Discover the cyber threats to your business.
By understanding the threats your organization faces, you’ll be better prepared to protect it from cyber threats. Join NTT’s Head of Threat Intelligence Mark Thomas for a replay of our webinar highlighting the key findings of our 2022 Global Threat Intelligence Report.
In 45 minutes, you’ll learn about the most targeted industries, how cloud migration is changing global attacks and the most common types of malware. Watch now to get the insights needed to protect your organization.
- Original date: August 17, 2022
- Run time: 45 minutes
- Speaker: Mark Thomas, Head of Threat Intelligence, NTT
Webinar Transcript
0:0:22.530 --> 0:0:37.700
Mark Thomas (Group)
Cheers. Today I'll be taking you through some of the key findings of our annual Global Threat Intelligence Report. This is a report that we put together every year, and it's actually the 10th year that we've been doing these reports.
0:0:39.300 --> 0:0:50.50
And I'll be distilling the five key trends based on the data that we've analyzed this year. So thank you all for joining.
0:0:51.710 --> 0:1:21.460
The analysis of our report is based on logs, events, attacks that are all real-world security incidents detected by our security operations center. They monitor our clients' infrastructure, looking at threats, infrastructure, and data. As we put together this report, we also have access to NTT's global Internet backbone telemetry
0:1:21.840 --> 0:1:53.510
That provides us with additional visibility into attacks and you know who they're targeting, and we can help understand some of the nature of the threat landscapes that we see. We also maintain a global network of honeypot sensors that we look at to see who's targeting what applications, what tools that threat actors may be leaving behind and all of that intelligence is collected by our global Threat Intelligence Center, which I lead.
0:1:54.330 --> 0:2:24.160
And we also have contributions from NTT CERT in Japan as well, who analyse threats targeting our own infrastructure. So the purpose of producing this report is having a look at how the threat landscape is changing over time. It helps us understand what the impact is to not only our own infrastructure, but that of our clients, and understanding what we can be doing to enhance our clients' security posture.
0:2:25.550 --> 0:2:49.530
And so obviously the threat landscape evolves every year, right? It's constantly challenging the status quo. We've also seen a lot of transformation right across different industries and certainly our clients. But more broadly, we've also seen a very uncertain geopolitical environment emerge over the past 12 to 18 months.
0:2:50.190 --> 0:2:55.750
So in terms of the five key findings that we'll talk about today:
0:2:56.930 --> 0:3:26.900
You can see them here. So firstly, attackers are refocusing their targeting towards critical infrastructure, and we'll get into some of the details behind each of these trends a bit later. We've seen different sectors targeted globally, not only because of COVID-19; we've also seen geopolitical tensions and, more recently, supply chain disruptions. Secondly, we've seen this migration to the cloud.
0:3:27.80 --> 0:3:50.200
Migrating to the cloud means that the attacks targeting those applications and data have also changed. Thirdly, we talk about the diversified scope and intensity of attacks here. We'll talk about how attackers are branching out into more industries, which are experiencing higher volumes of activity than in previous years.
0:3:51.160 --> 0:4:21.390
Fourth, we're seeing Trojan deployments surge, so there are certainly more Trojans and botnets increasing, whilst we're also seeing reductions in certain types of malware, cryptocurrency miners as an example of that. And lastly, ransomware prevalence whereby organizations are facing challenges in defending and responding to ransomware incidents. So let's kick off into the first key trend.
0:4:22.310 --> 0:4:51.120
And obviously one of the outcomes of geopolitical conflict, COVID-19 and the ongoing supply chain issues is that they have resulted in disruption across many different industries. We've seen fluctuations in not only the types of malicious activity, but also the volume of activity, as well as the industries that are now most targeted. As an example, we've seen attacks more than double in both the telco space
0:4:51.800 --> 0:5:21.360
as well as the transport and distribution sector. Transport and distribution appeared in the top five most targeted sectors. That was certainly new for us. We haven't seen that before, and when you think about what's happened over the past two years or so, there has been increased reliance on global supply chains and logistics, and also an increase in virtualization of business processes. The shift to working from anywhere.
