SASE Week 2023 À la demande ! Explorer les sessions.

Commencez
Support
Support Langue
Explorez le SD-WAN sans frontières
La plateforme du futur est Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), et Private Access for ZTNA intégrés nativement dans une solution unique pour aider chaque entreprise dans son cheminement vers l'architecture Secure Access Service Edge (SASE).

Présentation des produits
Vidéo Netskope
Next Gen SASE Branch est hybride - connectée, sécurisée et automatisée

Netskope Next Gen SASE Branch fait converger Context-Aware SASE Fabric, Zero-Trust Hybrid Security et SkopeAI-Powered Cloud Orchestrator dans une offre cloud unifiée, ouvrant la voie à une expérience de succursale entièrement modernisée pour l'entreprise sans frontières.

En savoir plus Next Gen SASE Branch
People at the open space office
  • NewEdge

    NewEdge est le nuage privé de sécurité le plus important et le plus performant au monde.

  • Plate-forme de sécurité en nuage

    Une visibilité inégalée et une protection des données et des menaces en temps réel sur le plus grand cloud privé de sécurité au monde.

  • Partenaires technologiques et intégrations

    Netskope s'associe aux sociétés les plus performantes en matière de technologies destinées aux entreprises.

Adopter une architecture SASE (Secure Access Service Edge)

Netskope NewEdge est le nuage privé de sécurité le plus grand et le plus performant au monde. Il offre aux clients une couverture de service, des performances et une résilience inégalées.

Découvrez NewEdge
NewEdge
Votre réseau de demain

Planifiez votre chemin vers un réseau plus rapide, plus sûr et plus résilient, conçu pour les applications et les utilisateurs que vous prenez en charge.

Obtenir le livre blanc
Votre réseau de demain
Netskope Cloud Exchange

Le Netskope Cloud Exchange (CE) fournit aux clients des outils d'intégration puissants pour optimiser les investissements dans l'ensemble de leur infrastructure de sécurité.

En savoir plus sur Cloud Exchange
Vidéo Netskope
Go to Solutions Overview
Go to Solutions Overview
Go to Solutions Overview
Go to Industries Overview
Optez pour les meilleurs services de sécurité cloud du marché, avec un temps de latence minimum et une fiabilité élevée.

Découvrez NewEdge
Lighted highway through mountainside switchbacks
Permettez en toute sécurité l'utilisation d'applications d'IA générative grâce au contrôle d'accès aux applications, à l'accompagnement des utilisateurs en temps réel et à une protection des données de premier ordre.

Découvrez comment nous sécurisons l'utilisation de l'IA générative
Autorisez ChatGPT et l’IA générative en toute sécurité
Solutions Zero Trust pour les déploiements du SSE et du SASE

En savoir plus sur la confiance zéro
Boat driving through open sea
Netskope permet à toutes les entreprises d'adopter des services et des applications cloud ainsi que des infrastructures cloud publiques rapidement et en toute sécurité.

En savoir plus sur les solutions sectorielles
Wind turbines along cliffside
  • Ressources

    Découvrez comment Netskope peut vous aider à sécuriser votre migration vers le Cloud.

  • Blog

    Découvrez comment Netskope permet de transformer la sécurité et les réseaux à l'aide du Security Service Edge (SSE).

  • Événements et ateliers

    Restez à l'affût des dernières tendances en matière de sécurité et créez des liens avec vos pairs.

  • Définition de la sécurité

    Tout ce que vous devez savoir dans notre encyclopédie de la cybersécurité.

Lire le blog
Podcast Security Visionaries

Prévisions pour 2024
L'animatrice Emily Wearmouth s'entretient avec Sherron Burgess, Senior VP et CISO de BCD Travel, et Shamla Naidoo, Head of Cloud Strategy and Innovation de Netskope, pour parler des sujets d'actualité qu'ils envisagent pour l'année à venir.

Écouter le podcast
Prévisions pour 2024
Derniers blogs

Comment Netskope peut faciliter le parcours Zero Trust et SASE grâce aux capacités des services de sécurité en périphérie (SSE).

Lire le blog
Sunrise and cloudy sky
SASE Week 2023 : Votre voyage SASE commence maintenant !

