Cybercriminals are always looking for opportunities to wage an attack. Whether it's a vulnerable system or a particularly enticing email designed to dupe an unsuspecting employee into clicking, low hanging fruit is everywhere. Many organizations bank on the notion that if they put some defenses in place, an attacker will move on to an easier target. But that approach doesn't take greed into account. Because ransomware has become so lucrative, cybercriminals are becoming more devious and putting significantly more energy into reconnaissance.

What is Reconnaissance?

Reconnaissance is one of the first phases of an attack. The steps are often described as a progression, starting on the left and moving to the right. The MITRE ATT&CK framework and Lockheed Martin Kill Chain are two examples that detail the tactics used in a campaign. The left-hand side includes pre-attack strategies, such as reconnaissance, planning, and development. On the right side are the execution phases that include launching malware and stealing data.

Analyzing Reconnaissance to Improve Your Security Strategy

The left side includes advanced persistent threats (APTs) with activities that include determining that a network is vulnerable, obtaining unauthorized access, and avoiding detection for an extended period of time. State-sponsored actors or nation states with considerable resources are often allied with APTs.

Most organizations don't focus as much on the left side of the attack framework, but that mindset needs to change. With better reconnaissance, cyberattacks are likely to be more effective and more destructive. Ransomware attacks will increase and undoubtedly become more expensive. According to FortiGuard Labs researchers, in the 12 months between July 2020 and June 2021, there was an almost 11x increase in ransomware.

Ransomware attacks may even be accompanied by distributed denial of service (DDoS) attacks designed to distract and overwhelm security teams. And the addition of wiper malware that destroys data, systems, and hardware acts as an added incentive for companies to pay quickly.

A recent global ransomware survey conducted by Fortinet indicates that ransomware is routinely successful with 67% of organizations reporting having been a ransomware target. And nearly half said they'd been targeted more than once.

Good Reconnaissance Leads to More Profit for Cybercriminals

As the number of incidents increase and gangs compete for a slice of the profitable pie, cybercriminals motivated by money are going to focus more attention on left-side activities. Much like nation-state-funded APT groups, these groups are likely to spend more time and effort on reconnaissance and ferreting out zero-day capabilities.

By spending more time on the left-hand side doing reconnaissance, cybercriminals can improve the likelihood of a successful attack. Often they can even reuse the same reconnaissance techniques against other organizations. So some upfront effort can reap great rewards.

Attack kits will make it easier for other attackers to reuse tactics and exploit vulnerabilities. These kits couple with the increase in malware-as-a-service means the sheer number of attacks is likely to rise because there will be more cybercriminals and their affiliates launching attacks at the same time.

Get Smarter About Reconnaissance

To combat advanced attacks, organizations need holistic and scalable security that facilitates visibility and communication across the network. To mount a swift and coordinated response, security solutions should be enhanced with artificial intelligence (AI) so they can detect attack patterns and stop threats in real time. Solutions also should be able to scale to address the increase in attacks. Organizations should have these solutions in place:

• Anti-malware that includes AI detection signatures
• Endpoint detection and response (EDR)
• Advanced intrusion prevention system (IPS) detection
• Sandbox solutions augmented with MITRE ATT&CK mappings
• Next generation firewalls (NGFWs)
• Digital risk protection service (DRPS) designed to counter attacks at the reconnaissance phase

Ideally, the tools should be deployed consistently across the distributed network, including data center, campus, branch, multi-cloud, home office, and endpoint using an integrated security platform such as the Fortinet Security Fabric.

The Security Fabric can detect, share, correlate and respond to threats as a unified solution. It integrates crucial security and networking solutions, including third-party components, and supports and supplements the people and processes that are part of in-house teams and skillsets.

Fortinet delivers a multi-phase approach to cyber security that can prevent the early-stage delivery of threat components as much as possible while continuing to inspect for and detect activity that indicates an intrusion or attack in progress. It is followed by a quick response to cyber events coordinated across the distributed cybersecurity mesh to contain and mitigate attacks. 

Cybercriminals will be upping their games with more reconnaissance efforts, more zero-day exploits, and more attacks, so organizations need to take action before it's too late.

Learn more about Fortinet's FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.