0:5:21.560 --> 0:5:34.490
And also changing consumer behavior as well. So you think about going back to 2021, everyone was remotely working, they were purchasing goods online and probably more frequently than they had been in the past.
0:5:35.920 --> 0:6:2.60
And the essential nature of the vaccine supply chain: getting a product from point A to point B involves the transportation and logistics sector. So those drivers place greater demand on both network and communication systems like routers, edge devices, infrastructure and cloud applications.
0:6:3.220 --> 0:6:33.20
And I think it also explains why we're seeing governance and industry bodies call for more safeguards to protect critical infrastructure. In some cases, for example, this has meant redefining what it means to be a custodian of critical infrastructure or a system of national importance. But clearly the world is increasingly connected, and therefore organizations have to be doing more to protect society,
0:6:33.140 --> 0:6:38.220
critical infrastructure and the supply chain to preserve our way of life.
0:6:38.900 --> 0:7:8.790
The second major trend that we see here is the type of assets that are being targeted. Over the past few years, organizations have shifted more of their workloads to the cloud and web-based environments in general, but that has given rise to more attacks targeting those web applications. I think in general cloud providers have done a solid job in protecting their infrastructure and platforms, but the applications and the data
0:7:9.330 --> 0:7:14.290
supporting those applications tend to be under the control of end users or clients.
0:7:15.390 --> 0:7:44.780
Most businesses these days have a web presence, and that is really the footprint which is now actively targeted by would-be attackers. So looking at things like misconfigurations, vulnerabilities and credential leaks, what we're seeing is that about 72% of all attacks are now directed towards web and applications, and we're seeing that trend continue to rise each year.
0:7:45.180 --> 0:7:57.630
For example, if you look at 2018, that was only about 32%, but every year since, the attacks, or the volume of those attacks, have been increasing.
0:7:59.970 --> 0:8:23.60
We've also observed attackers expanding their scope and intensity, so we saw about a 30% increase in hostile activity targeting clients. And again this was led by attacks targeting applications and network infrastructure. But we're also seeing denial of service as well as credential brute force.
0:8:23.540 --> 0:8:53.30
Attack volumes increased for about 7 of the top 10 most targeted industries, with web application attacks and application-specific attacks up in most of those industries, and in nearly every region that we analyzed. Now the proportion of attacks targeting those top 3 industries actually declined. So what that actually means is that more industries are now experiencing higher levels of activity.
0:8:53.370 --> 0:9:12.100
It also indicates that attacks are moving on to lower-hanging fruit. It's not just about targeting those top three sectors. What we're seeing is that attackers are now targeting those less secure organizations as well as those that they've traditionally targeted. So all industries are effectively fair game.
0:9:13.250 --> 0:9:39.400
We also have a look at vulnerabilities, and in 2021 we saw the greatest number of newly discovered vulnerabilities compared to any previous year. That was at slightly under 22,000, whereby a vulnerability was discovered every 24 minutes on average. So it's against this complex and challenging backdrop that businesses and security leaders have to navigate.
0:9:41.570 --> 0:10:5.500
In terms of Trojan deployments, we're seeing these increase as well. I think anyone who's involved in operations can attest to that. But again, we're seeing botnets resurface. We've seen increased use of banking Trojans, which demonstrates a rise in cyber-criminal activity and that's often motivated by financial gain.
0:10:6.620 --> 0:10:33.930
Whilst increased deployment of the likes of Remote Access Trojans suggests a rise in corporate espionage and theft of intellectual property and trade secrets, it also tends to suggest a desire to maintain control of victims longer term. It's not necessarily about smash-and-grab attacks; we're seeing more activity that involves malware with the intention to maintain persistence.
0:10:34.750 --> 0:11:6.400
For example, Trojans accounted for about 65% of all malware detections in every industry that we analyzed, excluding the education sector. That's up from 35% the previous year. And as I mentioned before, cryptocurrency miners have actually decreased. That's now down to 6%, whereas only a year prior it was up around 41%, and that tends to correlate with the price
0:11:6.470 --> 0:11:13.270
of cryptocurrency assets where over the past 12 months or so, the price of cryptocurrency has actually dropped.