Retrouvez les sessions de la quatrième édition annuelle de SASE Week.

Explorer les sessions
SASE Week 2023
Qu'est-ce que le Security Service Edge ?

Découvrez le côté sécurité de SASE, l'avenir du réseau et de la protection dans le cloud.

En savoir plus sur Security Service Edge
Four-way roundabout
  • Nos clients

    Netskope sert plus de 2 000 clients dans le monde, dont plus de 25 des entreprises du classement Fortune 100

  • Solutions pour les clients

    Nous sommes là pour vous et avec vous à chaque étape, pour assurer votre succès avec Netskope.

  • Communauté Netskope

    Apprenez d'autres professionnels des réseaux, des données et de la sécurité.

  • Formation et certification

    Avec Netskope, devenez un expert de la sécurité du cloud.

Aller aux clients
Aller à Solutions clients
Formation Netskope
Nous parons nos clients à l'avenir, quel qu'il soit

Voir nos clients
Woman smiling with glasses looking out window
L’équipe de services professionnels talentueuse et expérimentée de Netskope propose une approche prescriptive pour une mise en œuvre réussie.

En savoir plus sur les services professionnels
Services professionnels Netskope
La communauté Netskope peut vous aider, vous et votre équipe, à tirer le meilleur parti des produits et des pratiques.

Accéder à la communauté Netskope
La communauté Netskope
Sécurisez votre parcours de transformation numérique et tirez le meilleur parti de vos applications cloud, Web et privées grâce à la formation Netskope.

En savoir plus sur les formations et les certifications
Group of young professionals working
  • Entreprise

    Nous vous aidons à conserver une longueur d'avance sur les défis posés par le cloud, les données et les réseaux en matière de sécurité.

  • Pourquoi Netskope

    La transformation du cloud et le travail à distance ont révolutionné le fonctionnement de la sécurité.

  • Équipe de direction

    Nos dirigeants sont déterminés à faciliter la réussite de nos clients.

  • Partenaires

    Nous collaborons avec des leaders de la sécurité pour vous aider à sécuriser votre transition vers le cloud.

Soutenir le développement durable par la sécurité des données

Netskope est fière de participer à Vision 2045 : une initiative visant à sensibiliser au rôle de l'industrie privée dans le développement durable.

En savoir plus
Soutenir le développement durable grâce à la sécurité des données
Meilleure capacité d'exécution. Le plus loin dans sa vision.

Netskope nommé leader dans le rapport Magic QuadrantTM 2023 pour SSE de Gartner®.

Recevoir le rapport
Netskope nommé leader dans le rapport Magic QuadrantTM 2023 pour SSE de Gartner®.
Penseurs, concepteurs, rêveurs, innovateurs. Ensemble, nous fournissons le nec plus ultra des solutions de sécurité cloud afin d'aider nos clients à protéger leurs données et leurs collaborateurs.

Rencontrez notre équipe
Group of hikers scaling a snowy mountain
La stratégie de commercialisation de Netskope privilégie ses partenaires, ce qui leur permet de maximiser leur croissance et leur rentabilité, tout en transformant la sécurité des entreprises.

En savoir plus sur les partenaires de Netskope
Group of diverse young professionals smiling

Cloud and Threat Report: Top Adversary Tactics and Techniques

light blue plus
This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023, with Wizard Spider targeting more organizations than any other group.
Dark cloud over the sunset

Netskope Threat LabsOctober 2023

Report Highlights Executive Summary Top Techniques
Initial Access: Spearphishing Execution: User Execution Command and Control and Exfiltration
Adversary Analysis
Top Adversary Groups Geographic and Industry Differences Recommendations
About This Report Netskope Threat Labs
17 min read

Report Highlights

test answer
  • Spearphishing links and attachments are the top initial access techniques tracked by Netskope Threat Labs this year, with adversaries successfully tricking victims into opening the links and attachments via email, voice, text, social media, and search engines.
  • User execution is the top execution technique, with adversaries having the highest rate of success in tricking their victims into downloading Trojans when they host them using popular cloud apps.
  • For command and control and data exfiltration, adversaries are heavily favoring the use of HTTP and HTTPS to fly under the radar and blend in with benign traffic.
  • The majority of adversary activity on the Netskope Security Cloud platform comes from criminal adversaries, with the most activity attributable to Wizard Spider, a Russian group responsible for creating the TrickBot malware.
  • The financial services and healthcare industry verticals have the highest percentage of activity attributable to geopolitical adversary groups on the Netskope Security Cloud platform.

