Top Adversary Tactics and Techniques

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) und Private Access for ZTNA sind nativ in einer einzigen Lösung integriert, um jedes Unternehmen auf seinem Weg zum Secure Access Service zu unterstützen Edge (SASE)-Architektur.

Netskope Produktübersicht

Netskope Next Gen SASE Branch vereint kontextsensitives SASE Fabric, Zero-Trust Hybrid Security und SkopeAI-Powered Cloud Orchestrator in einem einheitlichen Cloud-Angebot und führt so zu einem vollständig modernisierten Branch-Erlebnis für das grenzenlose Unternehmen.

Erfahren Sie mehr über Next Gen SASE Branch

Netskope NewEdge ist die weltweit größte und leistungsstärkste private Sicherheits-Cloud und bietet Kunden eine beispiellose Serviceabdeckung, Leistung und Ausfallsicherheit.

Mehr über NewEdge erfahren

Planen Sie Ihren Weg zu einem schnelleren, sichereren und widerstandsfähigeren Netzwerk, das auf die von Ihnen unterstützten Anwendungen und Benutzer zugeschnitten ist.

Whitepaper lesen

Cloud Exchange (CE) von Netskope gibt Ihren Kunden leistungsstarke Integrationstools an die Hand, mit denen sie in jeden Aspekt ihres Sicherheitsstatus investieren können.

Erfahren Sie mehr über Cloud Exchange

Mehr über NewEdge erfahren

Beleuchtete Schnellstraße mit Serpentinen durch die Berge

Erfahren Sie, wie wir den Einsatz generativer KI sichern

ChatGPT und Generative AI sicher aktivieren

Erfahren Sie mehr über Zero Trust

Erfahren Sie mehr über Branchenlösungen

Vorhersagen für 2024
Gastgeberin Emily Wearmouth setzt sich zu einem Gespräch mit Sherron Burgess, Senior VP und CISO bei BCD Travel, und Shamla Naidoo, Head of Cloud Strategy and Innovation bei Netskope, zusammen, um über die heißen Themen zu sprechen, die sie für das kommende Jahr sehen.

Podcast abspielen

Wie Netskope die Zero-Trust- und SASE-Reise durch Security Service Edge (SSE)-Funktionen ermöglichen kann.

Den Blog lesen

Wiederholungssitzungen der vierten jährlichen SASE Week.

Entdecken Sie Sitzungen

Entdecken Sie die Sicherheitselemente von SASE, die Zukunft des Netzwerks und der Security in der Cloud.

Erfahren Sie mehr über Security Service Edge

Sehen Sie sich unsere Kunden an

Lächelnde Frau mit Brille schaut aus dem Fenster

Erfahren Sie mehr über professionelle Dienstleistungen

Zur Netskope Community

Erfahren Sie mehr über Schulungen und Zertifizierungen

Gruppe junger Berufstätiger bei der Arbeit

Netskope ist stolz darauf, an Vision 2045 teilzunehmen: einer Initiative, die darauf abzielt, das Bewusstsein für die Rolle der Privatwirtschaft bei der Nachhaltigkeit zu schärfen.

Finde mehr heraus

Unterstützung der Nachhaltigkeit durch Datensicherheit

Im 2023 Gartner® Magic Quadrant™ für SSE wurde Netskope als führender Anbieter ausgezeichnet.

Report abrufen

Lernen Sie unser Team kennen

Gruppe von Wanderern erklimmt einen verschneiten Berg

Erfahren Sie mehr über Netskope-Partner

Gruppe junger, lächelnder Berufstätiger mit unterschiedlicher Herkunft

Netskope Threat LabsOctober 2023

Report Highlights Executive Summary Top Techniques

Initial Access: Spearphishing Execution: User Execution Command and Control and Exfiltration

Adversary Analysis

Top Adversary Groups Geographic and Industry Differences Recommendations

About This Report Netskope Threat Labs

17 Min. gelesen

Report Highlights

test answer

Spearphishing links and attachments are the top initial access techniques tracked by Netskope Threat Labs this year, with adversaries successfully tricking victims into opening the links and attachments via email, voice, text, social media, and search engines.
User execution is the top execution technique, with adversaries having the highest rate of success in tricking their victims into downloading Trojans when they host them using popular cloud apps.
For command and control and data exfiltration, adversaries are heavily favoring the use of HTTP and HTTPS to fly under the radar and blend in with benign traffic.
The majority of adversary activity on the Netskope Security Cloud platform comes from criminal adversaries, with the most activity attributable to Wizard Spider, a Russian group responsible for creating the TrickBot malware.
The financial services and healthcare industry verticals have the highest percentage of activity attributable to geopolitical adversary groups on the Netskope Security Cloud platform.