0:11:14.730 --> 0:11:43.520
In terms of the ransomware threat, almost one in four of the incident response engagements we were involved with were related to ransomware. That's 240% growth from levels in 2019. Obviously, a significant increase there, and such activity indicates that organizations are increasingly challenged in defending against and responding to ransomware incidents.
0:11:44.120 --> 0:11:55.910
The industries that most frequently called upon us to assist in those engagements were the retail sector, manufacturing and insurance, and of course technology and healthcare were also not far behind.
0:11:57.130 --> 0:12:11.140
But I think there's no shortage of incidents in the news talking about the impact of ransomware on business. I certainly know that the number of malware families that we're monitoring has increased over the past six months as well.
0:12:12.580 --> 0:12:42.710
In terms of the most common method attackers are using to infect organizations here, it tends to be via e-mail containing malicious links or attachments. And we know from our research that the average ransomware demand is going up, payouts are going up, and the total cost of ransomware for 2021 was actually expected to be near 20 billion
0:12:42.930 --> 0:13:5.300
U.S. dollars, and I think as a result of that, we're also seeing more industry bodies and government agencies establish the likes of ransomware task forces to enhance information sharing and other types of collaboration initiatives in pursuit of disrupting ransomware actors.
0:13:7.600 --> 0:13:37.950
Next we'll go on to some of the global insights that we're seeing as well. As you can see here, technology and finance experienced the majority of attacks that we saw, but where we've seen the biggest change is in that transport and distribution sector, which now comes in as the number 5 most targeted industry. But regardless of the industry, region or technology targeted,
0:13:38.330 --> 0:13:45.80
the volume of web application and application-specific attacks has increased and continues to increase annually.
0:13:46.0 --> 0:14:11.950
But as you can see here as well, we're also seeing denial of service and brute force activity. Credential brute force is continuing to take center stage. In most instances, attackers are not leveraging zero-day exploits. They're looking for the easiest path to compromise an organization. Whilst you do have highly sophisticated adversaries like nation states
0:14:13.150 --> 0:14:42.580
who may use zero-day exploits in their campaigns, they do so infrequently. The preference is always to look for simpler attack vectors, you know, the opportunistic attack, and that really explains why brute force activity always remains in the top five attacks that we see: it's far easier to use brute force or password theft to log into
0:14:42.650 --> 0:14:49.620
internet accessible systems, be it remote desktop VPNs, web portals, and so forth.
0:14:52.480 --> 0:15:22.850
On the left-hand side here we can see the top industries targeted annually by year, and we've done this for the past ten years now. As you can see, it's color-coded based on the top malware threats we observe. Blue indicates Trojans, gray is information stealers, and this year reveals that of course technology and finance are the top targeted. But with the manufacturing sector, we've seen that steadily increase over the past few years as well.
0:15:23.30 --> 0:15:53.270
And again, this is an industry that's undergoing a lot of transformation. Think about the connectedness of things: IoT edge devices, robotic process automation, a lot of activity happening in that environment, and with a lot of new technologies being deployed or integrated, of course you're going to see more attacks target that, because the application attack surface is increasing. The education sector, again, is something that we tend to see
0:15:53.640 --> 0:16:20.290
within the top five, at least for the last few years where we've been doing these reports. They tend to conduct research on behalf of governments and private industry, so they do store and process vast amounts of intellectual property, which is valuable to would-be attackers. And obviously gaining access to trade secrets and key resources is something that's
0:16:22.0 --> 0:16:33.210
a great avenue for an attacker to target, because the education sector tends not to have the same level of security that the likes of the financial sector does.