 

Executive Summary

sdofjsfojefgejelosij

Cybersecurity is a battle between two opponents: Defenders who seek to protect their users, their data, and their systems, and adversaries, who seek to harm and exploit them. The defender’s most valuable tool is their knowledge of the adversary. As defenders, we seek to understand the adversary’s motivations and objectives, as well as the tactics and techniques they use to achieve those objectives. We then design our systems to be resilient to those tactics and techniques and implement controls to detect adversary activity.

This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023. To facilitate more efficient communication and understanding, we present this report in terms of the MITRE ATT&CK framework. The framework provides comprehensive categorization of adversary tactics and techniques as well as grouping and naming of adversaries.

Globally, Netskope customers were most commonly targeted by criminal adversaries, with Wizard Spider targeting more organizations than any other group. Information stealers and ransomware remained popular tools employed by financially motivated adversaries. Less-common were geopolitically motivated adversaries, whose most popular tools were remote access Trojans that create backdoors into the organizations they target.

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle tactics and techniques with minimal customization. We round out this report by exploring which are the most active adversaries in multiple industry verticals and geographic regions.

 

Top Techniques

This section explores the most common tactics and techniques used by adversaries to gain access to their targets’ systems, execute malicious code, and communicate with compromised systems. We highlight four tactics where the Netskope Security Cloud platform provides visibility, and highlight the six most commonly observed techniques within those tactics:

  • Initial Access The techniques adversaries use to get into their targets’ systems.
  • Execution The techniques adversaries use to run malicious code.
  • Command and Control The techniques adversaries use to communicate with compromised systems.
  • Exfiltration The techniques adversaries use to steal information from their victims.

 

Initial Access: Spearphishing

When remote access to a system is locked down and the system is patched against known security vulnerabilities, the easiest way for an adversary to access that system is often through its users. For that reason, social engineering techniques have continued to be a mainstay of the adversary playbook. For example, initial access during the September 2023 MGM hack was achieved through vishing (voice phishing) by calling the victim’s helpdesk. Among the various Phishing techniques, Spearphishing Links and Spearphishing Attachments are two of the most popular on the Netskope Security Cloud Platform in 2023.

Analyzing the phishing links victims clicked on can provide insights into where adversaries are having the most success targeting their victims. By a large margin, users most frequently clicked phishing links targeted cloud apps, with one-third of those phishing links targeting Microsoft products. This is not surprising, as Microsoft OneDrive is the single most popular cloud app in the enterprise by a large margin, alongside other Microsoft products including SharePoint, Outlook, and Teams.

Top Phishing Targets by Links Clicked

Top Cloud Phishing Targets by Links Clicked

How are adversaries tricking their victims into clicking on phishing links? While email continues to be a very common channel, the success rate there is fairly low for multiple reasons. First, organizations tend to employ sophisticated anti-phishing filters to block phishing emails from ever reaching their victims. Second, organizations typically train their users to be able to recognize phishing emails. In response, attackers are using a variety of other tactics to reach their victims:

Search engine optimization (SEO) – Adversaries create web pages that employ SEO techniques to ensure they are listed on popular search engines, including Bing and Google. The pages are typically crafted around data voids–specific sets of keywords that don’t have many results–and are targeted toward specific demographics.

Social media and messaging apps – Adversaries abuse popular social media apps (like Facebook) and messaging apps (like WhatsApp) to reach their victims using a variety of different baits.

Voice and text messages – Mobile devices often lack the security controls present on more traditional devices like laptops, making them a popular target for phishing attacks. Calling or texting victims are becoming increasingly popular methods to spread phishing links.

Personal email accounts – Personal email accounts tend to have less strict anti-phishing controls, so more phishing emails are able to reach their victims. Because personal email accounts are often used on the same systems the victims use for work, phishing for access to sensitive organization-managed assets via personal email accounts can be a highly successful strategy for adversaries.

