
The Akamai Blog

Observed Changes to the Threat Landscape in 2020

Reflecting on the cybersecurity threat landscape in 2020, we can't overlook the massive changes that landed on us. Global security attacks increased at a significant pace between 2019 and 2020, and the COVID-19 pandemic only deepened these troubling conditions. As corporations scrambled to adapt to remote working and other environmental changes, cybercriminals ramped up their attacks.

By following the trends, we will try to show the clear line of escalation, give a brief overview of the current state, and explain how Akamai solutions and technologies work together to help corporate security teams face day-to-day challenges in a more holistic way that keeps pace with the always-changing threat landscape.

Trends  

Phishing is one of the top threat vectors used in most attacks today. It exploits the human factor, which is often the weakest link in the chain. People tend to work according to a daily routine, and attackers apply social engineering and psychological pressure so that victims hand over the information they seek. Illustrated below are some phishing campaigns that succeeded in getting victims to provide attackers with their credentials.

During 2020, Akamai enterprise traffic showed a year-over-year increase of more than 100% in phishing attacks, which mostly targeted the gaming, technology, and e-commerce verticals, as shown in Figures 1, 2, and 3.


Figure 1. Phishing target: e-commerce. Activity beginning July 2019 and compared with 2020.


Figure 2. Phishing target: gaming. Activity beginning July 2019 and compared with 2020.

Figure 3. Phishing target: technology. Activity beginning July 2019 and compared with 2020.

Emotet is one of the largest malware campaign infrastructures. It started out as a banking trojan targeting the financial sector, but soon transformed into malware as a service for other cybercriminals, opening a path for follow-on payloads from TrickBot to Ryuk ransomware.

Figure 4 shows that Emotet threat activity increased more than fivefold in 2020.


Figure 4. Emotet threat activity: beginning July 2019 and compared with 2020.

Specifically, we can still see Emotet activity from July 2020 onward, continuing even after law enforcement (including the FBI) took down the botnet's infrastructure in January 2021. Only time will tell if the takedown worked completely or if Emotet will rise again.

In addition to Emotet, the closely related TrickBot banking trojan started to gain momentum. In Figure 5, we can see the almost negligible attack count observed in 2019 and the massive growth in attacks over the last months of 2020, along with recently published updates intended to "help" TrickBot better evade endpoint security technologies.

Figure 5. TrickBot threat activity: beginning July 2019 and compared with 2020.

In early 2021, we started hearing about and seeing massive supply chain attacks that had begun during 2020; these have given us indicators of what to look for.

Supply chain attacks are highly dangerous because they strike at our soft underbelly: the software and services we trust and use on a daily basis. However, there are important actions all of us can take to reduce the attack surface and limit the damage when a trusted component is compromised:

  • Apply security patches on time

  • Keep software up to date and run the latest supported versions

  • Do not turn off endpoint security; this is often overlooked

  • Employ Zero Trust; make sure identity and access solutions track and monitor all activity

  • Enforce a password policy, including password changes, where possible

  • Use multi-factor authentication wherever possible

Overall, 2020 was a busy year, and signs indicate that 2021 will be even busier. As the Akamai Security Technology Group expands more deeply into the security landscape, it plans to extend its solutions for tracking, monitoring, and responding to threats at all levels -- and looks forward to devising smart solutions that provide additional layers of detection and protection.

How Akamai Solutions Interact with a Cybersecurity Framework

Corporate security operations teams are often overwhelmed by tasks, alerts, vulnerabilities, and incidents; to maintain a sound security posture, organizations need to work from well-defined workflows and procedures.

A common approach is to adopt a cybersecurity framework, such as the widely used NIST Cybersecurity Framework version 1.1, which organizes security activities into five functions:


  • Identify -- Develop an organization-wide understanding of assets of all types and keep an inventory of them

  • Protect -- Develop and implement organizational controls and safeguards to protect those assets

  • Detect -- Develop and implement organizational capabilities for identifying and monitoring cybersecurity events

  • Respond -- Develop and implement organizational procedures for taking action on incidents

  • Recover -- Develop and implement organizational procedures for recovering from cybersecurity incidents

Akamai products and solutions provide organizations with tools that assist in every function of the framework.

Access layer: 

Enterprise Application Access applies the Zero Trust model: it gives you a tool to list and identify organizational applications (Identify), protects your internal work environment from insider threats by brokering access per application rather than to the whole network (Protect), and detects potential anomalies in access activity (Detect).


Figure 6. How Enterprise Application Access components work.

Network to application layer:

Enterprise Threat Protector (ETP) provides detection through real-time and historical monitoring, and adds a protection layer for outbound activity both on the customer premises and off network, using tools and policies tailored to the corporate risk appetite.

Figure 7. How Enterprise Threat Protector works.

ETP relies on tools such as:

  • The ETP Client, installed on desktop and mobile operating systems, which provides on-site and off-network protection and identification

  • A DNS Forwarder, which detects activity from any node on the network and identifies the offending host

  • Akamai's edge proxy technology, which provides data leak detection and threat protection

  • APIs for integration with third-party solutions for incident response and recovery

Authentication layer: 

Multi-factor authentication (MFA) offers an additional layer of protection on top of your username and password, which gives you more control over identity and access management challenges.

Summary

Overall, 2020 was a year in which we saw a massive increase in cybercriminal activity, mostly targeting weaknesses that arose from the changes forced on most corporations. Social engineering attacks are not going to go away; they will adapt to market trends. Looking forward, cybercriminals will become more and more sophisticated, updating old threats with new techniques, hitting the supply chain, and adapting their attacks in pursuit of higher monetary gains.

Akamai, as the largest edge cloud platform in the world, processes huge volumes of DNS and web traffic on a daily basis, which feeds home-grown machine learning-based algorithms for attack and anomaly detection such as:

  • DNS exfiltration detection, both anomaly- and signature-based

  • Domain generation algorithm (DGA) threat detection

  • Zero-day phishing detection, allowing phishing campaigns to be detected in real time

  • User behavior analytics algorithms

Akamai also provides tools that give customers more context, such as MISP integration for enriching an organization's own threat intelligence, and APIs for monitoring and controlling corporate policy from a SIEM according to the desired security posture, all based on flexible and dynamic policy rules for active detection of and protection from attacks both inside and outside the corporate perimeter.
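The first two detection capabilities listed above, DNS exfiltration and DGA detection, can be illustrated with the kind of per-client signals a DNS-layer detector derives from resolver logs. The following is an added example written for this page, not Akamai code: it parses a constructed sample of resolver log lines (the timestamps, client addresses, query names, and response codes are all made up for the example), then flags one client whose queries carry long, high-entropy, ever-changing subdomains under a single registered domain (the signature of DNS tunnelling or exfiltration) and another client that receives NXDOMAIN answers for several random-looking second-level domains (the signature of a domain generation algorithm looking for its command-and-control server). The thresholds and the "last two labels" notion of a registered domain are simplifying assumptions; a production detector would consult the Public Suffix List and tune thresholds against its own baseline.

```python
"""Heuristic DNS exfiltration and DGA detection over constructed resolver logs.

Added example for illustration; not part of any Akamai product.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<timestamp> <client_ip> <qname> <rcode>".
# The base32-looking labels under t.example.net and the random second-level domains
# queried by 10.0.0.9 are invented for this example.
SAMPLE_LOG = """\
2020-11-02T09:00:01Z 10.0.0.5 www.example.com NOERROR
2020-11-02T09:00:02Z 10.0.0.5 mail.example.com NOERROR
2020-11-02T09:00:03Z 10.0.0.5 cdn.akamai.net NOERROR
2020-11-02T09:00:04Z 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net NOERROR
2020-11-02T09:00:05Z 10.0.0.7 ge2dkmrvgy3tqojsgm4dgmzqgqzdgmzsgqztgnjshe.t.example.net NOERROR
2020-11-02T09:00:06Z 10.0.0.7 pbxw4ylnmnqs2obtgq2tsnjxge3timbxge3timbsha.t.example.net NOERROR
2020-11-02T09:00:07Z 10.0.0.7 onuwi43fmnzgk5bnmrqxizjnmfxgiibtgq2tsnjxmi.t.example.net NOERROR
2020-11-02T09:00:08Z 10.0.0.9 xkqzpwvbtrmc.com NXDOMAIN
2020-11-02T09:00:09Z 10.0.0.9 wqlrjzmvktsbpfd.net NXDOMAIN
2020-11-02T09:00:10Z 10.0.0.9 zpfmrkdhxqcwvb.info NXDOMAIN
2020-11-02T09:00:11Z 10.0.0.9 gtqrxnlwkpbvjc.org NXDOMAIN
2020-11-02T09:00:12Z 10.0.0.9 www.wikipedia.org NOERROR
2020-11-02T09:00:13Z 10.0.0.5 api.github.com NXDOMAIN
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain, second-level label, registered domain).

    Assumption: the registered domain is the last two labels. Real code should use
    the Public Suffix List so that names such as host.example.co.uk split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    registered = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return ".".join(labels[:-2]), sld, registered


def parse_log(text):
    """Parse the simplified log format into (ts, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append((ts, client, qname, rcode))
    return records


def detect_exfiltration(records, min_unique=3, min_len=30, min_entropy=3.0):
    """Flag (client, registered_domain) pairs whose subdomains look like encoded payloads.

    Exfiltration over DNS encodes data into many distinct, long, high-entropy labels
    under one attacker-controlled domain; each query carries a new chunk.
    """
    subs = defaultdict(set)
    for _, client, qname, _ in records:
        sub, _, registered = split_name(qname)
        if sub:
            subs[(client, registered)].add(sub)
    flagged = {}
    for key, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(s) for s in names) / len(names)
        avg_ent = sum(shannon_entropy(s) for s in names) / len(names)
        if avg_len >= min_len and avg_ent >= min_entropy:
            flagged[key] = {"unique_subdomains": len(names),
                            "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


def looks_generated(sld, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic for a DGA-style label: long, high entropy, few vowels."""
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio < max_vowel_ratio


def detect_dga(records, min_hits=3):
    """Flag clients that get NXDOMAIN for several distinct random-looking domains.

    A DGA client walks through generated names most of which are unregistered, so a
    burst of NXDOMAIN answers for such names from one host is the tell-tale sign.
    """
    hits = defaultdict(set)
    for _, client, qname, rcode in records:
        _, sld, registered = split_name(qname)
        if rcode == "NXDOMAIN" and looks_generated(sld):
            hits[client].add(registered)
    return {c: sorted(d) for c, d in hits.items() if len(d) >= min_hits}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, stats in detect_exfiltration(recs).items():
        print("possible DNS exfiltration:", key, stats)
    for client, domains in detect_dga(recs).items():
        print("possible DGA beaconing:", client, domains)
```

On the sample, only 10.0.0.7 (four distinct 44-character subdomains under example.net) is flagged for exfiltration, and only 10.0.0.9 is flagged for DGA activity; the single NXDOMAIN for api.github.com from 10.0.0.5 is not, because a short dictionary-word label never passes the generated-name heuristic. Entropy alone is a weak signal (CDN hostnames and hashed cache keys also score high), which is why both detectors combine it with count and length thresholds per client and registered domain.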

Learn more about Akamai's technologies: