At les Assises de la Sécurité, the consulting firm Wavestone reveals the results of its study* devoted to the cybersecurity incidents that it has managed in large French groups. While the year 2022 has been rich in terms of cyber-attacks (geopolitical context in Ukraine, continued presence of large groups of attackers), this context has not fundamentally transformed the threat in France. However, the cyber threat persists: attackers have time, money, are always looking for new ways to achieve their goals and are now more capable of specialising, organising themselves and increasing their expertise.
The main findings of our incident response team over the past year:
- The main motivation for attacks remains financial and the most common means of extortion is still ransomware (51% of managed incidents).
- The fraudulent use of valid accounts, stolen through phishing, remains the main entry point for attackers.
- Large companies have increased their cyber maturity, particularly in the speed of detection of attacks.
- The attacks remain largely opportunistic (76% of our sample) with no desire to target a specific sector or company.
- Threat actors are becoming more professional and structured, and recent revelations show the advent of real cybercrime SMEs.
Attackers remain motivated mainly by money
Attackers do not hesitate to combine extortion methods to maximise the chances of the ransom being paid. For example, the CONTI and Lockbit groups now almost systematically practice "double extortion" schemes: they combine the paralysis of the information system (IS) with the threat of publishing the stolen data. Sometimes, attackers also put pressure directly on the victim's ecosystem, through threatening phone calls, emails, and DDoS attacks, thus using the victim's business partners as leverage.
Attackers penetrate information systems mainly by stealing valid user accounts
Access to these accounts is gained by recovering leaked passwords, buying databases on the darknet, exploiting weak passwords, and phishing attacks which exploit poor cyber hygiene.
Today, according to our Cyber benchmark of company maturity, 90% of companies have understood the need to deploy an awareness programme, but only 15% of them do so in a professional manner, adapting messages and tools to different populations. Awareness efforts must be combined with technological solutions to maximise protection.
Cybercriminals still operate mainly on an opportunistic basis
While in some rare cases, attacker groups build targeted, complex, and multi-stage attacks, for example, by aiming at the appropriation of data in order to prepare a large-scale attack on another target, cybercriminals still operate mostly in an opportunistic manner (76% of managed incidents), i.e., without any desire to specifically target a sector or a company.
It should be noted that cases of internal maliciousness are still recorded (9% in 2022). These cases are rarely made public, and this lack of visibility can reduce the vigilance of companies that prioritise taking external threats into account.
The cyber threat is becoming more professional and structured
Firstly, the attacker groups, and in particular the groups operating on the ransomware model, are now organised like real companies (made concrete in 2022 by the elements that have been revealed about the functioning of the CONTI group) with, for example, HR, purchasing and training departments. They have sophisticated tools and are creative in maximising the profitability of their activities. We note that these groups are increasingly experiencing the same business problems as entrepreneurs: problems of recruitment, marketing, conflict management, and payment management.
Secondly, the threat ecosystem is also becoming more structured. Rogue service providers are multiplying and providing material and digital support to attacker groups (provision of hacked access, attack software, money laundering services…).
Large companies are making progress in their ability to protect and detect, leaving medium-sized companies ever more exposed.
While any organisation can be the target of cyber-attacks, large companies continue to gain maturity. For example, the time to detect an attack has dropped from 94 days in 2020 to 35 days in 2022. Large companies are better equipped and better protected. On several occasions this year, our teams have been mobilised preventively and have therefore been able to interrupt attacks in the making.
Large organisations need to consider the new methods of attack that are emerging, in particular those targeting the cloud, the use of intelligent malware technologies capable of adapting their behaviour to analysis environments, the bypassing of strong authentication (in particular via mass notifications to phones that push users into accepting) and attacks via third parties (for which data exchanges create a simplified entry point). The combination of innovative measures on these themes with the application of basic cybersecurity measures (patches, backups, access management, parameterisation, rigorous testing and control on cloud environments, etc.) remains necessary.
"Even if we can see an improvement in defence in large organisations, they must remain vigilant. Indeed, faced with the extreme professionalisation of attackers' organisations and the constant invention of new intrusion methods, it is necessary to remain alert and to maintain investment levels," says Gérôme BILLOIS, cybersecurity partner.
*Methodology: this study is based on the cyber incidents and crises managed by Wavestone between October 2021 and September 2022: that is, 35 attacks, including 9 major crises.
Gérôme Billois, cybersecurity and digital risk management expert at Wavestone, is available to provide you with an insight
Gérôme BILLOIS, cybersecurity partner, has more than 20 years of experience in cyber security and digital risk management consulting. He is a graduate of the National Institute of Applied Sciences in Lyon. Since 2001, he has led numerous projects for major international accounts, including the definition of cyber security strategies to enable a confident digital transformation and the management of programmes to combat cybercrime. He has led and participated in crisis management units in the context of cyber-attacks.
Gérôme BILLOIS is a regular contributor to the French media and press (TF1, France 2, BFM, iTélé, France Info, Les Echos, Le Monde, etc.). He also gives conferences and lectures at high-level schools (INSA, Télécom Sud Paris…).
About Wavestone
In a world where knowing how to transform is the key to success, Wavestone's mission is to enlighten and guide large organisations in their most critical transformations with the ambition of making them positive for all stakeholders. This ambition is anchored in the firm's DNA and is summed up by the signature "The Positive Way".
Wavestone has over 3,000 employees in 9 countries. It is one of the leading independent consultancies in Europe.
Wavestone is listed on Euronext Paris and has been awarded the Great Place To Work® label.
More information on wwa.wavestone.com // @wavestoneFR
Wavestone: Mélodie LAUQUE, melodie.lauque@wavestone.com, Tel: + 33 1 49 03 20 00
Wellcom PR Agency: Agathe Billiette: agathe.billiette@wellcom.fr, Chloé Bencivengo: chloe.bencivengo@wellcom.fr, Marie-Charlotte Fauquette: mariecharlotte.fauquette@wellcom.fr, Tel: + 33 1 46 34 60 60