SASE Week 2023 オンデマンド! セッションを探索します

未来のプラットフォームはNetskopeです

インテリジェントセキュリティサービスエッジ(SSE)、クラウドアクセスセキュリティブローカー(CASB)、クラウドファイアウォール、セキュアウェブゲートウェイ(SWG)、およびZTNAのプライベートアクセスは、単一のソリューションにネイティブに組み込まれており、セキュアアクセスサービスエッジ(SASE)アーキテクチャへの道のりですべてのビジネスを支援します。

製品概要はこちら
Netskopeの動画
Next Gen SASE Branch はハイブリッドであり、接続、保護、自動化

Netskope Next Gen SASE Branchは、コンテキストアウェアSASEファブリック、ゼロトラストハイブリッドセキュリティ、 SkopeAI-Powered Cloud Orchestrator を統合クラウド製品に統合し、ボーダレスエンタープライズ向けに完全に近代化されたブランチエクスペリエンスを実現します。

Next Gen SASE Branchの詳細はこちら
People at the open space office
  • NewEdge

    NewEdgeは、世界最大かつ最高のパフォーマンスを誇るセキュリティプライベートクラウドです。

  • クラウドセキュリティプラットフォーム

    世界最大のセキュリティプライベートクラウドにおける可視性とリアルタイムデータおよび脅威保護

  • 技術パートナーと統合

    Netskopeは、エンタープライズテクノロジーの最強の企業と提携しています。

セキュアアクセスサービスエッジ(SASE)アーキテクチャの採用

Netskope NewEdgeは、世界最大かつ最高のパフォーマンスのセキュリティプライベートクラウドであり、比類のないサービスカバレッジ、パフォーマンス、および回復力を顧客に提供します。

NewEdgeの詳細
NewEdge
明日に向けたネットワーク

サポートするアプリケーションとユーザー向けに設計された、より高速で、より安全で、回復力のあるネットワークへの道を計画します。

ホワイトペーパーはこちら
明日に向けたネットワーク
Netskope Cloud Exchange

Netskope Cloud Exchange (CE) は、セキュリティポスチャに対する投資を活用するための強力な統合ツールを提供します。

Cloud Exchangeについて学ぶ
Netskopeの動画
最小の遅延と高い信頼性を備えた、市場をリードするクラウドセキュリティサービスに移行します。

NewEdgeの詳細
山腹のスイッチバックを通るライトアップされた高速道路
アプリケーションのアクセス制御、リアルタイムのユーザーコーチング、クラス最高のデータ保護により、生成型AIアプリケーションを安全に使用できるようにします。

生成AIの使用を保護する方法を学ぶ
ChatGPTと生成AIを安全に有効にする
SSEおよびSASE展開のためのゼロトラストソリューション

ゼロトラストについて学ぶ
大海原を走るボート
Netskopeは、クラウドサービス、アプリ、パブリッククラウドインフラストラクチャを採用するための安全でクラウドスマートかつ迅速な旅を可能にします。

業界別ソリューションについて学ぶ
崖沿いの風力タービン
  • リソース

    クラウドへ安全に移行する上でNetskopeがどのように役立つかについての詳細は、以下をご覧ください。

  • ブログ

    Netskopeがセキュリティサービスエッジ(SSE)を通じてセキュリティとネットワークの変革を可能にする方法を学びましょう。

  • イベント&ワークショップ

    最新のセキュリティトレンドを先取りし、仲間とつながりましょう。

  • 定義されたセキュリティ

    サイバーセキュリティ百科事典、知っておくべきすべてのこと

「セキュリティビジョナリー」ポッドキャスト

2024年の予測
ホストのEmily Wearmouthが、BCD Travelのシニアバイスプレジデント兼CISOであるSherron Burgess氏と、Netskopeのクラウド戦略およびイノベーション責任者であるShamla Naidoo氏と対談し、来年のホットなトピックについて語ります。

ポッドキャストを再生する
2024年の予測
最新のブログ

Netskopeがセキュリティサービスエッジ(SSE)機能を通じてゼロトラストとSASEの旅を可能にする方法。

ブログを読む
日の出と曇り空
SASE Week 2023年:SASEの旅が今始まります!

第4回 SASE Weekのリプレイセッション。

セッションの詳細
SASE Week 2023
セキュリティサービスエッジとは

SASEのセキュリティ面、ネットワークとクラウドでの保護の未来を探ります。

セキュリティサービスエッジの詳細
4方向ラウンドアバウト
私たちは、お客様が何にでも備えることができるように支援します

お客様を見る
窓の外を見て微笑むメガネをかけた女性
Netskopeの有能で経験豊富なプロフェッショナルサービスチームは、実装を成功させるための規範的なアプローチを提供します。

プロフェッショナルサービスについて学ぶ
Netskopeプロフェッショナルサービス
Netskopeコミュニティは、あなたとあなたのチームが製品とプラクティスからより多くの価値を引き出すのに役立ちます。

Netskopeコミュニティに移動
Netskope コミュニティ
Netskopeトレーニングで、デジタルトランスフォーメーションの旅を保護し、クラウド、ウェブ、プライベートアプリケーションを最大限に活用してください。

トレーニングと認定資格について学ぶ
働く若い専門家のグループ
  • 会社概要

    クラウド、データ、ネットワークセキュリティの課題に対して一歩先を行くサポートを提供

  • Netskopeが選ばれる理由

    クラウドの変革とどこからでも機能することで、セキュリティの機能方法が変わりました。

  • リーダーシップ

    Netskopeの経営陣はお客様を成功に導くために全力を尽くしています。

  • パートナー

    私たちはセキュリティリーダーと提携して、クラウドへの旅を保護します。

データセキュリティによる持続可能性のサポート

Netskope は、持続可能性における民間企業の役割についての認識を高めることを目的としたイニシアチブである「ビジョン2045」に参加できることを誇りに思っています。

詳しくはこちら
データセキュリティによる持続可能性のサポート
Highest in Execution. Furthest in Vision.

ネットスコープは2023年Gartner®社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラント™でリーダーの1社として評価されました。

レポートを読む
ネットスコープは2023年Gartner®社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラント™でリーダーの1社として評価されました。
思想家、建築家、夢想家、革新者。 一緒に、私たちはお客様がデータと人々を保護するのを助けるために最先端のクラウドセキュリティソリューションを提供します。

当社のチーム紹介
雪山を登るハイカーのグループ
Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。

Netskope パートナーについて学ぶ
色々な若い専門家が集う笑顔のグループ

Cloud and Threat Report: Top Adversary Tactics and Techniques

light blue plus
This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023, with Wizard Spider targeting more organizations than any other group.
Dark cloud over the sunset
17 min read

Report Highlights

test answer
  • Spearphishing links and attachments are the top initial access techniques tracked by Netskope Threat Labs this year, with adversaries successfully tricking victims into opening the links and attachments via email, voice, text, social media, and search engines.
  • User execution is the top execution technique, with adversaries having the highest rate of success in tricking their victims into downloading Trojans when they host them using popular cloud apps.
  • For command and control and data exfiltration, adversaries are heavily favoring the use of HTTP and HTTPS to fly under the radar and blend in with benign traffic.
  • The majority of adversary activity on the Netskope Security Cloud platform comes from criminal adversaries, with the most activity attributable to Wizard Spider, a Russian group responsible for creating the TrickBot malware.
  • The financial services and healthcare industry verticals have the highest percentage of activity attributable to geopolitical adversary groups on the Netskope Security Cloud platform.

 

Executive Summary

sdofjsfojefgejelosij

Cybersecurity is a battle between two opponents: Defenders who seek to protect their users, their data, and their systems, and adversaries, who seek to harm and exploit them. The defender’s most valuable tool is their knowledge of the adversary. As defenders, we seek to understand the adversary’s motivations and objectives, as well as the tactics and techniques they use to achieve those objectives. We then design our systems to be resilient to those tactics and techniques and implement controls to detect adversary activity.

