Essential security can take care of most threats – but for businesses with larger networks, it might be time to extend the security envelope.

We’ve written before about how multilayered security is key to protection success. Each layer represents a dimension of protection, tackling specific threats or attack vectors. 

The best security solution should tackle all of this behind the scenes, only requiring human attention during setup, audits, or incidents. Security should be comprehensive, yes, but not too complicated, worsening the protective power of security operations.

To learn how complicated security tools can impact a business’s cybersecurity protection, read our blog on alert fatigue-induced burnout.

Moreover, the larger such an operation is, the harder it is to cover. Thankfully, some measures can alleviate such issues easily – such as automatic extended protection.

Let’s start from the bottom – the core of a security operation: endpoint protection, covering computers, mobile devices, and servers. Such points of convergence between users and digital networks are prime targets for threat actors, necessitating constant safeguarding.

Baseline endpoint protection should serve the smallest businesses, but larger ones might find that this is just not enough to cover their use of various cloud and mail apps, authentication, or a potential cyber insurance ask in the form of advanced encryption. Furthermore, larger businesses also require advanced threat defenses, somewhere beyond stand-alone endpoint security. This could be a protective sandbox set up to catch any incoming malicious samples, such as zero-day threats, before they hit the endpoint itself, or vulnerability and patch management to take care of exploitable gaps before they become an issue.

At ESET, we call all this extended protection – as it extends beyond endpoint security, adding additional protective layers, extending prevention efforts.

The easy answer to why a business should seek extended protection is that their involvement in commerce is enough of an incentive for threat actors to have them in their sights. Based on various reports, cracking the security of SMBs and larger businesses is the most likely goal rather than well-defended enterprises (a business with fewer than 100 employees could face 350% more attacks than enterprises).

Ransomware, a threat likely faced by every business entity, has seen a 32% rise in H1 2024 compared to H2 2023, based on ESET threat telemetry, with most detections present in the US, Mexico, the UK, and Germany.

• ESET H2 Threat Report released, summarizing the threat landscape from June through November 2024.
• Among infostealers, long-dominant Agent Tesla malware was replaced by Formbook; Lumma Stealer has increased by almost 400%. 
• Company-branded and deepfake scams increasingly target social media users with fraudulent investment schemes, as they increased by 335%.
• RansomHub grew significantly and is now the dominant ransomware-as-a-service (RaaS) player.
• Cryptocurrency wallet data was one of the prime targets of malicious actors; the increase was most dramatic on macOS.

BRATISLAVA — December 16, 2024 — ESET has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2024. Infostealers are one of the threat categories to experience a reshuffle, with the long-dominant Agent Tesla malware dethroned by Formbook – a well-established threat designed to steal a wide variety of sensitive data. Lumma Stealer too is becoming increasingly sought after by cybercriminals, appearing in several notable malicious campaigns in H2 2024. Its detections shot up by 369% in ESET telemetry. Social media saw a flood of new scams cropping up, using deepfake videos and company-branded posts to lure victims into fraudulent investment schemes. These scams, tracked by ESET as HTML/Nomani, saw a 335% increase in detections between reporting periods. Countries with the most detections were Japan, Slovakia, Canada, Spain, and Czechia.

“The second half of 2024 seems to have kept cybercriminals busy finding security loopholes and innovative ways to expand their victim pool, in the usual cat-and-mouse game with defenders. As a result, we’ve seen new attack vectors and social engineering methods, new threats skyrocketing in our telemetry, and takedown operations leading to shake-ups of previously established ranks,” says ESET Director of Threat Detection Jiří Kropáč.

Among infostealers, notorious “infostealer-as-a-service” Redline Stealer was taken down by international authorities in October 2024. But it is expected that Redline Stealer’s demise will lead to the expansion of other similar threats. The ransomware landscape was reshaped by the takedown of former leader LockBit, creating a vacuum to be filled by other actors. RansomHub, a ransomware-as-a-service, stacked up hundreds of victims by the end of H2 2024, establishing itself as the new dominant player. China-aligned, North Korea-aligned, and Iran-aligned APT groups have been getting more involved in ransomware attacks.

With cryptocurrencies reaching record values in H2 2024, cryptocurrency wallet data was one of the prime targets of malicious actors. In our telemetry, this was reflected in a rise in cryptostealer detections across multiple platforms. The increase was the most dramatic on macOS, where so-called Password-Stealing Ware – heavily targeting cryptocurrency wallet credentials – more than doubled compared to H1. AMOS (also known as Atomic Stealer), malware designed to collect and exfiltrate sensitive data from Mac devices, was a significant contributor to this increase. Android financial threats, targeting banking apps as well as cryptocurrency wallets, grew by 20%.

