Every quarter, Cisco Talos Incident Response publishes a summary of notable trends from the cases it works. The attacks, techniques and methodologies that Talos observes help shape and inform the many protections that Cisco customers use every day. Part of their work in this area helps advance Talos' principle of "see once, block everywhere".
Here are some of the key takeaways from this quarter:
- Valid accounts: Starting in December 2024, attackers sprayed passwords to obtain initial access using valid accounts. This can also disrupt the organization by locking out legitimate users. In addition, in 100% of ransomware engagements, the accounts involved either did not have multi-factor authentication (MFA) or MFA was bypassed during the attack.
- Initial access: Where it could be determined, initial access came primarily from exploitation of public-facing applications, accounting for 40% of engagements (overtaking valid accounts for the first time in a year).
- Dwell time: Attackers spent 17 to 44 days inside the environment before deploying ransomware, escalating their access to sensitive data and their impact on the organization. Longer dwell times may indicate the adversary's efforts to expand the scope of their attack, to identify data they may consider exfiltrating, or simply to evade defensive measures.
- Escalating access: Once attackers had gained access, remote access tools were used in 100% of ransomware engagements (up from 13% the previous quarter), enabling lateral movement.
- Causing damage: The data showed an increase in data-theft extortion focused on the individuals who would be most affected if the data were made public. New tools and techniques also improve bad actors' ability to obtain remote access.
The latest Talos Incident Response quarterly report highlights the need for layered user protection, as well as detection and response capabilities across multiple technologies and systems. At Cisco, we have developed both a User Protection Suite, to provide proactive protection, and a Breach Protection Suite, which provides visibility across products to protect against the same attacks Talos observed.
Valid accounts
It is essential not only to have MFA deployed across your organization, but also to have strong MFA that is difficult to bypass. Within the User Protection Suite, Duo provides broad MFA coverage to ensure that all users, including vendors, and all applications, including legacy applications, can be easily protected with MFA. This includes protocols such as Remote Desktop Protocol (RDP), which attackers targeted in their password-spraying attempts.
Complete MFA coverage is a good first step, but the type of MFA deployed also matters. With risk-based authentication, Duo can recognize when a login is new or suspicious and, in real time, step the user up to stronger forms of verification, including Verified Duo Push, which requires the user to enter a code. As a best practice, organizations should modernize authentication to phishing-resistant, passwordless methods wherever possible, so that passwords are removed from MFA entirely and verification instead relies on user biometrics and trusted devices.
Finally, to evaluate your current identity security, Cisco Identity Intelligence can analyze the organization's entire identity ecosystem to assess MFA deployment and find gaps in coverage, or accounts protected only by weak MFA forms such as one-time passcodes. With these strong protections in place for trusted users, organizations can block attacks and keep legitimate users from being locked out of their accounts.
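As an added illustration (not code from this post or from any Cisco product), the following Python detector looks for the password-spraying pattern described above in RDP logon records: many distinct accounts, few attempts each, from a single source, followed by a successful logon that signals a compromised valid account. The records are constructed sample data modelled on Windows Security event fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields:
# (timestamp, EventID, TargetUserName, source IP, LogonType).
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# These are made-up events for the example, not data from the Talos report.
SAMPLE_EVENTS = [
    ("2024-12-03T02:10:00", 4625, "alice", "203.0.113.7", 10),
    ("2024-12-03T02:10:05", 4625, "bob", "203.0.113.7", 10),
    ("2024-12-03T02:10:09", 4625, "carol", "203.0.113.7", 10),
    ("2024-12-03T02:10:14", 4625, "dave", "203.0.113.7", 10),
    ("2024-12-03T02:10:20", 4625, "erin", "203.0.113.7", 10),
    ("2024-12-03T02:10:26", 4625, "frank", "203.0.113.7", 10),
    ("2024-12-03T02:12:00", 4624, "carol", "203.0.113.7", 10),  # spray succeeded
    ("2024-12-03T08:00:00", 4625, "alice", "192.0.2.50", 10),   # one user mistyping
    ("2024-12-03T08:00:10", 4625, "alice", "192.0.2.50", 10),
    ("2024-12-03T08:00:30", 4624, "alice", "192.0.2.50", 10),
]


def detect_password_spray(events, window_minutes=15, min_users=5, max_per_user=2):
    """Return {source_ip: {"users": [...], "compromised": [...]}} for each source
    whose failed RDP logons inside one time window touch at least min_users
    distinct accounts with at most max_per_user attempts each (the spray
    shape), plus any of those accounts that later logged in from that source."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, event_id, user, src, logon_type in events:
        if logon_type == 10:  # only RDP logons are of interest here
            by_src[src].append((datetime.fromisoformat(ts), event_id, user))
    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        failures = [(t, u) for t, e, u in recs if e == 4625]
        for i, (start, _) in enumerate(failures):
            per_user = defaultdict(int)
            for t, u in failures[i:]:
                if t - start <= window:
                    per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                compromised = sorted({u for t, e, u in recs
                                      if e == 4624 and t >= start and u in per_user})
                findings[src] = {"users": sorted(per_user), "compromised": compromised}
                break  # one finding per source is enough for an alert
    return findings
```

A single user failing twice and then succeeding (192.0.2.50) is not flagged, while the six-account burst from 203.0.113.7 is, together with the account that subsequently authenticated.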
Initial access, dwell time and escalation
While there are steps organizations can take to strengthen their defenses against initial access through valid accounts, the rise in exploitation of public-facing applications may seem harder to address. Organizations must therefore adhere to zero trust principles to protect data and resources in the event of a breach. Cisco's User Protection Suite also includes Secure Access, which provides both Secure Internet Access and Zero Trust Network Access.
With Secure Internet Access, users are protected from malicious content by intrusion prevention (IPS) and remote browser isolation (RBI). If a user reaches a compromised web server with known vulnerabilities, IPS can analyze the network traffic and use signature-based and other detections to identify malicious behavior and protect the user from potential threats in real time. In addition, RBI lets users browse the Internet safely by moving their browsing activity off their machine and into the cloud. That way, if a user accidentally clicks on a malicious application, RBI isolates the web traffic.
Once attackers had gained access, 50% of them used remote access tools to move laterally. This is where dwell time grows, as attackers map the network and reach sensitive resources. It is therefore important that organizations begin adopting a zero trust network access (ZTNA) architecture that limits access to applications.
With Secure Private Access, organizations can deploy ZTNA to ensure that users gain access only to the resources they need to do their jobs and to prevent lateral movement, including protecting protocols such as RDP access to private resources. For further protection against lateral movement, ZTNA access to RDP can be paired with Duo Trusted Endpoints. This ensures that only trusted or known devices can reach private resources, while risky or unknown devices are blocked.
Damage
Ransomware was the top threat in Talos IR's Q4 engagements, increasing from what was seen in the previous quarter. This type of attack is constantly evolving to breach defenses more easily and more stealthily, extend the attack and cause meaningful damage to organizations. Clever use of social engineering proved to be a strong tactic with devastating results. Talos found attackers impersonating trusted parties to manipulate end users into unknowingly sharing sensitive information. In these double-extortion attacks, posing as a trusted entity is a common tactic that not only leads to data loss and potential extortion, but also facilitates lateral movement within the network.
In these scenarios and in general, detection speed is critical to minimizing damaging effects. Secure Email Threat Defense uses sophisticated AI-driven social graphing to understand the relationships between senders inside and outside the organization. This helps identify anomalies that could indicate cause for concern. And because Email Threat Defense analyzes the entire content of the message, a request to share information or credentials is quickly flagged as malicious. By understanding message intent, these types of ransomware-driven emails would be quarantined before they reach the end user's inbox.
Telemetry from these incidents is automatically integrated into Cisco XDR to provide quick and comprehensive visibility into potential lateral movement and damage throughout the organization. The strength of these products working together is enhanced by their inclusion in Cisco's Breach Protection Suite. The suite empowers security teams to simplify operations and accelerate incident response across the most exploited attack vectors, including email, endpoints, network and cloud. It provides unified visibility across multiple telemetry sources and uses AI for improved threat detection, efficient security operations and greater efficiency.
Talk to an expert to find out how these products can defend your organization against the most common and virulent attacks.
We'd love to hear what you think. Ask a question below and stay connected with Cisco Secure on social!