0:16:34.500 --> 0:17:5.560
Interestingly, here we see that healthcare was a prime target during COVID in 2020 as part of the vaccine supply chain. However, that activity has really decreased over the past 12 months or so. Now on the right-hand side, we see sectors and the most common malware we observe in those environments. Whilst ransomware disruption became one of the most significant threats to business continuity,
0:17:5.820 --> 0:17:37.70
it's actually Trojans and botnets which are dominating the malware landscape. As you can see in the dark and light blue, again we're seeing that common theme of Trojans and botnets really taking center stage here. The occurrence of these types of malware demonstrates that the attackers are seeking control. They're seeking persistence, whereby the intention is not necessarily to steal data. It could be to conduct further surveillance as well. And a lot of these types of malware are
0:17:37.450 --> 0:18:7.580
multifunctional in nature. They're not just there to deploy payloads, you know, download additional software; they have multifunctional capabilities like taking screenshots, monitoring keyboard strokes, sending data to the attacker, and controlling infrastructure as well. But in terms of the overall malware activity that we saw last year, that has actually increased by nearly 50% from levels observed in 2020.
0:18:8.380 --> 0:18:38.50
And you'll also notice here the presence of crypto mining activity in the education sector. That was the only sector to see that in the top five types of malware, and that's different to what we see from a regional perspective as well. We'll touch on what that looks like in the next couple of slides. But the education sector, because it tends to be more open and accessible,
0:18:38.940 --> 0:18:52.890
it's needed for collaboration purposes, right? The education sector has to be open for R&D purposes. Students are conducting mining operations. They're looking to generate passive income at the expense of the educational institution. So they'll
0:18:53.690 --> 0:19:4.360
go to universities, school environments, they'll plug in their laptops, which are used to mine cryptocurrency. And of course that's where we are able to detect that type of activity.
0:19:7.470 --> 0:19:37.780
So this shift to cloud computing has, you know, fundamentally changed the way organizations and their web infrastructure are supported. In most cases, moving to the cloud means that the organization's biggest potential target for attackers is those external-facing applications that they manage. Technology transformation, cloud migration, work from anywhere: those types of trends have resulted in that
0:19:37.900 --> 0:20:7.850
ratio of attacks increasing from 32% to 72%, and that's a significant rise in a trend that indicates attackers are moving up the stack, closer to where the application data is actually processed or stored. And it's not just the proportion of those attacks shifting to target web applications, but also the volume of activity, which has increased about 30% from the previous year in some industries.
0:20:8.360 --> 0:20:38.310
We're actually seeing a two-fold increase in attacks, specifically in the technology sector. But the key point here is that the volume of activity and vulnerabilities are also becoming more frequent. So when we look at vulnerabilities, we think about the weaponization of those vulnerabilities, and we don't have to look any further than Log4j, which most people I'm sure would be familiar with. It's an open-source logging library
0:20:38.570 --> 0:21:11.340
vulnerability that was discovered in mid-December of 2021, but that piece of code, or that application, was used by millions of computers worldwide running online services. And it requires very little expertise to exploit, making it actually one of the most severe vulnerabilities that we have seen in recent years. So within only a few hours of that vulnerability being reported, we started to see in-the-wild exploit attempts already making their rounds
0:21:11.420 --> 0:21:30.230
across outline bases, you know, as those organizations raced to patch their environments. Of course they had to patch multiple times, because new ways of exploiting that vulnerability were discovered over the following days, and it actually became the eighth most targeted technology for the entire year,
0:21:30.950 --> 0:22:0.780
even though there were only 23 days left in the calendar year. That's how proactively attackers were scanning and trying to exploit that particular vulnerability. So I think this type of vulnerability really highlights the importance of software supply chain and trust. Do we trust the software, and the quality of the software, that we use? Because even a small window of vulnerability
0:22:1.20 --> 0:22:17.730
creates a window of opportunity for attackers. And with the increased use of automated tools and cybercrime-as-a-service models, the barrier to entry for attackers to be effective in targeting organizations is really being lowered.
0:22:19.350 --> 0:22:45.240
In terms of malware from a global perspective, Ursnif was the most detected malware at 20%, followed by Emotet. For those who don't know, Ursnif is a very common banking Trojan. Again, it's multifunctional in nature. It steals credentials, and it can take other types of information from your computer, including network details.
