The Top Three Cybersecurity Threats In 2022: WatchGuard

‘It all boils down to the fact that we focus a lot on preventing the assignment and unfortunately not a lot on identifying, detecting and responding to those threats,’ says Marc Laliberte, director of security operations for WatchGuard Technologies.

On average it takes 207 days to identify a breach, according to Marc Laliberte, director of security operations for WatchGuard Technologies, a Seattle-based network security firm.

Laliberte spoke this week at XChange 2022 in Denver, the event run by CRN parent company The Channel Company, about the top cyber threats in the 2022 security landscape.

“What we do is basically just keep our finger on the pulse of security and take the information we get from our customers,” he said. “It all boils down to the fact that we focus a lot on preventing the assignment and unfortunately not a lot on identifying, detecting and responding to those threats.”

He said the reality is there are types of threats that can interact with some of an organization’s defenses. If they don’t have a good, layered effect and tools to identify that activity and responsibility, they’re going to end up with a months-long span of breach activity without knowing about it.

“One of the reasons that it takes so long to find some of these threats is because these days, it’s easier than ever to create evasive malware that makes the attacks,” he said.

Bill Butler, CEO of Dallas-based MSP Dallas Network Services, said the threat landscape is constantly changing and what can be attacked is growing all the time.

“We live in a scary world,” he told CRN. “It used to be just a PC, now it’s your data is everywhere, so you have to constantly check. I think that knowing what the threats are is the biggest takeaway, and knowing you need help.”

Here are the top cyberthreats of 2022.

Spear Phishing

While phishing scams have been around for quite some time, Laliberte said threat actors are getting more sophisticated in their phishing emails. And 90 to 95 percent of breaches derive from spear phishing.

“The reality is we’re actually getting pretty good at spotting that they’re bogus, even our end users are getting pretty good at that too,” he said. “But unfortunately threat actors are making the phishing messages significantly more believable and they’ve been doing it with great success.”

They use techniques like “automated social network recon,” which goes through a user’s Facebook, LinkedIn and corporate directory to figure out who they work for.

“They can craft that message and make it look like it’s coming from your CEO or CFO and give it a sense of urgency,” he said. “And if we’re busy during our day and we see that pop up, there’s a chance that you might miss those telltale signs and potentially fall victim to that phishing.”

He said there’s also a lot of brand representation that sends a spoof message to make it look like it’s coming from everywhere. Unfortunately, that is “running rampant” because it’s successful against corporations.

Account Takeover

Account takeover is the act of carrying out those phishing attacks, Laliberte said.

The majority of credentials hackers are getting come from phishing messages, but there are many other ways they can potentially get their hands on a valid account.

“The reality is the majority of the services we use, even if we’re using other forms of biometrics or other bases of authentication, they are still backed up by a password,” he said. “If they can get a hold of that and you don’t have other records behind it backing it up, then that could potentially lead to account takeover.”

He said WatchGuard always sees actors “trolling the dark web” to be able to get breaches either for sale or for free from recent attacks. They can turn around and use those for password spraying attacks, which is trying the most common passwords against all of a user’s accounts.

“They’ve actually gotten really good about circumventing those,” he said. “Instead of trying 10,000 passwords against one account, they try 10,000 accounts against one password. By the time they’ve cycled through to that next password, they’re often outside of that window of potentially logging onto the account.”
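Added example, not code from the article or from WatchGuard: a small Python detector for the "many accounts, one password" pattern Laliberte describes, which slips under per-account lockout thresholds and therefore has to be spotted by pivoting on the source. The log format, the constructed sample lines, the thresholds and the helper names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "timestamp result user source_ip".
# The first source tries one password across five accounts, then lands on a sixth (a spray);
# the second hammers a single account (brute force), which per-account lockout already catches.
SAMPLE_LOG = """\
2022-03-01T09:00:01 FAIL alice 203.0.113.7
2022-03-01T09:00:03 FAIL bob 203.0.113.7
2022-03-01T09:00:05 FAIL carol 203.0.113.7
2022-03-01T09:00:07 FAIL dave 203.0.113.7
2022-03-01T09:00:09 FAIL erin 203.0.113.7
2022-03-01T09:00:11 SUCCESS frank 203.0.113.7
2022-03-01T09:05:00 FAIL alice 198.51.100.9
2022-03-01T09:05:10 FAIL alice 198.51.100.9
2022-03-01T09:05:20 FAIL alice 198.51.100.9
2022-03-01T09:05:30 SUCCESS alice 198.51.100.9
"""

def parse(log_text):
    """Parse the constructed log format into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that fail logins on >= min_accounts distinct accounts inside
    `window` while no single account exceeds max_per_account failures.
    Returns {source: {"accounts": [...], "success_after": bool}}."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(events):
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):  # slide the window over each start
            fails = defaultdict(int)
            success_after = False
            for ts, result, user in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                elif fails:  # a success after spray failures: likely compromised account
                    success_after = True
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                alerts[src] = {"accounts": sorted(fails), "success_after": success_after}
                break
    return alerts
```

Run against the sample, only the spraying source is flagged; the single-account brute force from the second source is left to ordinary lockout rules.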

Fileless Malware

Fileless malware differs from traditional malware in that in a traditional malware attack the payload is a binary executable that a user downloaded, saved and then ran, Laliberte said.

“Those are actually pretty easy for even legacy endpoint protection services to detect,” he said. “You have the option to scan it as it’s being downloaded, periodically rescan your hard drive for this and if you find that malicious payload you can delete it.”

With fileless malware, at no point in time has a user saved something on a storage device. It runs entirely in memory, which means it is significantly more difficult for traditional endpoint protection services to identify and deal with the threats. It doesn’t always work off memory, but in most cases it does.

“Everything it does is just in memory,” he said. “It can download the malicious payload, pivot, inject it into another process’s memory and all without ever touching a storage device, which makes it very difficult to tap.”