SASE およびゼロ トラスト変革の課題の解決は、RSA の Netskope から始まります。詳細はこちらをご覧ください。

閉める
虫眼鏡
お問い合わせ
虫眼鏡
サポート
シェブロン
サポート 言語
閉める
  • Netskopeが選ばれる理由 シェブロン

    ネットワークとセキュリティの連携方法を変える。

  • 導入企業 シェブロン

    Netskope は世界中で 3,000 を超える顧客にサービスを提供しており、その中にはフォーチュン 100 企業の 25 以上が含まれます

  • パートナー シェブロン

    私たちはセキュリティリーダーと提携して、クラウドへの旅を保護します。

実行能力とビジョンの完全性において
最上位の評価

ネットスコープが2024年Gartner®社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラントで3年連続リーダーの1社として評価された理由をご覧ください。

レポートを読む
Netskope Named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge graphic for menu
私たちは、お客様が何にでも備えることができるように支援します

お客様について
窓の外を見て微笑むメガネをかけた女性
Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。

Netskope パートナーについて学ぶ
色々な若い専門家が集う笑顔のグループ
明日に向けたネットワーク

サポートするアプリケーションとユーザー向けに設計された、より高速で、より安全で、回復力のあるネットワークへの道を計画します。

ホワイトペーパーはこちら
明日に向けたネットワーク
Netskope One プラットフォームの紹介

Netskope One は、SASE とゼロトラスト変革を可能にする統合型セキュリティおよびネットワーキング サービスを提供するクラウドネイティブ プラットフォームです。

Netskope One について学ぶ
青い照明の抽象画
セキュアアクセスサービスエッジ(SASE)アーキテクチャの採用

Netskope NewEdgeは、世界最大かつ最高のパフォーマンスのセキュリティプライベートクラウドであり、比類のないサービスカバレッジ、パフォーマンス、および回復力を顧客に提供します。

NewEdgeの詳細
NewEdge
Netskope Cloud Exchange

Netskope Cloud Exchange (CE) は、セキュリティポスチャに対する投資を活用するための強力な統合ツールを提供します。

Cloud Exchangeについて学ぶ
Netskopeの動画
  • セキュリティサービスエッジ製品 シェブロン

    高度なクラウド対応の脅威から保護し、あらゆるベクトルにわたってデータを保護

  • Borderless SD-WAN シェブロン

    すべてのリモートユーザー、デバイス、サイト、クラウドへ安全で高性能なアクセスを提供

  • Secure Access Service Edge シェブロン

    Netskope One SASE は、クラウドネイティブで完全に統合された単一ベンダーの SASE ソリューションを提供します。

Borderless SD-WANの詳細を見る
未来のプラットフォームはNetskopeです

インテリジェントセキュリティサービスエッジ(SSE)、クラウドアクセスセキュリティブローカー(CASB)、クラウドファイアウォール、セキュアウェブゲートウェイ(SWG)、およびZTNAのプライベートアクセスは、単一のソリューションにネイティブに組み込まれており、セキュアアクセスサービスエッジ(SASE)アーキテクチャへの道のりですべてのビジネスを支援します。

製品概要はこちら
Netskopeの動画
Next Gen SASE Branch はハイブリッドである:接続、保護、自動化

Netskope Next Gen SASE Branchは、コンテキストアウェアSASEファブリック、ゼロトラストハイブリッドセキュリティ、 SkopeAI-Powered Cloud Orchestrator を統合クラウド製品に統合し、ボーダレスエンタープライズ向けに完全に最新化されたブランチエクスペリエンスを実現します。

Next Gen SASE Branchの詳細はこちら
オープンスペースオフィスの様子
SASEアーキテクチャの設計 For Dummies

SASE設計について網羅した電子書籍を無償でダウンロード

電子書籍を入手する
ソリューション概要はこちら
ソリューション概要はこちら
ソリューション概要はこちら
すべての業界を見る
最小の遅延と高い信頼性を備えた、市場をリードするクラウドセキュリティサービスに移行します。

NewEdgeの詳細
山腹のスイッチバックを通るライトアップされた高速道路
アプリケーションのアクセス制御、リアルタイムのユーザーコーチング、クラス最高のデータ保護により、生成型AIアプリケーションを安全に使用できるようにします。

