M+E Daily

Fortinet Takes a ‘Deep Dive Into the Global Threat Landscape’

Fortinet shared cyber threat activities that its experts saw in the back half of 2022 and made predictions for what they expect in 2023 during the Feb. 22 webinar “A Deep Dive into the Global Threat Landscape.”

Data that the company shared was from the semiannual report written by its FortiGuard Labs research division.

“Something that I have seen going through it is that we’re seeing a lot of old tactics resurfacing now, like a clever remake of an old film,” according to Monika Piekarus, Fortinet product marketing manager.

She asked Fortinet’s experts: “Is there anything that surprises you guys anymore about what we’re seeing or is this pretty standard now?”

In response, Douglas Jose Pereira dos Santos, senior manager, advanced threat intelligence marketing, at Fortinet, said: “I can say that I’m surprised every day. It’s an endless cat and mouse game where we see new techniques; we see new ways of implementing a … technique.”

He added: “It’s complicated because there is a time between [when] you discover something new [and] you try to understand how that works and create protection. But every day, at every hour, we output antivirus definitions, for instance. So, yeah, I can say that, every day, I got taken by surprise. How is that even possible? How are they doing this? And then when you start trying to [apply] what they’re doing, you say ‘We need to either create a new signature for this specific [issue], or is this something that is completely new? It’s breaking all paradigms and we need to go back to the development of the engine and create a new feature so we can have visibility into that thing.’ So every day is a little surprise. It’s just waiting around the corner.”

Meanwhile, “we all know that there’s a lot of code reuse,” according to Anthony Giandomenico, senior director, cybersecurity consulting, proactive & reactive, at Fortinet. “As an industry, we want to build different types of detection signatures that are going to detect one and the many. We want to be able to build a signature that’s going to detect a variety of different things. And the way you do that is by sort of triggering on certain snippets of code and what have you. When you have code reuse by some of those threat actors, you might get antivirus or some type of detection signature with a specific name that’s fairly old…. Really it’s probably triggering on some other kind of code that’s being reused.”

What we are often seeing today is a “different type of threat,” Giandomenico said. “It’s more advanced. It’s more pervasive.”

Multiple industries are being impacted, Giandomenico went on to say. “From our perspective – and kind of keep in mind, our data’s biased because it’s only our view of what we’ve been sort of seeing and kind of dealing with – but when we look at the organizations that we’ve helped through crisis situations, there really is no one industry. It’s kind of pretty much almost equal across the board, you know – equal opportunity for every industry.”

He called that an “indication of, when you look at the cybercrime ecosystem, you have those that are … opportunistic. They’re really kind of trying to establish initial access. And then they sell that access over to some of the other ransomware groups or what have you, or they work together…. [In] 2022, we really didn’t see any specific industry that sort of stood out. It was just more of an organization that might not have had the most robust security program” that was attacked.

What it comes down to is that “there was some low hanging fruit that [bad actors] took advantage of,” he added, noting that the motivation behind the attacks was mainly financial. “Those were the majority of the incidents that we actually sort of dealt with. And out of that, 82% of those financially motivated incidents were really ransomware. So I don’t think there’s anything sort of new there. That’s kind of where we’re at with that.”

2023 Predictions

Piekarus asked for predictions for what we can expect to see in 2023, based on what we’ve seen in these past six months and the six months before that.

Dos Santos responded: “I would say that we’ll continue to see the weaponization quickly of zero day vulnerabilities because if we look back [to] 2017, 2018, 2019, most of the vulnerabilities that were widely exploited were older. Now we’re seeing that they’re really quick to develop new exploits for those vulnerabilities and that those vulnerabilities are being exploited way quicker…. We saw that with ProxyShell, and I think that the time that it took for someone to be prepared against the next big cyber-attack is shrinking…. Just keep that in mind. I guess it might shrink a little bit more. It’s hard to tell but that’s where I see it going.”

Giandomenico chimed in, saying: “I’ll just add on to that, on that same thing … not only like look for how fast they’re going to be able to do that. But then I’ll go back to that same message I used before because, in my mind, I think it’s a powerful one. Those platforms that are going to have new vulnerabilities on them … they’ll not only be successfully exploited but, very quickly, I think you’ll see the familiarity and the expertise on those platforms get entered into these technical documents. And they’re going to learn more ways that they can take advantage of that platform that now has a vulnerability that they can successfully exploit.”

He added: “From the crystal ball perspective … I go back to, as a defender, start doing this: Look at your platforms you have in your environment. Understand if someone gets admin access, not only look at the impact [to] the business, but go back and look at what else can they do.”

Beyond that, “if your organization can detect an attack, what can you do?” Giandomenico asked rhetorically. “One, you can make sure that you have good asset management, and you can see when any rogue devices are actually spinning up or spinning down. They’re going to integrate them into their playbooks. And then once they do that, they’re also going to learn that technology a lot faster and they’re going to leverage it in very unique ways that you might not necessarily sort of know of. You’ll know of it after you start to see the trend but hopefully you hear about it kind of prior, or you anticipate it before” an attack.