0:22:46.360 --> 0:22:51.850
And generally, attackers use Ursnif to install additional malware components as well.
0:22:52.950 --> 0:23:11.890
Ramnit, on the other hand, was originally designed to be a virus. It then gained worm-like capabilities, but now it has also been upgraded to provide command and control capabilities as well. So again we're seeing that trend of malware becoming more multifunctional.
0:23:13.250 --> 0:23:43.280
That was certainly common in the APAC region and Japan, but it was quite different to what we saw in Europe. We've also witnessed the resurgence of Emotet and Trickbot, two very well-known banking Trojans. Emotet, for example, was taken offline by a coordinated effort at the start of last year that was conducted by Europol with support from various law enforcement
0:23:43.350 --> 0:24:10.690
and other judicial authorities. But that botnet actually resurfaced in November of 2021, and then it continued to provide malware-as-a-service capabilities to cyber-criminal groups, who would then access those compromised systems to further malware propagation. So what we're seeing is that Emotet was actually deploying Trickbot, Trickbot was deploying Qakbot, and Qakbot was deploying Ryuk. So a lot of these
0:24:12.200 --> 0:24:41.190
banking Trojans work hand in hand, with those payloads being deployed to provide access for other types of threat groups. So whilst many of these attacks followed global trends, there were some notable differences here. You can probably spot Europe. That again was the only region to observe cryptocurrency miners in the top ten malware detections, and the only region that did not have Trojans as the most commonly detected malware.
0:24:42.450 --> 0:25:7.740
So Europe in this case actually shows three cryptocurrency miners here: Crypto Miner, Coin Miner and XMRig being the key standouts. It was also the only region to observe detections of exploit kits in the top ten malware, an exploit kit being a tool used for automatically managing and deploying exploits against a target.
0:25:10.430 --> 0:25:39.10
So off the back of the COVID health crisis, ongoing geopolitical conflict and the impact on supply chains, which really captured the attention of organizations and the minds of individuals, those two major events had significant impact and still remain unresolved in the world today. So what our team did was look at some of the
0:25:39.80 --> 0:26:4.500
activity happening in the Russia and Ukraine conflict, and specifically we were looking at whether or not there was potential spillover for attacks to impact other countries. Like COVID-19 did on the cyber security domain, the Russian invasion will also have a lasting impact on cybersecurity. Effectively what happened
0:26:5.170 --> 0:26:36.360
was that the physical invasion began in late February 2022, but the actual cyber operations began earlier than that, and that conflict has brought economic sanctions, and physical and cyber operations targeting critical infrastructure, financial institutions, oil, gas, et cetera. But businesses and other types of industries along that supply chain have also been impacted by that now.
0:26:37.510 --> 0:27:6.680
Initially what we saw was a series of operations using data-wiping malware that targeted multiple industries in Ukraine, governments and nonprofit technology companies, and the goal of that was really about sabotage: wiping critical data or rendering systems inoperable. But actually a month prior to that physical invasion, in January 2022, attackers defaced about 50
0:27:6.820 --> 0:27:36.650
Ukrainian government websites. In February, we started to see DDoS attacks target Ukraine's armed forces and national banks, crippling services for hours. But what this shows is that we're seeing the full range of cyberattacks employed to support conflict. And as you can see here, we've put together some of the types of attacks that we've observed: everything from credential compromise, data theft and DDoS to
0:27:36.840 --> 0:28:6.250
phishing, ransomware, and disinformation campaigns. The whole gamut of attack categories has been employed to support the actual physical war. So I think this is a change in activity compared to previous wars. It really plays that hybrid role between cyber and physical. So I think it goes to support that all's fair in love and war. The diversity
0:28:6.830 --> 0:28:38.210
of these attacks employed during the conflict will continue to expand over time. Specifically with the conflict, we have been tracking a group called Gamaredon, which is an APT group. It's also called Primitive Bear or Actinium, depending on which vendor you ask. They've been targeting Ukrainian government agencies for many years, and in fact the first known activities from this group were around 2013.