生成AIの使用を保護する方法を学ぶ
ChatGPTと生成AIを安全に有効にする
SSEおよびSASE展開のためのゼロトラストソリューション

ゼロトラストについて学ぶ
大海原を走るボート
NetskopeがFedRAMPの高認証を達成

政府機関の変革を加速するには、Netskope GovCloud を選択してください。

Netskope GovCloud について学ぶ
Netskope GovCloud
  • リソース シェブロン

    クラウドへ安全に移行する上でNetskopeがどのように役立つかについての詳細は、以下をご覧ください。

  • ブログ シェブロン

    Netskope がセキュリティ サービス エッジ (SSE) を通じてセキュリティとネットワークの変革を実現する方法を学びます

  • イベント&ワークショップ シェブロン

    最新のセキュリティトレンドを先取りし、仲間とつながりましょう。

  • 定義されたセキュリティ シェブロン

    サイバーセキュリティ百科事典、知っておくべきすべてのこと

「セキュリティビジョナリー」ポッドキャスト

リモートワークが進む中でのイノベーションの推進
このエピソードでは、ホストのMax Haveyがリモートワークとイノベーションの世界を掘り下げます。

ポッドキャストを再生する
リモートワークが進む中でのイノベーションの推進
最新のブログ

Netskope がセキュリティ サービス エッジ (SSE) 機能を通じてゼロ トラストと SASE の導入をどのように実現できるかをご覧ください。

ブログを読む
日の出と曇り空
SASE Week 2023年:SASEの旅が今始まります!

第4回 SASE Weekのリプレイセッション。

セッションの詳細
SASE Week 2023
セキュリティサービスエッジとは

SASEのセキュリティ面、ネットワークとクラウドでの保護の未来を探ります。

セキュリティサービスエッジの詳細
4方向ラウンドアバウト
  • 会社概要 シェブロン

    クラウド、データ、ネットワークセキュリティの課題に対して一歩先を行くサポートを提供

  • リーダーシップ シェブロン

    Netskopeの経営陣はお客様を成功に導くために全力を尽くしています。

  • カスタマーソリューション シェブロン

    お客様の成功のために、Netskopeはあらゆるステップを支援いたします。

  • トレーニングと認定 シェブロン

    Netskopeのトレーニングで、クラウドセキュリティのスキルを学ぶ

カスタマーソリューションに移動
Netskopeトレーニング
データセキュリティによる持続可能性のサポート

Netskope は、持続可能性における民間企業の役割についての認識を高めることを目的としたイニシアチブである「ビジョン2045」に参加できることを誇りに思っています。

詳しくはこちら
データセキュリティによる持続可能性のサポート
思想家、建築家、夢想家、革新者。 一緒に、私たちはお客様がデータと人々を保護するのを助けるために最先端のクラウドセキュリティソリューションを提供します。

当社のチーム紹介
雪山を登るハイカーのグループ
Netskopeの有能で経験豊富なプロフェッショナルサービスチームは、実装を成功させるための規範的なアプローチを提供します。

プロフェッショナルサービスについて学ぶ
Netskopeプロフェッショナルサービス
Netskopeトレーニングで、デジタルトランスフォーメーションの旅を保護し、クラウド、ウェブ、プライベートアプリケーションを最大限に活用してください。

トレーニングと認定資格について学ぶ
働く若い専門家のグループ

クラウドと脅威レポート:主な敵対者の戦術と手法

ライトブループラス
This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023, with Wizard Spider targeting more organizations than any other group.
夕焼けに暗い雲

Netskope Threat LabsOctober 2023

Report Highlights Executive Summary Top Techniques
Initial Access: Spearphishing Execution: User Execution Command and Control and Exfiltration
Adversary Analysis
Top Adversary Groups Geographic and Industry Differences 推奨 事項
このレポートについて Netskope Threat Labs
17分 読む

Report Highlights リンク リンク

test answer
  • Spearphishing links and attachments are the top initial access techniques tracked by Netskope Threat Labs this year, with adversaries successfully tricking victims into opening the links and attachments via email, voice, text, social media, and search engines.
  • User execution is the top execution technique, with adversaries having the highest rate of success in tricking their victims into downloading Trojans when they host them using popular cloud apps.
  • For command and control and data exfiltration, adversaries are heavily favoring the use of HTTP and HTTPS to fly under the radar and blend in with benign traffic.
  • The majority of adversary activity on the Netskope Security Cloud platform comes from criminal adversaries, with the most activity attributable to Wizard Spider, a Russian group responsible for creating the TrickBot malware.
  • The financial services and healthcare industry verticals have the highest percentage of activity attributable to geopolitical adversary groups on the Netskope Security Cloud platform.

