Staying One Step Ahead: Insights on the Emerging External Cyber Defense Trends

As enterprises' internal cybersecurity has become more well-defended and better monitored, cyber threat actors have evolved their tactics to focus on new methods of compromise, targeting a wider attack surface than ever before. What that means is that organizations need to look outside their traditional IT perimeters to understand the full scope of threats that can result in a cyber incident.

To gain a greater understanding of this extended attack landscape, BlueVoyant continuously analyzes the latest external threats, vulnerabilities, and risks. This includes all threats from outside of organizations' internal networks, such as those that come from suppliers, vendors, and other third parties, along with threats further outside the wire on the clear, deep, and dark web.

To shed light on the state of external cyber defense, BlueVoyant recently compiled a report of emerging trends that represent critical concerns for organizations of all types. It’s based on BlueVoyant’s observations and data collection, derived from its continuous monitoring and mitigation of threats to its clients’ extended ecosystems.

1. Increasingly Advanced and Dynamic Phishing Tactics

The COVID-19 pandemic shook up the business world, pushing companies to go digital faster than they had planned. With everyone working from home and stores closing, our reliance on digital transactions skyrocketed. And with this came more opportunities for hackers to strike.

BlueVoyant’s analysts observed increasingly sophisticated phishing tactics that prey on the weakest link — the end user. Hackers have always searched for new and innovative ways to execute attacks against companies and their users, but they accelerated their efforts in response to the newly remote workforce and primarily digital global economy.

The following examples are three of the many tactics threat actors have used over the past year:

• Phishing Link Redirections
• Leveraging Dynamic DNS Infrastructure
• Smishing

2. RDP as a Primary Vector for Ransomware

With the ever-increasing need for external remote network access, and the rise of third-party connectivity, supporting technologies widely adopted by modern organizations continue to pose a greater risk and are increasingly being targeted by threat actors. Protocols like RDP, SMB, and WinRM can facilitate important business processes but introduce increased risk that must be considered in any security analysis. The Remote Desktop Protocol (RDP) in particular, has been observed as a service with increasingly successful and effective exploitation.

RDP, the proprietary Microsoft protocol that allows a user on one computer to connect to and control a remote computer, is commonly used by admins to fix an issue on a remote system, and in recent years has become popular for cloud computing to access and/or manage virtual machines in the cloud environment. Unfortunately, it is very easy to expose RDP unintentionally by leaving the RDP port open to the internet, including on a forgotten system, cloud instance, or network segment. This protocol, easily detected and exploited, can lead to loss of data, downtime, costly remediation, and brand damage for organizations.

In recent years, threat actors have more frequently probed for open RDP ports as an easy-access attack vector, since they can find vulnerable open RDP services by simply running an external scan of an organization’s network. It is a foregone conclusion that RDP will be targeted at some point if left open on an organization’s network.

3. Emerging Deep and Dark Web Financial Fraud Campaigns

Cyber fraud certainly is not a new type of attack, especially when targeting financial organizations, but our analysts have started to see new wrinkles over the past year — threat actors gravitating toward private instant messaging platforms instead of the dark web, opting to utilize fraudulent physical checks in their campaigns, and business mule accounts being used to launder money successfully obtained via fraud campaigns. Learn more about check fraud campaigns in our latest report, Checking Out: How Cyber Threat Actors Use Physical Checks to Commit Fraud.

4. The Prevalence of Zero-Day Vulnerabilities and their Patching Cadences

Zero-day vulnerabilities, also referred to as Emerging Vulnerabilities (EVs), represent one of the most notable threats to organizations due to their unforeseen and time-sensitive nature. New EVs are disclosed each week, and companies across the world and across all industries need to be constantly vigilant of which can affect them. One of the major challenges in reducing risk in an extended ecosystem is ensuring that all organizations and suppliers do not have open, unpatched instances of vulnerable software, especially when considering that the average time to compromise for a newly disclosed Zero-Day is only around 2 weeks or less.

Through its continuous monitoring service, BlueVoyant rapidly identifies EVs within its global dataset made up of the external-facing IT infrastructures of organizations from all industries and sectors. It is able to signal detections of specific assets within corporate entities. By leveraging this capability, in the following cases, BlueVoyant signatured the vulnerabilities in question and captured the remediation rate for all organizations within its data, in addition to our own clients. From this BlueVoyant can draw a number of conclusions about how companies respond to the disclosure of new EVs.

To counteract the threat of emerging vulnerabilities, BlueVoyant experts outlined the following takeaways and recommendations based on the trends they’ve seen:

• Be proactive in tracking threats
• Timeliness is key to capturing rapidly evolving threats
• Look to the future in developing an agile security process
• Be aware of your external ecosystem
• Prioritize risks and plan for the worst

You can dive deeper into these takeaways and recommendations in our free report, Emerging External Cyber Defense Trends.