
Palo Alto Networks’ Unit 42 Publishes 2022 Response Report

Palo Alto Networks' Unit 42 has released its 2022 response report, which is a culmination of findings from more than 600 incident response cases that aided in the analysis of threat trends and cybersecurity predictions.
Aug 18th, 2022 3:00am by

Enterprise cybersecurity company Palo Alto Networks recently published its 2022 Unit 42 Response Report, filled with need-to-know information such as the methods attackers most commonly use to break in. Unit 42 is a division of the company made up of incident responders, threat researchers, and security consultants who advise organizations on cybersecurity strategy. The report compiles findings from more than 600 incident response cases that informed Unit 42’s analysis of threat trends and cybersecurity predictions.

“This is our way of sharing lessons from the incident response trenches to help bolster your security efforts,” Palo Alto Networks states in the report’s summary to preface its data. “While there is no one-size-fits-all solution to protect your organization from cyberattacks, [cybersecurity professionals] can use commonalities in our cases to understand what attackers are going after and how they’ve been successful.” There are many key takeaways to gain, but a few themes in particular recur.

Over the past year, business email compromises (BEC) and ransomware have been the most prevalent incident types, with ransomware payouts totaling as high as $8 million. BEC heists, on average, earned cybercriminals in the range of $286,000. Unsurprisingly, the primary entry point for hackers continues to be phishing and software vulnerabilities. With one of the incident response team’s notable predictions being an uptick in cybercrime due to declining economic conditions, it’s critical for organizations to be cognizant of the ways they can be susceptible to attacks.

Looking at Initial Access

According to the report, 87% of the CVEs (Common Vulnerabilities and Exposures) seen in its cases can be grouped into six categories, including:

  • ProxyShell (55%)
  • Log4j (14%)
  • SonicWall CVEs (7%)
  • ProxyLogon (5%)
  • Zoho ManageEngine ADSelfService Plus (4%)

As stated previously, Unit 42’s overall statistics show phishing as the top means of access for cyberattacks at 37%, followed closely by software vulnerabilities which ring in at 31%. Hackers are continuing to leverage zero-day vulnerabilities, resulting in less time between discovery and exploitation. Fixing unpatched vulnerabilities and following best security practices can help thwart these attacks, but it’s not always a faceless hacker that brings a devastating cyberattack to a company. The report finds that 75% of insider threat cases involved a former employee.

What Unit 42 calls the “cash cow for cybercriminals” is none other than ransomware. The ransomware market has grown into RaaS (ransomware as a service) where criminals lease out ransomware for either a percentage of the ransom or monthly fees. In the report, Unit 42 states they are tracking 56 active RaaS groups. Even more concerning than the number of groups is the fact that some of them have been around since 2020, growing and inspiring future attackers.

The finance and real estate industries in particular are the most appealing to ransomware attackers, with demands up to $8 million. Unit 42 also found that threat actors commonly gain entry into their target almost a month before being detected, so most victims aren’t aware an attack is underway until they receive a ransom note.

Don’t Underestimate BEC Attacks

BEC scams are often thought of as a minor threat because they are “easy” to avoid. Unit 42 argues that it’s this exact thinking that leaves businesses and individuals vulnerable. In a blog post, they say that 89% of victims did not turn on multifactor authentication (MFA) or follow best practices for its implementation. The team’s investigations also discovered the typical dwell time prior to containment is 7 to 48 days. Luckily, identifying the areas where organizations are weak and susceptible to BEC attacks isn’t difficult.

Regular assessments and security checks will ensure proper implementation and that everyone is upholding the standard for security. When a BEC attack occurs, even if the stolen money is retrieved, the damage to the business is already done. Cybercriminals who go after business emails try a variety of methods including phishing and brute-force credential attacks. In many cases, according to Unit 42, attackers find a clever way to ask for credentials, and the victim is tricked into simply sending them over. Though ransomware makes more headlines, cybercriminals are quietly and successfully pulling off BEC heists. In the report, Unit 42 quotes an FBI report that calls BEC “The $43 billion scam”.

Towards the end of the report, Unit 42 presents seven issues threat actors are counting on you not addressing, including mitigations for brute-force attacks and password security. They list the number one issue as MFA, stating that 50% of companies were not requiring the extra layer of security on their core internet-facing systems like remote access solutions or corporate webmail.

The 50-page report is geared towards both security leaders looking for guidance on where to direct their attention and resources, and security practitioners. Both can gain insights into attack trend predictions for the upcoming year, the capabilities attackers use after initial access, expert-recommended protections to put in place, and more.

TNS owner Insight Partners is an investor in: Unit.