For more information, check out the ESET Threat Report H2 2024 on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

NOTE: The views and opinions expressed in this blogpost are those of ESET and do not necessarily reflect the views or positions of MITRE Engenuity.

In this year’s Enterprise edition of the ATT&CK® Evaluations, MITRE set up three attack scenarios: a Democratic People’s Republic of Korea (DPRK) scenario to test cyberespionage activity against a macOS system, a Cl0p scenario to test a ransomware attack against a Windows system, and a LockBit scenario to test a ransomware attack against a corporate environment containing both a Linux server and Windows workstations and servers.

ESET Inspect demonstrated good visibility in each scenario, detecting every step while keeping the total number of detections (or volume) low. The detections generated from the attacks were automatically correlated into incidents by ESET Inspect’s Incident Creator, giving our security analysts a focused view of the attacks and thus a clear understanding of how they happened step-by-step.

To get a better idea of how ESET fared, we will go over some of the methodological changes introduced by MITRE and then look at how Incident Creator streamlined the view and workflow of the security analysts sitting at the ESET Inspect dashboard.

This evaluation brought several well-thought-out changes to the methodology of the Detection scenarios that we believe better reflect the security analyst’s work of dealing with real-world cyberattacks.

First, Telemetry is no longer a detection category, meaning that it is not sufficient merely to show that an event occurred. The lowest detection category is now General, requiring a detection to indicate that an event occurred and is suspicious or malicious in some way. It’s important to point out that an event occurring in a sandbox does not qualify as an event occurring in the environment under evaluation. As indicated in its description, a General detection must answer the what, where, when, and who as related to the tested environment, and these cannot be answered from external sandbox execution.

Second, some benign substeps have been baked in as a test for false positives rather than for detections. This is a welcome change because it discourages a “detect everything” approach, which can otherwise create a lot of noise and needless work for the security analyst, and drive up data storage costs to boot. Another benefit of this change is that it allows calculating a precision score, indicating how many of the detections made correspond to actually malicious or suspicious substeps.

Third, some substeps are included but not evaluated. The reason for including such substeps is to better simulate a real-world cyberattack by avoiding illogical jumps in the progression of the attack.

Finally, a volume metric was introduced that records the number of detections shown in the dashboard. This is yet another way of discouraging a “detect everything” approach, dissuading vendors from allowing their dashboards to be populated sometimes with millions of detections. We welcome this adjustment too.

The volume metric also records the severity of detections, using five levels: critical, high, medium, low, and info. Since ESET Inspect has three incident severity levels of high, medium, and low, and three detection severity levels of threat, warning, and info, we agreed with the MITRE Engenuity team on the mapping shown in Table 1.

Table 1. Mapping between ATT&CK Evaluation and ESET Inspect severity levels

It is worth pointing out why we chose a severity score of 22 to divide the low and info severity levels. As noted in our documentation:

Rules with severity 22 and below are telemetry rules. They are usually used only as additional information for investigating an incident and can often be triggered by legitimate behavior. If some of these rules generate too much traffic in your environment, you may consider turning them off.

From here on out, we will refer to severity levels only as used by ESET Inspect.

An important consequence of using this mapping is that detections not correlated to an incident are out of scope in the evaluation. This largely reflects the intended usage of ESET Inspect in the real world: incidents populated by correlated detections are the primary focus for security analysts. Additional detailed information and detections not correlated to incidents, which could be of value in some cases, are secondary.

Since dashboards inevitably have various parts that show detections and other information in detailed, summary, or graphical forms, vendors were allowed to indicate for the evaluation the standard view that security operators are expected to use for handling attacks. Only information presented via this view is eligible for consideration as a detection or false positive, and for measuring volume. In ESET Inspect, the standard view for security analysts is Incidents.

The Incidents view is the primary place that security operators should use to manage their workflow. Incidents are automatically populated into this view in two ways:

• ESET Incident Creator, which uses an AI-based engine to correlate detections into a single incident.
• ESET Inspect, which currently has over 100 rules that create an incident as a response to being triggered, aggregating detections into a single incident by affected computers, a period of time, or both.

Operators are recommended to use the following workflow:

1. Investigate each incident.
2. Investigate threat-severity detections not correlated to any incident, if time allows.

Just as last year’s evaluation, each attack scenario was run twice. Vendors were allowed to make config changes for the second run to try to increase visibility, decrease false positives, and reduce volume. Figure 1 shows the Incidents view after the config change run.