 

Executive Summary リンク リンク

sdofjsfojefgejelosij

Cybersecurity is a battle between two opponents: Defenders who seek to protect their users, their data, and their systems, and adversaries, who seek to harm and exploit them. The defender’s most valuable tool is their knowledge of the adversary. As defenders, we seek to understand the adversary’s motivations and objectives, as well as the tactics and techniques they use to achieve those objectives. We then design our systems to be resilient to those tactics and techniques and implement controls to detect adversary activity.

This edition of the Netskope Cloud and Threat Report focuses on the tactics and techniques that were most commonly used against Netskope customers during the first nine months of 2023. To facilitate more efficient communication and understanding, we present this report in terms of the MITRE ATT&CK framework. The framework provides comprehensive categorization of adversary tactics and techniques as well as grouping and naming of adversaries.

Globally, Netskope customers were most commonly targeted by criminal adversaries, with Wizard Spider targeting more organizations than any other group. Information stealers and ransomware remained popular tools employed by financially motivated adversaries. Less-common were geopolitically motivated adversaries, whose most popular tools were remote access Trojans that create backdoors into the organizations they target.

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle tactics and techniques with minimal customization. We round out this report by exploring which are the most active adversaries in multiple industry verticals and geographic regions.

 

Top Techniques リンク リンク

This section explores the most common tactics and techniques used by adversaries to gain access to their targets’ systems, execute malicious code, and communicate with compromised systems. We highlight four tactics where the Netskope Security Cloud platform provides visibility, and highlight the six most commonly observed techniques within those tactics:

  • Initial Access The techniques adversaries use to get into their targets’ systems.
  • Execution The techniques adversaries use to run malicious code.
  • Command and Control The techniques adversaries use to communicate with compromised systems.
  • Exfiltration The techniques adversaries use to steal information from their victims.

 

Initial Access: Spearphishing

When remote access to a system is locked down and the system is patched against known security vulnerabilities, the easiest way for an adversary to access that system is often through its users. For that reason, social engineering techniques have continued to be a mainstay of the adversary playbook. For example, initial access during the September 2023 MGM hack was achieved through vishing (voice phishing) by calling the victim’s helpdesk. Among the various Phishing techniques, Spearphishing Links and Spearphishing Attachments are two of the most popular on the Netskope Security Cloud Platform in 2023.

Analyzing the phishing links victims clicked on can provide insights into where adversaries are having the most success targeting their victims. By a large margin, users most frequently clicked phishing links targeted cloud apps, with one-third of those phishing links targeting Microsoft products. This is not surprising, as Microsoft OneDrive is the single most popular cloud app in the enterprise by a large margin, alongside other Microsoft products including SharePoint, Outlook, and Teams.

Top Phishing Targets by Links Clicked

Top Cloud Phishing Targets by Links Clicked

How are adversaries tricking their victims into clicking on phishing links? While email continues to be a very common channel, the success rate there is fairly low for multiple reasons. First, organizations tend to employ sophisticated anti-phishing filters to block phishing emails from ever reaching their victims. Second, organizations typically train their users to be able to recognize phishing emails. In response, attackers are using a variety of other tactics to reach their victims:

Search engine optimization (SEO) – Adversaries create web pages that employ SEO techniques to ensure they are listed on popular search engines, including Bing and Google. The pages are typically crafted around data voids–specific sets of keywords that don’t have many results–and are targeted toward specific demographics.

Social media and messaging apps – Adversaries abuse popular social media apps (like Facebook) and messaging apps (like WhatsApp) to reach their victims using a variety of different baits.

Voice and text messages – Mobile devices often lack the security controls present on more traditional devices like laptops, making them a popular target for phishing attacks. Calling or texting victims are becoming increasingly popular methods to spread phishing links.

Personal email accounts – Personal email accounts tend to have less strict anti-phishing controls, so more phishing emails are able to reach their victims. Because personal email accounts are often used on the same systems the victims use for work, phishing for access to sensitive organization-managed assets via personal email accounts can be a highly successful strategy for adversaries.

