2023 Annual InfoSec Report
Download your free copy now
Fixing the broken information security industry can look like many things, but increasing education, awareness, and transparency are paramount.
We compiled this InfoSec report after analyzing the validated risk assessments and incident response cases FRSecure engaged in during 2022.
And we’re giving it to you as a way to understand what’s happening in the industry today, what the future of information security might look like, and what changes you can make to help level up your organization’s security game.
Introduction
Hello, and welcome to the first-ever FRSecure InfoSec Report! As we march forward in our mission to fix a broken industry, we believe that providing the public with this data set and analysis is a critical step in increasing awareness and understanding.
About the Data
The data in this report is derived from nearly 400 validated security assessments and 55 incident response engagements completed by FRSecure in 2022. The assessments covered between 175 and 678 controls, with the depth of assessment depending on the maturity of the organization. The dataset represents businesses from over 145 unique NAICS codes. Sectors include education, healthcare, materials, technology, financial, consumer services, transportation, food and agriculture, energy and utilities, insurance, legal, and government. Head counts ranged from 50 to 2,500 employees.
Within these engagements, we anonymized all of the information and logged data on controls, incident root causes, exploits, and more. The result is a combination of analysis, interpretation, and related suggestions.
Objective
This data should be used to understand the current information security ecosystem. Treat it as a look through the attacker's eyes, but more importantly, as a way to understand how those attacks can be prevented.
Purpose
The current state of our industry can feel overwhelming and daunting at times. I hope that this report will help provide clarity, a sense of normalcy, and a level of understanding that can be used as a powerful tool to aid in the maturation of each organization and person’s information security posture.
We explore where we are winning, where we are improving, and where we are falling behind. We must also understand that our world evolves rapidly, and the data from this study will be used to further improve our assessment frameworks, understanding, guidance, and support of each other.
Sample Content and Quick Hits
Digital Forensics and Incident Response Analysis
Business Email Compromise
Fourteen BEC cases were analyzed in this study, and 64% of the incidents were the result of a successful social engineering campaign. The most common method of social engineering was phishing email containing links to malicious websites designed to harvest email credentials or authentication (session) cookies. The cookie variant matters because a stolen session cookie lets the attacker replay an already-authenticated session, sidestepping the MFA prompt the victim completed on the phishing site.
Multifactor Authentication
For the audience of this report, it will likely come as no surprise that protecting your internet-facing logon systems with multi-factor authentication is a critical step in guarding your perimeter.
Researchers and practitioners have been shouting this from the rooftops for years, yet buy-in continues to be a challenge.
Of the fourteen business email compromise cases we worked on, only four organizations had fully implemented multi-factor authentication controls.
While MFA is not a silver bullet, it is an essential part of any defense to prevent unauthorized access to your network and email system.
BEC Compromise—The Payload
The majority of the BEC cases we responded to resulted in one of two things: ACH fraud attempts or continued phishing.
ACH (Automated Clearing House) is a system used by financial institutions to execute electronic funds transfers. In most ACH fraud attempts, the attackers were able to read and insert themselves into ongoing email conversations about financial transactions. The attackers then supplied fraudulent account numbers and instructed the unsuspecting victim to send payment to that account. The practical control here is procedural: treat any change to payment instructions as unverified until it is confirmed out of band, by phone to a number already on file rather than one supplied in the email thread.
Best Defense? Normalize Your Environment.
We recommend baselining (normalizing) the environment: record which users, devices, locations, and applications are routinely seen, so that deviations stand out and potential malicious activity can be spotted through anomaly detection.
Organizations should also have a procedure in place to review and authorize any new device that connects to their tenants or applications. Regularly review all connected devices with access to the environment and investigate any unapproved device promptly. A similar process should be implemented for all applications that have been granted access to the environment, since a consented third-party app is as much a foothold as a registered device.
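As an added example (not code from the FRSecure report), here is a small Python baseline-and-anomaly check of the kind the two recommendations above describe, which also covers the session-cookie replay mentioned under Business Email Compromise. The sign-in and consent records, field names, users, IP addresses, ASNs and app identifiers are all constructed for illustration and do not represent any real tenant; a real deployment would read equivalent fields from the identity provider's sign-in and audit logs.

```python
"""Baseline normal sign-in/consent activity per user, then flag deviations."""
from collections import defaultdict

# Constructed sample records (not real tenant data). Field names are assumptions
# chosen to resemble what an identity provider's sign-in and audit logs expose.
BASELINE = [
    {"ts": "2022-03-01T08:02", "user": "ap@example.com", "type": "signin",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "US",
     "device": "LAPTOP-AP01", "session": "sess-111", "mfa": True},
    {"ts": "2022-03-02T08:05", "user": "ap@example.com", "type": "signin",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "US",
     "device": "LAPTOP-AP01", "session": "sess-112", "mfa": True},
    {"ts": "2022-03-02T09:10", "user": "cfo@example.com", "type": "signin",
     "ip": "198.51.100.7", "asn": "AS64501", "country": "US",
     "device": "CFO-PHONE", "session": "sess-201", "mfa": True},
    {"ts": "2022-03-03T09:00", "user": "cfo@example.com", "type": "consent",
     "app": "Corporate Expense App", "app_id": "app-0001"},
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    {"ts": "2022-03-10T08:00", "user": "ap@example.com", "type": "signin",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "US",
     "device": "LAPTOP-AP01", "session": "sess-300", "mfa": True},
    # Same session cookie as the sign-in above, presented from another ASN/country,
    # with no registered device and no MFA challenge: cookie-replay pattern.
    {"ts": "2022-03-10T08:20", "user": "ap@example.com", "type": "signin",
     "ip": "192.0.2.44", "asn": "AS64999", "country": "NG",
     "device": "", "session": "sess-300", "mfa": False},
    # Never-seen device and country for the CFO, no MFA.
    {"ts": "2022-03-11T02:15", "user": "cfo@example.com", "type": "signin",
     "ip": "192.0.2.90", "asn": "AS64998", "country": "RU",
     "device": "DESKTOP-7Q2", "session": "sess-400", "mfa": False},
    # Consent granted to an application not in the approved baseline.
    {"ts": "2022-03-11T02:20", "user": "cfo@example.com", "type": "consent",
     "app": "Mail Sync Helper", "app_id": "app-9999"},
]


def _empty_profile():
    return {"countries": set(), "asns": set(), "devices": set(), "apps": set()}


def build_baseline(events):
    """Per-user sets of countries, ASNs, devices and consented apps seen as 'normal'."""
    profiles = defaultdict(_empty_profile)
    for e in events:
        p = profiles[e["user"]]
        if e["type"] == "signin":
            p["countries"].add(e["country"])
            p["asns"].add(e["asn"])
            if e["device"]:
                p["devices"].add(e["device"])
        elif e["type"] == "consent":
            p["apps"].add(e["app_id"])
    return dict(profiles)


def find_anomalies(baseline, events):
    """Return (user, kind, detail) tuples for events that deviate from the baseline."""
    findings = []
    session_origin = {}  # session id -> (asn, country) where it was first seen
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        p = baseline.get(user, _empty_profile())
        if e["type"] == "signin":
            here = (e["asn"], e["country"])
            origin = session_origin.setdefault(e["session"], here)
            if origin != here:
                findings.append((user, "session-replay",
                                 f"{e['session']} reused from {here[0]}/{here[1]}, "
                                 f"issued at {origin[0]}/{origin[1]}"))
            if e["country"] not in p["countries"]:
                findings.append((user, "new-country", e["country"]))
            if e["device"] not in p["devices"]:
                findings.append((user, "new-device", e["device"] or "<unregistered>"))
                if not e["mfa"]:
                    findings.append((user, "no-mfa-new-device", e["ip"]))
        elif e["type"] == "consent" and e["app_id"] not in p["apps"]:
            findings.append((user, "new-app-consent", f"{e['app']} ({e['app_id']})"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(build_baseline(BASELINE), NEW_EVENTS):
        print(f"{user:18} {kind:18} {detail}")
```

Run as-is, the script reports the replayed session, the two unfamiliar countries and devices, the two sign-ins that skipped MFA on an unknown device, and the unapproved app consent. The session-replay rule is the one worth keeping even if the others are noisy: a session identifier that was issued behind one network and is later presented from another is exactly what cookie-harvesting phishing produces, and it fires regardless of whether the victim completed MFA.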
Ransomware and Internal Compromise
The ransomware industry continues to grow and remains extremely lucrative for threat actors. Over the years, we have watched ransomware costs balloon into the billions of dollars, and we should not expect that to slow down anytime soon. Even so, FRSecure is proud to report that fewer than 10% of all incident response cases we observed in 2022 resulted in encryption of the client environment.
Of all internal compromise or pre-ransomware cases worked by the FRSecure CSIRT, only one resulted in partial encryption of the client environment. This is in no way a guarantee that FRSecure can prevent a ransomware attack, but it is supporting evidence that strong incident response and action capabilities are critically important in limiting the damage incurred by a cyber incident.
How Do We Manage These Vulnerabilities?
- Asset Management
- Vulnerability Management
- Vulnerability Scanning is Not Enough – You Need to Test!
- Social Engineering: Another Angle
- Other Social Engineering Attacks Observed
Vendor Risk Management
Vendor-associated compromises hit mainstream media back in 2014 when Target was compromised after threat actors compromised their HVAC vendor and used this access to pivot into their environment. While this was the incident that made many folks aware of this method of attack, it was not new and continues today.
To defend against these attacks, a vendor management program should be developed and implemented. A good vendor management program includes a maintained inventory of all vendors, a classification of each vendor according to the inherent risk it poses to the organization, and regular, ongoing risk assessment of vendors, with the depth of assessment matched to that classification.
Ransomware
In no way are we guaranteeing that if you engage your IR partner before encryption you will be protected.
However, it cannot be ignored that when the FRSecure CSIRT was engaged before encryption, no incident reached that point. Early detection and prompt, knowledgeable response are critical opportunities in our defense mechanisms.
IR Preparedness is Key!
Having an incident response plan will ensure that you know how to respond during a cyber incident quickly and properly. Testing that plan will ensure that all involved parties know their roles and responsibilities beforehand and can assist in reducing the time to respond. This will also give you the ability to identify deficiencies in your plan before the fact.
The result is continuously improving incident response capabilities for your organization. The absolute worst time to test your incident response plan is in the middle of an active incident.
Other Key Learnings
- Egress Traffic (read: SolarWinds)
- Identify & Combat OSINT/Recon Techniques to Supplement Scanning
- Email Harvesting
- Leaked Credentials
- Social Media Review
- Accidental Information Leakage
- Security MUST be Top-Down. Leaders MUST Set Examples!
Summary and Conclusions
Let’s be logical in our approach to information security. Shiny new tools and technologies are fun and exciting, but they are not the solution we need. There is no easy button for security, and there’s not going to be one in our foreseeable future. Let’s focus on cleaning up our messes before we focus on anything else.
- You can’t secure what you don’t know exists.
- Get a better handle on your vulnerability management programs!
- Logs, Logs, Logs!
- MFA everything… but do it the right way!
- IR Preparedness. Have an IR plan, and test the plan!
- Train – Develop a Security-Focused Culture.
- Security is not easy.
Part of FRSecure’s mission is to be a resource for everyone in the industry, so we’re always more than happy to help where we can. Stay safe and happy hunting!