igor - Fotolia
More than a third of all security incidents start with phishing emails or malicious attachments sent to company employees, according to a report by cyber security firm F-Secure.
The company’s latest incident response report is based on findings from F-Secure’s incident response investigations and shows how cyber criminals attack organisations.
Attackers exploiting vulnerabilities in organisations’ internet-facing services is the most common source of breaches the data shows, accounting for 21% of incidents investigated by F-Secure’s incident responders, followed by insider attacks (20%).
But phishing and emails with malicious attachments together accounted for about 34% of breaches, making attacks by email a much bigger pain point for organisations, according to Tom Van de Wiele, F-Secure principal security consultant
“Exploiting software vulnerabilities in drive-by scenarios is typical in opportunistic attacks, but breaching companies via email is actually far more common,” he said.
Van de Wiele points out that three are many different ways different attackers can use email, and these attacks are popular because almost every company relies on email for communication. “People need to think before they click on attachments and links, but the pressure of many jobs overrides this logic, which attackers understand and exploit.”
Other important findings of the report include that organisations were hit by targeted (55%) and opportunistic attacks (45%) in nearly equal proportion. However, there are some significant differences across industries, with gaming companies and public sector organisations attracting almost exclusively targeted attacks, while telecom and insurance companies are mainly affected by opportunistic attacks.
Read more about incident response
- Making the most of incident detection and response.
- Ensure incident response in the face of inevitable messaging leaks.
- Crafting a cyber security incident response plan, step by step.
- High performing UK companies with a high level of cyber security maturity are leading in cyber resiliency, but most have to work on operationalising incident response plans.
- Professional incident response providers can quickly bring the additional resources and the expertise that companies often need to handle a rapidly unfolding threat.
The data also revealed that in targeted attacks, adversaries mainly used social engineering to exploit human weaknesses, but in opportunistic attacks, adversaries relied more on technical weaknesses in an organisation’s IT infrastructure, such as software vulnerabilities.
The report notes that targeted attacks, which are a growing problem, use a greater range of tools, techniques and procedures than their opportunistic counterparts. In spite of this range, the report said the F-Secure data shows that here are certain patterns that attackers use and re-use consistently.
With the right threat intelligence and resources, the report said, organisations can better predict and prevent attacks and be better prepared to respond swiftly and effectively to any threat.
The report also shows that incident responders were contacted after the security perimeter was breached in nearly 80% of cases, and that the most common post-breach action taken by attackers was spreading malware, mostly for financial gain, but also for espionage or maintaining access for future purposes.
Commenting on the fact that 13% of investigations turned out to be false alarms, Van de Wiele said this figure is surprising, and shows that too many organisations struggle with accurately detecting cyber attacks.
“We’re often called in to investigate ‘suspicious activity,’ which tells me that a lot of organisations don’t have accurate incident detection capabilities. Sometimes we even discover an IT problem rather than an attack, which drains resources and distracts everyone from dealing with the real issue,” he said.
The report recommends companies improve their incident detection and response capabilities by investing in an endpoint detection and response system or service.