Spearphishing attachments are a special type of phishing where the adversary uses attachments both to create an air of legitimacy–typically these attachments look like professional invoices–and also to bypass security controls that don’t inspect attachments. While there is some variety in the types of files adversaries use for phishing attachments–Microsoft Excel spreadsheets, ZIP files, etc.–most of these file types are rare. A staggering 90% of phishing attachments are PDFs designed to entice victims into clicking on a phishing link.

Top Phishing Attachment Types

Similar to phishing links, adversaries spread phishing attachments over multiple channels, including personal email. The number of phishing attachments downloaded by victims spiked to more than triple its baseline level in August as adversaries began having more success by sending their baits to their victim’s personal Microsoft Live email accounts. Over the past nine months, there were 16 times as many users who downloaded a phishing attachment from a personal webmail app compared to users downloading phishing attachments from managed organization webmail apps.

Phishing Attachment Download Volume Over Time

 

Execution: User Execution

Social engineering isn’t limited to initial access. Adversaries also depend on users to execute malicious payloads that provide clandestine remote access, steal sensitive information, or deploy ransomware. Convincing a target user to execute a malicious payload often requires the user to click a Malicious Link or otherwise download and execute a Malicious File. Adversaries are constantly trying new ways to trick victims into doing so, and Netskope Threat Labs tracks those changes in our monthly reports. There are two overarching themes that have dominated 2023. First, adversaries are most successful in convincing their victims to download malicious files when those files are delivered via cloud apps. So far this year, an average of 55% of the malware that users attempted to download was delivered via cloud apps.

Malware Delivery, Cloud vs. Web

Second, the apps where the highest number of malware downloads were attempted were also some of the most popular cloud apps in use in the enterprise. Microsoft OneDrive, the most popular cloud app in the enterprise, took the top spot with more than one-quarter of all cloud malware downloads. In total, adversaries were successful in enticing users to download malware for execution from 477 distinct cloud apps so far this year.

Top Apps for Malware Downloads

 

Command and Control and Exfiltration

After an adversary has successfully executed a malicious payload in a victim’s environment, they often need to establish a channel to communicate with the compromised system, which is where command and control comes into play. The most common command and control technique adversaries used in 2023 was Application Layer Protocol: Web Protocols, which was often coupled with Exfiltration over C2 Channel. Adversaries have multiple options for creating command and control channels, including using a C2 framework like CobaltStrike, abusing a popular cloud app, or creating their own custom implementation.

Stealth is an important feature of a command and control channel. Not only does the adversary need to communicate with the compromised system, they also need to avoid detection when doing so. For this reason, adversaries are increasingly using HTTP and HTTPS over ports 80 and 443 as their primary C2 communication channels. HTTP and HTTPS traffic is highly likely to be allowed from an infected system and will blend in with the abundance of HTTP and HTTPS traffic already on the network. Contrast this approach with malware that communicate over rarely used ports or protocols, such as IRC or FTP. Such communication would be comparatively easy to detect and easy to block, even with a layer-3 firewall and especially with a layer-7 firewall. Based on an analysis of tens of thousands of malware samples detected in 2023, HTTP (80) and HTTPS (443) were the favorite C2 and data exfiltration protocols by a large margin, used by more than two-thirds of malware samples. The next most popular protocol was DNS, followed by a variety of other rarely used ports and protocols.

Top Malware Communication Ports

 

Adversary Analysis リンク リンク

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques. We then leverage that information to help our customers defend their systems against those adversaries. The adversaries that Netskope Threat Labs tracks generally fall into two categories, based on their motivations.

Criminal
The primary objective of criminal adversary groups is financial gain, and their toolset typically includes information stealers and ransomware. Extortion has been an extremely profitable business for cybercriminals for the past several years, with an estimated $457 million in ransom payments made in 2022. Most criminal adversaries have diversified their operations to use both ransomware and infostealers to increase the odds of a victim paying up. If encrypting their systems with ransomware wasn’t enough to convince them to pay, perhaps the public release of sensitive information stolen from the organization would help. Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical
Geopolitical adversary groups are motivated by geopolitical issues. They are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. For example, Russian adversary groups launched cyberattacks against Ukraine that coincided with their invasion of that country. Geopolitical groups typically engage in cyber operations against other nation-states, and such operations have become a critical component of modern international relations. The lines between geopolitical and criminal adversaries sometimes blur, with some geopolitical groups also engaging in financially motivated activities. For example, the current North Korean regime funds development of its missile program via cybercrime. The specific cyber-operations undertaken by geopolitical adversaries vary, including cyber-espionage against government and non-government organizations and sabotaging critical infrastructure to destabilize an adversary. Geopolitical adversaries also engage in information warfare, spreading propaganda, manipulating public opinion, and influencing popular elections.

Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same exact tooling or even share infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. For these reasons, adversary attributions are fuzzy and subject to change and evolve as new information comes to light. In the remainder of this report, we present stats about the adversary activities observed on the Netskope Security Cloud platform and the groups most likely responsible for those activities.

 

Top Adversary Groups

The top adversary group targeting users of the Netskope Security Cloud platform was Wizard Spider (a.k.a. UNC1878, TEMP.MixMaster, Grim Spider), a Russia-based criminal adversary credited with creating the TrickBot malware. The TrickBot malware was originally created as a banking Trojan, but has since evolved into a complex malware platform containing information stealing, lateral movement, command and control, and data exfiltration components. As is typical of criminal adversary groups, Wizard Spider has targeted a wide variety of victim organizations with ransomware. Among the tactics and techniques used by Wizard Spider include the six techniques highlighted in this report around spearphishing, user execution, and command and control.

Other active criminal adversary groups relying heavily on ransomware included TA505 (a.k.a. Hive0065), who is responsible for the Clop ransomware, and FIN7 (a.k.a. GOLD NIAGARA, ITG14, Carbon Spider), who used the REvil ransomware and created the Darkside ransomware. While the top criminal adversary groups targeting Netskope customers are Russian and Ukrainian, the top geopolitical adversary groups are Chinese, led by memupass (a.k.a. Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH) and Aquatic Panda, both of whom have targeted a variety of different types of organizations worldwide.

 

Geographic and Industry Differences

Geography and industry are significant factors in determining which adversaries are likely to target an organization. Geopolitical adversaries tend to target specific regions and industries for their intellectual property, while financially motivated adversaries tend to develop playbooks optimized for targeting similar organizations, where they can recycle techniques with minimal customization. By industry vertical, there are two that stand out: financial services and healthcare. In those two verticals, the split between criminal and geopolitical adversary activities is nearly 50/50. Meanwhile in the other industry verticals, the split is closer to 80/20. This indicates that organizations in the financial services and healthcare sector are more commonly targeted by geopolitical adversaries.

Adversary Motivations by Target Industry

These differences are also apparent when comparing the likely sources of the adversary activity in each industry. Because many of the criminal adversaries we are tracking are located in Russia, the industries with the highest percentage of criminal activity also have the highest percentages of activity attributable to groups based in Russia. Meanwhile, financial services and healthcare (the industries targeted by more geopolitical adversaries) have a more even mixture of adversaries targeting them from Russia, the Middle East, and China. The other adversary locations not shown in the chart below include North Korea, Pakistan, India, Vietnam, and Nigeria.

Industry Adversary Activity

By region, the most active adversaries also differ significantly, with two stand-out regions: Australia and North America. Both of these regions stand out by having the highest percentage of adversary activity attributable to criminal groups.This indicates that users in the US and Australia are more likely to be targeted by criminal adversaries, whereas in other parts of the world, the split of geopolitical and criminal adversary activity is closer to 50/50.

Adversary Motivations by Target Region

The breakdown of regional adversary activity follows a similar pattern as the industry data: the regions targeted by criminal groups tend to be targeted by groups based in Russia, while the regions with a higher percentage of geopolitical activity tend to see a more significant percentage of adversary activity attributed to geopolitical groups in China.

Regional Adversary Activity

 

推奨 事項

The Mitre ATT&CK framework provides a common language for adversary groups, their tactics, and their techniques. Defenders can use this framework to determine whether their defenses are appropriately matched against their adversaries. For each of the techniques discussed in this report, this section provides specific recommendations.

Initial Access: Spearphishing Links
Implement anti-phishing defenses that go beyond email to ensure that users are protected against spearphishing links no matter where they originate. A SWG solution that inspects DNS traffic, cloud traffic, and web traffic for evidence of phishing can prevent users from visiting spearphishing links regardless of origin, using signatures and intelligence to protect against known phishing threats and AI to protect against unknown and targeted threats. Netskope customers can configure their Netskope NG-SWG to protect against phishing. Remote Browser Isolation (RBI) technology can provide additional protection when there is a need to visit websites in categories that can present higher risk, like newly observed and newly registered domains, personal webmail, and social media.