Executive Summary

sdofjsfojefgejelosij

Cybersecurity is a battle between two opponents: Defenders who seek to protect their users, their data, and their systems, and adversaries, who seek to harm and exploit them. The defender’s most valuable tool is their knowledge of the adversary. As defenders, we seek to understand the adversary’s motivations and objectives, as well as the tactics and techniques they use to achieve those objectives. We then design our systems to be resilient to those tactics and techniques and implement controls to detect adversary activity.

This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023. To facilitate more efficient communication and understanding, we present this report in terms of the MITRE ATT&CK framework. The framework provides comprehensive categorization of adversary tactics and techniques as well as grouping and naming of adversaries.

Globally, Netskope customers were most commonly targeted by criminal adversaries, with Wizard Spider targeting more organizations than any other group. Information stealers and ransomware remained popular tools employed by financially motivated adversaries. Less-common were geopolitically motivated adversaries, whose most popular tools were remote access Trojans that create backdoors into the organizations they target.

Top Techniques

This section explores the most common tactics and techniques used by adversaries to gain access to their targets’ systems, execute malicious code, and communicate with compromised systems. We highlight four tactics where the Netskope Security Cloud platform provides visibility, and highlight the six most commonly observed techniques within those tactics:

Initial Access The techniques adversaries use to get into their targets’ systems.
Execution The techniques adversaries use to run malicious code.
Command and Control The techniques adversaries use to communicate with compromised systems.
Exfiltration The techniques adversaries use to steal information from their victims.

Initial Access: Spearphishing

When remote access to a system is locked down and the system is patched against known security vulnerabilities, the easiest way for an adversary to access that system is often through its users. For that reason, social engineering techniques have continued to be a mainstay of the adversary playbook. For example, initial access during the September 2023 MGM hack was achieved through vishing (voice phishing) by calling the victim’s helpdesk. Among the various Phishing techniques, Spearphishing Links and Spearphishing Attachments are two of the most popular on the Netskope Security Cloud Platform in 2023.

Analyzing the phishing links victims clicked on can provide insights into where adversaries are having the most success targeting their victims. By a large margin, users most frequently clicked phishing links targeted cloud apps, with one-third of those phishing links targeting Microsoft products. This is not surprising, as Microsoft OneDrive is the single most popular cloud app in the enterprise by a large margin, alongside other Microsoft products including SharePoint, Outlook, and Teams.

Execution: User Execution

Social engineering isn’t limited to initial access. Adversaries also depend on users to execute malicious payloads that provide clandestine remote access, steal sensitive information, or deploy ransomware. Convincing a target user to execute a malicious payload often requires the user to click a Malicious Link or otherwise download and execute a Malicious File. Adversaries are constantly trying new ways to trick victims into doing so, and Netskope Threat Labs tracks those changes in our monthly reports. There are two overarching themes that have dominated 2023. First, adversaries are most successful in convincing their victims to download malicious files when those files are delivered via cloud apps. So far this year, an average of 55% of the malware that users attempted to download was delivered via cloud apps.

Malware Delivery, Cloud vs. Web

Second, the apps where the highest number of malware downloads were attempted were also some of the most popular cloud apps in use in the enterprise. Microsoft OneDrive, the most popular cloud app in the enterprise, took the top spot with more than one-quarter of all cloud malware downloads. In total, adversaries were successful in enticing users to download malware for execution from 477 distinct cloud apps so far this year.

Top Apps for Malware Downloads

Command and Control and Exfiltration

After an adversary has successfully executed a malicious payload in a victim’s environment, they often need to establish a channel to communicate with the compromised system, which is where command and control comes into play. The most common command and control technique adversaries used in 2023 was Application Layer Protocol: Web Protocols, which was often coupled with Exfiltration over C2 Channel. Adversaries have multiple options for creating command and control channels, including using a C2 framework like CobaltStrike, abusing a popular cloud app, or creating their own custom implementation.

Stealth is an important feature of a command and control channel. Not only does the adversary need to communicate with the compromised system, they also need to avoid detection when doing so. For this reason, adversaries are increasingly using HTTP and HTTPS over ports 80 and 443 as their primary C2 communication channels. HTTP and HTTPS traffic is highly likely to be allowed from an infected system and will blend in with the abundance of HTTP and HTTPS traffic already on the network. Contrast this approach with malware that communicate over rarely used ports or protocols, such as IRC or FTP. Such communication would be comparatively easy to detect and easy to block, even with a layer-3 firewall and especially with a layer-7 firewall. Based on an analysis of tens of thousands of malware samples detected in 2023, HTTP (80) and HTTPS (443) were the favorite C2 and data exfiltration protocols by a large margin, used by more than two-thirds of malware samples. The next most popular protocol was DNS, followed by a variety of other rarely used ports and protocols.