0:28:38.550 --> 0:28:41.740
They tend to conduct espionage operations.
0:28:42.860 --> 0:28:55.10
Recently we've seen the Security Service of Ukraine publicly attribute this to five Russian Federal Security Service officers who are based in Crimea.
0:28:56.390 --> 0:29:25.420
But this group tends to use spear phishing to compromise its targets. What we did, using our unique Internet backbone telemetry, was identify some of the attackers' command and control infrastructure, and multiple compromises were identified not only across Ukraine during the early weeks of the conflict, but we also saw this communication to other victims
0:29:25.500 --> 0:29:54.860
operating within the European nexus as well. Therefore we could confirm that there was spillover into other NATO countries. Effectively, that visibility, using our Internet backbone to support our intelligence collection, allows us to automatically detect changes to adversarial infrastructure, which we can then propagate as a blacklist to support our threat detection platform. That really supports our ability to detect and respond
0:29:55.150 --> 0:30:1.660
to security incidents on behalf of our clients. But unlike many other APT groups,
0:30:2.370 --> 0:30:32.240
Gamaredon typically reuses domains across multiple categories or multiple campaigns. So as domains are created, they then use those in new campaigns. They also add those to a pool of domains that are rotated for future use. They also cluster their infrastructure for specific use cases. So for example they have a download cluster, and later intrusion stages such as PowerShell, UltraVNC and Pteranodon,
0:30:33.300 --> 0:31:3.830
which is a custom backdoor, all use separate infrastructure that does not directly communicate with each other. So the point here is that they cluster tooling based on campaigns, used for phishing and malware distribution. But this is only one particular group that has been known to be targeting Ukraine in the conflict. There are well over a dozen different threat groups. Be it Trickbot,
0:31:3.900 --> 0:31:20.660
APT29, RedDelta or Sandworm, all have been known to be linked to the ongoing intrusion, and some of the malware tools that have been deployed off the back of this have included everything from Conti ransomware and
0:31:22.360 --> 0:31:34.640
IcedID to Industroyer, PlugX and the LOIC Trojan. A lot of these are commercially available, and some of them are open source as well.
0:31:37.510 --> 0:32:11.310
I've discussed the threats and the evolving nature of the landscape from NTT's perspective. I think cyber resilience is really a key focus area that organizations have to prioritize in order to safeguard their critical assets. Those who do will be more effective in delivering more reliable services securely. Based on that, we have five strategic recommendations that organizations need to be considering.
0:32:11.780 --> 0:32:42.770
Firstly, security by design and zero-trust architecture. Organisations must prepare for today's threats by adopting the likes of zero-trust architectures in order to ensure that security follows the user regardless of their device or work action. The whole concept is never trust, always verify. We know that security is a continuous process that has to be embedded into business and organizational processes, not something that should be bolted on at the last minute.
0:32:44.140 --> 0:33:10.530
Second, within this presentation I've also mentioned the use of vulnerabilities. Vulnerabilities are weaponized to penetrate an organization and break into systems. Monitoring early and frequently reduces risk exposure and the window of opportunity for attackers to target assets. So again, it's something that organizations really have to be prioritizing in order to uplift their security posture.
0:33:11.570 --> 0:33:40.730
Third is continuous monitoring, or threat detection and response: gaining visibility into attacks not just targeting endpoints, but also targeting the network, and of course now targeting cloud environments, where we tend to find a lot of organizations don't have visibility. Threat detection and response capabilities minimize the scope and impact of a breach. And that's really where NTT Security Holdings specializes.
0:33:41.540 --> 0:34:11.90
The fourth recommendation we have is securing data at rest, in use and in transit. Here it's all about securing the crown jewels, and it depends which industry you may be in. So if, for example, you're in the financial services sector, credit card data is really key. You might be in healthcare, therefore patient healthcare records are important. You might develop technology, therefore it's intellectual property or trade secrets. Whatever critical business
0:34:11.440 --> 0:34:19.360
assets or business data you have, you have to encrypt it. You have to have a backup strategy. You have to test out that backup and build controls around that data.