Initial Access: Spearphishing Attachments
While spearphishing link protections can also help protect against users that click on links in spearphishing attachment, a more robust defense will provide additional protections against users downloading spearphishing attachments. Because they can come from multiple sources, an effective strategy will inspect all HTTP and HTTPS downloads, including all web and cloud traffic, for evidence of spearphishing using threat intelligence, signatures, heuristics, and AI. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. Inspecting content downloads from popular cloud apps (like Microsoft OneDrive) is particularly important to protect against adversaries abusing such apps to deliver malware.

Execution: Malicious Link and Execution: Malicious File
Because adversaries use multiple channels to deliver malware, including popular cloud apps like Microsoft OneDrive, an effective defensive strategy must inspect all traffic–including web and cloud–for malicious content. Ensure that high-risk file types, like executables and archives, are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. Netskope Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until they have been fully inspected by multiple static and dynamic analysis engines, including ones that use AI to detect targeted attacks. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to downloads of all file types from all sources. To further reduce risk surface, configure policies to block downloads from apps that are not used in your organization to reduce your risk surface to only those apps and instances (company vs. personal) that are necessary. Block downloads of all risky file types from newly registered domains, newly observed domains, and other risky categories.

Command and Control: Application Layer Protocol: Web Protocols
An effective strategy to detect and prevent adversary C2 traffic over web protocols includes using a SWG and an IPS to block communication to known C2 infrastructure and exhibiting common C2 patterns. Netskope Advanced Threat Protection customers can use the IPS and Advanced UEBA features to identify C2 traffic and other signals of post-compromise behavior. Blocking newly registered domains, newly observed domains, and alerting on unusual network traffic patterns can also reduce risk surface and enable early detection. DNS Security and Cloud Firewall can also be used to protect against non-HTTP/HTTPS C2 traffic.

Exfiltration: Exfiltration over C2 Channel
The same protections for detecting and preventing adversary C2 traffic can also be effective against data exfiltration over the same C2 channel or any other web protocols. Netskope customers using DLP can configure policies that restrict where data can be uploaded, effectively limiting the channels over which the attacker is able to exfiltrate data. Netskope customers using Advanced UEBA have additional protections against C2 that include the identification of data transfer anomalies, including spikes of uploads to unusual locations and the transfer of encrypted or encoded content (a common technique used by adversaries).

In summary, an assessment of what traffic is inspected versus bypassed is vital for your defenses to protect users, data, applications, and infrastructure from these adversaries. Knowing you are inspecting all possible traffic, the next step is to align defenses to the six techniques noted in this report. Some defenses will rely on signatures and patterns, while innovations in AI/ML (e.g., algorithms, feature extractors, and anomaly detection) can be used to protect against unknown or zero-day threats. Once or twice per year, assess how adversaries are pivoting to evade current defenses and review what new defenses are available to protect your users, data, applications, and infrastructure.

このレポートについて リンク リンク

Netskope Threat Labs publishes a quarterly Cloud and Threat Report to highlight a specific set of cybersecurity challenges. The purpose of this report is to provide strategic, actionable intelligence on active threats.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Therefore, the tactics and techniques highlighted in the report are limited to those that are observable in HTTP/HTTPS traffic, and the adversary groups tracking in this report are limited to those using said techniques. Stats presented in this report are a reflection of both adversary activity and user behavior. For example, the Initial Access: Spearphishing section discusses the actual phishing links that users are clicking, not the universe of all phishing links created by adversaries. Stats in this report are based on the period starting January 1, 2023 through September 23, 2023.

Netskope Threat Labs リンク リンク

業界屈指のクラウド脅威およびマルウェア研究者を擁するNetskope Threat Labs は、企業に影響を与える最新のウェブ、クラウド、データの脅威を発見、分析し、防御策を設計します。 当社の研究者は、DEF CON、Black Hat、RSAなどのトップセキュリティカンファレンスで定期的にプレゼンターやボランティアを務めています。
ライトブループラス

クラウドと脅威のレポート

The Netskope Cloud and Threat Report delivers unique insights into the adoption of cloud applications, changes in the cloud-enabled threat landscape, and the risks to enterprise data.

レポートを参照する
Storm with lightning over the city at night

SASEのリーダーと共にセキュリティ対策を強化する

お問い合わせ