Cisco Talos Blog: IR Trends Q1 2025: Phishing soars as identity-based attacks persist

Source URL: https://blog.talosintelligence.com/ir-trends-q1-2025/
Source: Cisco Talos Blog
Title: IR Trends Q1 2025: Phishing soars as identity-based attacks persist

Feedly Summary: This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

AI Summary and Description: Yes

**Summary:** The text discusses a significant rise in phishing attacks over the past quarter, with these tactics being used predominantly for initial access in cyber incidents. It provides insights into the evolving strategies of threat actors, notably the use of vishing, and highlights ransomware trends, particularly within manufacturing and construction sectors. The analysis offers effective defensive measures against these threats, emphasizing the need for robust MFA, user education, and endpoint protection.

**Detailed Description:**
The report outlines the current cybersecurity landscape focused on phishing and ransomware, detailing how threat actors are adapting their strategies to exploit vulnerabilities. Key observations include:

– **Increase in Phishing Attacks:**
  – Phishing accounted for 50% of all engagements this quarter, up from less than 10% in the previous quarter.
  – Vishing (voice phishing) was the most prevalent form of phishing, comprising over 60% of phishing engagements. Other forms included malicious links and attachments, along with business email compromise (BEC).

– **Use of Valid Accounts:**
  – Although the use of valid accounts for initial access decreased this quarter, they still played a critical role in attack chains where attackers used phishing to gain access and then establish persistence.

– **Ransomware Trends:**
  – Ransomware and pre-ransomware incidents made up over 50% of engagements this quarter.
  – A large-scale vishing campaign targeted the manufacturing and construction sectors, representing about 60% of ransomware and pre-ransomware engagements.

– **Defensive Measures:**
  – Early engagement with incident response teams was crucial in halting ransomware attacks before encryption occurred.
  – Recommendations were made to implement multi-factor authentication (MFA), ensure user education on phishing, and harden endpoint security solutions so that threat actors cannot uninstall or tamper with them.

– **Response to Specific Attacks:**
  – A case study was presented on a pre-ransomware event in which an organization experienced a large volume of spam emails, allowing the incident response team to provide timely alerts and mitigation strategies.

– **Observations from MITRE ATT&CK Framework:**
  – Various techniques used by adversaries were categorized, emphasizing the need for organizations to be aware of potential vulnerabilities and the evolving tactics threat actors may employ.

**Additional Recommendations:**
– Enforce stronger MFA configuration and access controls.
– Provide comprehensive training for users on phishing and social engineering.
– Protect endpoint security solutions with additional safeguards against unauthorized changes and removal.

This report serves as a timely and critical resource for security professionals needing to understand current attack trends and enhance their cybersecurity measures accordingly.