0:34:20.340 --> 0:34:47.380
And lastly, from a strategic recommendation perspective, reviewing business continuity and disaster recovery plans. So making sure that you have a crisis management communications plan in place, understanding the impact of threats to your environment and how you can overcome any unplanned or unforeseen incident should it occur. So testing out your incident response plans.
0:34:48.80 --> 0:35:19.80
And what I've also mentioned here in the box in blue is some of the MITRE ATT&CK™ mitigations. These are not just technology controls, but also things like user training, because we know that controls aren't all just about technology; they also involve the users themselves. So user training, for example: you don't want people clicking on malicious attachments or malicious links. But I think based on the types of threats that
0:35:19.190 --> 0:35:40.10
we've discussed in their support, everything from ransomware to cryptocurrency mining, there are different control points or ways that you can monitor for these types of threats. Using MITRE ATT&CK™ as a general framework allows you to uplift your security posture, be it updating your security software,
0:35:40.460 --> 0:36:9.620
limiting the network exposure that you have by ensuring that you have filtering and network segmentation in place, ensuring that you have an operating system that's hardwired to be secure by default, and ensuring that you have the right anti-malware protection capabilities in place as well. So I think with those types of threats in mind,
0:36:10.90 --> 0:36:26.300
organizations have to remain vigilant and constantly update their threat detection and response capabilities. But really the key here is achieving cyber resilience. That really has to be the focus area for organizations to prioritize over the coming years.
0:36:27.680 --> 0:36:58.230
That said, just a word on final thoughts. We've discussed some of the key threats, but also looked at some of the challenges that will continue to play out through this year and likely into the next as well. Ransomware again: it always takes media headlines, but it does so for a very important reason. It has the ability to disrupt business availability. And I think over time we'll continue to see ransomware threats evolve.
0:36:59.680 --> 0:37:16.600
Attackers are looking to reap financial profits from these types of attacks and you know that creates incentives for them. And I think with ongoing geopolitical tensions, some ransomware operatives might find safe havens from which to operate.
0:37:18.360 --> 0:37:48.320
They'll continue to look for the weaker targets, but they'll also look to target the likes of critical infrastructure as well. Second cryptocurrency, although it was only Europe that really saw a lot of the activity there. I think over the coming years as crypto becomes more mainstream, the likes of cryptocurrency exchanges, cross chain bridges will really become a focal point for attacks. And this is really because
0:37:49.60 --> 0:38:19.250
cyber criminals are financially motivated, right? They're looking for money and there's a lot of money pouring into cryptocurrency markets. So I expect to see a lot more infrastructure associated with those types of exchanges and bridges to be targeted over the coming years. Third, supply chain attacks. I think in the last 12 to 18 months, we've seen the success of high-profile supply chain attacks.
0:38:19.650 --> 0:38:48.860
That will continue to inspire copycat threat actors. We know they cause wide-ranging damages to both suppliers and their clients as well. And depending on the popularity of a supplier's compromised product, a supply chain can really impact tens of thousands of downstream organizations. We've started to see that with actors targeting managed service providers' software,
0:38:49.700 --> 0:39:1.600
developers as well, this is really going to be a key piece or as part of an overall security strategy. How you get visibility into third-party risk.
0:39:2.640 --> 0:39:32.550
I think this boils down to two types of threats here. One is what we're calling incorporated threats, where attacks exploit built-in vulnerabilities, and the second is insertion threats, whereby attacks have been created by intentionally implanting malicious artifacts into software themselves. So think hijacking updates, undermining code, signing other solo wins, compromising open-source code. And we saw that last year whereby
0:39:40.470 --> 0:39:48.340
there were developers who introduced vulnerabilities into the Linux kernel, and of course if you downloaded that, then you were vulnerable. And, lastly,
0:39:51.670 --> 0:40:21.600
Mark Thomas (Group)
compliance, privacy and regulation. I think throughout 2021 we saw a struggle in the balance between security and freedom and between privacy versus safety. Each year we look across what's happening in different regions. We're constantly seeing updates to regulations or legislation that does impact governance, risk compliance. More recently, the likes of Australia,
0:40:21.650 --> 0:40:33.670
Brazil, Japan, India, China, South Africa, US to name a few, many governments are renewing their focus on protecting critical infrastructure and
0:40:34.410 --> 0:41:2.900
industries associated with the vaccine supply chain. Also more recently, we are seeing increased regulation calls for the cryptocurrency industry as well. Specifically for example, in the US, we've seen proposed cybersecurity risk management rules and amendments for investment advisors. There are new security mandates for publicly traded companies.