This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023. To facilitate more efficient communication and understanding, we present this report in terms of the MITRE ATT&CK framework. The framework provides comprehensive categorization of adversary tactics and techniques as well as grouping and naming of adversaries.

Globally, Netskope customers were most commonly targeted by criminal adversaries, with Wizard Spider targeting more organizations than any other group. Information stealers and ransomware remained popular tools employed by financially motivated adversaries. Less-common were geopolitically motivated adversaries, whose most popular tools were remote access Trojans that create backdoors into the organizations they target.

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle tactics and techniques with minimal customization. We round out this report by exploring which are the most active adversaries in multiple industry verticals and geographic regions.

 

Top Techniques

This section explores the most common tactics and techniques used by adversaries to gain access to their targets’ systems, execute malicious code, and communicate with compromised systems. We highlight four tactics where the Netskope Security Cloud platform provides visibility, and highlight the six most commonly observed techniques within those tactics:

  • Initial Access The techniques adversaries use to get into their targets’ systems.
  • Execution The techniques adversaries use to run malicious code.
  • Command and Control The techniques adversaries use to communicate with compromised systems.
  • Exfiltration The techniques adversaries use to steal information from their victims.

 

Initial Access: Spearphishing

When remote access to a system is locked down and the system is patched against known security vulnerabilities, the easiest way for an adversary to access that system is often through its users. For that reason, social engineering techniques have continued to be a mainstay of the adversary playbook. For example, initial access during the September 2023 MGM hack was achieved through vishing (voice phishing) by calling the victim’s helpdesk. Among the various Phishing techniques, Spearphishing Links and Spearphishing Attachments are two of the most popular on the Netskope Security Cloud Platform in 2023.

Analyzing the phishing links victims clicked on can provide insights into where adversaries are having the most success targeting their victims. By a large margin, users most frequently clicked phishing links targeted cloud apps, with one-third of those phishing links targeting Microsoft products. This is not surprising, as Microsoft OneDrive is the single most popular cloud app in the enterprise by a large margin, alongside other Microsoft products including SharePoint, Outlook, and Teams.

Top Phishing Targets by Links Clicked

Top Cloud Phishing Targets by Links Clicked

How are adversaries tricking their victims into clicking on phishing links? While email continues to be a very common channel, the success rate there is fairly low for multiple reasons. First, organizations tend to employ sophisticated anti-phishing filters to block phishing emails from ever reaching their victims. Second, organizations typically train their users to be able to recognize phishing emails. In response, attackers are using a variety of other tactics to reach their victims:

Search engine optimization (SEO) – Adversaries create web pages that employ SEO techniques to ensure they are listed on popular search engines, including Bing and Google. The pages are typically crafted around data voids–specific sets of keywords that don’t have many results–and are targeted toward specific demographics.

Social media and messaging apps – Adversaries abuse popular social media apps (like Facebook) and messaging apps (like WhatsApp) to reach their victims using a variety of different baits.

Voice and text messages – Mobile devices often lack the security controls present on more traditional devices like laptops, making them a popular target for phishing attacks. Calling or texting victims are becoming increasingly popular methods to spread phishing links.

Personal email accounts – Personal email accounts tend to have less strict anti-phishing controls, so more phishing emails are able to reach their victims. Because personal email accounts are often used on the same systems the victims use for work, phishing for access to sensitive organization-managed assets via personal email accounts can be a highly successful strategy for adversaries.

Spearphishing attachments are a special type of phishing where the adversary uses attachments both to create an air of legitimacy–typically these attachments look like professional invoices–and also to bypass security controls that don’t inspect attachments. While there is some variety in the types of files adversaries use for phishing attachments–Microsoft Excel spreadsheets, ZIP files, etc.–most of these file types are rare. A staggering 90% of phishing attachments are PDFs designed to entice victims into clicking on a phishing link.

