Last updated at Thu, 21 Mar 2024 23:41:49 GMT

Co-authored by Robin Long and Raj Samani

Considerable focus within the cybersecurity industry has been placed on the attack surface of organizations, giving rise to external attack surface management (EASM) technologies as a means to monitor said surface. This seems a reasonable approach, on the premise that a reduction in exposed risk related to the external attack surface reduces the likelihood of compromise and potential disruption from the myriad of ransomware groups targeting specific geographies and sectors.

But things are never that simple. The challenge, of course, is that the exposed external risks extend beyond the endpoints being scanned. With access brokers performing the hard yards for ransomware affiliates gathering information, identifying initial entry vectors is more than a simple grab of banners.

Rapid7 Labs' recent analysis looked at the external access surface of multiple sectors within the APAC region over the last half of 2023, with considerable data available well beyond open RDP and unpatched systems. What is revealing is the scale of data that appears to be aiding the access brokers, such as the exposure of test systems or unmaintained hosts to the internet, or the availability of leaked credentials. Each of these gives the multitude of ransomware actors the opportunity to conduct successful attacks while leveraging the hard work of access brokers.

What is interesting as we consider these regionally targeted campaigns is that the breadth of threat groups is rather wide, but the group which is most prevalent does vary based on the targeted geography or sector. (Please note that this data predates the possible exit scam reported and therefore does not take it into account.)

The following graphic shows the sectors targeted, and the various threat groups targeting them, in Australia:

If we compare the most prevalent groups in Japan, however, the landscape does change somewhat:

All of which does focus the mind on this concept of actionable intelligence. Typically organizations have taken a one-size-fits-all approach to risk prioritization; however, a more nuanced approach could be to consider the threat groups targeting the given sector of an organization as a higher priority.

The need to move into this new world of intelligence-led security operations is very clear, and we feel it almost daily. Within a year we have witnessed such a fundamental increase in the level of capabilities from threat groups whose previous modus operandi was entrenched in the identification of leaked credentials, yet who will now happily burn 0-days with impunity.

Our approach within Rapid7 Labs is to provide context wherever possible. We strongly urge readers to leverage resources such as AttackerKB to better understand the context of these CVEs, or the likes of Metasploit to validate whether the reports from their external scan warrant an out-of-cycle security update. These, of course, are only the tip of the iceberg, but our approach remains constant: context is critical, and so is agility. We are faced with more noise than ever before, and any measures that can be used to filter this out should be a critical part of security operations.