Spearphishing attachments are a special type of phishing where the adversary uses attachments both to create an air of legitimacy–typically these attachments look like professional invoices–and also to bypass security controls that don’t inspect attachments. While there is some variety in the types of files adversaries use for phishing attachments–Microsoft Excel spreadsheets, ZIP files, etc.–most of these file types are rare. A staggering 90% of phishing attachments are PDFs designed to entice victims into clicking on a phishing link.

Top Phishing Attachment Types

Similar to phishing links, adversaries spread phishing attachments over multiple channels, including personal email. The number of phishing attachments downloaded by victims spiked to more than triple its baseline level in August as adversaries began having more success by sending their baits to their victim’s personal Microsoft Live email accounts. Over the past nine months, there were 16 times as many users who downloaded a phishing attachment from a personal webmail app compared to users downloading phishing attachments from managed organization webmail apps.

Phishing Attachment Download Volume Over Time

 

Execution: User Execution

Social engineering isn’t limited to initial access. Adversaries also depend on users to execute malicious payloads that provide clandestine remote access, steal sensitive information, or deploy ransomware. Convincing a target user to execute a malicious payload often requires the user to click a Malicious Link or otherwise download and execute a Malicious File. Adversaries are constantly trying new ways to trick victims into doing so, and Netskope Threat Labs tracks those changes in our monthly reports. There are two overarching themes that have dominated 2023. First, adversaries are most successful in convincing their victims to download malicious files when those files are delivered via cloud apps. So far this year, an average of 55% of the malware that users attempted to download was delivered via cloud apps.

Malware Delivery, Cloud vs. Web

Second, the apps where the highest number of malware downloads were attempted were also some of the most popular cloud apps in use in the enterprise. Microsoft OneDrive, the most popular cloud app in the enterprise, took the top spot with more than one-quarter of all cloud malware downloads. In total, adversaries were successful in enticing users to download malware for execution from 477 distinct cloud apps so far this year.

Top Apps for Malware Downloads

 

Command and Control and Exfiltration

After an adversary has successfully executed a malicious payload in a victim’s environment, they often need to establish a channel to communicate with the compromised system, which is where command and control comes into play. The most common command and control technique adversaries used in 2023 was Application Layer Protocol: Web Protocols, which was often coupled with Exfiltration over C2 Channel. Adversaries have multiple options for creating command and control channels, including using a C2 framework like CobaltStrike, abusing a popular cloud app, or creating their own custom implementation.

Stealth is an important feature of a command and control channel. Not only does the adversary need to communicate with the compromised system, they also need to avoid detection when doing so. For this reason, adversaries are increasingly using HTTP and HTTPS over ports 80 and 443 as their primary C2 communication channels. HTTP and HTTPS traffic is highly likely to be allowed from an infected system and will blend in with the abundance of HTTP and HTTPS traffic already on the network. Contrast this approach with malware that communicate over rarely used ports or protocols, such as IRC or FTP. Such communication would be comparatively easy to detect and easy to block, even with a layer-3 firewall and especially with a layer-7 firewall. Based on an analysis of tens of thousands of malware samples detected in 2023, HTTP (80) and HTTPS (443) were the favorite C2 and data exfiltration protocols by a large margin, used by more than two-thirds of malware samples. The next most popular protocol was DNS, followed by a variety of other rarely used ports and protocols.

Top Malware Communication Ports

 

Adversary Analysis

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques. We then leverage that information to help our customers defend their systems against those adversaries. The adversaries that Netskope Threat Labs tracks generally fall into two categories, based on their motivations.