Top Phishing Attachment Types

Similar to phishing links, adversaries spread phishing attachments over multiple channels, including personal email. The number of phishing attachments downloaded by victims spiked to more than triple its baseline level in August as adversaries began having more success by sending their baits to their victim’s personal Microsoft Live email accounts. Over the past nine months, there were 16 times as many users who downloaded a phishing attachment from a personal webmail app compared to users downloading phishing attachments from managed organization webmail apps.

Phishing Attachment Download Volume Over Time

 

Execution: User Execution

Social engineering isn’t limited to initial access. Adversaries also depend on users to execute malicious payloads that provide clandestine remote access, steal sensitive information, or deploy ransomware. Convincing a target user to execute a malicious payload often requires the user to click a Malicious Link or otherwise download and execute a Malicious File. Adversaries are constantly trying new ways to trick victims into doing so, and Netskope Threat Labs tracks those changes in our monthly reports. There are two overarching themes that have dominated 2023. First, adversaries are most successful in convincing their victims to download malicious files when those files are delivered via cloud apps. So far this year, an average of 55% of the malware that users attempted to download was delivered via cloud apps.

Malware Delivery, Cloud vs. Web

Second, the apps where the highest number of malware downloads were attempted were also some of the most popular cloud apps in use in the enterprise. Microsoft OneDrive, the most popular cloud app in the enterprise, took the top spot with more than one-quarter of all cloud malware downloads. In total, adversaries were successful in enticing users to download malware for execution from 477 distinct cloud apps so far this year.

Top Apps for Malware Downloads

 

Command and Control and Exfiltration

After an adversary has successfully executed a malicious payload in a victim’s environment, they often need to establish a channel to communicate with the compromised system, which is where command and control comes into play. The most common command and control technique adversaries used in 2023 was Application Layer Protocol: Web Protocols, which was often coupled with Exfiltration over C2 Channel. Adversaries have multiple options for creating command and control channels, including using a C2 framework like CobaltStrike, abusing a popular cloud app, or creating their own custom implementation.

Stealth is an important feature of a command and control channel. Not only does the adversary need to communicate with the compromised system, they also need to avoid detection when doing so. For this reason, adversaries are increasingly using HTTP and HTTPS over ports 80 and 443 as their primary C2 communication channels. HTTP and HTTPS traffic is highly likely to be allowed from an infected system and will blend in with the abundance of HTTP and HTTPS traffic already on the network. Contrast this approach with malware that communicate over rarely used ports or protocols, such as IRC or FTP. Such communication would be comparatively easy to detect and easy to block, even with a layer-3 firewall and especially with a layer-7 firewall. Based on an analysis of tens of thousands of malware samples detected in 2023, HTTP (80) and HTTPS (443) were the favorite C2 and data exfiltration protocols by a large margin, used by more than two-thirds of malware samples. The next most popular protocol was DNS, followed by a variety of other rarely used ports and protocols.

Top Malware Communication Ports

 

Adversary Analysis

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques. We then leverage that information to help our customers defend their systems against those adversaries. The adversaries that Netskope Threat Labs tracks generally fall into two categories, based on their motivations.

Criminal
The primary objective of criminal adversary groups is financial gain, and their toolset typically includes information stealers and ransomware. Extortion has been an extremely profitable business for cybercriminals for the past several years, with an estimated $457 million in ransom payments made in 2022. Most criminal adversaries have diversified their operations to use both ransomware and infostealers to increase the odds of a victim paying up. If encrypting their systems with ransomware wasn’t enough to convince them to pay, perhaps the public release of sensitive information stolen from the organization would help. Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical
Geopolitical adversary groups are motivated by geopolitical issues. They are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. For example, Russian adversary groups launched cyberattacks against Ukraine that coincided with their invasion of that country. Geopolitical groups typically engage in cyber operations against other nation-states, and such operations have become a critical component of modern international relations. The lines between geopolitical and criminal adversaries sometimes blur, with some geopolitical groups also engaging in financially motivated activities. For example, the current North Korean regime funds development of its missile program via cybercrime. The specific cyber-operations undertaken by geopolitical adversaries vary, including cyber-espionage against government and non-government organizations and sabotaging critical infrastructure to destabilize an adversary. Geopolitical adversaries also engage in information warfare, spreading propaganda, manipulating public opinion, and influencing popular elections.

Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same exact tooling or even share infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. For these reasons, adversary attributions are fuzzy and subject to change and evolve as new information comes to light. In the remainder of this report, we present stats about the adversary activities observed on the Netskope Security Cloud platform and the groups most likely responsible for those activities.

 

Top Adversary Groups

The top adversary group targeting users of the Netskope Security Cloud platform was Wizard Spider (a.k.a. UNC1878, TEMP.MixMaster, Grim Spider), a Russia-based criminal adversary credited with creating the TrickBot malware. The TrickBot malware was originally created as a banking Trojan, but has since evolved into a complex malware platform containing information stealing, lateral movement, command and control, and data exfiltration components. As is typical of criminal adversary groups, Wizard Spider has targeted a wide variety of victim organizations with ransomware. Among the tactics and techniques used by Wizard Spider include the six techniques highlighted in this report around spearphishing, user execution, and command and control.

Other active criminal adversary groups relying heavily on ransomware included TA505 (a.k.a. Hive0065), who is responsible for the Clop ransomware, and FIN7 (a.k.a. GOLD NIAGARA, ITG14, Carbon Spider), who used the REvil ransomware and created the Darkside ransomware. While the top criminal adversary groups targeting Netskope customers are Russian and Ukrainian, the top geopolitical adversary groups are Chinese, led by memupass (a.k.a. Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH) and Aquatic Panda, both of whom have targeted a variety of different types of organizations worldwide.

 

Geographic and Industry Differences

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle techniques with minimal customization. By industry vertical, there are two that stand out: financial services and healthcare. In those two verticals, the split between criminal and geopolitical adversary activities is nearly 50/50. Meanwhile in the other industry verticals, the split is closer to 80/20. This indicates that organizations in the financial services and healthcare sector are more commonly targeted by geopolitical adversaries.

Adversary Motivations by Target Industry

These differences are also apparent when comparing the likely sources of the adversary activity in each industry. Because many of the criminal adversaries we are tracking are located in Russia, the industries with the highest percentage of criminal activity also have the highest percentages of activity attributable to groups based in Russia. Meanwhile, financial services and healthcare (the industries targeted by more geopolitical adversaries) have a more even mixture of adversaries targeting them from Russia, the Middle East, and China. The other adversary locations not shown in the chart below include North Korea, Pakistan, India, Vietnam, and Nigeria.

Industry Adversary Activity

By region, the most active adversaries also differ significantly, with two stand-out regions: Australia and North America. Both of these regions stand out by having the highest percentage of adversary activity attributable to criminal groups.This indicates that users in the US and Australia are more likely to be targeted by criminal adversaries, whereas in other parts of the world, the split of geopolitical and criminal adversary activity is closer to 50/50.

Adversary Motivations by Target Region

The breakdown of regional adversary activity follows a similar pattern as the industry data: the regions targeted by criminal groups tend to be targeted by groups based in Russia, while the regions with a higher percentage of geopolitical activity tend to see a more significant percentage of adversary activity attributed to geopolitical groups in China.

Regional Adversary Activity

 

Recommendations

The Mitre ATT&CK framework provides a common language for adversary groups, their tactics, and their techniques. Defenders can use this framework to determine whether their defenses are appropriately matched against their adversaries. For each of the techniques discussed in this report, this section provides specific recommendations.

Initial Access: Spearphishing Links
Implement anti-phishing defenses that go beyond email to ensure that users are protected against spearphishing links no matter where they originate. A SWG solution that inspects DNS traffic, cloud traffic, and web traffic for evidence of phishing can prevent users from visiting spearphishing links regardless of origin, using signatures and intelligence to protect against known phishing threats and AI to protect against unknown and targeted threats. Netskope customers can configure their Netskope NG-SWG to protect against phishing. Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites in categories that can present higher risk, like newly observed and newly registered domains, personal webmail, and social media.