Top Malware Communication Ports

Adversary Analysis

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques. We then leverage that information to help our customers defend their systems against those adversaries. The adversaries that Netskope Threat Labs tracks generally fall into two categories, based on their motivations.

Criminal
The primary objective of criminal adversary groups is financial gain, and their toolset typically includes information stealers and ransomware. Extortion has been an extremely profitable business for cybercriminals for the past several years, with an estimated $457 million in ransom payments made in 2022. Most criminal adversaries have diversified their operations to use both ransomware and infostealers to increase the odds of a victim paying up. If encrypting their systems with ransomware wasn’t enough to convince them to pay, perhaps the public release of sensitive information stolen from the organization would help. Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical
Geopolitical adversary groups are motivated by geopolitical issues. They are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. For example, Russian adversary groups launched cyberattacks against Ukraine that coincided with their invasion of that country. Geopolitical groups typically engage in cyber operations against other nation-states, and such operations have become a critical component of modern international relations. The lines between geopolitical and criminal adversaries sometimes blur, with some geopolitical groups also engaging in financially motivated activities. For example, the current North Korean regime funds development of its missile program via cybercrime. The specific cyber-operations undertaken by geopolitical adversaries vary, including cyber-espionage against government and non-government organizations and sabotaging critical infrastructure to destabilize an adversary. Geopolitical adversaries also engage in information warfare, spreading propaganda, manipulating public opinion, and influencing popular elections.

Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same exact tooling or even share infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. For these reasons, adversary attributions are fuzzy and subject to change and evolve as new information comes to light. In the remainder of this report, we present stats about the adversary activities observed on the Netskope Security Cloud platform and the groups most likely responsible for those activities.

Top Adversary Groups

The top adversary group targeting users of the Netskope Security Cloud platform was Wizard Spider (a.k.a. UNC1878, TEMP.MixMaster, Grim Spider), a Russia-based criminal adversary credited with creating the TrickBot malware. The TrickBot malware was originally created as a banking Trojan, but has since evolved into a complex malware platform containing information stealing, lateral movement, command and control, and data exfiltration components. As is typical of criminal adversary groups, Wizard Spider has targeted a wide variety of victim organizations with ransomware. Among the tactics and techniques used by Wizard Spider include the six techniques highlighted in this report around spearphishing, user execution, and command and control.

Other active criminal adversary groups relying heavily on ransomware included TA505 (a.k.a. Hive0065), who is responsible for the Clop ransomware, and FIN7 (a.k.a. GOLD NIAGARA, ITG14, Carbon Spider), who used the REvil ransomware and created the Darkside ransomware. While the top criminal adversary groups targeting Netskope customers are Russian and Ukrainian, the top geopolitical adversary groups are Chinese, led by memupass (a.k.a. Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH) and Aquatic Panda, both of whom have targeted a variety of different types of organizations worldwide.

Geographic and Industry Differences

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle techniques with minimal customization. By industry vertical, there are two that stand out: financial services and healthcare. In those two verticals, the split between criminal and geopolitical adversary activities is nearly 50/50. Meanwhile in the other industry verticals, the split is closer to 80/20. This indicates that organizations in the financial services and healthcare sector are more commonly targeted by geopolitical adversaries.

Adversary Motivations by Target Industry

These differences are also apparent when comparing the likely sources of the adversary activity in each industry. Because many of the criminal adversaries we are tracking are located in Russia, the industries with the highest percentage of criminal activity also have the highest percentages of activity attributable to groups based in Russia. Meanwhile, financial services and healthcare (the industries targeted by more geopolitical adversaries) have a more even mixture of adversaries targeting them from Russia, the Middle East, and China. The other adversary locations not shown in the chart below include North Korea, Pakistan, India, Vietnam, and Nigeria.

Industry Adversary Activity

By region, the most active adversaries also differ significantly, with two stand-out regions: Australia and North America. Both of these regions stand out by having the highest percentage of adversary activity attributable to criminal groups.This indicates that users in the US and Australia are more likely to be targeted by criminal adversaries, whereas in other parts of the world, the split of geopolitical and criminal adversary activity is closer to 50/50.

Adversary Motivations by Target Region

The breakdown of regional adversary activity follows a similar pattern as the industry data: the regions targeted by criminal groups tend to be targeted by groups based in Russia, while the regions with a higher percentage of geopolitical activity tend to see a more significant percentage of adversary activity attributed to geopolitical groups in China.

Regional Adversary Activity

Recommendations

The Mitre ATT&CK framework provides a common language for adversary groups, their tactics, and their techniques. Defenders can use this framework to determine whether their defenses are appropriately matched against their adversaries. For each of the techniques discussed in this report, this section provides specific recommendations.

