generative AI.GTIC also observed several threat actors utilize critical severity 0days for massive ga

40、ins in 2023.This trends with the vulnerability releases above with the majority of targeted platforms aligning to vendors with the highest volume of CVEs acknowledged or vendors with the highest market share.Of these 10 CVEs,9 appear in the Known Exploited Vulnerabilities Catalog which reiterates th

41、e importance of leveraging insights such as this to inform patch management programs.This is true for vital software and systems such as email or firewalls,but also needs to account for IT service management and SaaS integrations.5Exploitation InsightsMost critical CVEs leveraged by ransomware opera

42、tors in 2023Most critical CVEs leveraged by malware&botnets targeting our Samurai customers in 2023,by percentage of attacksCVE IDCVSSVulnerability NameActor(s)CVE-2023-273509.8PaperCut MF/NG Improper Access Control VulnerabilityCIOp,Bl00DyCVE-2023-343629.8Progress MOVEit Transfer SQL Injection Vuln

43、erabilityCIOpCVE-2023-472469.8SysAid Server Path Traversal VulnerabilityCIOpCVE-2023-202699.1Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access VulnerabilityLockBit,AkiraCVE-2023-282527.8Microsoft Windows Common Log File System(CLFS)Driver Privilege Escalation Vulnera

44、bilityNokoyawaCVE IDCVSSVulnerability NamePercentageCVE-2022-410408.8Microsoft Exchange Server Server-Side Request Forgery Vulnerability16.25%CVE-2014-62719.8GNU Bourne-Again Shell(Bash)Arbitrary Code Execution Vulnerability13.72%CVE-2021-4422810Apache Log4j2 Remote Code Execution Vulnerability10.95

45、%CVE-2023-257259.1HAProxy Empty Header Name Access Control Bypass3.60%CVE-2021-344739.1Microsoft Exchange Server Remote Code Execution Vulnerability2.87%10|2024 Global Threat Intelligence Report Spotlight On:Billion Dollar IndustryAccording to a report from Chainalysis,ransomware payments in 2023 re

46、ached an all-time high of over$1 billion after a decline in 2022.Despite increasing competition from new operators and affiliates as well as law enforcement disruption efforts,ransomware payments are climbing,highlighting the profitability of this criminal activity.This escalation can be attributed

47、to a few evolutions;an increase in ransomware operators,successful ransomware-as-a-service(RaaS)programs and a shift to more aggressive tactics for extorting organizations and victims of organization data leaks.Some notable highlights from 2023:The jump in victims across more sensitive industries su

48、ch as hospitals,critical infrastructure providers,and large corporations is concerning.Many RaaS and affiliate programs historically prohibited targeting some of these industries and banned partners who attacked or leaked their data.The shift in belief that these institutions are more likely to pay

49、large ransoms to restore access to their vital systems and data due to the potential consequences of service disruptions increases concerns around future targets and both the immediate and lasting impacts of industries whose uptime can hold lives in the balance.With roughly 100 ransomware operators

50、active in 2023,organizations need to ensure theyre prepared for the variety of approaches leveraged by these groups and their affiliates.Organizations should assess their incident response plans to ensure it covers best business practices and common standards for ransomware incidents,conduct gap ass

51、essments and tabletop exercises and develop playbooks to prevent,respond to and hunt for signs of ransomware or data leaks which could lead to extortion.Cl0p leverages 0days and exploitation in larger scale operations,with over 50%of victims having over 1,000 employees.AlphV(BlackCat)and Ransomed we

52、aponized federal agencies and regulations to increase likelihood of payment.Operators are targeting industries that used to be considered off limits such as aviation,healthcare,non-profits,and energy(oil,gas,water).Healthcare and non-profits saw more than 2 times as many victims in 2023 than 2022,an

53、d aviation and energy saw more than a 50%increase.Many groups have begun to cross moral lines in addition to criminal ones.Groups such as Hunters International have begun to extort individual patients and customers of breached organizations.Groups such as AlphV(BlackCat)and Medusa have threatened to

54、 release sensitive medical photos or records of patients and students if ransoms are not paid.10|2024 Global Threat Intelligence Report 11|2024 Global Threat Intelligence Report Spotlight On:Human VulnerabilitiesHumans are often considered the weakest link in the cybersecurity chain for a multitude

