Stay informed about the latest cybersecurity trends with Elastic’s Global Threat Report. Explore insights on ransomware, malware, and cloud security, and learn how to bolster your defenses in today’s evolving digital landscape.
Elastic®, the firm responsible for Elasticsearch®, has unveiled its second Elastic Global Threat Report, which has been issued by Elastic Security Labs. Drawing upon insights derived from over 1 billion data points collected in the past year, the report highlights several noteworthy trends, including the expansion and diversification of ransomware, the prevalence of malware infections on Linux systems, and the integral role of credential access techniques in cloud intrusion.
Key takeaways from the report include:
Trends in Malware:
The report notes that the majority of observed malware consists of a small selection of highly prevalent ransomware families and commercially available off-the-shelf (COTS) tools. With financially motivated threat communities increasingly embracing malware-as-a-service (MaaS) capabilities, the report emphasizes the importance of substantial investments in security functions capable of uncovering previously undisclosed threats through broad visibility of low-level behaviors.
The most commonly identified ransomware families, including BlackCat, Conti, Hive, Sodinokibi, and Stop, account for approximately 81% of all ransomware activities according to signatures.
COTS malware capabilities, such as Metasploit and Cobalt Strike, contribute to 5.7% of all signature events, with these families responsible for nearly 68% of infection attempts on Windows.
Approximately 91% of malware signature events are associated with Linux endpoints, while Windows endpoints represent only about 6% of these events.
Endpoint Behavior Patterns:
Sophisticated threat groups increasingly avoid detection by retreating to edge devices, appliances, and platforms where visibility is minimal. The report underscores the need for enterprises to assess the tamper-resistant qualities of their endpoint security sensors and to monitor for vulnerable device drivers used to disable security technologies, a concern that applies especially to organizations with substantial Windows environments.
When considering Execution and Defense Evasion together, these elements account for over 70% of all endpoint alerts.
The report reveals that Windows endpoints are most frequently targeted, with 94% of all endpoint behavior alerts attributed to Windows, followed by macOS at 3%.
macOS-specific credential dumping accounts for a staggering 79% of all credential access techniques employed by adversaries, a 9% increase over the previous year. In Windows environments, the report observes that ProcessDump.exe, WriteMiniDump.exe, and RUNDLL32.exe are the tools used in over 78% of these attempts.
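The three executables named above are the kind of low-level behavior the report says defenders need visibility into. The following is an added example, not code from Elastic or the report: it runs a simple classifier over constructed Windows process-creation events and flags the two dedicated dump tools by image name, while only flagging rundll32.exe (which is ubiquitous and otherwise benign) when its command line references a memory-dump export or lsass. The event field names (host, image, command_line) are assumptions modelled on a generic process-creation telemetry schema.

```python
"""Flag process-creation events consistent with credential dumping on Windows.

Added example, not from the Elastic report. The events below are constructed
and the field names (host, image, command_line) are assumed, not a real schema.
"""
import re
from typing import Optional

# Dedicated dump tools the report names as the most common on Windows.
DUMP_TOOLS = {"processdump.exe", "writeminidump.exe"}

# rundll32.exe runs constantly on a healthy host, so it is only interesting
# when its arguments point at a minidump export or at lsass, the process
# that holds cached credentials.
RUNDLL32_SUSPICIOUS = re.compile(r"minidump|lsass", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lowercase file name from a Windows (or mixed-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    name = image_name(event.get("image", ""))
    cmd = event.get("command_line", "")
    if name in DUMP_TOOLS:
        return f"credential-dump-tool:{name}"
    if name == "rundll32.exe" and RUNDLL32_SUSPICIOUS.search(cmd):
        return "rundll32-memory-dump"
    return None


def scan(events: list) -> list:
    """Run classify() over a batch and return (host, label) pairs for hits."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.get("host", "?"), label))
    return hits


# Constructed sample telemetry (not real data). The DLL name in the third
# event is a placeholder; only the MiniDump/lsass tokens drive the match.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"host": "ws02", "image": r"C:\Temp\ProcessDump.exe",
     "command_line": r"ProcessDump.exe -pid 712 -o out.dmp"},
    {"host": "ws03", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe placeholder.dll MiniDump 712 C:\Temp\lsass.dmp"},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

In production the image-name check should be backed by file hashes or signer information, since a renamed binary defeats a name match; the rundll32 rule deliberately keys on arguments rather than the host binary for that reason.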
Cloud Security Developments:
In a world where businesses are increasingly transitioning their resources from on-premises to hybrid or entirely cloud-based settings, threat actors are capitalizing on misconfigurations, lax access controls, unsecured credentials, and a lack of adherence to the principle of least privilege (PoLP). The report underscores the importance of reducing the risk of compromise by implementing existing security features provided by cloud providers and monitoring common credential abuse attempts.
For Amazon Web Services, the report highlights defense evasion (38%), credential access (37%), and execution (21%) as the most prevalent tactics tied to threat detection signals.
Approximately 53% of credential access events are linked to compromised legitimate Microsoft Azure accounts.
Microsoft 365 experiences a high incidence of credential access signals, accounting for 86% of such events.
Google Cloud sees 85% of its threat detection signals related to defense evasion.
Discovery comprises around 61% of all Kubernetes-specific signals, primarily related to denied service account requests.
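Denied service account requests are visible in the Kubernetes API server audit log, which is where a defender would go to confirm the Discovery pattern the report describes. The following is an added example, not code from Elastic or the report: it parses constructed audit log lines in the layout of the Kubernetes audit Event (user.username, verb, objectRef, responseStatus.code and the authorization.k8s.io/decision annotation), tallies denied requests per service account, and flags accounts whose denied read-only calls (list/get/watch) reach a tunable threshold. The threshold value and the sample records are assumptions.

```python
"""Summarise denied service-account requests from Kubernetes audit log lines.

Added example, not from the Elastic report. Records are constructed; the
field layout follows the Kubernetes audit Event schema.
"""
import json
from collections import defaultdict

SA_PREFIX = "system:serviceaccount:"
DISCOVERY_VERBS = {"list", "get", "watch"}


def parse_audit_lines(lines):
    """Yield audit events (dicts), skipping blank or non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def denied_by_service_account(events):
    """Return {service_account: {verb: count}} for requests RBAC denied.

    A denial is recognised by responseStatus.code == 403 or by the
    authorization.k8s.io/decision=forbid annotation the apiserver attaches.
    """
    denied = defaultdict(lambda: defaultdict(int))
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        if not user.startswith(SA_PREFIX):
            continue
        code = ev.get("responseStatus", {}).get("code")
        decision = ev.get("annotations", {}).get("authorization.k8s.io/decision")
        if code == 403 or decision == "forbid":
            denied[user][ev.get("verb", "?")] += 1
    return {sa: dict(verbs) for sa, verbs in denied.items()}


def flag_discovery(denied, threshold=3):
    """Service accounts whose denied list/get/watch calls reach the threshold.

    Repeated denied read-only verbs are the pattern the report groups under
    Discovery; the threshold of 3 is an assumed tuning value, not a standard.
    """
    flagged = []
    for sa, verbs in denied.items():
        n = sum(c for v, c in verbs.items() if v in DISCOVERY_VERBS)
        if n >= threshold:
            flagged.append((sa, n))
    return sorted(flagged, key=lambda t: -t[1])


def _rec(user, verb, resource, code):
    """Build one constructed audit record as a JSON line."""
    return json.dumps({
        "kind": "Event", "stage": "ResponseComplete",
        "user": {"username": user}, "verb": verb,
        "objectRef": {"resource": resource},
        "responseStatus": {"code": code},
        "annotations": {"authorization.k8s.io/decision":
                        "forbid" if code == 403 else "allow"},
    })


# Constructed sample audit log (not real data).
SAMPLE_LOG = [
    _rec("system:serviceaccount:default:app", "list", "secrets", 403),
    _rec("system:serviceaccount:default:app", "list", "pods", 403),
    _rec("system:serviceaccount:default:app", "get", "configmaps", 403),
    _rec("system:serviceaccount:default:app", "get", "pods", 200),
    _rec("system:serviceaccount:kube-system:ctrl", "list", "nodes", 200),
    _rec("system:serviceaccount:kube-system:ctrl", "create", "pods", 403),
    _rec("kubernetes-admin", "list", "secrets", 200),
    "not json",
]


def analyse(lines):
    """Return (denied-per-account table, flagged accounts) for a log."""
    denied = denied_by_service_account(parse_audit_lines(lines))
    return denied, flag_discovery(denied)


if __name__ == "__main__":
    denied, flagged = analyse(SAMPLE_LOG)
    for sa, verbs in denied.items():
        print(sa, verbs)
    for sa, n in flagged:
        print(f"DISCOVERY? {sa}: {n} denied read-only requests")
```

A single denied request is usually a misconfigured RoleBinding; the signal worth investigating is one account probing many resource types in a short window, so a real deployment would add a time bound to the tally and enrich each hit with the source pod from objectRef and the request's namespace.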
Jake King, head of security intelligence and director of engineering at Elastic, comments on the evolving threat landscape, describing it as borderless and emphasizing the shift of adversaries towards criminal enterprises focused on monetizing their attack strategies. He underscores the role of open source tools, commodity malware, and AI in lowering entry barriers for attackers and highlights the rise of automated detection and response systems, which empower engineers to better defend their infrastructures. He concludes by emphasizing that vigilance and continuous investment in new defense technologies and strategies remain crucial in this ongoing cat-and-mouse game against cyber threats.
Elastic’s Global Threat Report offers a comprehensive glimpse into the evolving dynamics of cybersecurity, where the landscape is marked by ransomware diversification, malware prevalence, and the significance of cloud security. The report underscores the critical importance of heightened vigilance and strategic investment in cutting-edge defense technologies as our first line of defense in an increasingly borderless digital realm. With threat actors continually adapting and innovating, the call for sustained diligence and resilient defenses has never been clearer. As organizations and security professionals unite in this ever-escalating cat-and-mouse game, the insights and recommendations in this report serve as a beacon to guide us toward a more secure and resilient digital future.