Cisco Talos Incident Response Quarterly Trends: Business Email Compromise Emerges as Most Common Threat

Cisco (NASDAQ: CSCO) has released the Talos Incident Response (IR) Quarterly Trends report for Q1 2024, highlighting key insights into the cybersecurity landscape. Developed by Cisco Talos Intelligence Group, the report is designed to help organizations defend against the most common cyberthreats.

Business Email Compromise on the Rise

For the first time in several quarters, Business Email Compromise (BEC) was the most common threat in Q1 2024, accounting for 46 percent of all Cisco Talos IR engagements, a significant increase from Q4 2023. In BEC, adversaries impersonate legitimate members of the business, typically from a compromised or look-alike mailbox, and send phishing emails that either carry malicious payloads or set up fraudulent financial transactions such as redirected invoice payments.

Persistent Weaknesses in Multi-Factor Authentication

Cisco's security researchers identified a new phishing kit named Tycoon 2FA that bypasses multi-factor authentication (MFA). Although it has not yet appeared in Talos IR engagements, it is becoming widespread. Nearly half of all engagements showed weaknesses in MFA; the two most common were users accepting push notifications they had not initiated (so-called push fatigue or MFA bombing) and improper MFA implementation, such as MFA not being enforced on every externally reachable service.
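The push-fatigue weakness named above is detectable in authentication logs: a burst of denied or timed-out push prompts followed by an approval for the same user within a short window. The following detector is an example added to this article, not Cisco or Talos code; the tab-separated log layout and the sample events are constructed for illustration and do not reflect any vendor's real export format.

```python
"""Flag MFA push-fatigue ("push bombing") patterns in authentication logs.

Added example (not Cisco/Talos code). The log format below is an assumption:
timestamp, user, factor, result, source IP, tab-separated, one push event
per line. The sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. alice rejects three prompts and then approves the
# fourth within three minutes (the fatigue pattern); bob and carol do not.
SAMPLE_LOG = """\
2024-03-12T08:01:05Z\talice\tpush\tdenied\t203.0.113.9
2024-03-12T08:01:40Z\talice\tpush\ttimeout\t203.0.113.9
2024-03-12T08:02:15Z\talice\tpush\tdenied\t203.0.113.9
2024-03-12T08:03:02Z\talice\tpush\tapproved\t203.0.113.9
2024-03-12T08:05:00Z\tbob\tpush\tapproved\t198.51.100.20
2024-03-12T09:10:00Z\tcarol\tpush\tdenied\t198.51.100.44
2024-03-12T09:40:00Z\tcarol\tpush\tapproved\t198.51.100.44
"""

REJECTED = {"denied", "timeout"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, factor, result, ip = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "factor": factor,
            "result": result,
            "ip": ip,
        })
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return one alert per approval preceded by >= min_rejections rejected
    pushes for the same user inside `window`.

    The thresholds are tunable assumptions; the point is the sequence
    (repeated rejections, then an accept), not the exact numbers.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["factor"] == "push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            start = e["ts"] - window
            prior = [p for p in evs[:i]
                     if p["ts"] >= start and p["result"] in REJECTED]
            if len(prior) >= min_rejections:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"].isoformat(),
                    "rejections_in_window": len(prior),
                    "ip": e["ip"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print("push-fatigue suspected:", alert)
```

A real deployment would also compare the approving session's source IP and geography against the user's history; an approval that ends a burst of rejections from an unfamiliar network is the strongest signal, and the matching response is to reset the session and re-enrol the factor rather than simply to notify the user.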

New Variants of Ransomware Detected

Incidents of ransomware decreased by 11 percent in Q1 2024, making up 17 percent of engagements. New variants of Phobos and Akira ransomware were detected for the first time, along with ongoing threats from LockBit and Black Basta. Akira has resumed using encryption for extortion, targeting both Windows and Linux machines.

Manufacturing: The Most Targeted Sector

Continuing from Q4 2023, manufacturing remained the most targeted sector, representing 21 percent of incident response engagements, followed closely by education. Healthcare, public administration, and technology sectors tied for third. The manufacturing sector's low tolerance for operational downtime makes it a prime target for financially motivated attacks, including BEC, ransomware, and brute-force attacks on VPNs.

Evolving Cyberattack Techniques

The primary method of initial access was the use of compromised credentials, seen in 29 percent of engagements, a 75 percent increase from Q4 2023. Email hiding inbox rules (MITRE ATT&CK T1564.008) were the most observed defense evasion technique, at 21 percent of engagements, most likely driven by the rise in BEC and phishing: once inside a mailbox, an attacker creates rules that delete or move the replies to their fraudulent messages so the legitimate owner never sees them.
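Because inbox rule changes are logged by mail platforms, the hiding-rule technique is one of the easier BEC indicators to detect. The scorer below is an example added to this article, not Cisco or Talos code. The record layout (an operation name plus a list of Name/Value parameters) is modelled loosely on mailbox audit records but is an assumption, and the four sample records are constructed; adapt the field names to your own platform's audit export before using the logic.

```python
"""Score mailbox audit records for inbox rules that hide mail from the owner.

Added example (not Cisco/Talos code). Record layout is an assumption and the
SAMPLE_AUDIT lines are constructed: one JSON object per line with
CreationTime, UserId, Operation, ClientIP and a Parameters list of
{"Name": ..., "Value": ...} pairs.
"""
import json
import re

# Folders attackers commonly redirect mail into because users rarely look there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive", "notes"}
# Filter keywords typical of BEC payment-fraud rules.
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance",
                 "password", "mfa", "verification"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")

# Constructed sample records: a hiding rule on a CFO mailbox, a benign
# Jira-filing rule, an auto-delete rule on an accounts-payable mailbox,
# and an unrelated operation that must be ignored.
SAMPLE_AUDIT = """\
{"CreationTime":"2024-02-20T07:14:02","UserId":"cfo@example.test","Operation":"New-InboxRule","ClientIP":"203.0.113.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-02-20T09:30:11","UserId":"dev@example.test","Operation":"New-InboxRule","ClientIP":"198.51.100.5","Parameters":[{"Name":"Name","Value":"Jira notifications"},{"Name":"From","Value":"jira@example.test"},{"Name":"MoveToFolder","Value":"Jira"}]}
{"CreationTime":"2024-02-20T10:02:45","UserId":"ap@example.test","Operation":"Set-InboxRule","ClientIP":"203.0.113.77","Parameters":[{"Name":"Identity","Value":"Rule 1"},{"Name":"BodyContainsWords","Value":"bank account"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-02-20T11:00:00","UserId":"dev@example.test","Operation":"MailItemsAccessed","ClientIP":"198.51.100.5","Parameters":[]}
"""


def params_to_dict(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_true(value):
    return value.strip().lower() == "true"


def score_rule(params):
    """Return (score, reasons) for one rule's parameter dict."""
    score, reasons = 0, []
    folder = params.get("MoveToFolder", "").strip("\\/ ").lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to '{folder}'")
    if is_true(params.get("DeleteMessage", "")):
        score += 2
        reasons.append("deletes matching mail")
    if is_true(params.get("MarkAsRead", "")):
        score += 1
        reasons.append("marks mail as read")
    for key in KEYWORD_PARAMS:
        words = set(re.split(r"[;,\s]+", params.get(key, "").lower())) - {""}
        hits = words & FINANCE_WORDS
        if hits:
            score += 2
            reasons.append(f"{key} matches {sorted(hits)}")
            break
    name = params.get("Name")
    if name is not None and len(name.strip()) <= 2:
        score += 1
        reasons.append("rule name is blank or a single character")
    return score, reasons


def detect_hiding_rules(audit_text, threshold=3):
    """Return alerts for rule-creation/modification records scoring >= threshold."""
    alerts = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        score, reasons = score_rule(params_to_dict(record))
        if score >= threshold:
            alerts.append({"user": record["UserId"], "time": record["CreationTime"],
                           "operation": record["Operation"], "ip": record["ClientIP"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_hiding_rules(SAMPLE_AUDIT):
        print(alert)
```

The weights are deliberately simple; what matters is that the signals combine. A rule that both filters on payment vocabulary and routes matches to an obscure folder is almost never legitimate, whereas a single indicator on its own (a user filing vendor mail into an archive folder) is common. When a hit fires, the source IP should be pivoted against the sign-in logs, since the rule is usually created in the same session as the credential compromise counted in the 29 percent figure above.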

Cisco’s Proactive Cybersecurity Strategy

Fady Younes, Managing Director for Cybersecurity at Cisco Middle East & Africa, emphasized the importance of a holistic digital security strategy in the face of evolving threats. Cisco leverages advanced technologies, including AI, to help organizations implement proactive cybersecurity measures. Key recommendations include:

  • Multi-Factor Authentication (MFA): Implement MFA, such as Cisco Duo, to secure corporate email accounts and prevent BEC.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions like Cisco Secure Endpoint to detect malicious activities.
  • Threat Detection Signatures: Employ Cisco’s Snort and ClamAV signatures to block known ransomware families like Black Basta and Akira.

In summary, Cisco's Q1 2024 Talos IR report underscores the critical need for robust cybersecurity measures to combat rising threats, particularly BEC, and highlights the importance of MFA and EDR solutions in protecting organizational infrastructure.