
July Cyber Threat Download™

Pondurance
July 25, 2025

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


Threat trends

The team noted that business email compromise (BEC) and ransomware attacks are still a concern. Malicious threat actors are continuing to use the same tactics that have been successful in the past to exploit their victims. 


  • BEC. These attacks leverage election and government news, geopolitical events, and other standard lures. Many of the credential-harvesting phishing emails lead to fake login pages built to steal the victim's session cookie, which lets the attacker hijack the authenticated session rather than just the password. The security operations center (SOC) team is equipped to detect changes to Office 365 mailboxes and has identified many high-fidelity alerts on such activity.

  • Ransomware. Rather than relying on automated deployment, threat actors are breaking into networks by hand and manually staging, deploying, and executing the ransomware. Fortunately, a hands-on intrusion takes longer, which gives the SOC team more time to detect it. The team typically sees threat actors using remote access and remote monitoring and management (RMM) software such as ScreenConnect.
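The mailbox changes mentioned under BEC above are most often inbox rules that forward mail to an outside address, delete it, or tuck it into a folder the user never looks at. The following script is an added example, not Pondurance's own tooling, of how an administrator can hunt for such rules across a tenant and pull the recent rule-change audit trail. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with an account that can read mailboxes and the audit log, and that the organization's own domains are the two placeholder domains listed at the top (replace them with yours).

```powershell
# Added example (not Pondurance's code): hunt for BEC-style inbox rules in Exchange Online.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run.

# Domains the organization owns (assumption: placeholders, replace with your own).
$InternalDomains = @('example.com', 'example.org')

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets come back as '"Display Name" [SMTP:user@domain]' or as a bare SMTP address.
    if ($Address -match '([\w.+-]+@[\w.-]+)') {
        $domain = $Matches[1].Split('@')[1].ToLower()
        return -not ($InternalDomains -contains $domain)
    }
    return $false
}

function Find-SuspiciousInboxRules {
    foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $reasons = @()
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            if ($targets | Where-Object { $_ -and (Test-ExternalAddress $_) }) { $reasons += 'forwards externally' }
            if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
            # Attackers park intercepted mail in folders users rarely open.
            if ($rule.MoveToFolder -match 'RSS|Archive|Junk|Conversation History') { $reasons += "moves to $($rule.MoveToFolder)" }
            # One-character or punctuation-only rule names are a common tell.
            if ($rule.Name.Length -le 2 -or $rule.Name -match '^\W*$') { $reasons += 'suspicious name' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

$findings = @(Find-SuspiciousInboxRules)
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\suspicious-inbox-rules.csv -NoTypeInformation

# Who created or changed rules in the last 7 days (requires unified audit logging to be on).
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000
$recent | Select-Object CreationDate, UserIds, Operations, ClientIP | Format-Table -AutoSize
```

Run it on a schedule and diff the CSV against the previous run; a rule that appears minutes after a sign-in from an unfamiliar IP in the audit output is the pattern to escalate. The folder and name heuristics are assumptions drawn from common BEC tradecraft, so tune them to what your own users legitimately do.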


Also, the team now recommends that clients block the text-storage site Pastebin and other nonbusiness file-sharing sites at the network perimeter.


How to reduce threats

Users may be the greatest vulnerability for a ransomware or phishing attack, so it’s important to conduct tabletop exercises and offer user awareness training to employees to reduce that risk. 


Tabletops are simulations of real-world cyber incidents that allow participants to discuss what their roles, actions, and decisions should be during a cybersecurity threat. These exercises test an organization’s incident response plan to identify any gaps in the response processes or overall security plan. Tabletops also allow an organization to identify the departments or groups at the highest risk of attack, whether it’s accounting, human resources, or remote contract workers. A tabletop exercise helps everyone understand what’s at stake, and it allows an organization to update security policy documents or an incident response plan — or write a plan from scratch if one isn’t already in place. The Pondurance team can help implement tabletops, draft policy documents, and finalize incident response plans with specific areas of risk in mind.


User awareness training should be mandatory and ongoing to ensure that every employee knows the risks posed by artificial intelligence (AI), phishing emails, malware, and more. AI can pose a risk when used by employees or by threat actors seeking to cause harm. When used by employees, prompt-driven AI tools such as ChatGPT can often produce “AI slop,” or low-quality, AI-generated content. Training can teach users how to structure a prompt with commands and key phrases for better results. When used by threat actors, AI tools can generate phishing emails that look more legitimate than pre-AI fake emails. User awareness training can help employees discern a legitimate email from a phishing email. 


In addition, the team briefly discussed drive-by downloads, the unintended download of malicious software when a user visits a compromised or malicious webpage. The team suggests that clients turn on PowerShell logging, but recommends first discussing it with the engineering team because of the large data volumes it generates. User awareness training can also help employees recognize drive-by downloads, which matters because threat actors appear to be shifting back to this type of straightforward attack.


Recovery observations

Recovery — the restoration of data, networks, and operations to their normal state — is the top priority after a cyber event. Organizations feel tremendous pressure to recover as quickly as possible. However, victims of a ransomware attack are usually surprised to learn that it takes significant time to get the data back up and running, even if there are backups. On average, the team estimates that downtime resulting from a ransomware attack is 21 days. 


A number of key factors determine the speed of recovery including:

  • Volume of data to be restored. Over time, data accumulates. Most organizations don’t realize how much data is in their backups.

  • Time to locate a clean restore point. As part of the forensics investigation, the designated person will determine which backup date provides a clean restore point, that is, a copy taken before the attacker gained access.

  • Specific vendors and software. Organizations need to know which third-party vendors are under contract to help and how to contact them, even after business hours. Organizations should also consider keeping their own copies of installation media and licenses for the software they run, so a rebuild does not depend on a vendor download.

  • Outdated software versions. During a recovery, parts of the network may need to be rebuilt. The old and new software versions must be compatible, and vendors must be in position to help install those new versions.

  • Insufficient bandwidth. Often, organizations don’t have the bandwidth required to bring the large volume of backup data down from the cloud or wherever it is stored, which can cause technical delays.


Overall, recovery is a labor-intensive process that involves many internal and external people making decisions. To be ready in advance, organizations should conduct practice tests and drills to expose any critical gaps in the backup procedure. Participants need to think through the technical, logistical, and operational aspects of the recovery. Knowing how the organization will react and interact during recovery will speed up the process.


Telemetry

The team discussed telemetry, or how data from multiple sources is collected and analyzed to understand what is happening within an environment, and compared three Windows-based, host-logging tools: group policy object (GPO) audit settings, endpoint detection and response (EDR), and Sysmon.


  • GPO. Managed through Active Directory, a group policy object is a collection of group policy settings that define configurations for users and computers. By default, Windows sends Pondurance approximately 12 low- and medium-severity event codes; another 15 to 30 event codes that carry high- and critical-severity alerts can be enabled locally per host using GPO. The team suggests that organizations enable PowerShell Event IDs 4103 (module logging) and 4104 (script block logging) and, most important, process creation auditing with command-line logging (Event ID 4688). The sidecar agent is required on each host to send the logs to the log forwarders and then on to the LogScale platform. Overall, default Windows event logging does not offer strong detection on its own, so augmenting it with GPO audit settings is important for visibility.

  • EDR. Top-tier EDR tools provide the best overall telemetry for the host, though EDRs still need GPO auditing and the sidecar because of gaps in coverage. For example, Microsoft Defender (E5), SentinelOne Complete, and CrowdStrike send Pondurance about 90% of the host picture; the other 10% requires the sidecar and additional auditing. EDR is also the best option for macOS and Linux, but the sidecar is still recommended, and it is important that those systems keep accurate, synchronized time so their time stamps line up with the rest of the telemetry. As a downside, EDRs can sometimes miss behaviors, fail to flag remote desktop (RDP) connections to a public IP, permit large file transfers, and lack awareness of user privileges. Also, lower-tier EDRs do not offer a data lake.

  • Sysmon. This free, advanced auditing tool from the Microsoft Sysinternals suite may be easier for some clients to deploy than changing certain GPO policies. Because Sysmon is not fully supported by Pondurance, clients must deploy the tool themselves, supply a good configuration file, and test every Sysmon configuration before deployment. Pondurance does ingest the logs, and the sidecar is required to forward Sysmon logs to LogScale. Sysmon logs some items better than the equivalent GPO methods, though further GPO auditing is still needed. Sysmon also overlaps heavily with the top-tier EDRs and is available for Linux. 
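The PowerShell logging recommendation from the drive-by download discussion and the GPO event IDs listed above (4103, 4104 and 4688 with command line) are the same three settings. The script below is an added example, not Pondurance's code or configuration, showing how to turn them on for one host from an elevated prompt and confirm events are being written. The registry values are the ones the corresponding Group Policy settings write (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell, and > System > Audit Process Creation), so in production set them through GPO rather than per host; the test command line and the helper function names are this example's own.

```powershell
# Added example (not Pondurance's code): enable 4103/4104/4688 logging on one host and verify.
# Run from an elevated PowerShell prompt. In production, set these via GPO instead.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Event ID 4104: script block logging records script content after de-obfuscation.
# (Without this policy, only blocks PowerShell itself deems suspicious are logged, at Warning level.)
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Event ID 4103: module logging for all modules ("*"), capturing pipeline execution details.
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# Event ID 4688: process creation audit plus the "Include command line" policy,
# without which 4688 records the image path but not the arguments.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1

# Generate test activity: one new process with a distinctive command line, one script block.
Start-Process -FilePath cmd.exe -ArgumentList '/c echo audit-test-4688' -WindowStyle Hidden -Wait
Invoke-Expression 'Write-Output "audit-test-4104"' | Out-Null

function Get-RecentAuditEvents {
    param([int]$MaxEvents = 5)
    # 4688 is written to the Security log; 4103/4104 to the PowerShell operational log.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $ps = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    @($sec) + @($ps) | Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { $_.Message.Split("`n")[0].Trim() } }
}

Get-RecentAuditEvents | Format-Table -AutoSize
```

Expect the 4688 entry for cmd.exe to show the full `/c echo audit-test-4688` argument string and a 4104 entry containing the Write-Output line. The volume caveat in the text is real: 4688 fires for every process and 4104 for every script block, so agree with the engineering team on log sizing and forwarder filters (for example, dropping 4688 events for a known-noisy service account) before rolling this out fleet-wide.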


In a perfect world, the team recommends that clients use all three tools for telemetry, tuned and filtered to fill any gaps. Of course, that’s not always feasible. The Pondurance team is available to discuss the pros and cons of telemetry tools to help clients determine which options will work best.


As a reminder, the team briefly noted that Windows 10 support, including security updates, ends on Oct. 14, 2025. Any organization still running Windows 10 needs to upgrade to Windows 11 before that date.
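To act on that reminder an organization first needs a current list of the Windows 10 machines it still has. The following is an added example, not Pondurance's code, of pulling that list from Active Directory; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read computer objects, and that 90 days of inactivity (an assumed cutoff) is enough to treat a computer account as stale rather than as an upgrade target.

```powershell
# Added example (not Pondurance's code): inventory active domain-joined Windows 10 hosts.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Assumption: computer accounts idle for 90+ days are stale, not upgrade candidates.
$cutoff = (Get-Date).AddDays(-90)

function Get-RemainingWindows10Hosts {
    Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object { $_.Enabled -and $_.LastLogonDate -ge $cutoff } |
        Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Sort-Object LastLogonDate -Descending
}

$win10 = @(Get-RemainingWindows10Hosts)
$win10 | Format-Table -AutoSize
$win10 | Export-Csv -Path .\windows10-remaining.csv -NoTypeInformation

# Stale accounts are worth a separate cleanup list rather than silently ignoring them.
$stale = @(Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' -Properties LastLogonDate |
    Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt $cutoff })

"{0} active Windows 10 hosts still need an upgrade; {1} Windows 10 accounts look stale" -f $win10.Count, $stale.Count
```

The OperatingSystemVersion column (10.0 with a build number) helps separate machines that can take the in-place upgrade from those that will need hardware replacement; machines missing from AD entirely (unmanaged, workgroup, or cloud-only) need a second source such as the EDR console.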


Alert tuning

Tuning keeps escalations relevant for clients. If a client encounters a false positive or prefers not to escalate an alert, it’s important to respond rather than simply close the alert. When a client responds with specific information, the Pondurance team can make proper adjustments to deliver only alerts that will be actionable. In addition, disclosing critical assets such as hosts, IP addresses, VIP lists, and honey tokens helps the team correct those tunings so that alerts on those assets are elevated to the appropriate level.

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our security operations center, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape. 