55、of reasons.Most non-technical and even some technical users can be dismissive towards threat awareness and often prioritize ease of use over security.This includes using weak passwords or reusing passwords across multiple sites,including outside of work such as social media sites.Users tend to be to

56、o trusting or“click happy”easily falling for social engineering and phishing emails or websites.While some organizations have begun returning to offices,many continue to have a fully remote or split work force.This,combined with hybrid cloud environments,bring your own device(BYOD)and third-party in

57、tegrations,has expanded the attack surface for most organizations.This distribution of workforce and infrastructure has highlighted gaps in proper asset management for organizations,leaving blind spots in security controls and data collection.The expansion of work responsibilities across cybersecuri

58、ty roles and the proliferation in tools required to complete these responsibilities continues to increase staff fatigue and burnout.With most businesses seeing budgets tighten,keeping on top of this all has become increasingly challenging.In fall 2023,the National Security Agency(NSA)and Cybersecuri

59、ty and Infrastructure Security Agency(CISA)released the most common misconfigurations found during their red and blue team engagements.11|2024 Global Threat Intelligence Report 2Improper separation of user/administrator privilege1Default configurations of software and applications4Lack of network se

60、gmentation10Unrestricted code execution6Bypass of system access controls3Insufficient internal network monitoring9Poor credential hygiene7Weak or misconfigured multifactor authentication(MFA)methods5Poor patch management8Insufficient access control lists(ACLs)on network shares and services12|2024 Gl

61、obal Threat Intelligence Report This list perfectly encapsulates these human vulnerabilities in practice.Teams are struggling to keep users up-to-date and educated,get a complete picture of their hybrid workforce and infrastructure,and maintain an effective balance with staff to stay on top of it al

62、l.Many of the largest breaches in 2023 were the result of human error or oversight.Salesforce administrator misconfigurations expose private information to guest users DarkBeam and KidSecurity expose over 4 billion records due to unprotected Elasticsearch and Kibana interfaces 1.5 billion records ex

63、posed due to unprotected databases for Real Estate Wealth Network and TuneFab Multiple service desk and support teams socially engineered,resulting in compromised Okta super administrator accounts Unprotected Amazon Web Services endpoint exposed Pizza Hut Australia customer data These weak links can

64、 expose organizations to a significant amount of risk if not properly mitigated.Organizations should regularly educate employees on the latest threats and cybersecurity best practices with customized training for their business.Phishing resistant forms of MFA are key to protect against threats that

65、can bypass more simple MFA implementations,and employees should be made aware of how to spot the threats that still exist with your implementation.Change happened quickly the past few years so teams may also need to revisit any asset discovery and inventory processes to ensure new hybrid infrastruct

66、ure and workforce models are covered.This should incorporate any cloud or SaaS services,third-party or API integrations,and remote workforce access methods and VPNs.By addressing these human vulnerabilities,putting technical controls in place on top,and fostering a culture of cybersecurity awareness

67、 within organizations,we can significantly improve our overall cybersecurity posture.12|2024 Global Threat Intelligence Report PredictionsEDGE DEVICE ABUSE We expect to see a continued uptick in abuse of edge network devices.These devices such as routers,firewall managers,and IOT devices typically a

68、rent monitored as well as user machines and typically dont support security software such as application whitelisting,AV or EDR like a desktop or server would.Adversaries are using these as proxies into the network for access/persistence or data storage/staging for exfiltration.LEGITIMATE SOFTWARE A

69、BUSE This is not a new technique,however weve observed a noteworthy uptick in living off the land(LOTL)and legitimate software abuse by adversaries.This approach helps actors reduce effort by utilizing existing software that doesnt require any custom development or weaponization and isnt flagged by

70、detection software.This includes initial access,lateral movement and exfiltration of data leveraging primarily or entirely legitimate software that already exists within a corporate environment.TAKING ADVANTAGE OF TRUST Similar to above,there has been more use of legitimate accounts via stolen or le

71、aked credentials or account takeover to take advantage of existing trust within environments.Weve also seen this with more trust being placed in cloud,third-party integrations,and SaaS providers to gain access to corporate environments.DISCOVERY OF SIGNIFICANT DWELL TIMES While ransomware/extortion