Criminal
The primary objective of criminal adversary groups is financial gain, and their toolset typically includes information stealers and ransomware. Extortion has been an extremely profitable business for cybercriminals for the past several years, with an estimated $457 million in ransom payments made in 2022. Most criminal adversaries have diversified their operations to use both ransomware and infostealers to increase the odds of a victim paying up. If encrypting their systems with ransomware wasn’t enough to convince them to pay, perhaps the public release of sensitive information stolen from the organization would help. Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical
Geopolitical adversary groups are motivated by geopolitical issues. They are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. For example, Russian adversary groups launched cyberattacks against Ukraine that coincided with their invasion of that country. Geopolitical groups typically engage in cyber operations against other nation-states, and such operations have become a critical component of modern international relations. The lines between geopolitical and criminal adversaries sometimes blur, with some geopolitical groups also engaging in financially motivated activities. For example, the current North Korean regime funds development of its missile program via cybercrime. The specific cyber-operations undertaken by geopolitical adversaries vary, including cyber-espionage against government and non-government organizations and sabotaging critical infrastructure to destabilize an adversary. Geopolitical adversaries also engage in information warfare, spreading propaganda, manipulating public opinion, and influencing popular elections.

Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same exact tooling or even share infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. For these reasons, adversary attributions are fuzzy and subject to change and evolve as new information comes to light. In the remainder of this report, we present stats about the adversary activities observed on the Netskope Security Cloud platform and the groups most likely responsible for those activities.

 

Top Adversary Groups

The top adversary group targeting users of the Netskope Security Cloud platform was Wizard Spider (a.k.a. UNC1878, TEMP.MixMaster, Grim Spider), a Russia-based criminal adversary credited with creating the TrickBot malware. The TrickBot malware was originally created as a banking Trojan, but has since evolved into a complex malware platform containing information stealing, lateral movement, command and control, and data exfiltration components. As is typical of criminal adversary groups, Wizard Spider has targeted a wide variety of victim organizations with ransomware. Among the tactics and techniques used by Wizard Spider include the six techniques highlighted in this report around spearphishing, user execution, and command and control.

Other active criminal adversary groups relying heavily on ransomware included TA505 (a.k.a. Hive0065), who is responsible for the Clop ransomware, and FIN7 (a.k.a. GOLD NIAGARA, ITG14, Carbon Spider), who used the REvil ransomware and created the Darkside ransomware. While the top criminal adversary groups targeting Netskope customers are Russian and Ukrainian, the top geopolitical adversary groups are Chinese, led by memupass (a.k.a. Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH) and Aquatic Panda, both of whom have targeted a variety of different types of organizations worldwide.

 

Geographic and Industry Differences

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle techniques with minimal customization. By industry vertical, there are two that stand out: financial services and healthcare. In those two verticals, the split between criminal and geopolitical adversary activities is nearly 50/50. Meanwhile in the other industry verticals, the split is closer to 80/20. This indicates that organizations in the financial services and healthcare sector are more commonly targeted by geopolitical adversaries.

Adversary Motivations by Target Industry

These differences are also apparent when comparing the likely sources of the adversary activity in each industry. Because many of the criminal adversaries we are tracking are located in Russia, the industries with the highest percentage of criminal activity also have the highest percentages of activity attributable to groups based in Russia. Meanwhile, financial services and healthcare (the industries targeted by more geopolitical adversaries) have a more even mixture of adversaries targeting them from Russia, the Middle East, and China. The other adversary locations not shown in the chart below include North Korea, Pakistan, India, Vietnam, and Nigeria.

Industry Adversary Activity

By region, the most active adversaries also differ significantly, with two stand-out regions: Australia and North America. Both of these regions stand out by having the highest percentage of adversary activity attributable to criminal groups.This indicates that users in the US and Australia are more likely to be targeted by criminal adversaries, whereas in other parts of the world, the split of geopolitical and criminal adversary activity is closer to 50/50.

Adversary Motivations by Target Region

The breakdown of regional adversary activity follows a similar pattern as the industry data: the regions targeted by criminal groups tend to be targeted by groups based in Russia, while the regions with a higher percentage of geopolitical activity tend to see a more significant percentage of adversary activity attributed to geopolitical groups in China.

Regional Adversary Activity

 

Recommendations

The Mitre ATT&CK framework provides a common language for adversary groups, their tactics, and their techniques. Defenders can use this framework to determine whether their defenses are appropriately matched against their adversaries. For each of the techniques discussed in this report, this section provides specific recommendations.

