Be prepared for the increase in reconnaissance

Issue 4 2022 Information Security

Cybercriminals are always looking for opportunities to wage an attack. Whether it's a vulnerable system or a particularly enticing email designed to dupe an unsuspecting employee into clicking, low-hanging fruit is everywhere.


Aamir Lakhani.

Many organisations bank on the notion that if they put some defences in place, an attacker will move on to an easier target. But that approach doesn't take greed into account. Because ransomware has become so lucrative, cybercriminals are becoming more devious and putting significantly more energy into reconnaissance.

Pay attention to the left-hand side

Reconnaissance is one of the first phases of an attack. The steps are often described as a progression, starting on the left and moving to the right. The MITRE ATT&CK; framework and Lockheed Martin Kill Chain are two examples that detail the tactics used in a campaign. The left-hand side includes pre-attack strategies, such as reconnaissance, planning and development. On the right-hand side are the execution phases that include launching malware and stealing data.

The left side includes advanced persistent threats (APTs) with activities that include determining that a network is vulnerable, obtaining unauthorised access, and avoiding detection for an extended period of time. State-sponsored actors or nation states with considerable resources are often allied with APTs.

Most organisations don't focus as much on the left side of the attack framework, but that mindset needs to change. With better reconnaissance, cyberattacks are likely to be more effective and more destructive. Ransomware attacks will increase and undoubtedly become more expensive. According to FortiGuard Labs researchers, in the 12 months between July 2020 and June 2021, there was an almost eleven-fold increase in ransomware.

Ransomware attacks may even be accompanied by distributed denial of service (DDoS) attacks designed to distract and overwhelm security teams. And the addition of wiper malware that destroys data, systems and hardware acts as an added incentive for companies to pay quickly.

A recent global ransomware survey conducted by Fortinet indicates that ransomware is routinely successful, with 67% of organisations reporting having been a ransomware target. And nearly half said they'd been targeted more than once.

More money means more cybercrime

As the number of incidents increases and gangs compete for a slice of the profitable pie, cybercriminals motivated by money are going to focus more attention on left-side activities. Much like nation-state-funded APT groups, these groups are likely to spend more time and effort on reconnaissance and ferreting out zero-day capabilities.

By spending more time on the left-hand side doing reconnaissance, cybercriminals can improve the likelihood of a successful attack. Often, they can even reuse the same reconnaissance techniques against other organisations. So, some upfront effort can reap great rewards.

Attack kits will make it easier for other attackers to reuse tactics and exploit vulnerabilities. These kits, coupled with the increase in malware-as-a-service, mean the sheer number of attacks is likely to rise because there will be more cybercriminals and their affiliates launching attacks at the same time.

Get smarter about reconnaissance

To combat advanced attacks, organisations need holistic and scalable security that facilitates visibility and communication across the network. To mount a swift and coordinated response, security solutions should be enhanced with artificial intelligence (AI) so they can detect attack patterns and stop threats in real time. Solutions should also be able to scale to address the increase in attacks. Organisations should have these solutions in place:

• Anti-malware that includes AI detection signatures.

• Endpoint detection and response (EDR).

• Advanced intrusion prevention system (IPS) detection.

• Sandbox solutions augmented with MITRE ATT&CK; mappings.

• Next-generation firewalls (NGFWs).

• Digital risk protection service (DRPS) designed to counter attacks at the reconnaissance phase.

Ideally, the tools should be deployed consistently across the distributed network, including data centre, campus, branch, multi-cloud, home office and endpoint, using an integrated security platform such as the Fortinet Security Fabric.

The Security Fabric can detect, share, correlate and respond to threats as a unified solution. It integrates crucial security and networking solutions, including third-party components, and supports and supplements the people and processes that are part of in-house teams and skillsets.

Fortinet delivers a multi-phase approach to cybersecurity that can prevent the early-stage delivery of threat components as much as possible, while continuing to inspect for and detect activity that indicates an intrusion or attack in progress. It is followed by a quick response to cyber events, coordinated across the distributed cybersecurity mesh, to contain and mitigate attacks. 

Cybercriminals will be upping their games with more reconnaissance efforts, more zero-day exploits and more attacks, so organisations need to take action before it's too late.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.