Hornetsecurity’s Cyber Security Report 2024 is here!

Every year, the Security Lab at Hornetsecurity sifts through billions of emails and analyzes the data to provide actionable insights to cyber defenders everywhere.

This article serves as your appetizer for the main course, the free report which you can download here.

In this year’s report we processed over 45 billion emails and just over a third of those, 36.4%, were categorized as unwanted. Out of that slice, 96.4% were spam or rejected outright due to external indicators, with 3.6% identified as malicious emails.

Out of all the malicious emails we identified, the majority were phishing emails (43.3%, a 4% increase over last year), while the second most prevalent type was malicious links at 30.5% (an increase of 18%!). In the report itself we analyze these findings in more detail and tease out how you can use these data to defend your organization.

We also look at attachment types and analyze why certain types are gaining in “popularity” with the criminals and why others, such as Microsoft Office documents, are losing their appeal. We also looked at which industry verticals were most targeted (Research, Manufacturing and Entertainment), another point you can use to raise awareness with your organization’s leadership if you need to.

The report looks at backup in Microsoft 365, the need for it and Microsoft’s changing stance on the topic, as well as how to manage permissions effectively in a tenant, something that’s very hard using only the built-in tools. The rise of QR code phishing is noteworthy, as is the prevalence of brand impersonation in malicious emails.

As Multi Factor Authentication (MFA) adoption increases, criminals are adapting, using Attacker-in-the-Middle kits such as W3LL to trick users and steal identity tokens, even when MFA is used. The risks of vendor overdependence are analyzed in the report, and we also look at several high-profile security events in the Microsoft 365 sphere, including the highly sophisticated Storm-0558 attack on Entra ID.

An interesting part of last year’s report was our predictions for the emerging risks and trends we’d see over the following 12 months; in this year’s report we look at how we did with those. We also outline our predictions for the coming year, which include the use of AI for both attack and defense, MFA bypass technique proliferation, supply chain attacks and the risks of network slicing in 5G networks. There are many others, and we go in depth in the report.

The report rounds out with a look at how you can protect your organization, how to build a cyber resilient culture, getting the basics of cyber hygiene right, and how to adopt a zero-trust mindset across the whole business.

Hopefully this has enticed you to grab the full Cyber Security Report, get all the details and most importantly, improve your own and your organization’s security posture. We at Hornetsecurity are here to help you.

What Are Insider Threats? Definition, Types, and Mitigation Tactics

What Is an Insider Threat?

An insider threat is like a wolf in sheep’s clothing. Outwardly, they appear just like any other trusted member of your enterprise, but inside, they have the potential and agenda to destroy whole infrastructures or manipulate data for their satisfaction or monetary end goal.

They can be a current or former employee, a disgruntled system administrator, an outside contractor, an external intruder who has gained insider access, or an infiltrator from a business competitor. Their objectives can range from fraud and intellectual property theft to plain and simple revenge.

Types of Insider Threats

When you first think of insider threats, the first thing that comes to mind is a person with privileged system access, such as a system or database administrator, or someone with elevated capabilities within applications, but that’s not always the case.

Today, anyone can become an insider threat, willingly or unwillingly, by handing valuable information to an external party, for example in response to a successful phishing attempt.

The motives vary, and there are several reasons why someone might become an insider threat:

Malicious insider

This individual has joined the company for the sole purpose of retrieving information from the organization, and their motives could be financial or tied to state-sponsored espionage.

What they do with the stolen data is a debatable subject, as they could sell it to a third party or a competitor; it mostly boils down to money. They can act alone or as part of a group with a larger objective, depending on their end-game.

Lack of recognition

Workers who do not have a strong sense of identification or loyalty to the company may be more inclined to take part in insider threats. This may be brought on by disengagement, a short-term job outlook, or a lack of investment in the role.

Sabotage

Employees may turn spiteful and commit acts of sabotage if they believe their diligence and commitment are not appreciated or go unnoticed. For vengeance or attention, they might purposefully interfere with operations by installing malware, harming systems, or erasing essential data; sometimes the motive is simply to cause chaos.

Insider Espionage

Sometimes, the most vulnerable employees are the ones who feel undervalued or mistreated. When outside actors sense that an insider feels neglected, they may contact them. These outside parties might recruit them to disclose private company secrets, turning a grievance into insider espionage.

Ideological or Political Motivation

Insiders may have strong ideological or political beliefs that lead them to engage in insider threats. They might seek to disrupt the organization’s functioning for ideological reasons or expose perceived wrongdoing inside it.

(H)Activism

Employees may utilize their access to an organization’s systems to further their political or ideological agendas. They might, for instance, partake in hacktivism, which is breaking into systems to forward a political viewpoint or message.

Whistleblowing

People occasionally hold a strong moral conviction that an organization is engaging in unethical or illegal activity that clashes with their beliefs. They might commit insider threats by revealing private information in an effort to expose the misconduct, damaging the company’s reputation or punishing it financially.

Personal problems

An organization’s insider risk may be influenced by personal issues. Insider threats may arise when employees or other individuals with access to an organization’s systems and data face substantial personal concerns or challenges that affect their behavior. Personal issues can lead to insider threats in a number of ways, including:

Financial Stress

As they say, money is the root of all evil. Individuals in financial difficulty may be more susceptible to corruption and to accepting bribes from outside parties that want access to confidential data. They might jeopardize security to benefit financially from it.

Personal legal troubles

People who encounter legal issues, such as criminal charges or lawsuits, may be more susceptible to external threat actors who use those issues as leverage to pressure them into performing malicious activities.

Insider Threat Behavior Patterns

The term “insider threat behavior patterns” describes the visible behaviors and acts that people within an organization display that may point to the possibility of an insider threat. Understanding these trends is essential for early insider threat identification and mitigation. The following are typical insider threat behavior patterns:

  1. Access abuse: Insiders may frequently access private systems, documents, or locations outside the bounds of their official duties. Unauthorized access to financial information, private papers, or intellectual property are examples that indicate an employee might have an agenda that differs from their role.
  2. Data Hoarding/Exfiltration: Insiders may be planning to misuse or exfiltrate information if they gather or download an excessive amount of data, especially if it has nothing to do with their job responsibilities.
  3. Unauthorized Software Installation: Installing malicious or unauthorized software on work-issued devices is cause for concern because it can be leveraged to cover up insider activity or exploit security holes.
  4. Social Engineering: One of the main signs of insider threats is manipulative behavior intended to deceive coworkers into disclosing private information, getting around security measures, or helping with insider attacks.
  5. Unauthorized Physical Access: Employees who have physical access to a company’s facilities run the risk of abusing it to steal devices and private documents or compromise physical security.

How to Detect Malicious Insider Threats

Do you know your people? Detecting an insider threat can be a difficult task, but not impossible, as every employee has a certain amount of power and a baseline behavior within the company. Before you can look for anomalies, you must create a baseline of “normal” behavior in both people and systems.

Typical login times, data access patterns, communication styles, and job-related tasks should all be part of this baseline.

Data exfiltration can be countered with Data Loss Prevention (DLP) solutions that continuously monitor data movement and transfers across the network. Any employee retrieving or exfiltrating sensitive data is potentially malicious behavior that should not escape the DLP solution, which gives early detection of an insider threat.
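Turning the baseline idea above into something runnable, as an added example that is not part of the original article: the script below builds a per-user baseline of working hours and daily data volume from a constructed access log, then flags records that fall outside it, including activity from accounts that have no history at all. The log rows, user names, hostnames and thresholds are constructed assumptions for illustration; a real deployment would feed it from the DLP or SIEM export and tune the thresholds per environment.

```python
"""Baseline-and-anomaly check for insider-threat indicators.

Added example, not part of the original article. All users, timestamps and
byte counts below are constructed sample data.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample access log: (timestamp, user, action, bytes transferred)
ACCESS_LOG = [
    ("2024-03-04 09:02:11", "mary", "read", 120_000),
    ("2024-03-05 08:55:40", "mary", "read", 95_000),
    ("2024-03-06 09:10:05", "mary", "read", 110_000),
    ("2024-03-07 08:48:22", "mary", "read", 130_000),
    ("2024-03-08 09:05:33", "mary", "read", 100_000),
    ("2024-03-09 02:14:09", "mary", "download", 4_800_000),  # off-hours bulk pull
    ("2024-03-04 13:30:00", "sam", "read", 20_000),
    ("2024-03-05 14:02:10", "sam", "read", 25_000),
    ("2024-03-06 13:45:55", "sam", "read", 22_000),
    ("2024-03-07 14:15:01", "sam", "read", 18_000),
    ("2024-03-09 10:00:00", "contractor7", "read", 5_000),  # account with no history
]


def parse_log(rows):
    """Turn (timestamp, user, action, bytes) tuples into records with datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, action, nbytes)
            for ts, user, action, nbytes in rows]


def build_baseline(records, cutoff):
    """Per-user profile (login hour range, mean and spread of daily bytes) from records before cutoff."""
    hours = defaultdict(list)
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, nbytes in records:
        if ts.date() < cutoff:
            hours[user].append(ts.hour)
            daily[user][ts.date()] += nbytes
    baseline = {}
    for user, seen_hours in hours.items():
        volumes = list(daily[user].values())
        baseline[user] = {
            "hour_lo": min(seen_hours),
            "hour_hi": max(seen_hours),
            "bytes_mean": mean(volumes),
            "bytes_sd": pstdev(volumes),
        }
    return baseline


def detect_anomalies(records, baseline, cutoff, hour_slack=1, sd_factor=3.0):
    """Flag records on/after cutoff that fall outside the user's baseline.

    Returns (user, timestamp, action, reasons). Daily volume is summed over the
    whole day so a bulk pull split across many small reads is still caught.
    """
    daily = defaultdict(int)
    for ts, user, _action, nbytes in records:
        if ts.date() >= cutoff:
            daily[(user, ts.date())] += nbytes
    findings = []
    for ts, user, action, _nbytes in records:
        if ts.date() < cutoff:
            continue
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if not (profile["hour_lo"] - hour_slack <= ts.hour <= profile["hour_hi"] + hour_slack):
                reasons.append("off-hours activity")
            limit = profile["bytes_mean"] + sd_factor * profile["bytes_sd"]
            if daily[(user, ts.date())] > limit:
                reasons.append("daily data volume above baseline")
        if reasons:
            findings.append((user, ts.isoformat(sep=" "), action, tuple(reasons)))
    return findings


def run_demo(rows=ACCESS_LOG, cutoff=date(2024, 3, 9)):
    """Baseline on everything before the cutoff date, evaluate everything from it onward."""
    records = parse_log(rows)
    return detect_anomalies(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for user, when, action, reasons in run_demo():
        print(f"{when} {user:<12} {action:<9} {'; '.join(reasons)}")
```

The standard-deviation threshold is deliberately simple; with only a few days of history the spread is small and almost any bulk transfer trips it, which is the right failure direction for a triage queue that an analyst reviews.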

No matter how secure you think your company is by implementing different kinds of solutions, Security Awareness Training should be the first priority of the company, as humans are the weakest link in the organization.

Training and raising the awareness of your employees while encouraging them to report any suspicious activity is the single greatest shield against a malicious insider threat.

How to Protect Against Insider Attacks

In order to protect against cyber attacks, the most important thing for corporate security is to mitigate insider risks. Start by putting rigorous access controls in place and limiting unnecessary access, following the principle of least privilege.

  • Establish clear security guidelines and provide staff training to encourage a vigilant culture.
  • Urge the use of strong, unique passwords that are changed frequently.
  • Keep an eye out for anomalies in user behavior, particularly regarding system logins and data access.
  • To encourage employees to raise suspicions, create a confidential reporting method.
  • When employing new employees, make sure they have undergone extensive background checks. You should also implement security safeguards for outside vendors accessing your systems. These steps can aid in defending your company from insider threats.

Your IT security staff needs to understand the importance of confidentiality and integrity in the data they process and possess. Knowing what to protect is the most critical thing when it comes to security, whether digital or physical property.

Advanced Threat Protection is essential for preventing insider threats, offering tools and technologies to identify anomalous activity, illegal access, and data exfiltration. It improves overall security by reducing the risks associated with both deliberate and unintentional insider threats.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.

Conclusion

In the present-day technological setting, shielding an organization from insider threats is vitally important. This article has emphasized the significance of taking proactive steps to identify, stop, and lessen internal security threats.

Through a focus on staff awareness, rigorous access controls, ongoing monitoring, and a solid security culture, companies can effectively mitigate the risk of insider threats.

It is critical to keep in mind that insider threats can come from a variety of sources, such as coercion, negligence, or malicious motivation.

FAQ

What is considered an insider threat?

An insider threat is a security risk that arises from people working for an organization who may, whether on purpose or accidentally, jeopardize its data, operations, or security.

What is the most common form of insider threat?

The most common form of insider threat to date is negligent employees who unintentionally jeopardize security by falling for phishing scams or misusing sensitive data. When employees click on a dangerous link in an email that appears to be from a reliable source, they may not be aware that it could result in a malware infection or data breach.

Is insider threat a vulnerability?

An insider threat is not a vulnerability in itself; it is a security risk. An employee can exploit a vulnerability, such as badge access to the server room combined with privileged access, to compromise security.

While a vulnerability represents a weakness in the organization’s defenses, an insider threat involves individuals, whether employees or contractors, who can leverage these vulnerabilities for unauthorized access, data theft, or other malicious activities.

In summary, insider threats can capitalize on vulnerabilities, making them a critical consideration for comprehensive cybersecurity.

How are insider threats detected?

Insider threats are found through active monitoring of user behavior, network activity, and data access. Sophisticated security tools, such as anomaly detection and user behavior analytics, help spot departures from known patterns and raise alerts for further investigation and mitigation. Access controls and routine audits are also essential for detection.

Bypassing Authentication: A Comprehensive Guide to Pass-the-Hash Attacks

No, this guide does not relate to any sort of attack on potato hash or anything to do with the passing of other versions of hash. This is a brief peek behind the curtain on how a hacker might exploit your account to gain privileged access to your environment with a pass-the-hash attack.

Unlike in the movies, a hacker usually doesn’t type away on the keyboard for a few seconds to crack a password. Instead, they typically don’t even need to know or decrypt your password to exploit your account. It’s all about how the attacker can move laterally through an environment, for example:

  • Mary is a receptionist for Vandelay Industries, an import company. She uses the same password for her personal and work accounts. Unfortunately for Mary, she was the victim of a phishing campaign and unwittingly gave her password to an external attacker.
  • The attacker could then log into her personal email and find key information about Mary; in particular, they discovered she had sent some recipes to her work email to print out.
  • The attacker now had a way to get Mary to install malware on her work computer. The next time the attacker saw her sending recipes to her work address, they added another email with a Word attachment carrying a payload. Mary opened it and infected the computer with remote access tools.
  • Next, the attacker got to work discovering what they had access to in the environment and where they could move laterally. They created a simple issue on Mary’s work computer that locked up her print spooler. With her printing broken, she called the help desk for assistance. The help desk engineer happily connected to her computer with their elevated account and repaired the spooler service. The attacker kept causing these small issues until Mary was given temporary local administrator access so she could keep working without always calling the help desk.
  • With these new privileges, the attacker could execute their password hash extraction tool to gather all the hashes from the system. Fortunately for the attacker, the help desk engineer had logged onto this system with their support account. With the NTLM hash of that account, the attacker was able to connect directly to one of the administrators’ jump boxes.
  • On the administrator jump box, the attacker repeated the process and gathered another account, this one with Domain Admin privileges. They then proceeded to exploit a Domain Controller and inject backup administrator accounts and services into the environment.

Although there are several points in this scenario where mitigation could have stopped the attacker, this kind of lateral movement and social engineering is not an unlikely event in the workplace.

Disclaimer: The technical steps outlined in this article are to be used for educational purposes only. We do not condone the use of these pass-the-hash attack examples for illegal or nefarious actions.

What Is Pass-the-Hash (PtH)?

Pass the Hash (PtH) is the method of capturing “hashed” user credentials and exploiting authentication protocols to gain lateral access to other systems. The term Pass the Hash is taken from the fact that the hashed password doesn’t need to be decrypted into plain text for authentication systems to accept the user session.

Instead, this password hash can be reused to generate new sessions as the user, as the hash will remain static until the password is rotated.

How Does a Pass-The-Hash Attack Work?

The entry point for an attacker can vary, sometimes from malware or baiting attacks, but more commonly it is gained via some form of social engineering. In most scenarios, the target has been the victim of a phishing or spear phishing attack, through which the attacker gains credentials or access to the system.

Once on the system, the attacker will scrape the system for hashes of every account logged into that machine. These hashes can be stored within the LSASS process memory, Windows Memory dumps, Page Files, Credential Manager, and SAM registry hives.

To extract these hashed passwords, an attacker can use tools such as Mimikatz to pass the extracted hashed password back to the authenticator and successfully authenticate.

Pass-the-Hash Attack Examples

The best way to understand proactive methods and mitigation strategies for pass-the-hash attacks is to show an example of how these tools can be utilized. For educational purposes, we have outlined the steps in a pass-the-hash tutorial for the more common method of hash extraction from LSASS.

Extract the Hash

The first step we must consider is extracting an NTLM hash. This can then be passed back to authentication systems to allow us access to privileged systems. The tool we will use for these examples is Mimikatz.exe, and we will run the following commands to elevate and extract the hashes and simulate the pass-the-hash attack.

  1. Run Mimikatz.exe as an administrator and grant the current account permission to debug processes:
    privilege::debug
  2. We then want to list all the active user sessions and their hashes:
    sekurlsa::logonPasswords full

As we can see, a user called “notadadmin” has an RDP session on this computer. We can capture their NTLM hash and save this for the next step.

NOTE: If a user has saved a password into Credential Manager, this can also be extracted when reviewing the outputs.

Exploit the Hash

Next, we can use our newly gathered hash to exploit some services within the domain and execute the pass-the-hash attack. We know that this user is called “notadadmin” so it’s possible they might be a domain administrator. Let’s try to create a new CMD.exe session with our new account.

  1. While still in our Mimikatz session, run the following command to create a CMD session as the user:
    sekurlsa::pth /user:<username> /domain:<domain name> /ntlm:<NTLM Hash>
  2. This will now open a new CMD window for this user. Let’s now invoke a remote session onto the domain controller within this environment. We can utilize the PsExec.exe tool to initiate a remote CMD session on the IP of the Domain Controller. To validate our access, let’s list the NTDS directory.
  3. We can also confirm that we are using the correct account with the “whoami” command. We can take it one step further and RDP onto the Domain Controller for more freedom. We can add a new registry value on the Domain Controller to enable Restricted Admin mode for RDP with the following command in PowerShell:
    New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD
  4. After successfully enabling Restricted Admin mode for RDP, we can run the following command back in Mimikatz to initiate an RDP session with the NTLM hash:
    sekurlsa::pth /user:<username> /domain:<domain name> /ntlm:<NTLM Hash> /run:"mstsc.exe /restrictedadmin"
  5. The RDP window will appear as usual with a user account already filled in. We can ignore what this says, as we have passed our desired account’s NTLM hash in the background. Click connect, and it will initiate the RDP session. We can list our accounts to validate who we are and the groups we are a member of.

How to Prevent & Mitigate Pass-the-Hash Attacks

Although we have shown how simple it can be to perform a pass-the-hash attack, it can be a little trickier in reality. In most scenarios, AV and EDR will block Mimikatz from downloading, along with restricting the execution of the process.

However, pass-the-hash detection can be difficult as the foundation of the attack is to use existing authentication mechanisms. The best way to reduce and mitigate a pass-the-hash attack is to leverage the following recommendations:

Enable Windows Defender Credential Guard

Windows 10 and above include Windows Defender Credential Guard natively. When it is enabled, the Local Security Authority Subsystem Service (LSASS) runs in a virtualization-based isolated environment, separated from the wider operating system, and only a small subset of binaries with valid Microsoft signatures may access the service.

Restrict Privileged Access accounts

Administration accounts or privileged accounts should never be used on a regular workstation. This also applies to local administration accounts or users with local admin privileges.

The best method to reduce the attack surface if an account gets compromised is to use a service such as Windows Local Administrator Password Solution (LAPS) to manage, rotate, and back up local administrator passwords.

This solution has been specifically designed to reduce the dangers of pass-the-hash attacks and exploitation of local administrator accounts.

In many networks, every client PC has the same local administrator account and password (because they were deployed from the same image), which makes lateral movement very easy. LAPS ensures each client PC has a unique local administrator password.

Zero Trust Network Architecture

This key architecture decision should be made in all modern enterprise environments. The methodology is to ‘trust nothing and no one’. Correct network segmentation and security controls ensure that end-user computer environments don’t have direct access to sensitive infrastructure, and that only the bare minimum required for client authentication is exposed.

Conclusion

In conclusion, understanding the intricacies of Pass-the-Hash attacks is crucial for bolstering cybersecurity measures. This comprehensive guide sheds light on the methods, risks, and preventive strategies associated with such attacks.

By staying informed and implementing security best practices, individuals and organizations can fortify their defenses against potential breaches, safeguarding sensitive data and maintaining the integrity of their systems.

FAQ

What are the tools for a pass-the-hash attack?

The most used tool for a pass-the-hash attack is called Mimikatz. Other tools of note are Metasploit and Invoke-TheHash.

How do you mitigate a pass-the-hash attack?

With a holistic approach to privileged access management, Zero Trust Network Architecture, and OS hardening, specifically Windows Defender Credential Guard.

What is the risk of pass-the-hash?

The risk of a pass-the-hash attack is hard to quantify, as the methods themselves are hard to detect. The best approach to take with any security mitigation is to assume that you have already been attacked and take appropriate actions to protect your environment.

What is a pass-the-hash attack, how is it executed, and which type of hash is used in this attack?

A pass-the-hash attack is the action of extracting password hashes from a system and using them to authenticate to services. In most scenarios NTLM is the primary target, as it is widely used within most organizations to access information.

How do hackers get hashes?

Hackers can exploit the Local Security Authority Subsystem Service (LSASS), dump memory to a file, extract from the page file or the Security Account Manager (SAM) registry hive, or even read saved passwords from Credential Manager. Some of the main tools attackers use to execute a pass-the-hash attack are Mimikatz, Invoke-TheHash, and Metasploit.

Boosting Safety Through Cyber Threat Intelligence to Secure Your Digital Space

In an age where the digital landscape is continually evolving, businesses and individuals alike face increasing threats from a myriad of cyber adversaries. To navigate these challenges, there has been a growing emphasis on the value of threat intelligence in the cybersecurity domain.

But what exactly is threat intelligence, and why has it become a cornerstone of contemporary cyber defense strategies? In this article we’ll look at threat intelligence (TI), the different flavors of threat intelligence, how it can be operationalized in a business, and the different stakeholders that can benefit from it.

Understanding Cyber Threat Intelligence

At its core, cyber threat intelligence (CTI) is a comprehensive understanding of potential threats that could target an organization or individual. This knowledge isn’t merely about being aware of possible cyber threats, but it encapsulates the wider context in which these threats operate. It dives into the motivations, Tactics, Techniques, and Procedures (TTPs) used by threat actors.

CTI is derived from an analysis of both raw and processed data. The data’s source can range from open sources (like news articles or blogs) to dark web forums and technical data from internal and external threat feeds. The ultimate aim is to convert this vast amount of data into actionable intelligence that can guide both strategic and tactical decisions.

Obviously, the concept and application of threat intelligence will differ greatly between smaller and larger organizations.

For very small SMBs, threat intelligence may simply mean being aware that there are threat actors who pose a cyber threat to them and perhaps (if they can afford it) outsourcing their cyber security to a provider, such as a Managed Security Service Provider (MSSP) or a Managed Service Provider (MSP). That provider will then use threat intelligence as described in this article to keep its clients safe.

Larger organizations with their own security team and cybersecurity professionals will have a different approach to threat intelligence.

Some teams will merely consume cyber threat intelligence prepared by external vendors in a threat intelligence platform. In even larger organizations there might be a whole team of security analysts investigating the cyber threat landscape and emerging threats, and preparing actionable cyber threat intelligence for the larger security operations teams.

The Rise and Importance of Threat Intelligence

One might wonder why threat intelligence is suddenly in the limelight. The importance of threat intelligence lies in its proactive nature. Instead of waiting for an attack to happen, organizations can use threat intelligence to anticipate potential threats and fortify their defenses accordingly.

It’s akin to having a forward scout in a battle, providing information about enemy movement, enabling an organization to anticipate and strategize instead of merely reacting.

By understanding the motivations and Tactics, Techniques and Procedures (TTPs) of adversaries, businesses can build more robust security measures that specifically target these potential weak points. This contextual information makes all the difference; it’s the transformation of a generic defense strategy into one tailored to the specific threats an organization might face.

The Threat Intelligence Lifecycle

Where the organization is large enough to have cybersecurity professionals focused on gathering threat intelligence data and producing finished threat intelligence, the process generally goes through the following phases:

  1. First the requirements are gathered from various stakeholders involved in the business.
  2. Raw threat data is collected from internal logging systems such as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), eXtended Detection and Response (XDR) and even Attack Surface Management tools. This is augmented by external threat data feeds and other publicly available data sources, information sharing communities and X (Twitter).
  3. The collected data is processed to narrow down the relevant information.
  4. In the analysis phase the filtered data is aligned with the requirements from phase one to produce actionable threat intelligence.
  5. This is then disseminated to the stakeholders in the business, such as security personnel, and senior leadership, and also perhaps shared in a threat intelligence platform.
  6. Once this threat intelligence lifecycle is complete, feedback is gathered so that the process flows smoother next time around.
(Screenshot: External Attack Surface Management, attack surface summary)

The Beneficiaries of Threat Intelligence

The benefits of threat intelligence aren’t exclusive to large corporations with vast cybersecurity infrastructures. Multiple entities, ranging from individual users to governments and multinational corporations, can reap its rewards.

For instance, IT teams can leverage threat intelligence to prioritize patch management by understanding which vulnerabilities are being actively exploited in the wild. On the other hand, executive leadership can use threat intelligence insights to steer the broader organizational cybersecurity strategy.

Furthermore, even smaller businesses, which often believe they are not prime targets for cyber-attacks, can benefit immensely from threat intelligence. With the understanding that many cyber adversaries use automated attacks, small to mid-sized businesses realize they too can be collateral damage or a stepping stone in a larger attack chain.

Delving Deeper: Types of Threat Intelligence

While threat intelligence as a concept might seem straightforward, it can be further broken down into several types:

Tactical threat intelligence

This pertains to information regarding specific tactics, techniques, and procedures used by cyber adversaries and generally focuses on the immediate future. It can be in the form of indicators of compromise (IoCs), which include IP addresses, URLs or specific malware hashes.
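To show how tactical indicators of this kind are operationalized, here is an added example in Python (not from the original article): it normalizes a defanged indicator feed, classifies each entry by type (IP address, domain, URL, file hash) and matches every type against constructed proxy, DNS, firewall and endpoint log lines, respecting token boundaries so that a partial overlap does not count as a hit. The feed entries, hostnames, addresses and log lines are constructed sample data, not real indicators.

```python
"""Operationalizing tactical threat intelligence: match IoCs against logs.

Added example, not part of the original article. Every indicator and log
line here is constructed sample data, not a real IoC.
"""
import ipaddress
import re

# Constructed tactical feed, shared in the usual defanged form.
FEED = """
# sample indicators (constructed, not real)
hxxp://update-check[.]example[.]net/payload.bin
203[.]0[.]113[.]45
malicious-login[.]example[.]org
9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
"""

# Constructed log lines from a web proxy, a DNS resolver, a firewall and an EDR agent.
LOG_LINES = [
    "2024-03-09T02:15:01Z proxy ws-reception GET http://update-check.example.net/payload.bin 200",
    "2024-03-09T02:15:02Z proxy ws-reception GET https://intranet.example.com/home 200",
    "2024-03-09T02:16:40Z dns ws-reception query malicious-login.example.org A",
    "2024-03-09T02:16:41Z fw allow tcp 10.0.5.23:51022 -> 203.0.113.45:443",
    "2024-03-09T02:17:05Z edr ws-reception file_create C:\\Users\\mary\\Downloads\\recipes.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2024-03-09T02:18:00Z fw allow tcp 10.0.5.23:51030 -> 198.51.100.7:443",
]

# Common defanging conventions and their live equivalents.
DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")]
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value):
    """Lowercase an indicator and undo defanging so it can be compared with live log text."""
    v = value.strip().lower()
    for bad, good in DEFANG:
        v = v.replace(bad, good)
    return v


def classify(value):
    """Return (type, normalized value), or None for comments, blanks and unrecognized entries."""
    v = refang(value)
    if not v or v.startswith("#"):
        return None
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_LENGTHS:
        return (HASH_LENGTHS[len(v)], v)
    if "://" in v:
        return ("url", v)
    try:
        ipaddress.ip_address(v)
        return ("ip", v)
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v):
        return ("domain", v)
    return None


def parse_feed(text):
    """Classify every line of a feed, dropping anything that is not an indicator."""
    return [item for item in (classify(line) for line in text.splitlines()) if item]


def matches(indicator, line):
    """True if the indicator occurs in the log line as a whole token (not a substring of a longer one)."""
    kind, value = indicator
    text = line.lower()
    if kind == "url":
        return value in text
    if kind in ("ip", "domain"):
        # Boundaries so 203.0.113.4 does not match 203.0.113.45, and vice versa.
        return re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", text) is not None
    # File hashes: require non-hex characters on both sides.
    return re.search(r"(?<![0-9a-f])" + re.escape(value) + r"(?![0-9a-f])", text) is not None


def hunt(feed_text, log_lines):
    """Return (kind, indicator, line number) for every log line that contains an indicator."""
    indicators = parse_feed(feed_text)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for indicator in indicators:
            if matches(indicator, line):
                hits.append((indicator[0], indicator[1], lineno))
    return hits


if __name__ == "__main__":
    for kind, value, lineno in hunt(FEED, LOG_LINES):
        print(f"line {lineno}: {kind} indicator {value}")
```

Normalizing before matching is the step most often skipped: feeds arrive with mixed case hashes and defanged URLs, and logs record the live form, so a naive string comparison silently misses everything. Matching by indicator type also keeps false positives down, since an IP address should only be compared against address fields and a domain only against host names.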

Strategic threat intelligence

This type gives a holistic view of threats, focusing on long-term trends and emerging risks. It’s essential for high-level executives and decision-makers who need to understand the bigger picture.

Operational threat intelligence

More hands-on, this type provides insights about specific operations, campaigns, or attack patterns, allowing defenders to discern potential motives and targets. It answers the who, why and how questions regarding threat groups.

Technical threat intelligence

Sometimes a fourth type is included, Technical Threat Intelligence. This is more focused on the mechanics of the early phase of an attack, often involving spear phishing, baiting and social engineering.

The Importance of Threat Intelligence

As cyber threats evolve, the reactive approach of patching vulnerabilities and recovering from breaches is proving insufficient. Threat intelligence offers a proactive stance. It’s about understanding the threat landscape, anticipating potential risks, and taking appropriate preventive measures.

One very important point to realize is that threat intelligence on its own is of limited value. To get the best value out of any of the three or four types of CTI, it must provide actionable advice. Ideally it is organization-specific, detailed, contextual to the business, and actionable.

Threat Intelligence Benefits

Anticipatory defense

By understanding the tactics and techniques of adversaries, organizations can anticipate and prevent potential threats rather than reacting post-breach.

Enhanced decision making

Knowledge is power. With accurate and timely threat intelligence, decision-makers are empowered to make informed choices regarding resource allocation, strategic planning, and risk management.

Strengthened security posture

Informed by threat intelligence, security teams can fine-tune their defense mechanisms, adopt suitable technologies, and devise appropriate security strategies.

Sources and Collection of Threat Intelligence

Effective threat intelligence is as much about quality as it is about quantity. The sources of both tactical intelligence and strategic intelligence are varied:

Open-source intelligence (OSINT)

Information derived from publicly available sources. This could be information shared on security forums, news articles, or other public domains. A good place to start is vendor reports such as Hornetsecurity’s Cyber Security Report and surveys, such as this one on ransomware.

Commercial threat intelligence

Offered by specialized providers, this kind of intelligence typically comes at a cost but offers in-depth insights, often tailored to specific industries or threat landscapes.

Internal threat intelligence

Derived from an organization’s internal security logs, traffic data, and previous incidents. This type of intelligence is unique to the organization and provides insights into specific vulnerabilities and past breaches.

Government and industry-specific sources

Governments and industry bodies often share threat intelligence pertinent to their specific sectors, ensuring organizations within their domain remain secure. Depending on the size of your organization, having a good relationship with the Information Sharing and Analysis Centre (ISAC) for your industry vertical or country is important.

The Application of Threat Intelligence

As mentioned, while having threat intelligence is one half of the puzzle, its effective application is the other half. Here’s how threat intelligence is used:

Security operations

Enhancing the efficiency of security operations centers (SOCs) by providing them with the latest information on threats.

Risk management

Assisting in the identification, assessment, and prioritization of risks.

Incident response

Informing teams about the latest threats, ensuring faster and more effective response strategies.

Awareness and training

Educating stakeholders and staff about the latest threats, ensuring everyone is informed and vigilant. Don’t forget your end users: they need regular security awareness training to ensure they catch attacks that slip through your technical controls.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, and Advanced Threat Protection to secure your critical data.

We continually work hard to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

The realm of cybersecurity is no longer just about having the most substantial walls or the most robust firewalls. It’s about understanding the enemy – their motivations, their methods, and their tools. That’s where threat intelligence shines.

With an effective threat intelligence strategy, organizations are not only more informed but are also better equipped to thwart potential cyber threats.

Given the relentless evolution of the cyber threat landscape, the importance of threat intelligence cannot be overstated. It serves as a beacon, guiding entities through the intricate maze of cyber risks, ensuring that they remain one step ahead of potential adversaries.

In an increasingly digital world, staying informed and proactive with the help of threat intelligence will be the hallmark of a robust cybersecurity strategy.

FAQ

What is cyber threat intelligence?

Cyber threat intelligence is the collected and analyzed information about potential cyber threats, including the methods, motivations, and tactics used by cyber adversaries. It offers actionable insights to organizations, allowing them to anticipate and mitigate potential cyber risks.

Why is threat intelligence important?

Threat intelligence is crucial because it enables organizations to adopt a proactive stance against potential cyber threats, rather than merely being reactive. By understanding the landscape of possible threats, organizations can tailor their cybersecurity strategies and defenses more effectively.

Who benefits from threat intelligence?

Everyone, from individual users to large corporations and governments, benefits from threat intelligence. It helps in identifying, understanding, and mitigating potential threats, thus safeguarding assets, data, and overall digital infrastructure.

Advanced Threat Protection for Evolving Email Threats

Email Security – The State of Play

On Monday morning, James in marketing at YOLO Pty Ltd sees an enticing email on his phone from a vendor that he does a lot of business with. It talks about the upcoming soccer finals being held in his city and offers two tickets for free as a thank you for being a great customer, along with a QR code link to a website to get the tickets.

James – a football fanatic – immediately scans the QR code, enters his work details and agrees to the application permissions screen that pops up.

Within a few minutes, attackers have used the OAuth permissions granted to them to gain full access to James’s Exchange Online inbox. A few hours later they’ve moved laterally from his account to others, and within 24 hours they’ve obtained full access to YOLO’s entire network. The ransomware attack follows immediately after they’ve exfiltrated private corporate data for extortion and corrupted any backups they could access.

This is a fictional scenario but everything in it matches our Security Lab’s expert investigations, including the time spans.

If James had been protected by Hornetsecurity’s Advanced Threat Protection, the malicious email would have been scanned, the QR code identified, the malicious form found, and the email would never have been delivered to James and his colleagues.

Email is by far the most common way attackers gain a foothold in your organization. And this is an ever-evolving arms race: the criminals (who are well funded and well organized) are always changing and improving their attacks, so yesterday’s defenses and yesterday’s technology are going to be bypassed.

To be protected and stay secure against new threats, you need Hornetsecurity next-gen technology in your corner, with new protections against novel attacks, such as malicious QR codes.

The news is often filled with headlines about Advanced Persistent Threats (APTs) and it seems that every organization that gets breached leads their PR response with “it was a very advanced attack”, the subtext being that it was really hard to defend against.

However, Hornetsecurity has produced many reports, along with others in the industry, showing that most successful attacks aren’t the result of some amazing, previously unknown attack vector – they’re the consequence of basic security hygiene failures, such as allowing phishing and spear phishing emails to end up in your users’ inboxes, and not having a thorough and ongoing security awareness training program for all users to strengthen the “human firewalls” throughout your business.

A variant is Business Email Compromise (BEC), where an attacker has compromised one user’s email account and monitors normal communications over a period of time, then inserts a request to, for example, change the bank account for a regular payment (to the attacker’s account).

These examples are just scratching the surface. The real challenge is new and evolving threats. Attackers are always changing and improving their lures and attacks, and with their ill-gotten gains they can afford new technologies.

For example, just like marketing departments and app makers, they’ll A/B test different emails to see which wording and approach gets the most clicks. This approach is also being augmented by AI – where we use ChatGPT to improve the language in a presentation, they might use similar technologies to generate “psychologically appealing” email lures.

All of this is to say that you need a strong team that’s ahead of the curve to make sure your users don’t have to deal with these threats, and that’s where Hornetsecurity comes in.

Attack Type Usage in 2022

An analysis conducted by Hornetsecurity’s dedicated Security Lab of 25 billion business emails found that 40.5% were unwanted, and out of that portion, 94.5% were spam, and 5% malicious.

Social engineering is a large part of the threat landscape. Email threats from 10 years ago, which were filled with spelling and grammar mistakes and clearly fake, have been replaced with psychologically appealing, cunning text playing on human nature.

Brand impersonation is another part of the risk: with so many of the cues we rely on to assess trust when we first meet someone in the real world absent in emails, a message from a trusted brand is more likely to result in that unfortunate click.

Most-used file types in malicious emails

As we saw with James, that single click can lead to your business data being encrypted, your backups corrupted, and sensitive data you hold exfiltrated and threatened to be disclosed publicly.  

There are many, many more varieties of email attacks and risks; our Cyber Security Report goes into much more depth.

Basic and Advanced Threat Protection 

To mitigate the risks outlined above you need both basic and advanced email hygiene services. The basic approach, which every vendor provides, takes care of (most of) the spam so that your users don’t have to wade through enormous amounts of junk just to find their business emails.

It’ll also catch (some of) the malicious emails and attachments but given how central email communication is to business today – catching most isn’t good enough. You need the best protection possible, and that is Hornetsecurity’s Advanced Threat Protection – a next generation security service for Microsoft 365 that provides precise and comprehensive protection against all forms of malicious emails.  

This cloud service provides excellent spam filtering and email security for both incoming and outgoing emails; you don’t want to be the unwitting spreader of malicious emails because one of your users was compromised. Both malware and malicious URLs are spotted and blocked before they can do harm.

Advanced Threat Protection goes beyond these basic services to specifically catch ransomware emails and lures, spear phishing campaigns and CEO fraud. Behind the scenes we use AI-based Targeted Fraud Forensics to spot risks that others miss.

Advanced Threat Protection also catches forged email headers, a popular attack method to make an email appear to come from someone trustworthy, when in fact it doesn’t.  

As for malicious email attachments, unless we’ve seen the file before and we know it’s benign (or malicious, in which case the email will be blocked outright), we use our proprietary Sandbox Engine to go through the steps a user would upon receiving the email, and then monitor very carefully what happens when the attachment is opened or executed, using over 500 behavioral analysis sensors.

These sensors detect attempts by the executable to check whether it’s running in a sandbox (a dead giveaway), and carefully monitor filesystem, process, memory, and registry changes to catch evidence of a malicious payload. File types such as executables, PDFs, Office files and archives (ZIP etc.) are all identified, and the engine looks at macros, embedded URLs, metadata, and JavaScript code.

If an email or attachment is identified as malicious after delivery, it’ll be automatically marked for deletion in the inboxes where it has already been delivered.

Like any good security solution, Advanced Threat Protection mostly does its work silently and provides your end users with clean inboxes, but in situations where your attention is required, such as when your organization is under targeted attack, real-time alerts are issued to your administrators.

Hornetsecurity’s complete portfolio also includes email encryption to ensure that only the sender and recipients can read the contents of sensitive emails, handling encryption keys and certificate management behind the scenes for ease of use.

If you have regulatory requirements to keep all emails for extended periods of time (6 months to 10 years), legally compliant archiving is built in. It also allows you to import data from other email systems.

365 Total Protection also provides an easy-to-use signature and disclaimer feature that lets you create individual signatures based on Active Directory user information automatically.  

QR codes – The criminal’s new best friend

A new, bleeding edge attack vector is malicious Quick Response (QR) codes and we’ve added scanning of these to keep your users safe. Remember James and his disastrous Monday?

Up until now, and in nearly all other email security solutions on the market, if the attackers included a QR code instead of a plain text link, it would have just been seen as a benign picture and not set off any alarms.

With Advanced Threat Protection, and the new QR Code Analyzer this gap has now been firmly closed.  

QR codes are a very popular way for businesses worldwide to advertise and engage customers and potential buyers: “just scan this code and receive a $5 voucher on your first purchase”. It’s amazing to think they were invented all the way back in 1994 in Japan.

They are everywhere; this one, for example, takes you to Hornetsecurity’s homepage.

QR Code example

How popular are QR codes in marketing today? Bitly published a report filled with interesting statistics, but in summary, they saw 152% growth in their use in 2022, with Finance, Healthcare and Government Services seeing huge growth that year.

People are scanning QR codes more and they link to more diverse content, not just a single website. There are now QR codes that lead to coupons, events, social media content and marketing video content.  

This means end users are becoming more and more accustomed to scanning QR codes and expecting “something good” at the end of it. This is a perfect opportunity for criminals to hide their malicious links in innocuous looking picture files and bypass protections – except if you have Advanced Threat Protection guarding you.  

Our scanner looks for QR codes in GIF, JPEG, PNG, and BMP image files in emails, extracts both URLs and text from them, analyzes them, and only allows the email to be delivered if it’s benign.

There’s no configuration of the QR code scanner in Advanced Protection’s Control Panel; it’s simply turned on and protecting all your users, just like any good security service.

Secure Links

Speaking of scanning links, Advanced Threat Protection has had URL Rewriting and scanning for a long time; the new version is called Secure Links and uses a new engine.

Using Hornetsecurity’s secure web gateway, it doesn’t just scan the links in emails; it also “visits” the website and recursively scans links to establish whether the site presents a risk to your users, and of course blocks access if it does. Most importantly, it does the check at the time the user clicks the link, not just when the email was delivered.

Sometimes attackers will compromise a site but not change anything until after their emails have been delivered, making time of click protection paramount.

Security Awareness Service

No security service is perfect, there’s always a chance that something will slip through even the strongest net, so you need to add another layer of defense – your end users.

Hornetsecurity’s Security Awareness Service provides simulated phishing emails to train users to be wary, and not fall for lures, plus follow up short e-learning content to help cement the knowledge.

Unlike other solutions, administration of the system is very lightweight; it’s mostly a “set and forget” solution that uses an Employee Security Index to identify users most likely to click on links without hesitation and increases their training.

Mailbox Migration Tool

There’s no doubt that hosting your email inboxes in Exchange Online is more secure than hosting them on-premises, especially given several high-profile vulnerabilities that were exploited in 2021, 2022 and now in 2023. To assist with your migration, Hornetsecurity now offers an easy-to-use Mailbox Migration Tool.

Once your users are onboarded in Control Panel, a simple Azure AD Application is configured with OAuth permissions and you can start migrating mailboxes to the cloud, which could take some time, depending on the number of mailboxes and their size. Once they’re migrated you can enable 365 Total Protection for them.  

Harness Next-Generation Security

Specifically designed for Microsoft 365, Hornetsecurity’s 365 Total Protection offers comprehensive protection for a wide range of Microsoft cloud services.

It is easy to set up, seamlessly integrates with your existing Microsoft 365 environment and is extremely intuitive to use. 365 Total Protection simplifies and strengthens your IT security management from the very start. 

Detecting and Preventing Password Spraying Attacks

Passwords are a common way of logging into a system, service, or application. They are typically used in combination with usernames to confirm user identity and gain access to target systems. Even though many of us know passwords should be strong and frequently changed, we don’t always follow the best practices until it is too late.

There are several mistakes that lead to password attacks including weak passwords, password reuse, lack of policies, and others. Using the same password on multiple systems is problematic and opens the door for password spraying attacks.

In this article, we will discuss password spraying attacks, talk about the process, compare it to credential stuffing and brute force attacks, and give you some tips on how to strengthen your credentials.

What is a password-spraying attack?

In 2018, an Iranian hacker group compromised six terabytes of sensitive documents from Citrix using password-spraying attacks. They deployed commonly used passwords across different devices, gaining access to systems and potentially introducing ransomware.

A password-spraying attack is a type of attack where attackers attempt to access a target device or system by using the most common passwords. In practice, an attacker takes a common password, e.g. “pass@123”, and sprays it across multiple devices, systems, and applications.

If the attempt is not successful, attackers would take a different password and repeat the process until they gain access to the target systems.

Some of the common passwords are password1, a1b2c3, qwerty, 1q2w3e4r, 1qaz2wsx, and others. The list of common passwords can be easily found on the Internet.

Password Spraying vs. Credential Stuffing vs. Brute Force Attacks

There are different types of password attacks, including password spraying, credential stuffing, and brute force attacks. Sometimes they might look like the same type of attack, but they are not. We already clarified password spraying, so we can move on to the next one: credential stuffing.

Credential stuffing is a type of attack where attackers try to use valid breached credentials to access different applications. Practically, an attacker would obtain the list of breached (stolen) passwords from the Internet with valid usernames and passwords and attempt to log in to the target system.

Credential stuffing attacks rely on users using the same password for multiple different targets. In January 2023, 35,000 PayPal accounts were hacked using a credential-stuffing attack.

On the other hand, brute force attacks are a method of using a list of different passwords to get into the system. Practically, an attacker would take a list of passwords and use them against the target one by one. These lists of passwords are available on the Internet and include millions of different combinations for different targets.

In the screenshot below, you can see there are 8932 potential passwords for Hotmail accounts, 2441 passwords for Facebook, and some other examples.

Wordlists for brute-force attacks

How Password Spraying Attacks Are Carried Out

A password spraying attack is a four-step process. First, an attacker identifies the potential target, user, or organization. The choice is based on various factors, including motivation, opportunity, reputation, profit, and others.

Once the attacker chooses the target, he or she collects the password list on the internet. Password lists can include common passwords, dictionary words, or previously breached passwords.

In the third step, an attacker performs user enumeration as part of the initial stage in the cyber kill chain and attempts to use a valid username, potentially facilitating the deployment of a computer worm.

Today, it is not that difficult to find potential SSO accounts, because much information is available on social media, forums, and different channels. Unfortunately, there are also companies that sell our data to third parties.

In the fourth step, an attacker executes password-spraying attacks and tries to log in to different systems, services, and applications using a single username and multiple passwords, and vice versa. These usernames and passwords are based on step two.

During a password spraying attack, an attacker often intentionally introduces delays to avoid account lockout and detection by an IDS (Intrusion Detection System). Attackers also monitor the result of the attack.

In the last step, if attackers (we hope not) access the target system, they perform malicious activities such as installing malware or spyware, stealing data, encrypting files, and others.

How to Detect Password Spraying Attacks

Strong IT security is a must.

In the first place, you should ensure that end users are well-trained and understand the importance of a strong password policy. You can achieve that through ongoing cybersecurity training.

Our Security Awareness Service helps you train your users and keep them engaged with different security simulations. That includes phishing attacks spread via phishing email, SMS, or QR code scams, social engineering, supply chain attacks, and other attacks. These are among the ways attackers steal credentials and then gain access to a system or expose them online.

Monitoring and logging are some of the best proactive ways to detect password-spraying attacks. They help to detect failed login attempts and inform the IT Administrator accordingly. For example, if there are 5 unsuccessful login attempts, the password policy locks out the user account, and the network monitoring solution triggers an alarm to the IT Administrator.

You can also establish a baseline of user behaviour, learning typical login times, locations, IPs, and patterns, and act on anomalies: for example, trigger a CAPTCHA if there is a high number of login attempts from a single IP.

In case there is unusual behaviour in your organization, your SIEM (Security Information and Event Management) will pick it up.

You can also implement IDS (Intrusion Detection System) and Web Application Firewall (WAF) to detect and prevent malicious traffic from coming to your network.
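The detection logic this section describes, as an added example rather than Hornetsecurity’s own tooling, run over a constructed authentication log: it flags accounts that hit the five-failure lockout threshold, one source hammering one account (brute force), and the spray signature that per-account counting misses, namely one source failing only once or twice against many different accounts. The log format, the thresholds and the sample IPs and usernames are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format, one event per line:
#   <ISO timestamp> <source IP> <username> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2023-10-02T08:00:01 203.0.113.7 alice FAILURE
2023-10-02T08:01:10 203.0.113.7 bob FAILURE
2023-10-02T08:02:20 203.0.113.7 carol FAILURE
2023-10-02T08:03:30 203.0.113.7 dave FAILURE
2023-10-02T08:04:40 203.0.113.7 erin FAILURE
2023-10-02T08:05:50 203.0.113.7 frank SUCCESS
2023-10-02T08:00:05 198.51.100.9 alice FAILURE
2023-10-02T08:00:06 198.51.100.9 alice FAILURE
2023-10-02T08:00:07 198.51.100.9 alice FAILURE
2023-10-02T08:00:08 198.51.100.9 alice FAILURE
2023-10-02T08:00:09 198.51.100.9 alice FAILURE
2023-10-02T08:00:10 198.51.100.9 alice FAILURE
2023-10-02T08:10:00 192.0.2.44 bob FAILURE
2023-10-02T08:10:30 192.0.2.44 bob SUCCESS
"""

# Assumed thresholds; the lockout value follows the text's "5 unsuccessful attempts".
LOCKOUT_THRESHOLD = 5        # failures on one account before lockout
SPRAY_MIN_ACCOUNTS = 5       # distinct accounts failed from one source IP ...
SPRAY_MAX_PER_ACCOUNT = 2    # ... with only a few attempts per account (stays under lockout)
WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "SUCCESS"})
    return events


def analyze(events, window=WINDOW):
    """Classify failed-login activity within the window ending at the latest event.

    Returns a dict with three lists:
      lockouts    - accounts whose total failures reached LOCKOUT_THRESHOLD
      brute_force - (ip, user) pairs where one source hammers one account
      sprays      - source IPs that fail a few times each against many accounts,
                    together with any account that source then logged into
    """
    end = max(e["ts"] for e in events)
    recent = [e for e in events if end - e["ts"] <= window]

    fails_by_user = defaultdict(int)
    fails_by_ip_user = defaultdict(int)
    success_by_ip = defaultdict(set)
    for e in recent:
        if e["ok"]:
            success_by_ip[e["ip"]].add(e["user"])
        else:
            fails_by_user[e["user"]] += 1
            fails_by_ip_user[(e["ip"], e["user"])] += 1

    lockouts = sorted(u for u, n in fails_by_user.items() if n >= LOCKOUT_THRESHOLD)
    brute_force = sorted(k for k, n in fails_by_ip_user.items() if n >= LOCKOUT_THRESHOLD)

    # Spray signature: many distinct accounts, low failure count per account.
    # A per-account lockout rule never fires on this pattern, which is the point.
    per_ip = defaultdict(dict)
    for (ip, user), n in fails_by_ip_user.items():
        per_ip[ip][user] = n
    sprays = []
    for ip, users in per_ip.items():
        if len(users) >= SPRAY_MIN_ACCOUNTS and max(users.values()) <= SPRAY_MAX_PER_ACCOUNT:
            sprays.append({"ip": ip, "accounts_tried": len(users),
                           "compromised": sorted(success_by_ip.get(ip, set()))})
    return {"lockouts": lockouts, "brute_force": brute_force, "sprays": sprays}


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    print("lockouts:", result["lockouts"])        # ['alice']
    print("brute force:", result["brute_force"])  # [('198.51.100.9', 'alice')]
    for s in result["sprays"]:                    # 203.0.113.7 tried 5 accounts, got into frank
        print(f"spray from {s['ip']}: {s['accounts_tried']} accounts, compromised {s['compromised']}")
```

In a real deployment the same three rules would run in the SIEM over a sliding window, with the spray rule keyed on source IP or, for distributed sprays, on a shared user agent or the narrow set of passwords tried.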

How to Prevent Password Spraying

There are several ways that can help personal and business users to prevent password spraying attacks. Firstly, IT Administrators should ensure that different password policies are enforced in the organization. Some of the common password policies are as follows.

Password length

Password length policy defines a minimum number of characters for your password. For example, according to Microsoft a strong password is at least 12 characters long, but 14 or more is better.

Password complexity

Password complexity policy requires passwords with a combination of lowercase, uppercase, numbers, and special characters. A long and complex password is difficult to hack.

Password history policy

Password history policy prevents users from reusing their old password. This is important since old passwords might be leaked on malicious sites.

Password aging policy

Password aging policy requires changing passwords at regular intervals, for example, every 6 months.

Account lockout policy

Account lockout policy temporarily locks out an account after a set number of unsuccessful login attempts.

MFA – multi-factor authentication

On top of a strong password, you should also implement multi-factor authentication (MFA). Multi-factor authentication provides additional layers of security such as a PIN, biometric authentication, or a physical device.

The next level of protection is passwordless authentication. This includes FIDO (Fast Identity Online) keys and biometric solutions such as Windows Hello for Business. You can find this and more information in our Cyber Security Report.

If your business services are exposed to the Internet, you should implement CAPTCHAs. CAPTCHAs help to distinguish humans from machines, and they help prevent bots from trying different passwords on the target system or service.

How Password Spraying Affects Business

Many organizations are using SSO (Single Sign On) for different systems, and these are potential targets for password spraying attacks. If an attacker obtains the password for any one service, they can execute a password spraying attack and try to access other relevant systems and services. This can cause a lot of trouble for the organization, its data integrity, and its reputation.

There are several negative effects on companies that are victims of password-spraying attacks. If accounts are compromised, there is a high probability that attackers also compromised the data. That leads to data breaches, loss of intellectual property, financial loss, reputation damage, operational disruption, and legal issues.

It is crucial to implement the abovementioned password policies to ensure password safety.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, Spam & Malware Protection, and Advanced Threat Protection to secure your critical data.

We continually work hard to give our customers confidence in their Email Encryption and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

We encourage you to check our ransomware attacks survey.

Conclusion

Passwords in combination with usernames help us to confirm user identity and log in to target systems. When an attacker gains access to a target device, this often leads to a data breach.

There are different password attacks, including password spraying, credential stuffing and brute force attacks. A password spraying attack uses commonly known passwords and sprays them across the devices in the organization. This is what differentiates password-spraying attacks from brute-force attacks.

There are different ways to protect your targets against password spraying attacks including strong password policies such as password length, password complexity, password history, password aging, and account lockout policy. On top of that, using multi-factor authentication (MFA) and password-less authentication is highly recommended.

Additionally, implementing CAPTCHA to differentiate humans from machines helps to avoid bots executing password attacks.

This article is about password spraying attacks, the back-end process, and how to stay safe.

FAQ

What is an example of a password spraying attack?

An example of a password-spraying attack is when the attacker uses one password (such as Hack#666) against multiple accounts on a given application. This is performed to evade account lockouts, which generally result from an attempt to brute force a single account with an array of passwords.

What is the success rate of password spraying?

The success rate of password spraying is estimated to be approximately 1% for accounts without password protection in place.

What are the effects of password spraying?

Password spraying effects are as follows:

  • compromised accounts;
  • data breaches;
  • unauthorized access;
  • account lockouts;
  • resource consumption;
  • legal consequences.

If the victim uses the same password for multiple accounts, a successful spraying attack grants the attacker access to all those accounts.

SSO and federated authentication systems are particularly vulnerable to these attacks since a single password can provide access to multiple assets or accounts. In such cases, a compromised account can quickly compromise various systems and business accounts, making these attacks highly damaging.