Initial Access: Spearphishing Links
Implement anti-phishing defenses that go beyond email to ensure that users are protected against spearphishing links no matter where they originate. A SWG solution that inspects DNS traffic, cloud traffic, and web traffic for evidence of phishing can prevent users from visiting spearphishing links regardless of origin, using signatures and intelligence to protect against known phishing threats and AI to protect against unknown and targeted threats. Netskope customers can configure their Netskope NG-SWG to protect against phishing. Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites in categories that can present higher risk, like newly observed and newly registered domains, personal webmail, and social media.

Initial Access: Spearphishing Attachments
While spearphishing link protections can also help protect against users that click on links in spearphishing attachment, a more robust defense will provide additional protections against users downloading spearphishing attachments. Because they can come from multiple sources, an effective strategy will inspect all HTTP and HTTPS downloads, including all web and cloud traffic, for evidence of spearphishing using threat intelligence, signatures, heuristics, and AI. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. Inspecting content downloads from popular cloud apps (like Microsoft OneDrive) is particularly important to protect against adversaries abusing such apps to deliver malware.

Execution: Malicious Link and Execution: Malicious File
Because adversaries use multiple channels to deliver malware, including popular cloud apps like Microsoft OneDrive, an effective defensive strategy must inspect all traffic–including web and cloud–for malicious content. Ensure that high-risk file types, like executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected by multiple static and dynamic analysis engines, including ones that use AI to detect targeted attacks. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. To further reduce risk surface, configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances (company vs. personal) that are necessary. Block downloads of all risky file types from newly registered domains, newly observed domains, and other risky categories.

Command and Control: Application Layer Protocol: Web Protocols
An effective strategy to detect and prevent adversary C2 traffic over web protocols includes using a SWG and an IPS to block communication to known C2 infrastructure and exhibiting common C2 patterns. Netskope Advanced Threat Protection customers can use the IPS and Advanced UEBA features to identify C2 traffic and other signals of post-compromise behavior. Blocking newly registered domains, newly observed domains, and alerting on unusual network traffic patterns can also reduce risk surface and enable early detection. DNS Security and Cloud Firewall can also be used to protect against non-HTTP/HTTPS C2 traffic.

Exfiltration: Exfiltration over C2 Channel
The same protections for detecting and preventing adversary C2 traffic can also be effective against data exfiltration over the same C2 channel or any other web protocols. Netskope customers using DLP can configure policies that restrict where data can be uploaded, effectively limiting the channels over which the attacker is able to exfiltrate data. Netskope customers using Advanced UEBA have additional protections against C2 that include the identification of data transfer anomalies, including spikes of uploads to unusual locations and the transfer of encrypted or encoded content (a common technique used by adversaries).

In summary, an assessment of what traffic is inspected versus bypassed is vital for your defenses to protect users, data, applications, and infrastructure from these adversaries. Knowing you are inspecting all possible traffic, the next step is to align defenses to the six techniques noted in this report. Some defenses will rely on signatures and patterns, while innovations in AI/ML (e.g., algorithms, feature extractors, and anomaly detection) can be used to protect against unknown or zero-day threats. Once or twice per year, assess how adversaries are pivoting to evade current defenses and review what new defenses are available to protect your users, data, applications, and infrastructure.

About This Report

Netskope Threat Labs publishes a quarterly Cloud and Threat Report to highlight a specific set of cybersecurity challenges. The purpose of this report is to provide strategic, actionable intelligence on active threats.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Therefore, the tactics and techniques highlighted in the report are limited to those that are observable in HTTP/HTTPS traffic, and the adversary groups tracking in this report are limited to those using said techniques. Stats presented in this report are a reflection of both adversary activity and user behavior. For example, the Initial Access: Spearphishing section discusses the actual phishing links that users are clicking, not the universe of all phishing links created by adversaries. Stats in this report are based on the period starting January 1, 2023 through September 23, 2023.

Netskope Threat Labs

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest web, cloud, and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, Black Hat, and RSA.
light blue plus

Cloud and Threat Reports

The Netskope Cloud and Threat Report delivers unique insights into the adoption of cloud applications, changes in the cloud-enabled threat landscape, and the risks to enterprise data.

Browse reports
Storm with lightning over the city at night

Accelerate your security program with the SASE Leader

Get Started
Contact Us

We'd love to hear from you!

Loading...