Initial Access: Spearphishing Links
Implement anti-phishing defenses that go beyond email to ensure that users are protected against spearphishing links no matter where they originate. A SWG solution that inspects DNS traffic, cloud traffic, and web traffic for evidence of phishing can prevent users from visiting spearphishing links regardless of origin, using signatures and intelligence to protect against known phishing threats and AI to protect against unknown and targeted threats. Netskope customers can configure their Netskope NG-SWG to protect against phishing. Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites in categories that can present higher risk, like newly observed and newly registered domains, personal webmail, and social media.

Initial Access: Spearphishing Attachments
While spearphishing link protections can also help protect against users that click on links in spearphishing attachment, a more robust defense will provide additional protections against users downloading spearphishing attachments. Because they can come from multiple sources, an effective strategy will inspect all HTTP and HTTPS downloads, including all web and cloud traffic, for evidence of spearphishing using threat intelligence, signatures, heuristics, and AI. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. Inspecting content downloads from popular cloud apps (like Microsoft OneDrive) is particularly important to protect against adversaries abusing such apps to deliver malware.

Execution: Malicious Link and Execution: Malicious File
Because adversaries use multiple channels to deliver malware, including popular cloud apps like Microsoft OneDrive, an effective defensive strategy must inspect all traffic–including web and cloud–for malicious content. Ensure that high-risk file types, like executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected by multiple static and dynamic analysis engines, including ones that use AI to detect targeted attacks. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. To further reduce risk surface, configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances (company vs. personal) that are necessary. Block downloads of all risky file types from newly registered domains, newly observed domains, and other risky categories.

Command and Control: Application Layer Protocol: Web Protocols
An effective strategy to detect and prevent adversary C2 traffic over web protocols includes using a SWG and an IPS to block communication to known C2 infrastructure and exhibiting common C2 patterns. Netskope Advanced Threat Protection customers can use the IPS and Advanced UEBA features to identify C2 traffic and other signals of post-compromise behavior. Blocking newly registered domains, newly observed domains, and alerting on unusual network traffic patterns can also reduce risk surface and enable early detection. DNS Security and Cloud Firewall can also be used to protect against non-HTTP/HTTPS C2 traffic.

Exfiltration: Exfiltration over C2 Channel
The same protections for detecting and preventing adversary C2 traffic can also be effective against data exfiltration over the same C2 channel or any other web protocols. Netskope customers using DLP can configure policies that restrict where data can be uploaded, effectively limiting the channels over which the attacker is able to exfiltrate data. Netskope customers using Advanced UEBA have additional protections against C2 that include the identification of data transfer anomalies, including spikes of uploads to unusual locations and the transfer of encrypted or encoded content (a common technique used by adversaries).

In summary, an assessment of what traffic is inspected versus bypassed is vital for your defenses to protect users, data, applications, and infrastructure from these adversaries. Knowing you are inspecting all possible traffic, the next step is to align defenses to the six techniques noted in this report. Some defenses will rely on signatures and patterns, while innovations in AI/ML (e.g., algorithms, feature extractors, and anomaly detection) can be used to protect against unknown or zero-day threats. Once or twice per year, assess how adversaries are pivoting to evade current defenses and review what new defenses are available to protect your users, data, applications, and infrastructure.

About This Report

Netskope Threat Labs publishes a quarterly Cloud and Threat Report to highlight a specific set of cybersecurity challenges. The purpose of this report is to provide strategic, actionable intelligence on active threats.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Therefore, the tactics and techniques highlighted in the report are limited to those that are observable in HTTP/HTTPS traffic, and the adversary groups tracking in this report are limited to those using said techniques. Stats presented in this report are a reflection of both adversary activity and user behavior. For example, the Initial Access: Spearphishing section discusses the actual phishing links that users are clicking, not the universe of all phishing links created by adversaries. Stats in this report are based on the period starting January 1, 2023 through September 23, 2023.

Netskope Threat Labs

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest web, cloud, and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, Black Hat, and RSA.

Cloud- und Bedrohungsberichte

The Netskope Cloud and Threat Report delivers unique insights into the adoption of cloud applications, changes in the cloud-enabled threat landscape, and the risks to enterprise data.

Browse reports

Storm with lightning over the city at night

Beschleunigen Sie Ihr Sicherheitsprogramm mit dem SASE Leader

Loslegen

Cloud- und Bedrohungsbericht: Top-Taktiken und -Techniken von Gegnern

Netskope Threat LabsOctober 2023

Report Highlights

Executive Summary

Top Techniques

Initial Access: Spearphishing

Execution: User Execution

Command and Control and Exfiltration

Adversary Analysis

Top Adversary Groups

Geographic and Industry Differences

Recommendations

About This Report

Netskope Threat Labs

Cloud- und Bedrohungsberichte

Beschleunigen Sie Ihr Sicherheitsprogramm mit dem SASE Leader