Initial Access: Spearphishing Attachments
While spearphishing link protections can also help protect against users that click on links in spearphishing attachment, a more robust defense will provide additional protections against users downloading spearphishing attachments. Because they can come from multiple sources, an effective strategy will inspect all HTTP and HTTPS downloads, including all web and cloud traffic, for evidence of spearphishing using threat intelligence, signatures, heuristics, and AI. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. Inspecting content downloads from popular cloud apps (like Microsoft OneDrive) is particularly important to protect against adversaries abusing such apps to deliver malware.

Execution: Malicious Link and Execution: Malicious File
Because adversaries use multiple channels to deliver malware, including popular cloud apps like Microsoft OneDrive, an effective defensive strategy must inspect all traffic–including web and cloud–for malicious content. Ensure that high-risk file types, like executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected by multiple static and dynamic analysis engines, including ones that use AI to detect targeted attacks. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. To further reduce risk surface, configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances (company vs. personal) that are necessary. Block downloads of all risky file types from newly registered domains, newly observed domains, and other risky categories.

Command and Control: Application Layer Protocol: Web Protocols
An effective strategy to detect and prevent adversary C2 traffic over web protocols includes using a SWG and an IPS to block communication to known C2 infrastructure and exhibiting common C2 patterns. Netskope Advanced Threat Protection customers can use the IPS and Advanced UEBA features to identify C2 traffic and other signals of post-compromise behavior. Blocking newly registered domains, newly observed domains, and alerting on unusual network traffic patterns can also reduce risk surface and enable early detection. DNS Security and Cloud Firewall can also be used to protect against non-HTTP/HTTPS C2 traffic.

Exfiltration: Exfiltration over C2 Channel
The same protections for detecting and preventing adversary C2 traffic can also be effective against data exfiltration over the same C2 channel or any other web protocols. Netskope customers using DLP can configure policies that restrict where data can be uploaded, effectively limiting the channels over which the attacker is able to exfiltrate data. Netskope customers using Advanced UEBA have additional protections against C2 that include the identification of data transfer anomalies, including spikes of uploads to unusual locations and the transfer of encrypted or encoded content (a common technique used by adversaries).

In summary, an assessment of what traffic is inspected versus bypassed is vital for your defenses to protect users, data, applications, and infrastructure from these adversaries. Knowing you are inspecting all possible traffic, the next step is to align defenses to the six techniques noted in this report. Some defenses will rely on signatures and patterns, while innovations in AI/ML (e.g., algorithms, feature extractors, and anomaly detection) can be used to protect against unknown or zero-day threats. Once or twice per year, assess how adversaries are pivoting to evade current defenses and review what new defenses are available to protect your users, data, applications, and infrastructure.

About This Report

Netskope Threat Labs publishes a quarterly Cloud and Threat Report to highlight a specific set of cybersecurity challenges. The purpose of this report is to provide strategic, actionable intelligence on active threats.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Therefore, the tactics and techniques highlighted in the report are limited to those that are observable in HTTP/HTTPS traffic, and the adversary groups tracking in this report are limited to those using said techniques. Stats presented in this report are a reflection of both adversary activity and user behavior. For example, the Initial Access: Spearphishing section discusses the actual phishing links that users are clicking, not the universe of all phishing links created by adversaries. Stats in this report are based on the period starting January 1, 2023 through September 23, 2023.

Netskope Threat Labs

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest web, cloud, and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, Black Hat, and RSA.

light blue plus

Cloud and Threat Reports

The Netskope Cloud and Threat Report delivers unique insights into the adoption of cloud applications, changes in the cloud-enabled threat landscape, and the risks to enterprise data.

Storm with lightning over the city at night

Accelerate your security program with the SASE Leader