Kaspersky, a cybersecurity firm, analysed the incidents it responded to in 2023. In a recent webinar, Ayman Shaaban, digital forensics and incident response manager in the firm's global emergency response team, discussed what that analysis revealed about the most targeted industries, the most common initial compromise vectors, and the tools and tactics the attackers used.
He says ransomware is still the leading reason customers engage the firm's services, followed by suspicious activity the customer has detected, and then data leakage. “Ransomware attacks are still dominating,” he says. “Your business type is irrelevant for being a cyber victim. Whatever the business type is, it can be a victim.”
Shaaban says 42 per cent of the attacks the firm remediated in 2023 resulted from attackers exploiting public-facing applications – applications or systems that clients and the public can reach directly from the internet.
Privileged accounts
In the financial sector, he says spear phishing remains popular, and privileged accounts are sometimes subject to fewer restrictions than ordinary ones. As an example, he points to a case in which a compromised privileged account was used to drive an attack. “Excluding accounts from security policy can lead to a cyberattack. It should be the opposite – privileged accounts should have a more restrictive security policy, not an easier one. In that example, money was transferred using the compromised account, but the bank’s swift actions mitigated the impact.
“Whenever you have an incident, you shouldn’t be waiting, you should be responding or handling the incident as soon as possible,” he says. “You will definitely be able to reduce the impact of such an incident or a cyber attack by quick actions and the right actions.”
Among his recommendations, Shaaban says companies should have strong password change policies and good patch management. “Establish a zero-tolerance policy with patch management. Once you have a patch, it needs to be applied right away.” He also recommends writing detection rules for the tools adversaries use, establishing an incident response team and investing in its training, partnering with an incident response provider, and applying strict security programs to applications that handle personally identifiable information.
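The point above is that an exemption in a security policy is an attack path, and privileged accounts need a stricter policy rather than a looser one. The following is an added example, not code from the article or from Kaspersky, of how to audit that: it resolves the controls each account actually ends up with after group overrides and exemptions are applied, then flags privileged accounts whose effective controls fall short of a stricter privileged minimum. The weak policy exempts an admin account outright (the pattern described in the webinar); the hardened one removes the exemption and gives privileged groups a stricter override. All account names, group names and policy values are constructed for illustration.

```python
"""Effective-policy audit for privileged accounts (added example)."""

# Controls and the direction in which a value counts as stricter:
# "higher" means a larger value is stricter, "lower" means smaller is stricter.
CONTROL_DIRECTION = {
    "mfa": "higher",                    # True is stricter than False
    "min_password_length": "higher",
    "max_password_age_days": "lower",   # shorter rotation period is stricter
    "lockout_threshold": "lower",       # fewer failed attempts before lockout
}

# Minimum every account must meet, and the stricter minimum for privileged
# accounts. Values are assumed for illustration, not taken from any standard.
BASELINE_MINIMUM = {"mfa": False, "min_password_length": 12,
                    "max_password_age_days": 90, "lockout_threshold": 10}
PRIVILEGED_MINIMUM = {"mfa": True, "min_password_length": 16,
                      "max_password_age_days": 30, "lockout_threshold": 5}


def at_least_as_strict(control, actual, required):
    """True if `actual` meets or exceeds `required` for this control."""
    if actual is None:                  # control not applied at all
        return False
    if CONTROL_DIRECTION[control] == "higher":
        return actual >= required
    return actual <= required


def effective_controls(account, policy):
    """Resolve the controls that actually apply to one account.

    Exempted accounts get no controls at all; everyone else gets the
    baseline plus any overrides for the groups they belong to.
    """
    if account["name"] in policy.get("exemptions", []):
        return {control: None for control in CONTROL_DIRECTION}
    controls = dict(policy["baseline"])
    for group in account["groups"]:
        controls.update(policy.get("overrides", {}).get(group, {}))
    return controls


def audit(accounts, policy):
    """Return one (account, control, actual, required) tuple per shortfall."""
    findings = []
    for account in accounts:
        required = PRIVILEGED_MINIMUM if account["privileged"] else BASELINE_MINIMUM
        actual = effective_controls(account, policy)
        for control, minimum in required.items():
            if not at_least_as_strict(control, actual.get(control), minimum):
                findings.append((account["name"], control, actual.get(control), minimum))
    return findings


# Constructed sample directory: two privileged accounts and one ordinary user.
ACCOUNTS = [
    {"name": "admin_alice", "groups": ["admins"], "privileged": True},
    {"name": "svc_payments", "groups": ["service"], "privileged": True},
    {"name": "teller_bob", "groups": ["staff"], "privileged": False},
]

# Weak policy: the admin account is exempted from policy altogether and the
# service group gets a relaxed override, so privileged accounts end up with
# fewer restrictions than a teller.
WEAK_POLICY = {
    "baseline": {"mfa": True, "min_password_length": 12,
                 "max_password_age_days": 90, "lockout_threshold": 10},
    "overrides": {"service": {"mfa": False, "max_password_age_days": 365}},
    "exemptions": ["admin_alice"],
}

# Hardened policy: no exemptions, and privileged groups get a stricter override.
HARDENED_POLICY = {
    "baseline": WEAK_POLICY["baseline"],
    "overrides": {"admins": dict(PRIVILEGED_MINIMUM),
                  "service": dict(PRIVILEGED_MINIMUM)},
    "exemptions": [],
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for finding in audit(ACCOUNTS, policy) or [("no findings",)]:
            print(label, *finding)
```

Run against the weak policy, every control on both privileged accounts is reported (the exempted admin has no controls at all, and the service override is looser than the baseline), while the ordinary teller passes; against the hardened policy the audit is clean. The same resolve-then-compare shape applies to real directory or IAM exports once `effective_controls` is pointed at the real policy objects.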