Written by Traci Hamilton, Senior Security Consultant at Avasek
2022 was another busy year for our Incident Response team. Whether it was responding to a breach onsite, or remote restoration, there were some consistencies we found as to how threat actors were able to get in. Here are our findings for what we saw most in 2022.
Matt Pippin, Director of Incident Response, says the top two causes for compromise in 2022 were not patching or updating systems as well as a lack of user education. Let’s break it down.
Patch Management
Patch Management is an important part of systems management and involves monitoring systems for updates and installing patches that may change features, correct bugs, and most importantly, fix critical security vulnerabilities.
Pippin says, “We see servers running Server 2008-2016 that are online and not patched.” Some IT teams may hold off on installing patches and test them to ensure they don’t disrupt critical systems within their environment, but as Pippin emphasizes, not patching systems is usually “due to a lack of IT resources.” In our review of 2022, there were three distinct areas of compromise for unpatched systems.
Areas of Compromise for Unpatched Systems
Apache Log4j vulnerability, also known as Log4Shell, is a vulnerability on the Apache Log4j 2 Java Library. It is a Remote Code Execution (RCE) vulnerability that’s been given a threat rating of CVSS-10, which is considered the most critical and rarely assigned to a vulnerability. It is also the top compromise Avasek’s Incident Response Team saw in 2022. Does that mean all Log4j compromises were on unpatched systems? Not necessarily. Four patches have been released since the discovery of the Log4j vulnerability, two of which had vulnerabilities of their own. So, what can businesses and IT teams do to protect themselves from this ongoing, critical security vulnerability?
“For any system that has the Log4j vulnerability, remove its exposure to the internet,” says Pippin. “If that’s not possible then limit traffic to it from only known and verified good sources. Outside of those things, putting MFA for logins on the system as well as isolation from the main production network will help as well. There are other things that can be done depending on what the system is used for but getting an Avasek Security Assessment would help determine other avenues of protection.”
George Zilahi, Director of Managed Services, adds, “Make sure Remote Desktop Protocol (RDP) is not publicly accessible. It should only be behind a VPN or inside the network. Vulnerability assessments should also be done regularly.” This leads us to the other top two areas of compromise we saw in 2022 for unpatched and updated systems: Exchange servers and firewalls. Even if IT resources are minimal, keeping an eye out for critical system patches and updates, and most importantly installing them, can help reduce your company’s chance of compromise.
User Error Can Leave Your Organization Vulnerable
Now let’s turn to the other top cause of compromise we saw in 2022, which is lack of user education. More specifically, lack of security awareness education. Phishing, as defined by NIST, is “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.” But not all phishing attacks are the same, and from what Avasek’s Incident Response team saw in 2022, spear phishing attacks took the top spot.
You might be asking, “What’s the difference between phishing and spear phishing?” Phishing broadly describes an attack that’s designed to get someone to take action, like clicking a link in a mass spam email. Spear phishing is simply a targeted phishing attack. The cybercriminal, for example, may be looking for specific information that only one or two individuals at an organization have. They then use techniques like social engineering to gain that individual’s trust to get the desired information, which in turn, is used to execute the cyberattack.
It should come as no surprise to anyone that phishing attacks are not going away anytime soon. In fact, they’re increasing day-by-day. Messaging security company, SlashNext, conducted a study analyzing “billions of link-based URLs, attachments, and natural language messages in email, mobile and browser channels over six months in 2022 and found more than 255 million attacks – a 61% increase in the rate of phishing attacks compared to 2021.” Additionally, global technology company, Acronis, says that the average cost per data breach could reach more than $5 million in 2023.
Educating your employees on security awareness and what to watch out for is a vital step in protecting your company from these types of attacks. Training company, KnowB4, notes that, “Old-school awareness training does not work anymore, and email filters have an average 7-10% failure rate.” Regular monthly simulated phishing attacks, in addition to continued education, can help dramatically reduce a company’s phishing risk.
Final Thoughts
While this is not an all-inclusive list of every top compromise in 2022, we thought it best to share what our team saw most over the past year, along with some insights to help you, your company, and employees stay secure.
Contact us for more information on a security assessment or to learn how Avasek can help protect your organization.