72、actors are focused on getting in and getting data out as quickly as possible,nation state or more advanced adversaries are looking to remain within an environment as long as possible.We have seen and will continue to see several high-profile breaches lately where an actor may have been in the networ

73、k for months or even years.We expect these types of breaches will continue to be discovered and announced,particularly via supply chain channels.ACTORS USING LLMs Cyber professionals are increasing their use of AI technology to help protect and prevent attacks by tapping large language models(LLM)to

74、 defend their networks and assets but it is also one of the number one cybersecurity concerns as well.Threat actors have begun adopting this technology more heavily as well,utilizing it for reconnaissance,delivery,and assistance with production of malicious code and deception approaches.The continua

75、tion of deep fakes,targeted phishing toolkits and misinformation with this technology has become simple to create as well.13|2024 Global Threat Intelligence Report 14|2024 Global Threat Intelligence Report 14|2024 Global Threat Intelligence Report RecommendationsGLOBAL DATA ANALYSIS METHODOLOGY NTT

76、Security Holdings gathers security alert and incident information from our Samurai MDR&XDR services which it enriches and analyzes contextualized data.NTTs unique visibility into global internet telemetry and data collected from NTTs globally deployed honeypot sensors.Expert contributions provided b

77、y SOC embedded intel analysts,NTT CERT and our Security and Trust Office.Collaboration and expert insights from our intelligence alliances with the Cyber Threat Alliance,Microsoft,US CERT and Recorded Future.4321ENABLEAs cybersecurity leadership,we need to listen to and enable our teams.The boots on

78、 the ground generally feel unheard,underprepared,and overwhelmed.Most are working within environments that require multiple tools to handle a single task or respond to even simple issues.Teams need to be empowered to voice suggestions,recommend improvements in tools and find time for training and in

79、novation.COLLABORATEAs budgets and staffing tightens,we encourage teams to evaluate joining Information Sharing and Analysis Centers,intelligence sharing communities,or collaboration efforts.These can often provide organizations with high quality insights and actionable intelligence at a lower price

80、 than one or many commercial threat intelligence feeds.The added benefit is that most allow real time analyst collaboration to gain additional viewpoints and intuition from others across the intelligence community.TESTEnsure you are frequently testing your various programs and procedures attacks sur

81、face management,vulnerability management,digital forensics and incident response planning,threat hunting program.These should be living processes that are kept up-to-date and informed by the latest actionable threat intelligence.BLOCKOrganizations should revisit their device and application manageme

82、nt policies to ensure strict enforcement.This should cover employee devices which access corporate resources and include locking down default integrations.Application enforcement or whitelisting should be leveraged to reduce not only your vulnerable attack surface but tooling that would be available

83、 in the event of a breach allowing an adversary to live off the land.About GTICNTT Security Holdings Global Threat Intelligence Center goes beyond traditional research,taking threat research and combining it with NTT proprietary detection technologies to produce applied cyber threat intelligence.The

84、 GTICs mission is to protect stakeholders and clients by providing advanced threat research and cybersecurity intelligence enabling NTT Security Holdings to prevent,detect and respond to cyberthreats.The combination of proprietary intelligence capabilities and the truly unique vantage point enabled

85、by NTTs Tier 1 Internet backbone equip GTIC with exceptional insights into threat actors,vulnerabilities and malware enriched with the tactics,techniques,and procedures(TTPs)they leverage.About NTT Security HoldingsNTT Security Holdings brings together over 20 years experience of proactive cyber def

86、ense and services from across the NTT Group,combining the strengths of human capital,threat intelligence and technology developed by NTT to detect and defend against threats.Together with its partners across the world NTT Security Holdings works to create a safe and secure digital world.Cybersecurit

87、y is a constant challenge.Thats why more than 1,500 businesses around the world depend on NTT.By monitoring our customers IT/OT environments 24/7 with our proprietary intelligence,we can discover and respond to threats instantly and effectively with near-zero false positives no matter how sophisticated and malicious the threats may be.Samurai XDRManaged Detection and Response(MDR),powered by Samurai XDR15|2024 Global Threat Intelligence Report Together we do great things.security.ntt