You just bought an MDR or XDR service and need to answer one simple question - now what? At a large organization, this is literally a million-dollar question. We are here to help with advice based on the experience and insight of our MDR team.
Security providers can do a lot by providing you with tooling and expertise. However, this is a partnership, and you need to hold up your end of the deal. Maximizing the outcomes of that partnership requires that best practices are in place for a truly great defense-in-depth build-out.
Earlier this month, the MDR Cyber Intelligence Fusion Cell (CIFC) analyzed Bitdefender customer activity throughout 2022. Every year, we provide our annual insights research to MDR customers. Using some of that data, we shine a light on things to think about once you’ve signed on the dotted line and started the service.
Know your environment
You can’t know what you don’t know, and unfortunately for a SOC analyst this creates blind spots that complicate incident response.
Over the past year, MDR has worked through several customer incidents in which an attacker exploited an unmonitored or unmanaged asset in the environment. This allowed the attackers to conduct reconnaissance and add privileged accounts which were then used to access other assets.
Our goal is to disrupt attackers as early as possible in the attack life cycle, but we can’t protect what we can’t see. Invisible endpoints may allow attackers to establish a foothold before signals are developed, putting us in the position of playing catch-up.
Fortunately, a combination of tools and analyst know-how was able to stop the attackers in their tracks. But imagine if wide parts of an environment were not monitored or otherwise visible. This is why we always recommend deploying tools across the entire environment. Asset management makes this achievable: you know which operating systems, applications and services are in your environment, and structured naming conventions and other clues make investigations easier. Auditing access, accounts, and everything in between also helps close the gaps.
You may now be thinking about remote workers. People using personal computers for work without any security tooling installed introduces risk. We can help you make sure those assets are known and secured.
The bottom line is the quality of results at the security insight and control layer – via MDR or XDR – depends on having complete information about your environment. To get the most from these services, work with your MDR and XDR teams to identify the unknown-unknowns and see what your security tools are capable of.
Get perspective through alerts, intelligence, and other sources
Intelligence and security analysts here at Bitdefender are constantly triaging and investigating daily alerts for customer environments. Those that are most critical or important are sent for customer review, along with MDR recommendations for the next steps.
Over the past year, CIFC’s most frequent customer alert was around exposures of information on code repositories such as GitHub or Pastebin. In most cases, these alerts were benign; but in others, some insider information or otherwise unknown or forgotten information was exposed.
Our next most frequent customer alert involved typosquatting. While these alerts are mostly benign, they can indicate that a competitor or threat actor is trying to target you or your customers by abusing your brand. Because it can be cost-prohibitive to purchase and maintain every variation of your domain’s spelling or top-level domain (TLD), it is more beneficial to monitor these for changes. In 2022, we saw the number of these alerts almost double compared to 2021, for reasons that are not clear, and we expect much of the same activity this year, based on numbers we have already seen in January.
Finally, the most frequent customer communication from CIFC centered on credential leaks. Our intelligence tools look for public breaches or exposures and use other sources to find credential information such as usernames, emails, or passwords. While activity levels remained the same as in 2021, we gained a more actionable source of information that alerted us to logins and passwords that were likely still in use somewhere. Because people often reuse passwords or use work-associated emails for non-work purposes, getting that information quickly can make a huge difference to customers. Every password change you can force, and every unused account you can delete, is one less avenue an attacker can use to get inside.
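Monitoring for typosquats rather than registering every variant means generating the variants yourself and diffing them against a feed of newly seen domains. The following Python is an added example, not Bitdefender's own tooling; the brand domain example.com, the TLD list and the look-alike table are constructed assumptions, and the input is assumed to be a registrable name.tld domain.

```python
# Constructed sample: the brand domain to watch and a list of swap-candidate TLDs.
BRAND = "example.com"
TLDS = ["com", "net", "org", "co", "io"]
# ASCII characters commonly swapped for a look-alike (constructed, partial list).
ASCII_LOOKALIKES = {"l": "1", "o": "0", "i": "l", "e": "3"}

def typosquat_candidates(domain):
    """Generate typo-style variants of a registrable domain (name.tld form assumed)."""
    name, _, tld = domain.lower().partition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                 # omission:      exmple
        names.add(name[:i] + ch * 2 + name[i + 1:])        # repetition:    exxample
        if i + 1 < len(name):                              # transposition: exmaple
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if i > 0:                                          # hyphenation:   exa-mple
            names.add(name[:i] + "-" + name[i:])
        if ch in ASCII_LOOKALIKES:                         # look-alike:    examp1e
            names.add(name[:i] + ASCII_LOOKALIKES[ch] + name[i + 1:])
    names.discard(name)                                    # never flag the brand itself
    variants = {f"{n}.{tld}" for n in names}
    variants |= {f"{name}.{t}" for t in TLDS if t != tld}  # TLD swap: example.net
    return variants

def match_feed(feed, domain=BRAND):
    """Return feed entries (e.g. newly registered domains) that are typosquats of domain."""
    candidates = typosquat_candidates(domain)
    return sorted({d.lower().rstrip(".") for d in feed} & candidates)

if __name__ == "__main__":
    # Constructed feed of newly observed domains; real input would be a CT log or zone diff.
    feed = ["EXAMPLE.NET", "examp1e.com", "exmaple.com", "unrelated.org", "example.com"]
    for hit in match_feed(feed):
        print("possible typosquat:", hit)
```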
Spear phishing attacks are often used as an initial attack vector, and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in December 2023 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is. Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups represent a higher percentage compared to groups that are more selective about their targets, since they prefer volume over higher value.
When looking at this data, remember these are ransomware detections, not infections.
Top 10 Ransomware Families
We analyzed malware detections from December 1 to December 31. In total, we identified 207 ransomware families. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.
Top 10 Countries
In total, we detected ransomware from 147 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, and population size is correlated with the number of detections.
Below are the top 10 trojans targeting Android we have seen in our telemetry during December 2023.
SMSSend.AYE - Malware that tries to register as the default SMS application on first run by requesting the user's consent. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command & Control (C&C) server.
Downloader.DN - Repacked applications taken from the Google App Store and bundled with aggressive adware. Some of the adware downloads other malware variants.
Banker.ACT, ACI - Polymorphic applications that impersonate legitimate apps (Google, Facebook, Sagawa Express ...). Once installed, they locate banking applications on the device and try to download a trojanized version from the C&C server.
Triada.LC - Malware that gathers sensitive information about a device (device IDs, subscriber IDs, MAC addresses) and sends it to a malicious C&C server. The C&C server responds with a link to a payload that the malware downloads and executes.
Banker.ACX - Applications that impersonate Korean banking applications to record audio and video, collect sensitive information (SMS messages, contacts, GPS location…) and upload it to a C&C server.
HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks for permission to display on top of other apps. With this permission, the application can hide itself from the launcher.
Banker.XJ - Applications that drop and install encrypted modules. This trojan obtains device admin privileges and gains access to manage phone calls and text messages. After deployment, it maintains a connection with the C&C server to receive commands and upload sensitive information.
SpyAgent.GC - Applications that exfiltrate sensitive data such as SMS messages, call logs, contacts, or GPS location.
Banker.ZF - Applications that disguise themselves as banking apps and can imitate a conversation with customer support. When the malware runs for the first time, it asks for permissions to access contacts, microphone, geolocation, and camera. Once the permissions are granted, the malware can receive commands from the C&C server to exfiltrate sensitive data from the phone.
Homograph Phishing Report
Homograph attacks abuse internationalized domain names (IDNs). Threat actors create internationalized domain names that spoof a target domain name. When we talk about the “target” of an IDN homograph phishing attack, we mean the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
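An IDN homograph reaches a resolver as a punycode (xn--) label, so a defender's check has to decode it, reduce look-alike characters to a Latin skeleton, and compare that skeleton against the domains being impersonated. The following Python is an added illustration, not code from this report; the confusables table is a small constructed subset of Unicode TR39, and the spoofed apple.com sample is constructed in the block itself.

```python
import unicodedata

# Constructed subset of look-alike characters (Unicode TR39 has the full list).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u0458": "j", "\u04bb": "h", "\u04cf": "l",                  # Cyrillic ј һ ӏ
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
}

def to_unicode(domain):
    """Decode a punycode (xn--) domain to Unicode; pass anything else through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or a malformed ACE label
        return domain

def skeleton(domain):
    """Reduce look-alike characters to their Latin targets (TR39-style skeleton)."""
    text = unicodedata.normalize("NFKC", to_unicode(domain).lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def scripts(domain):
    """Set of Unicode script names used by the letters of a domain."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in to_unicode(domain) if ch.isalpha()}

def find_homographs(observed, targets):
    """Return (observed, target) pairs whose skeletons collide but spellings differ."""
    hits = []
    for dom in observed:
        sk = skeleton(dom)
        for tgt in targets:
            if sk == tgt.lower() and to_unicode(dom).lower() != tgt.lower():
                hits.append((dom, tgt))
    return hits

# Constructed sample: a Cyrillic-a spoof encoded to punycode, the genuine domain, an unrelated one.
SPOOF_ACE = "\u0430pple.com".encode("idna").decode("ascii")
SAMPLE_OBSERVED = [SPOOF_ACE, "apple.com", "example.net"]
SAMPLE_TARGETS = ["apple.com"]

if __name__ == "__main__":
    for dom, tgt in find_homographs(SAMPLE_OBSERVED, SAMPLE_TARGETS):
        print(f"{dom} -> {to_unicode(dom)} impersonates {tgt}; scripts={sorted(scripts(dom))}")
```

A mixed-script result from scripts() is itself a useful signal even when the skeleton does not match a known target.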
Below is the list of the top 10 most common targets for phishing sites.
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Tyler Baker, Alin Damian, Mihai Leonte, Andrei Mogage, Sean Nikkel, Nikki Salas, Rares Radu, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.