0:41:3.820 --> 0:41:8.260
There's new cyber incident reporting for critical infrastructure.
0:41:9.230 --> 0:41:38.450
And even more recently, there's the SOCI Act, for example, which amends or strengthens the security and resilience of critical infrastructure by expanding the sector and asset classes that the Act applies to. So it's not just all about the energy sector or healthcare, but it does also now impact financial services, higher education, and so forth. I think these trends are likely to continue throughout
0:41:38.620 --> 0:41:51.950
2022 as governments continue to take more of a proactive role in ensuring the protection of critical infrastructure of digital society, as well as people themselves.
0:41:53.70 --> 0:41:59.240
So with that said, I think we have maybe 5 minutes. For questions.
0:42:2.260 --> 0:42:5.270
Mark Thomas (Group)
So Marcus, I might turn it over to you.
0:42:5.370 --> 0:42:22.160
Marcus Silwer (Group)
Yeah. So thank you Mark, for insights and very, very much appreciated. And if you have any questions you can answer into the chat or just raise your voice. And meanwhile I got the question earlier...
0:42:22.940 --> 0:42:40.530
Marcus Silwer (Group)
You mentioned that we are collecting threat intelligence from our own data sources, but how do we interact with other threat intelligence and sharing communities, or how are we sharing and how are we receiving threat intel from others?
0:42:41.670 --> 0:43:11.610
Mark Thomas (Group)
As part of NTT Security Holdings, we have various collaboration and initiatives with third parties, for example, the Cyber Threat Alliance and that's an industry alliance that is made up of about 30 different security vendors. We have automated indicator sharing in place with those. So we're consuming what other companies are providing that provides a level of
0:43:11.710 --> 0:43:43.70
Mark Thomas (Group)
steady state protection as part of that initiative as well. They provide disruptive capability. So for example if we see something we can always reach out to exchange intelligence and disrupt threat actors in cyberspace. We're part of the NCFTA (National Cyber Forensics Training Alliance). And again, this is all about sharing indicators, campaigns, new types of intelligence that may help us not only protect ourselves but also use our intelligence to protect
0:43:43.140 --> 0:43:59.780
Mark Thomas (Group)
our clients. We're also part of FS-ISAC. We collaborate amongst different entities within NTT. So it's all about collecting that intelligence in an automated way so that it can benefit our security platform.
0:44:0.850 --> 0:44:10.470
Marcus Silwer (Group)
Thanks, and a question here from the chat. How is the future strategy in threat intel cooperation with the private and public sectors?
0:44:15.900 --> 0:44:50.190
Mark Thomas (Group)
So the likes of FS-ISAC, for example, or even the CTI, you're part of that initiative is not just to protect other security companies, but anyone who's a part or a member of those types of organizations. So if you're with the FS-ISAC, for example, that would mean banks generally are a part of that. So they can use that intelligence to protect themselves. And I think even doing these types of presentations, this in itself is a threat intelligence report and it's our way of getting the message out
0:44:50.830 --> 0:44:58.100
Mark Thomas (Group)
to the broader community, to let them know what the key trends are so they can then act on that in order to improve their own security.
0:44:59.490 --> 0:45:28.440
Marcus Silwer (Group)
So we're running out of time. Thank you everyone for participating. And if no further questions. Thank you, Mark, for your presentations and insights.
0:45:30.330 --> 0:45:30.790
Marcus Silwer (Group)
Thank you.