The pandemic, a distributed workforce and the U.S. Presidential Elections have created a “perfect storm” for cybercriminals, according to VMware Carbon Black’s Global Incident Response Threat Report.
This threat intelligence report found that cybercriminals are honing their ability to remain undetected inside organizations they’ve breached. Even more troubling is that they have evolved their attacks to counter defenders’ response efforts.
The latest report also uncovered insights from respondents who reported that 82 percent of attacks now involve instances of counter incident, while 55 percent involve island hopping—where an attacker infiltrates an organization’s network to launch attacks on others along its supply chain.
These evolving challenges now pose new security challenges for IR and cybersecurity professionals responsible for detecting and stopping emerging attacks.
Watch Tom Kellermann, Head of Cybersecurity Strategy at VMware Carbon Black, Rick McElroy, Senior Cybersecurity Strategist at VMware Carbon Black, Taree Reardon, Senior Threat Analyst at VMware Carbon Black, and Eric Groce, Incident Handler at Red Canary, as they discuss the rising threat of counter IR via lateral movement, effective incident response in a remote world, and how to address these challenges with VMware Carbon Black Cloud and Red Canary.
00:11 Panelist Introduction
00:38 Webinar Agenda
01:22 Security Threats by the Numbers
01:26 82% of incidents have counter incident response associated with them.
02:52 Detecting Emerging Attacks
02:59 [Counter incident response] are the activities that the adversary takes when they know that you’re either onto them—vis-à-vis you’ve stopped some executable, detected what they’re up to, and moved them into another environment.
04:04 Island hopping is the phenomenon of getting onto one piece of infrastructure inside of an environment and now leveraging that infrastructure to go attack partner networks or anything that’s connected to the infrastructure.
06:40 “We really have to pay attention to what’s happening within our network and on our endpoints and be able to detect those anomalies after we form a really good baseline.” – Taree
07:44 “You can’t just rely on network detection because oftentimes you’ll see the attackers hiding in common traffic. From an endpoint standpoint, you need some type of network data to determine what resources were accessed and what the actual attacker was looking after. Endpoints hold a lot of valuable information, especially surrounding what types of commands are being run.” – Taree
08:43 Threat Hunting Best Practices
09:17 “As adversaries are getting more sophisticated in their attacking methodologies, you have to look at the behavior: if they’re trying to blend in, if they’re trying to be stealthy, if they’re pivoting tactics, they’re still going to exhibit behavior to get to their end goal that’s in very stark contrast to what a normal user would be doing on their network.” – Eric
14:36 “There’s a lot of things that organizations need to do in order to understand what’s on their network, understand what’s normal, and then build detections around pointing out the abnormal. That way analysts won’t be inundated with numerous alerts of the exact same thing every day.” – Taree
17:11 Basics to Focus Your Detection Program On
18:28 Fighting Back Against the Biggest Cybersecurity Threats
20:59 Rapidly Evolving Business Environment
26:17 Best Practices for Transitioning Endpoints from WFH to the Office
28:26 Disabling Security Tools
42:39 Lateral Movement
43:58 “Now that we can put this contextual picture together [with detection tools], we have an opportunity to figure out which part of our real estate isn’t owned by us and kick the cyber squatters out.” – Rick
52:09 How Can We Be Future Ready?
54:27 “Whether it’s work from home or satellite or HQ, there’s a couple things that don’t change: the data—which is still critical, whether it’s on an endpoint or a data center—and credentials.” – Eric
55:15 “No matter how secure you and your organization are, the people you’re working with maybe aren’t as secure, so make sure that with any trusted relationships you have with vendors, you’re not giving them admin credentials and are locking down any type of access that they have.” – Taree
55:53 Additional Resources